Merge pull request #1 from ocraviotto/be_extended

Extended support to Mesos tasks

.editorconfig

@@ -0,0 +1,49 @@
+# unifying the coding style for different editors and IDEs => editorconfig.org
+
+; indicate this is the root of the project
+root = true
+
+###########################################################
+; common
+###########################################################
+
+[*]
+charset = utf-8
+
+end_of_line = LF
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+indent_style = space
+indent_size = 4
+
+###########################################################
+; make
+###########################################################
+
+[Makefile]
+indent_style = tab
+
+[makefile]
+indent_style = tab
+
+###########################################################
+; markdown
+###########################################################
+
+[*.md]
+trim_trailing_whitespace = false
+
+###########################################################
+; json, yml/yaml
+###########################################################
+
+[*.{json,yml,yaml}]
+indent_size = 2
+
+###########################################################
+; golang
+###########################################################
+
+[*.go]
+indent_style = tab

.travis.yml

@@ -1,21 +1,31 @@
 language: go
-sudo: false
+sudo: required
 os:
-  - linux
-  - osx
+- linux
+- osx
 go:
-  - 1.6.3
-
-# Deploy executables to Github release tags
+- 1.9.2
+services:
+- docker
+script:
+- make
+- if [ "$TRAVIS_TAG" != "" ] && [ "$TRAVIS_OS_NAME" == "linux" ]; then make docker;
+  fi
 deploy:
-  provider: releases
+- provider: releases
   api_key:
-    secure: JotH2XgNOyR2Pi+5NMQRS2t7VhMamxzhlxWf+pXC3hUUzeIKSTszX0DVtfgjKkLkJzoai9Y62kEUhEvOHEqdQN8hsE89mjbBVCTPpO0Jl0NNJ8HKbIlg0iY5vgMesQTO5LrSIQoYfILhGFVUqVvRPw/7CX7Y5wSV6ca4SvvruSSzyG2dEyehCR5TcPFJR/aH4DmO/I4AumPEA82uuv3naaGmFl1y45Q51jgUWWq2WvJK/i0pECWzSc6HtVUAvFvrypZKRu4L+EFC0DS8mSUa6lgEsUnp714/YnYM2zXqXy2vBZR/ZNZVN3/67BGpqaZeGmoKEH0l5cXzBdPTiuihneziI6v3E+CP6E/bhVTSiDKJw1yeA8E5fdotnjhvXVHAxftA182yh3TVPnDinn/QKgTsdtS4ofs99AOyqtaMGdIGp5WRDJsP/40bsy9uRApdrxiKqpSxWcSQndqs3x506fVcd2VnuITSIA9q4lM6d1x1pP74qtcGx175iI1TLt06wu59mnXC8Ba+uZh6ycY37Zsiqdvr1J+hJCUJrTMXDghFtrHSUhxOvVWtehQbG2VL53/NhvwCauwZLVJiiNmqZcppyWDww6Y7+zSNBPm9MIY0o/bgr3nCHSDRiQ3mhmauO12hab6svmPIhcDQ/n1lMpF4OgXbdWwlPCoGh/sZAYg=
-  file: "secretary-$(uname -s)-$(uname -m)"
