Add flag to decrypt the configuration (#307)

rubiojr · web-flow · commit c579850b4e59 · 2020-05-02T01:28:08.000+02:00
diff --git a/beehive.go b/beehive.go
@@ -24,7 +24,9 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
+	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
@@ -45,6 +47,7 @@ var (
 	configURL   string
 	versionFlag bool
 	debugFlag   bool
+	decryptFlag bool
 )
 
 func main() {
@@ -67,6 +70,12 @@ func main() {
 			Value: false,
 			Desc:  "Turn on debugging",
 		},
+		{
+			V:     &decryptFlag,
+			Name:  "decrypt",
+			Value: false,
+			Desc:  "Decrypt and print the configuration file",
+		},
 	})
 
 	// Parse command-line args for all registered bees
@@ -77,6 +86,10 @@ func main() {
 		os.Exit(0)
 	}
 
+	if decryptFlag {
+		decryptConfig(configURL)
+	}
+
 	api.Run()
 
 	if debugFlag {
@@ -164,6 +177,32 @@ func main() {
 	}
 }
 
+func decryptConfig(u string) {
+	b := cfg.AESBackend{}
+
+	pu, err := url.Parse(u)
+	if err != nil {
+		log.Fatal("Invalid configuration URL. err: ", err)
+	}
+
+	_, err = os.Stat(pu.Path)
+	if err != nil {
+		log.Fatalf("Invalid configuration file %s", pu.Path)
+	}
+
+	config, err := b.Load(pu)
+	if err != nil {
+		log.Fatal("Error decrypting the configuration file. err: ", err)
+	}
+
+	j, err := json.MarshalIndent(config, "", "  ")
+	if err != nil {
+		log.Fatal("Error encoding the configuraiton file. err: ", err)
+	}
+	fmt.Println(string(j))
+	os.Exit(0)
+}
+
 func init() {
 	log.SetFormatter(&log.TextFormatter{ForceColors: true})
 	log.SetOutput(colorable.NewColorableStdout())
diff --git a/docs/config_encryption.md b/docs/config_encryption.md
@@ -33,6 +33,26 @@ A sample wrapper script (Linux only) is provided in [tools/encrypted-config-wrap
 
 Something similar could be written to do it on macOS using Keychain and its `security(1)` CLI.
 
+## Decrypting the configuration
+
+Use `--decrypt` with a valid password:
+
+```
+beehive --decrypt --config crypto://mysecret@/path/to/config/file
+```
+
+or using an environment variable:
+
+```
+BEEHIVE_CONFIG_PASSWORD=mysecret beehive --decrypt --config crypto:///path/to/config/file
+```
+
+You can also use omit `--config` when using the default configuration path:
+
+```
+BEEHIVE_CONFIG_PASSWORD=mysecret beehive --decrypt
+```
+
 ## Troubleshooting
 
 ```
diff --git a/watchdog_linux.go b/watchdog_linux.go
@@ -22,14 +22,14 @@ func init() {
 	// returns the configured WatchdogSec in the service unit as time.Duration
 	interval, err := daemon.SdWatchdogEnabled(false)
 	if err != nil || interval == 0 {
-		log.Printf("Systemd watchdog not enabled")
+		log.Debug("Systemd watchdog not enabled")
 		return
 	}
 
 	// We want to notify the watchdog every WatchdogSec/3, that is, if WatchdogSec is
 	// set to 30 seconds, we'll send a notification to systemd every 10 seconds.
 	runEvery := interval / 3
-	log.Printf("Systemd watchdog notifications every %.2f seconds", runEvery.Seconds())
+	log.Debugf("Systemd watchdog notifications every %.2f seconds", runEvery.Seconds())
 
 	go func() {
 		for {
