Add support to read a password from an

encrypted file
2026-02-10 18:07:44 +00:00 · 2025-06-13 08:36:49 +02:00 · 2025-06-13 08:36:49 +02:00 · 7e45223caa
commit 7e45223caa
parent 9c19289790
2 changed files with 82 additions and 15 deletions
--- a/cmd/auth/config/configuration.go
+++ b/cmd/auth/config/configuration.go
@ -5,6 +5,10 @@ import (
 	"github.com/knadh/koanf/providers/confmap"
 	"github.com/knadh/koanf/providers/file"
 	"github.com/knadh/koanf/v2"
+    "crypto/aes"
+    "crypto/cipher"
+    "encoding/hex"
+    "io/ioutil"
 	"log"
 	"os"
 )
@ -14,29 +18,91 @@ type Configuration struct {
 }

 type UserConfig struct {
-	Username             string   `koanf:"username"`
-	Password             string   `koanf:"password"`
+	Username string `koanf:"username"`
+	Password string `koanf:"password"`
+	Path     string `koanf:"path"`
 }

 var Conf Configuration

 func Load(configFile string) Configuration {

-	var k = koanf.New(".")
+    var k = koanf.New(".")

-	k.Load(confmap.Provider(map[string]interface{}{}, "."), nil)
+    k.Load(confmap.Provider(map[string]interface{}{}, "."), nil)

-	if _, err := os.Stat(configFile); os.IsNotExist(err) {
-		log.Printf("Config file %s not found, skipping config file", configFile)
-	} else {
-		if err := k.Load(file.Provider(configFile), yaml.Parser()); err != nil {
-			log.Fatalf("Error loading config from file: %v", err)
-		}
+    if _, err := os.Stat(configFile); os.IsNotExist(err) {
+        log.Printf("Config file %s not found, skipping config file", configFile)
+    } else {
+        if err := k.Load(file.Provider(configFile), yaml.Parser()); err != nil {
+            log.Fatalf("Error loading config from file: %v", err)
+        }
+    }
+
+    koanfTag := koanf.UnmarshalConf{Tag: "koanf"}
+    k.UnmarshalWithConf("Users", &Conf.Users, koanfTag)
+
+    var password, path string
+    if len(Conf.Users) > 0 {
+        password = Conf.Users[0].Password
+        path = Conf.Users[0].Path
+        // log.Printf("Password from Conf: %s", password)
+        // log.Printf("Path from Conf: %s", path)
+
+        decrypted, err := DecryptFileContent(path, password)
+        if err != nil {
+            log.Printf("Failed to decrypt file: %v", err)
+        } else {
+            // log.Printf("Decrypted file content: %s", decrypted)
+			Conf.Users[0].Password = decrypted
+        }
+    } else {
+        log.Printf("No users found in configuration")
+    }
+
+    // Log the loaded configuration to the console
+    // log.Printf("Loaded configuration: %+v", Conf)
+
+    return Conf
+}
+
+func DecryptFileContent(path, passphrase string) (string, error) {
+    encryptedData, err := ioutil.ReadFile(path)
+    if err != nil {
+        return "", err
+    }
+    // log.Printf("Loaded secret: %s", encryptedData)
+    // log.Printf("Encryption key: %s", passphrase)
+
+	keyBytes := []byte(passphrase)
+	if len(keyBytes) != 32 {
+		log.Printf("Key must be 32 bytes long for AES-256: %d bytes provided", len(keyBytes))
+		return "", err
 	}

-	koanfTag := koanf.UnmarshalConf{Tag: "koanf"}
-	k.UnmarshalWithConf("Users", &Conf.Users, koanfTag)
+    block, err := aes.NewCipher(keyBytes)
+	if err != nil {
+		log.Printf("Error creating AES block cipher: %s", err)
+		return "", err
+	}

-	return Conf
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		log.Printf("Error setting GCM mode: %s", err)
+		return "", err
+	}

+	decodedCipherText, err := hex.DecodeString(string(encryptedData))
+	if err != nil {
+		log.Printf("Error decoding HEX: %s", err)
+		return "", err
+	}
+
+	decryptedData, err := gcm.Open(nil, decodedCipherText[:gcm.NonceSize()], decodedCipherText[gcm.NonceSize():], nil)
+	if err != nil {
+		log.Printf("Error decrypting data: %s", err)
+		return "", err
+	}
+
+    return string(decryptedData), nil
 }
--- a/go.mod
+++ b/go.mod
@ -1,7 +1,8 @@
 module github.com/bolkedebruin/rdpgw

-go 1.22
-toolchain go1.24.1
+go 1.23.0
+
+toolchain go1.24.3

 require (
 	github.com/bolkedebruin/gokrb5/v8 v8.5.0