+    secure: L2eddprJPdwL8NMsRZdHOjlRIkXX3sJtX4oDx14ZLN7XVKFzjXVxeaUWf28mK0SaY9tbjE7cJUUGE38vtkiYail5fp8Ji0Ta4o6rOzbO7TNsHiyl+IOPDzsTwcpdEDWHaR6zMNPsulEiK8PF9I9GYggyUaZ2UQdJK+XsAtUrmDKBOJYgad32O9u0Vzjd/8GQVpXGFLCQxsKFoSqYhbReh9/uJg2DST0nTtGqW8doUyklr/lCWDsxRNJJncEjT0IO0YKWrOOX5H2ZCljH9ojsbIZantLgawjYuypk0TuXpE/2S3Ei26+jf0XIWlZSPqkjbq0irztH9X+OZgICOvPI+iOr6LM9yXPTCvCfVxUv2tAed/rJU2TJB3sjrENSVGmA7IByCn5BZznShpIt2hMYq83y75N2NGxvCgYae69rqR/B25tj30uTtLbObaCoObESiQ5Va/z+1BpgWVVJaFenrxHv0Jq1yw8oiHrYOhIJQ4Y7POkO85/gNC2VcHzC2gl80NFY2UyGWEfE1AL5++FguGCQy+9s2dzkIlXops1+ViamQSR8y+TxM7KRRGFM5niay4SzVhlcQ/5zoZjl1Ft3T2sVA/Ol+kTKXTymdCGVne8h6nnO5gL9AyxynOXDeoflxOsGV64ytkF3/9k6ffpAgtiUTyfBlqmj0lh+ixCh4xY=
+  file: secretary-$(uname -s)-$(uname -m)
   skip_cleanup: true
   on:
     tags: true
-
-# Code coverage for master branch using https://codecov.io/github/mikljohansson/secretary
+    repo: ocraviotto/secretary
 after_success:
-  - if [ "$TRAVIS_TAG" == "" ] && [ "$TRAVIS_OS_NAME" == "linux" ]; then bash <(curl -s https://codecov.io/bash); fi
+- if [ "$TRAVIS_TAG" == "" ] && [ "$TRAVIS_OS_NAME" == "linux" ]; then bash <(curl
+  -s https://codecov.io/bash); fi
+- if [ "$TRAVIS_TAG" != "" ] && [ "$TRAVIS_OS_NAME" == "linux" ]; then docker login
+  -u $DOCKER_USERNAME -p $DOCKER_PASSWORD ; make docker-push ; fi
+env:
+  global:
+  - secure: P0pp9CJXAsik45wRoOXuRBdIbyseXllkJrEZjTV3zuT8ebL7RShc37jsHK3MTeicv9JDVFTkCNrjrquV0rlmTE1tfMYSNMniWUZ/Wovyw9IoTN+dFbK3F3qxjpC8PxEm9xNRLCVvsWZ95KHHAkGZYDvLLTxBvvYWpGT/+wFcabI7cF2yXqpmh+3aUtfET4fcTRaOPHWo1n40gCDFqQTOj/91wuPsJB4QGYb5wuWwHFO5ATGseycz01yKdI7NVL280+Ab3SNX6aqEarqGYN97HKeGNZ3f81UejOoHYXpNo3/cevTbDINtfeu0GF0RLS7QBxAZjcgHBHf904kZtC4iYtE+Kw2H83fZ++kl/MgVdvc/BOIsDY25w4bkc0XZh+uSlcdLmpWlTCf1EchmnNm2HlZ1g/jVkTlwr8qcCah4L2VJWyAOopkzLhZw/QAnUny2IeYPPx2IVLkbOBiV3TC4MjuK1JKgijECqch8sOVaOu7hhPKBrkcpX46/cGRvMgDeANsjXJ5wem2a559pNc5cOYUFtepdBDH6Eux+zPLlE4p63MdlLvSEUSWL8n2iVYz1oTSrg48g8Vmnid0aRXbm023RPptbEGIDZCnLcahhOo2UZPDWh9qRu6iYDPEbXuO5CDBwJXGTyxJ4UMD4g8EPAfo6QN4W1dw1RACrS/eoBn4=
+  - secure: n1QRfncqyxUrhA8izqiVf2JfWvE09yhEs0JLtwuSKgYHRmnPzGwwaqUzOkpB/pt5i12yvOHZChVqbJyiSIunbFdweY3Wh1sPvkqARRZoNf30Pu+sqJsAuA6MzPRw+x2uo4YVzMj8EiwZVfUrXqxhdj7lithxcnC4SOtwRfi5cYQ/duzQgWtzPMXg/tomtNe20AW1QsA5UHVoeiUumz0yp0qVVCFD8UEFF4UD4YOk7GEI4orLHCS5Ie724qyus8SuROVtBEnzZ/kxqPEiwgJyeHVemHACRtGxAPlb6ZkRYjTGzcEMhyKAze673hri/PgYbLT0gddGtkzu+C4dm9aPBEagdDozncjaCmqQYogJPuk9OFORnMPuk1J3bqmx9VApZ3WQKIbUs8SXfPQ2lr2/LDhhpSVrMA/8OPP5KTxnigM3GYDCJvClMWy1UZsNZ4CGRQLWZZfZ14lmbr7l3eD3V38DLMeVqokSAJ4Qh0yOtBx7Cf5DiEKeRxtYvUrvoAiHK3ZXixK3zEpq4mIXr0RoKKcIYkkLZ5q2XF+bP76h6iWjO1ymUrHxS6rcz6kdC0t8IRzG5Tloi8ITuJytcrQvv8WDwY57SQ1DD7c3rPzUGOr8ozN1snldSX7VHYNF0ncozucesXGh2FFxJcOUFi2Ew9ZN9TeSOQ6Tfur/o/r4tLk=

