Add static unseal as known seals mechanism

cmd/devbao/node_start.go

@@ -1,7 +1,10 @@
 package main
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"fmt"
+	"io"
 	"net/url"
 	"os"
 	"strings"
@@ -200,7 +203,7 @@ func ProdServerFlags() []cli.Flag {
 		&cli.StringSliceFlag{
 			Name:  "seals",
 			Value: nil,
-			Usage: "URI schemes of seals to add; can be specified multiple times. Use\n\t`http(s)://<TOKEN>@<ADDR>/<MOUNT_PATH>/keys/<KEY_NAME>` for Transit.",
+			Usage: "URI schemes of seals to add; can be specified multiple times. Use\n\t`http(s)://<TOKEN>@<ADDR>/<MOUNT_PATH>/keys/<KEY_NAME>` for Transit,\n\t`static://<key, optional>` for static.",
 		},
 	}
 
@@ -292,29 +295,45 @@ func RunNodeStartCommand(cCtx *cli.Context) error {
 			return fmt.Errorf("failed parsing seal's uri at index %d (`%v`): %w", index, seal, err)
 		}
 
-		// Assume transit.
-
-		if url.User == nil || url.User.Username() == "" {
-			return fmt.Errorf("malformed or missing user info: expected token in username for Transit: `%v`", url.User.String())
-		}
+		switch url.Scheme {
+		case "http", "https":
+			// Assume transit.
+			if url.User == nil || url.User.Username() == "" {
+				return fmt.Errorf("malformed or missing user info: expected token in username for Transit: `%v`", url.User.String())
+			}
 
-		token := url.User.Username()
-		addr := fmt.Sprintf("%v://%v", url.Scheme, url.Host)
+			token := url.User.Username()
+			addr := fmt.Sprintf("%v://%v", url.Scheme, url.Host)
 
-		if !strings.Contains(url.Path, "/keys/") {
-			return fmt.Errorf("malformed path: no `/keys/` segment: `%v`", url.Path)
-		}
+			if !strings.Contains(url.Path, "/keys/") {
+				return fmt.Errorf("malformed path: no `/keys/` segment: `%v`", url.Path)
+			}
 
-		parts := strings.Split(url.Path, "/keys/")
-		mount_path := strings.Join(parts[0:len(parts)-1], "/keys")
-		key_name := parts[len(parts)-1]
+			parts := strings.Split(url.Path, "/keys/")
+			mount_path := strings.Join(parts[0:len(parts)-1], "/keys")
+			key_name := parts[len(parts)-1]
 
-		opts = append(opts, &bao.TransitSeal{
-			Address:   addr,
-			Token:     token,
-			MountPath: mount_path,
-			KeyName:   key_name,
-		})
+			opts = append(opts, &bao.TransitSeal{
+				Address:   addr,
+				Token:     token,
+				MountPath: mount_path,
+				KeyName:   key_name,
+			})
+		case "static":
+			seal := &bao.StaticSeal{}
+			if url.Host != "" {
+				seal.CurrentKey = url.Host
+			} else {
+				data := make([]byte, 32)
+				if _, err := io.ReadFull(rand.Reader, data); err != nil {
+					return fmt.Errorf("failed to generate random key for static seal: %w", err)
+				}
+				seal.CurrentKey = hex.EncodeToString(data)
+			}
+			opts = append(opts, seal)
+		default:
+			return fmt.Errorf("unknown type of URL: %v", url.Scheme)
+		}
 	}
 
 	if audit {

go.mod

@@ -1,39 +1,39 @@
 module github.com/cipherboy/devbao
 
-go 1.22.0
+go 1.23.0
+
+toolchain go1.24.3
 
 require (
 	github.com/charmbracelet/bubbles v0.18.0
 	github.com/charmbracelet/bubbletea v0.25.0
 	github.com/charmbracelet/lipgloss v0.9.1
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/openbao/openbao/api/v2 v2.0.1
+	github.com/openbao/openbao/api/v2 v2.3.0
 	github.com/shirou/gopsutil/v3 v3.24.1
 	github.com/urfave/cli/v2 v2.27.1
 )
 
 require (
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
-	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
@@ -49,11 +49,11 @@ require (
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
 )