From e1a9944082b339a3550f75480ecf564ec22a61e3 Mon Sep 17 00:00:00 2001
From: svkalinin <svkalinin@samsonpost.ru>
Date: Wed, 10 Jul 2024 12:55:19 +0300
Subject: [PATCH] =?UTF-8?q?vault-wrap:=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2?=
 =?UTF-8?q?=D0=BB=D0=B5=D0=BD=D0=B0=20=D1=80=D0=B0=D0=B1=D0=BE=D1=87=D0=B0?=
 =?UTF-8?q?=D1=8F=20=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83=D1=80=D0=B0?=
 =?UTF-8?q?=D1=86=D0=B8=D1=8F=20traefik?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Dockerfile                      |  2 ++
 docker-compose.yml              | 37 +++++++++++++++++++++++++++++++++
 entrypoint.sh                   |  2 +-
 html-template/index.html        | 21 +++++++++++--------
 traefik-files/certificates.yaml | 12 +++++++++++
 traefik-files/traefik.yml       | 30 ++++++++++++++++++++++++++
 vault.go                        | 35 +++++++++++++++++++++++--------
 7 files changed, 120 insertions(+), 19 deletions(-)
 create mode 100644 traefik-files/certificates.yaml
 create mode 100644 traefik-files/traefik.yml

diff --git a/Dockerfile b/Dockerfile
index a814719..87bb10a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,8 +4,10 @@ RUN apk --no-cache add gcc g++ make git
 WORKDIR /go/src/app
 
 COPY . .
+
 RUN go get ./...
 RUN GOOS=linux go build -ldflags="-s -w" -o ./bin/vault-wrap ./vault.go
+
 FROM alpine:3.20
 RUN apk add tzdata
 #RUN apk --no-cache add ca-certificates
diff --git a/docker-compose.yml b/docker-compose.yml
index 0d38d20..146fcea 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,7 @@ services:
     environment:
       - ACTION_ADDRESS=${ACTION_ADDRESS}
       - VAULT_ADDRESS=${VAULT_ADDRESS}
+      - LISTEN_PORT=443
       - TLS_KEY_FILE=${TLS_KEY_FILE}
       - TLS_CERT_FILE=${TLS_CERT_FILE}
       - TZ=Europe/Moscow
@@ -22,6 +23,42 @@ services:
         max-size: "10m"
         max-file: "5"
 
+  traefik:
+    image: traefik:v3.0
+    command:
+#      - --entrypoints.web.address=:80
+#      - --entrypoints.web-secure.address=:443
+#      - --providers.docker=true
+      - --providers.file.directory=/configuration/
+      - --providers.file.watch=true
+    volumes:
+      - ./configuration/:/configuration/
+      - ./traefik.yml:/traefik.yml:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./ssl/:/ssl/:ro
+    ports:
+      - 80:80
+      - 8080:8080
+      - 888:888
+      - 443:443
+    restart: always
+    networks:
+      - default
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`runner1-prod.corp.samsonopt.ru`)"
+      - "traefik.http.routers.traefik.tls=true"
+#      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
+
+networks:
+  default:
+    name: reverse-proxy
+    external: true
+
+
 volumes:
   vault-wrap-log:
   vault-wrap-conf:
diff --git a/entrypoint.sh b/entrypoint.sh
index 2f0ae4f..099470f 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,7 +2,7 @@
 set -u
 
 while true ;do
-    /go/bin/vault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log
+    /go/binv/ault-wrap -action-address "${ACTION_ADDRESS}" -vault-url "${VAULT_ADDRESS}" -tls-cert "/usr/local/share/vault-wrap/${TLS_CERT_FILE}" -tls-key "/usr/local/share/vault-wrap/${TLS_KEY_FILE}" -template-dir /usr/local/share/vault-wrap -log-file /var/log/vault-wrap/vault-wrap.log -listen-port "${LISTEN_PORT}"
 