Dockerfile

@@ -1,8 +1,31 @@
-FROM golang:onbuild
+FROM alpine:3.7
 
-WORKDIR /
+ENV DUMB_INIT_VERSION 1.2.1
+
+RUN addgroup secretary && \
+    adduser -S -G secretary secretary
+
+COPY launch.sh /
+COPY secretary-Linux-x86_64 /usr/bin/secretary
+
+# Set up certificates, base tools, dumb-init and secretary.
+RUN apk add --no-cache ca-certificates openssl curl bash && \
+    wget -O /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_amd64 && \
+    chmod +x /usr/bin/secretary /usr/bin/dumb-init && \
+    mkdir -p /secretary/keys && \
+    chmod 0700 /secretary/keys && \
+    chown secretary:secretary /launch.sh && \
+    chown -R secretary:secretary /secretary && \
+    apk del openssl && \
+    rm -rf /var/cache/apk/*
+
+USER secretary
+
+WORKDIR /secretary
 VOLUME /keys
 
-ADD launch.sh /
+EXPOSE 5070
+
 ENTRYPOINT ["/launch.sh"]
-CMD ["daemon"]
+CMD ["secretary", "daemon"]
+

Makefile

@@ -30,6 +30,9 @@ clean:
 	rm -f ./secretary
 
 docker:
-	docker build -t meltwater/secretary:latest .
+	docker build -t comptel/secretary:${VERSION} .
+
+docker-push:
+	docker push comptel/secretary:${VERSION}
 
 .PHONY: tools deps fmt build test lint clean

README.md

@@ -1,7 +1,10 @@
 # Secretary
-[![Travis CI](https://img.shields.io/travis/meltwater/secretary/master.svg)](https://travis-ci.org/meltwater/secretary)
-[![Coverage Status](http://codecov.io/github/meltwater/secretary/coverage.svg?branch=master)](http://codecov.io/github/meltwater/secretary?branch=master)
-[![Go Report Card](https://goreportcard.com/badge/github.com/meltwater/secretary)](https://goreportcard.com/report/github.com/meltwater/secretary)
+[![Travis CI](https://img.shields.io/travis/ocraviotto/secretary/master.svg)](https://travis-ci.org/ocraviotto/secretary)
+[![Coverage Status](http://codecov.io/github/ocraviotto/secretary/coverage.svg?branch=master)](http://codecov.io/github/ocraviotto/secretary?branch=master)
+[![Go Report Card](https://goreportcard.com/badge/github.com/ocraviotto/secretary)](https://goreportcard.com/report/github.com/ocraviotto/secretary)
+
+## NOTE: 
+This is a Fork of [Meltwater's Secretary](https://github.com/meltwater/secretary/) extended to support mesos tasks. It is WIP and eventually I will try to have it merged upstream (not sure when, if at all, there is an [old PR](https://github.com/meltwater/secretary/pull/22) still pending from early October last year and I need to get in touch with the authors as there has been little activity over the past half a year). On the meantime, we'll develop and will publish to the Docker Hub public repo [comptel/secretary](https://hub.docker.com/r/comptel/secretary/)
 
