vm_server/main.go at main · external-secrets-inc/vm_server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"log"
	"os"
	"os/signal"
	"syscall"
	consumersHandler "vm-server/handlers/consumers"
	scanHandler "vm-server/handlers/scan"
	"vm-server/handlers/secrets"
	"vm-server/jobs"
	scanService "vm-server/services/scan"
	secretsvc "vm-server/services/secrets"
	memory "vm-server/store/memory"
	"vm-server/watcher"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	// Command-line flags for TLS files
	caFile := flag.String("ca-file", "", "Path to the CA certificate file")
	certFile := flag.String("cert-file", "", "Path to the server certificate file")
	keyFile := flag.String("key-file", "", "Path to the server key file")
	port := flag.String("port", "1323", "Port for the server to listen on")
	watchEnable := flag.Bool("watch-enable", true, "Enable fanotify watcher (Linux only)")
	watchMount := flag.Bool("watch-mount", false, "Use mount-wide marks for watcher")
	watchVerbose := flag.Bool("watch-verbose", false, "Verbose watcher logging")
	flag.Parse()

	// Initialize data store
	store, err := memory.NewStore()
	if err != nil {
		log.Fatalf("Failed to initialize store: %v", err)
	}
	/* for gorm db on sqlite
	store, err := gorm.NewStore()
	if err != nil {
		log.Fatalf("Failed to initialize store: %v", err)
	}
	*/
	// Initialize services
	scanSvc := scanService.NewService(store)

	// Initialize services
	secretsSvc := secretsvc.NewService(scanSvc)

	// Initialize job runner
	scanner := jobs.NewScanner(scanSvc)

	// Initialize fanotify watcher (best-effort)
	var watchMgr *watcher.Manager
	if *watchEnable {
		var werr error
		watchMgr, werr = watcher.NewManager(scanSvc, watcher.Options{Mount: *watchMount, Verbose: *watchVerbose})
		if werr != nil {
			log.Printf("Watcher disabled: %v", werr)
			watchMgr = nil
		}
	} else {
		log.Printf("Watcher disabled by flag")
	}

	// Initialize handlers
	scanHdlr := scanHandler.NewHandler(scanSvc, scanner, watchMgr)
	err = scanner.Cleanup()
	if err != nil {
		log.Fatalf("Failed to cleanup: %v", err)
	}
	secretHdlr := secrets.NewHandler(secretsSvc, scanSvc)
	consHdlr := consumersHandler.NewHandler(scanSvc)

	// Echo instance
	e := echo.New()

	// Middleware
	// e.Use(middleware.Logger())
	e.Use(middleware.Recover())

	// Routes
	apiV1 := e.Group("/api/v1")

	// Scan routes
	apiV1.POST("/scan", scanHdlr.ScanHandler)
	apiV1.GET("/scan/:id", scanHdlr.ScanByIDHandler)

	// Secrets routes
	apiV1.POST("/secrets/:id/version", secretHdlr.CreateSecretVersionHandler)

	// Consumers routes
	apiV1.GET("/consumers", consHdlr.ListConsumersHandler)

	// Configure mTLS
	if *caFile != "" && *certFile != "" && *keyFile != "" {
		caCert, err := os.ReadFile(*caFile)
		if err != nil {
			log.Fatalf("Failed to read CA certificate: %v", err)
		}
		caCertPool := x509.NewCertPool()
		caCertPool.AppendCertsFromPEM(caCert)

		tlsConfig := &tls.Config{
			ClientCAs:  caCertPool,
			ClientAuth: tls.RequireAndVerifyClientCert,
			MinVersion: tls.VersionTLS12,
		}

		e.Server.TLSConfig = tlsConfig
		addr := ":" + *port
		// Start server with TLS
		e.Logger.Fatal(e.StartTLS(addr, *certFile, *keyFile))
	} else {
		addr := ":" + *port
		// Start server without TLS
		e.Logger.Fatal(e.Start(addr))
	}

	// Signal handler to stop watcher
	if watchMgr != nil {
		sigCh := make(chan os.Signal, 1)
		signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
		go func() {
			<-sigCh
			log.Printf("Stopping watcher...")
			watchMgr.Stop()
		}()
	}
}