authorMitchell Riedstra <mitch@riedstra.dev>2022-11-20 21:29:58 -0500
committerMitchell Riedstra <mitch@riedstra.dev>2022-11-20 21:29:58 -0500
commitab45446a7285c575c126db0acc3ec322b4fc7eb8 (patch)
tree45621ff77b3bc6702100dcdd50f53805694e9132
parent0feed1f952385b6b041805db01012e5e4140f258 (diff)
SSM support WIP, I moved to a go backend in a different repossm
-rw-r--r--Makefile3
-rwxr-xr-xdpw-ssm112
2 files changed, 114 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index baffd11..c283e96 100644
--- a/Makefile
+++ b/Makefile
@@ -9,8 +9,9 @@ install:
install -m 755 dpw $(PREFIX)/bin/dpw
install -m 755 dpw-gpg $(PREFIX)/bin/dpw-gpg
install -m 755 dpw-age $(PREFIX)/bin/dpw-age
+ install -m 755 dpw-ssm $(PREFIX)/bin/dpw-ssm
install -m 755 dpw-menu $(PREFIX)/bin/dpw-menu
uninstall:
rm "$(PREFIX)/bin/dpw" "$(PREFIX)/bin/dpw-gpg" "$(PREFIX)/bin/dpw-menu" \
- "$(PREFIX)/bin/dpw-menu"
+ "$(PREFIX)/bin/dpw-ssm" "$(PREFIX)/bin/dpw-menu"
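Review bot: The rewritten `uninstall` line still lists dpw-menu twice (once on the unchanged line above and again on the added line) and still never removes dpw-age, which `install` copies into place on the line just above the added dpw-ssm install line. Because the recipe uses plain `rm`, the second dpw-menu path fails with "No such file or directory" after the first occurrence removed it, so `make uninstall` exits non-zero even on a clean run. Replace the two lines with `$(RM) "$(PREFIX)/bin/dpw" "$(PREFIX)/bin/dpw-gpg" "$(PREFIX)/bin/dpw-age" \` and `"$(PREFIX)/bin/dpw-ssm" "$(PREFIX)/bin/dpw-menu"`. Both the `install` and `uninstall` rules start before this hunk, so whether they are declared `.PHONY` cannot be seen here.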
diff --git a/dpw-ssm b/dpw-ssm
new file mode 100755
index 0000000..34bfc2c
--- /dev/null
+++ b/dpw-ssm
@@ -0,0 +1,112 @@
+#!/bin/sh
+# Copyright 2022 Mitchell Riedstra
+#
+# Permission to use, copy, modify, and/or distribute this software for any purpose
+# with or without fee is hereby granted, provided that the above copyright notice
+# and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+# FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+# THIS SOFTWARE.
+#
+# This DPW storage plugin is backed to the AWS parameter store / SSM.
+# This uses SecureString by default. You can optionally set an environment
+# variable to specify a particular KMS key.
+#
+# The environment variable DPW_SSM_PREFIX can be used to prefix all keys
+# with a specific identifier
+#
+# You can configure this client to use a non default KMS key with the
+# environment variable DPW_KMS_KEY=<key-id>
+#
+# Configuration of the AWS calls should be done through environment variables
+# Most notable are:
+#
+# AWS_PROFILE
+# AWS_DEFAULT_REGION
+# AWS_ACCESS_KEY_ID
+# AWS_SECRET_ACCESS_KEY
+#
+# Full docs:
+# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+set -e
+# set -x
+
+UMASK="${PASSWORD_STORE_UMASK:-077}"
+umask "$UMASK"
+
+# Interface
+
+show() {
+pth="$1"; shift
+#shellcheck disable=SC2086
+aws ssm get-parameter --with-decryption --name "${DPW_SSM_PREFIX}$pth" \
+ | jq -r '.Parameter | .Value' \
+ | base64 -d
+}
+
+
+insert() {
+pth="$1"; shift
+
+tmpdir=/dev/shm
+if ! [ -d "$tmpdir" ] ; then
+ printf "Your system does not have /dev/shm, continue? [Yy] "
+ read -r resp
+ ok=0
+ case $resp in
+ Y*|y*) ok=1
+ esac
+ echo ""
+ [ $ok -eq 0 ] && return
+ tmpdir=/tmp
+fi
+_f="$(mktemp "${tmpdir}/dpw.XXXXXXXXXX")"
+base64 > "$_f"
+if [ -n "$DPW_KMS_KEY" ] ; then
+ aws ssm put-parameter \
+ --key-id "$DPW_KMS_KEY" \
+ --type SecureString \
+ --name "${DPW_SSM_PREFIX}$pth" \
+ --value "$(cat "$_f")"
+else
+ aws ssm put-parameter \
+ --type SecureString \
+ --name "${DPW_SSM_PREFIX}$pth" \
+ --value "$(cat "$_f")"
+fi
+rm "$_f"
+}
+
+list() {
+if [ -z "$DPW_SSM_PREFIX" ] ; then
+ aws ssm describe-parameters | jq -r '.Parameters | .[] | .Name'
+else
+ aws ssm describe-parameters | jq -r '.Parameters | .[] | .Name' \
+ | sed -n -e"s/^$DPW_SSM_PREFIX//gp"
+fi
+}
+
+remove() {
+pth="$1"; shift
+aws ssm delete-parameter --name "${DPW_SSM_PREFIX}$pth"
+}
+
+_init() {
+echo "No initialization needed"
+}
+
+act="$1"; shift
+case $act in
+ show) show "$@" ;;
+ list) list "$@" ;;
+ insert) insert "$@" ;;
+ rm) remove "$@" ;;
+ init) _init "$@" ;;
+ *) echo "Bad command $act"; exit 1; ;;
+esac
+
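Review bot: In `insert`, both put-parameter branches pass the secret on the aws command line via `--value "$(cat "$_f")"`, so for the duration of the call any local user can read it from the process list, which defeats the point of staging it in /dev/shm; the AWS CLI reads a parameter value from a file with `--value "file://$_f"`, keeping it out of argv. Under the script's `set -e` a failed put-parameter also exits before `rm "$_f"` runs, leaving the plaintext in the temp dir, so register `trap 'rm -f "$_f"' EXIT` right after the mktemp line. The /dev/shm fallback prompt's `read -r resp` reads the same stdin that `base64 > "$_f"` later expects the secret on, so the first line of the secret becomes the answer; read the confirmation from the terminal with `read -r resp < /dev/tty` and exit non-zero on decline instead of the bare `return`, which currently lets the dispatcher report success without storing anything. Separately, `list` splices DPW_SSM_PREFIX into a sed expression that uses `/` as its delimiter, so a hierarchical prefix such as `/dpw/` produces a sed syntax error; filtering server-side with `--parameter-filters "Key=Name,Option=BeginsWith,Values=$DPW_SSM_PREFIX"` and stripping in jq with `jq -r --arg p "$DPW_SSM_PREFIX" '.Parameters[].Name | ltrimstr($p)'` avoids the quoting problem entirely.
```shell
insert() {
pth="$1"; shift
# … unchanged: tmpdir selection and /dev/shm fallback prompt (with read -r resp < /dev/tty) …
_f="$(mktemp "${tmpdir}/dpw.XXXXXXXXXX")"
# Remove the staged plaintext even when put-parameter fails under set -e.
trap 'rm -f "$_f"' EXIT
base64 > "$_f"
# file:// keeps the value out of argv, where other local users could read it.
if [ -n "$DPW_KMS_KEY" ] ; then
    aws ssm put-parameter \
        --key-id "$DPW_KMS_KEY" \
        --type SecureString \
        --name "${DPW_SSM_PREFIX}$pth" \
        --value "file://$_f"
else
    aws ssm put-parameter \
        --type SecureString \
        --name "${DPW_SSM_PREFIX}$pth" \
        --value "file://$_f"
fi
}
```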