 [Secretary](https://en.wikipedia.org/wiki/Secretary#Etymology) helps solve the problem of
 secrets distribution and authorization in highly dynamic container and VM environments.
@@ -23,7 +26,8 @@ local NaCL keys or by calling the AWS Key Management Service.
 In Mesos clusters it may not be desirable to have all slave nodes hold master keys or access KMS
 directly. A container would instead call `secretary daemon` which authenticates its signature and
 performs the decryption in a central place. The `secretary daemon` queries [Marathon](https://mesosphere.github.io/marathon/)
-to retrieve a containers public keys and determine what secrets it may access.
+or the [Mesos Opoerator API](http://mesos.apache.org/documentation/latest/operator-http-api/)
+to retrieve a containers/task public keys and determine what secrets it may access.
 
 Encryption is done at configuration time through public keys or by calling KMS. This
 enables delegation of secrets management to non-admin users and help keep configuration, secrets
@@ -48,11 +52,10 @@ service instances.
 
 - *deploy* key pair is used to control what service can access what secrets, and
   to authenticate services at runtime. It is generated automatically at deployment
-  time for each service, and is part of the Marathon app config. When using
-  [Lighter](https://github.com/meltwater/lighter) it will generate this key pair
-  automatically.
+  time for each service, and is part of the Marathon app config (Env) or the Mesos
+  task json representation (as a Label).
 
-  Access to the Marathon REST API should be restricted to avoid reading out the
+  Access to the Marathon/Mesos APIs should be restricted to avoid reading out the
   *deploy* private keys, and not to mention prevent anyone from starting containers
   with `--privileged --volume=/:/host-root`.
 
@@ -229,7 +232,7 @@ environment variables, before starting the actual service.
 ```
 # Install secretary
 ENV SECRETARY_VERSION x.y.z
-RUN curl -fsSLo /usr/bin/secretary "https://github.com/meltwater/secretary/releases/download/${SECRETARY_VERSION}/secretary-`uname -s`-`uname -m`" && \
+RUN curl -fsSLo /usr/bin/secretary "https://github.com/ocraviotto/secretary/releases/download/${SECRETARY_VERSION}/secretary-`uname -s`-`uname -m`" && \
     chmod +x /usr/bin/secretary
 ```
 
@@ -271,7 +274,7 @@ The complete decryption sequence could be described as
 
 ## Installation
 Place a `secretary` script in the root of your configuration repo. Replace the SECRETARY_VERSION with
-a version from the [releases page](https://github.com/meltwater/secretary/releases).
+a version from the [releases page](https://github.com/ocraviotto/secretary/releases).
 
 ```
 #!/bin/bash
@@ -284,7 +287,7 @@ SECRETARY="$BASEDIR/target/secretary-`uname -s`-`uname -m`-${SECRETARY_VERSION}"
 
 if [ ! -x "$SECRETARY" ]; then
     mkdir -p $(dirname "$SECRETARY")
-    curl -sSfLo "$SECRETARY" https://github.com/meltwater/secretary/releases/download/${SECRETARY_VERSION}/secretary-`uname -s`-`uname -m`
+    curl -sSfLo "$SECRETARY" https://github.com/ocraviotto/secretary/releases/download/${SECRETARY_VERSION}/secretary-`uname -s`-`uname -m`
     chmod +x "$SECRETARY"
 fi
 
@@ -411,12 +414,12 @@ specific KMS keys.
 When using [CoreOS cloud-config](https://coreos.com/os/docs/latest/cloud-config.html) and passing secrets
 in the user-data section.
 
-In the examples replace the SECRETARY_VERSION with a version from the [releases page](https://github.com/meltwater/secretary/releases).
+In the examples replace the SECRETARY_VERSION with a version from the [releases page](https://github.com/ocraviotto/secretary/releases).
 You also need to replace the `e59c5534e4e6fb3c2ad0d3c075d9e2fa664889b9` sha1sum with one that is calculated
 from the exact version you intend to use. This can be done like
 
