
WIP: added first logic for checking and saving Secret metadata.

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Co-authored-by: Amr Fawzy <amr.fawzy@container-solutions.com>
Co-authored-by: Adrienne Galloway <adrienne.galloway@engineerbetter.com>
Co-authored-by: Dominic Meddick <dom.meddick@engineerbetter.com>
Co-authored-by: William Young <will.young@engineerbetter.com>
Co-authored-by: Lilly Daniell <lilly.daniell@engineerbetter.com>
Gustavo Carvalho 3 лет назад
Родитель
Сommit
2f399f4eba
2 измененных файлов с 40 добавлено и 24 удалено
  1. 30 11
      pkg/provider/vault/vault.go
  2. 10 13
      pkg/provider/vault/vault_test.go

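--- a/pkg/provider/vault/vault.go
+++ b/pkg/provider/vault/vault.go
@@ -362,30 +362,49 @@ func (c *connector) ValidateStore(store esv1beta1.GenericStore) error {
 }
 
 func (v *client) SetSecret(ctx context.Context, value []byte, remoteRef esv1beta1.PushRemoteRef) error {
-	label := make(map[string]string)
-	label["managed-by"] = "external-secrets"
-	// remoteRef.GetRemoteKey() -> "foo"
-	secretRequest := vault.Secret{
-		Data: map[string]interface{}{remoteRef.GetRemoteKey(): string(value)},
-		Auth: &vault.SecretAuth{Metadata: label},
+	label := map[string]interface{}{
+		"custom_metadata": map[string]string{
+			"managed-by": "external-secrets",
+		},
+	}
+	secretToPush := map[string]interface{}{
+		"data": map[string]string{
+			remoteRef.GetRemoteKey(): string(value),
+		},
 	}
-
 	path := v.buildPath(remoteRef.GetRemoteKey())
+	metaPath, err := v.buildMetadataPath(remoteRef.GetRemoteKey())
+	if err != nil {
+		return err
+	}
 
 	// Retrieve the secret map from vault and convert the secret value in string form.
 	vaultSecret, err := v.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: path})
 	vaultSecretValue := string(vaultSecret[remoteRef.GetRemoteKey()])
+	// If error is not of type secret not found, we should error
+	if err != nil && !strings.Contains(err.Error(), "secret not found") {
+		return err
+	}
+	// If the secret exists (err == nil), we should check if it is managed by external-secrets
+	if err == nil {
+		metadata, err := v.readSecretMetadata(ctx, remoteRef.GetRemoteKey())
+		if err != nil {
+			return err
+		}
+		manager, ok := metadata["managed-by"]
+		if !ok || manager != "external-secrets" {
+			return fmt.Errorf("secret not managed by external-secrets")
+		}
+	}
 
 	// Retrieve the secret value to be pushed and convert it to string form.
-	secretToPush := secretRequest.Data
 	pushSecretValue := string(value)
 
 	if vaultSecretValue == pushSecretValue {
 		return nil
 	}
-
-	// If error is not of type secret not found, we should error
-	if err != nil && !strings.Contains(err.Error(), "secret not found") {
+	_, err = v.logical.WriteWithContext(ctx, metaPath, label)
+	if err != nil {
 		return err
 	}
 	// Otherwise, create or update the version.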
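Review bot: The ownership guard inside the `if err == nil` block only runs when the data read succeeded, so any read that the `strings.Contains(err.Error(), "secret not found")` match classifies as not-found skips it and the function proceeds straight to `v.logical.WriteWithContext(ctx, metaPath, label)` — on KV v2 a path whose latest version has been deleted still carries metadata, so if GetSecretMap reports that case as not-found this would relabel and then overwrite a secret that was never handed to external-secrets. That metadata write also appears to replace the entire `custom_metadata` map rather than merge into it (as far as I recall Vault's metadata endpoint does not merge), so any other custom keys an operator set on a managed secret are dropped on every push. I would read the metadata regardless of the data-read outcome, treat a missing-metadata response as "new secret", and refuse when metadata exists without the label; whether readSecretMetadata returns an error or an empty map for a missing path is not visible here, and none of the existing tests exercise the rejection branch, so a test with an existing unmanaged secret is worth adding. The data write that consumes `secretToPush` sits after the end of the hunk.
```go
	// Retrieve the secret map from vault and convert the secret value in string form.
	vaultSecret, err := v.GetSecretMap(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: path})
	if err != nil && !strings.Contains(err.Error(), "secret not found") {
		return err
	}
	vaultSecretValue := string(vaultSecret[remoteRef.GetRemoteKey()])
	// Check ownership from the metadata path even when the data read reported
	// not-found: a KV v2 secret whose latest version is deleted still has metadata.
	metadata, metaErr := v.readSecretMetadata(ctx, remoteRef.GetRemoteKey())
	if metaErr != nil && !strings.Contains(metaErr.Error(), "secret not found") {
		return metaErr
	}
	if len(metadata) > 0 {
		if manager, ok := metadata["managed-by"]; !ok || manager != "external-secrets" {
			return fmt.Errorf("secret not managed by external-secrets")
		}
	}
	// … unchanged: pushSecretValue comparison, metadata and data writes …
```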

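--- a/pkg/provider/vault/vault_test.go
+++ b/pkg/provider/vault/vault_test.go
@@ -38,6 +38,7 @@ import (
 const (
 	tokenSecretName  = "example-secret-token"
 	secretDataString = "some-creds"
+	secretPath       = "secret"
 )
 
 var (
@@ -1409,11 +1410,8 @@ func (f fakeRef) GetRemoteKey() string {
 	return f.key
 }
 
-
-
-
 func TestSetSecretUpdateSecretNotFound(t *testing.T) {
-	path := "secret"
+	path := secretPath
 	secretData := map[string]interface{}{
 		"data": map[string]interface{}{
 			"fake key": "fake value",
@@ -1436,7 +1434,7 @@ func TestSetSecretUpdateSecretNotFound(t *testing.T) {
 }
 
 func TestSetSecretUpdateSecretNotFoundWithError(t *testing.T) {
-	path := "secret"
+	path := secretPath
 	f := fake.Logical{
 		ReadWithDataWithContextFn: fake.NewReadWithContextFn(nil, fmt.Errorf("secret not found")),
 	}
@@ -1452,8 +1450,8 @@ func TestSetSecretUpdateSecretNotFoundWithError(t *testing.T) {
 	err := client.SetSecret(context.Background(), []byte("HI"), ref)
 	assert.Equal(t, err.Error(), "no permissions")
 }
-func TestSetSecretEqualsPushSecret(t *testing.T){
-	path := "secret"
+func TestSetSecretEqualsPushSecret(t *testing.T) {
+	path := secretPath
 	f := fake.Logical{
 		ReadWithDataWithContextFn: fake.NewReadWithContextFn(map[string]interface{}{
 			"key": "fake value",
@@ -1470,12 +1468,11 @@ func TestSetSecretEqualsPushSecret(t *testing.T){
 
 	err := client.SetSecret(context.Background(), []byte("fake value"), ref)
 
-
 	assert.Equal(t, err, nil)
 }
 
-func TestSetSecretEqualsPushSecretWithError(t *testing.T){
-	path := "secret"
+func TestSetSecretEqualsPushSecretWithError(t *testing.T) {
+	path := secretPath
 	f := fake.Logical{
 		ReadWithDataWithContextFn: fake.NewReadWithContextFn(map[string]interface{}{
 			"key": "wrong-key",
@@ -1493,8 +1490,8 @@ func TestSetSecretEqualsPushSecretWithError(t *testing.T){
 	err := client.SetSecret(context.Background(), []byte("fake value"), ref)
 	assert.Equal(t, err.Error(), "boom")
 }
-func TestSetSecretErrorReadingSecret(t *testing.T){
-	path := "secret"
+func TestSetSecretErrorReadingSecret(t *testing.T) {
+	path := secretPath
 	f := fake.Logical{
 		ReadWithDataWithContextFn: fake.NewReadWithContextFn(nil, fmt.Errorf("you shall not pass")),
 	}
@@ -1508,7 +1505,7 @@ func TestSetSecretErrorReadingSecret(t *testing.T){
 	ref := fakeRef{key: "key"}
 
 	err := client.SetSecret(context.Background(), []byte("fake value"), ref)
-	assert.ErrorContains(t,err,"you shall not pass")
+	assert.ErrorContains(t, err, "you shall not pass")
 }
 
 // Above test pushing same exact secret twice.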