     sleep 120
 done
diff --git a/html-template/index.html b/html-template/index.html
index e4a773f..a777ff2 100644
--- a/html-template/index.html
+++ b/html-template/index.html
@@ -4,26 +4,29 @@
         <meta charset="utf-8">
         <meta name="viewport" content="width=device-width, initial-scale=1.0">
         <title>Data Unwrap Form</title>
-        <!-- <link rel="stylesheet" href="css/normalize.css">
-            <link href="https://fonts.googleapis.com/css?family=Lato:300,400,700" rel="stylesheet">
-            <link rel="stylesheet" href="css/main.css"> -->
-    </head>
+        </head>
     <body>
     <table>
       <tr><td>
-      <a href={{.URL}}/unwrap>Расшифровать</a> |
-      <a href={{.URL}}/genpassword>Сгенерировать пароль</a>
+      <!-- <a href={{.URL}}/unwrap>Расшифровать</a> |
+      <a href={{.URL}}/genpassword>Сгенерировать пароль</a>-->
       <tr><td><p></p></td></tr>
       <tr><td>
-      <form method="post" action="{{.URL}}/unwrap">
+      <form method="post">
       <table>
           <tr><td>
               <textarea id="wrapped_token" name="input_token" cols=50 rows=10>{{ .TEXT }}</textarea>
           </td></tr>
           <tr><td align=right>
-              <button type="submit">Расшифровать</button>
+              <button type="submit" formaction="{{.URL}}/unwrap">Расшифровать</button>
+          <tr><td><hr></td></tr>
           </td></tr>
-      </form>
+          <tr><td align=right>
+              Длина пароля (от 15 до 1024)
+              <input type="text" name="passlength"/ size=4 pattern="[0-9]{2,4}">
+              <button type="submit" formaction="{{.URL}}/genpassword">Сгенерировать пароль</button>
+          </td></tr>
+          </form>
       </td></tr>
       <tr><td>
       </td></tr>
diff --git a/traefik-files/certificates.yaml b/traefik-files/certificates.yaml
new file mode 100644
index 0000000..f555e91
--- /dev/null
+++ b/traefik-files/certificates.yaml
@@ -0,0 +1,12 @@
+# Dynamic configuration
+# in configuration/certificates.yaml
+tls:
+  certificates:
+    # first certificate
+    - certFile: /ssl/runner1-prod.corp.samsonopt.ru.crt
+      keyFile: /ssl/runner1-prod.corp.samsonopt.ru.key
+
+    # second certificate
+    #- certFile: /path/to/other.cert
+    #  keyFile: /path/to/other.key
+
diff --git a/traefik-files/traefik.yml b/traefik-files/traefik.yml
new file mode 100644
index 0000000..ca87039
--- /dev/null
+++ b/traefik-files/traefik.yml
@@ -0,0 +1,30 @@
+api:
+  dashboard: true
+  insecure: true
+
+accessLog: {}
+
+log:
+  level: INFO
+
+entryPoints:
+  http:
+    address: ":80"
+  https:
+    address: ":443"
+  dashboard:
+    address: ":888"
+
+http:
+  routers:
+    host:
+      entryPoints:
+      - http
+      rule: Host(`corp.samsonopt.ru`)
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /configuration/certificates.yaml
diff --git a/vault.go b/vault.go
index cd69a71..a425972 100644
--- a/vault.go
+++ b/vault.go
@@ -195,24 +195,38 @@ func getDataFromHtmlForm(w http.ResponseWriter, r *http.Request) {
 }
 
 func genPassword(w http.ResponseWriter, r *http.Request) {
-	params := mux.Vars(r)
-	passLength := params["passLength"]
+	// params := mux.Vars(r)
+	// passLength := params["passLength"]
+
+    r.ParseForm()
+    passLength := r.FormValue("passlength")
+    if Debug {
+	    log.Printf(r.FormValue("passlength"), passLength)
+    }
+    if len(passLength) == 0 {
+        passLength = "32"
+    }
 	// w.Write([]byte("Длина пароля " + passLength + "/n"))
 	passwordLength, err := strconv.Atoi(passLength)
 	if passwordLength > 1024 {
 		log.Printf("Oversized password length")
-		w.Write([]byte("Oversized password length"))
+		Data = "Превышена длина пароля"
+        getStaticPage(w, r)
 		return
 	}
 	if err != nil {
-		log.Fatal(err)
+		log.Println(err)
 	}
 	res, err := password.Generate(passwordLength, 10, 5, false, true)
 	if err != nil {
-		log.Fatal(err)
+		log.Println(err)
 	}
-	log.Printf(res)
-	w.Write([]byte(res))
+    if Debug {
+	    log.Printf(res)
+    }
+    Data = res
+	// w.Write([]byte(res))
+    	getStaticPage(w, r)
 }
 
 func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
@@ -221,7 +235,10 @@ func genPasswordDefault(w http.ResponseWriter, r *http.Request) {
 		log.Fatal(err)
 	}
 	log.Printf(res)
-	w.Write([]byte(res))
+	// w.Write([]byte(res))
+    Data = res
+	// w.Write([]byte(res))
+    	getStaticPage(w, r)
 }
 
 func main() {
@@ -270,7 +287,7 @@ func main() {
     rtr := mux.NewRouter()
     rtr.HandleFunc("/unwrap", getDataFromHtmlForm)
     rtr.HandleFunc("/genpassword/{passLength:[0-9]+}", genPassword)
-    rtr.HandleFunc("/genpassword", genPasswordDefault)
+    rtr.HandleFunc("/genpassword", genPassword)
     
     rtr.HandleFunc("/", getDataFromHtmlForm)
     rtr.PathPrefix("/").Handler(http.FileServer(http.Dir("./static")))