 ```
-curl -sSL https://github.com/meltwater/secretary/releases/download/${SECRETARY_VERSION}/secretary-Linux-x86_64 | sha1sum -
+curl -sSL https://github.com/ocraviotto/secretary/releases/download/${SECRETARY_VERSION}/secretary-Linux-x86_64 | sha1sum -
 ```
 
 #### Embedded Secretary binary
@@ -503,7 +506,7 @@ coreos:
       # Download and verify signature of secretary binary
       ExecStartPre=/bin/sh -c '\
         if [ ! -f /tmp/secretary ]; then \
-          curl -sSLo /tmp/secretary https://github.com/meltwater/secretary/releases/download/${SECRETARY_VERSION}/secretary-Linux-x86_64 && \
+          curl -sSLo /tmp/secretary https://github.com/ocraviotto/secretary/releases/download/${SECRETARY_VERSION}/secretary-Linux-x86_64 && \
           chmod +x /tmp/secretary; \
         fi'
       ExecStartPre=/bin/sh -c 'echo e59c5534e4e6fb3c2ad0d3c075d9e2fa664889b9 /tmp/secretary | sha1sum -c -'

client.go

@@ -13,7 +13,7 @@ type EncryptionStrategy interface {
 
 // DecryptionStrategy is a generic decryption mechanism
 type DecryptionStrategy interface {
-	Decrypt(envelope string) ([]byte, error)
+	Decrypt(envelope, optionalName string) ([]byte, error)
 }
 
 // CompositeDecryptionStrategy multiplexes other decryption strategies {NACL, KMS}
@@ -22,13 +22,13 @@ type CompositeDecryptionStrategy struct {
 }
 
 // Decrypt decrypts an envelope
-func (k *CompositeDecryptionStrategy) Decrypt(envelope string) ([]byte, error) {
+func (k *CompositeDecryptionStrategy) Decrypt(envelope, optionalName string) ([]byte, error) {
 	// Get the type of encryption {NACL, KMS}
 	envelopeType := extractEnvelopeType(envelope)
 	strategy := k.Strategies[envelopeType]
 
 	if strategy != nil {
-		return strategy.Decrypt(envelope)
+		return strategy.Decrypt(envelope, optionalName)
 	}
 
 	return nil, fmt.Errorf("Not configured for decrypting ENC[%s,..] values", envelopeType)
@@ -63,7 +63,7 @@ type KeyDecryptionStrategy struct {
 }
 
 // Decrypt decrypts an envelope
-func (k *KeyDecryptionStrategy) Decrypt(envelope string) ([]byte, error) {
+func (k *KeyDecryptionStrategy) Decrypt(envelope, optionalName string) ([]byte, error) {
 	return decryptEnvelope(k.PublicKey, k.PrivateKey, envelope)
 }
 
@@ -86,10 +86,10 @@ func newDaemonDecryptionStrategy(
 }
 
 // Decrypt decrypts an envelope
-func (r *DaemonDecryptionStrategy) Decrypt(envelope string) ([]byte, error) {
+func (r *DaemonDecryptionStrategy) Decrypt(envelope, optionalName string) ([]byte, error) {
 	message := DaemonRequest{
 		AppID: r.AppID, AppVersion: r.AppVersion, TaskID: r.TaskID,
-		RequestedSecret: envelope,
+		RequestedSecret: envelope, Key: optionalName,
 	}
 	encoded, err := json.Marshal(message)
 	if err != nil {