feat(beyondtrust): add support for decrypt parameter on get secret (#5786)

apis/externalsecrets/v1/secretstore_beyondtrust_types.go

@@ -55,6 +55,10 @@ type BeyondtrustServer struct {
 	RetrievalType string `json:"retrievalType,omitempty"`
 	// A character that separates the folder names.
 	Separator string `json:"separator,omitempty"`
+	// When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.
+	// +optional
+	// +kubebuilder:default=true
+	Decrypt bool `json:"decrypt,omitempty"`
 	// +required - Indicates whether to verify the certificate authority on the Secrets Safe instance. Warning - false is insecure, instructs the BT provider not to verify the certificate authority.
 	VerifyCA bool `json:"verifyCA"`
 	// Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.

apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go

@@ -54,6 +54,10 @@ type BeyondtrustServer struct {
 	RetrievalType string `json:"retrievalType,omitempty"`
 	// A character that separates the folder names.
 	Separator string `json:"separator,omitempty"`
+	// When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.
+	// +optional
+	// +kubebuilder:default=true
+	Decrypt bool `json:"decrypt,omitempty"`
 	// +required - Indicates whether to verify the certificate authority on the Secrets Safe instance. Warning - false is insecure, instructs the BT provider not to verify the certificate authority.
 	VerifyCA bool `json:"verifyCA"`
 	// Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.

config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -1209,6 +1209,13 @@ spec:
                               time, any redirects, and reading the response body.
                               Defaults to 45 seconds.
                             type: integer
+                          decrypt:
+                            default: true
+                            description: 'When true, the response includes the decrypted
+                              password. When false, the password field is omitted.
+                              This option only applies to the SECRET retrieval type.
+                              Default: true.'
+                            type: boolean
                           retrievalType:
                             description: The secret retrieval type. SECRET = Secrets
                               Safe (credential, text, file). MANAGED_ACCOUNT = Password
@@ -7232,6 +7239,13 @@ spec:
                               time, any redirects, and reading the response body.
                               Defaults to 45 seconds.
                             type: integer
+                          decrypt:
+                            default: true
+                            description: 'When true, the response includes the decrypted
+                              password. When false, the password field is omitted.
+                              This option only applies to the SECRET retrieval type.
+                              Default: true.'
+                            type: boolean
                           retrievalType:
                             description: The secret retrieval type. SECRET = Secrets
                               Safe (credential, text, file). MANAGED_ACCOUNT = Password

config/crds/bases/external-secrets.io_secretstores.yaml

@@ -1209,6 +1209,13 @@ spec:
                               time, any redirects, and reading the response body.
                               Defaults to 45 seconds.
                             type: integer
+                          decrypt:
+                            default: true
+                            description: 'When true, the response includes the decrypted
+                              password. When false, the password field is omitted.
+                              This option only applies to the SECRET retrieval type.
+                              Default: true.'
+                            type: boolean
                           retrievalType:
                             description: The secret retrieval type. SECRET = Secrets
                               Safe (credential, text, file). MANAGED_ACCOUNT = Password
@@ -7232,6 +7239,13 @@ spec:
                               time, any redirects, and reading the response body.
                               Defaults to 45 seconds.
                             type: integer
+                          decrypt:
+                            default: true
+                            description: 'When true, the response includes the decrypted
+                              password. When false, the password field is omitted.
+                              This option only applies to the SECRET retrieval type.
+                              Default: true.'
+                            type: boolean
                           retrievalType:
                             description: The secret retrieval type. SECRET = Secrets
                               Safe (credential, text, file). MANAGED_ACCOUNT = Password

deploy/crds/bundle.yaml

@@ -3223,6 +3223,10 @@ spec:
                             clientTimeOutSeconds:
                               description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
                               type: integer
+                            decrypt:
+                              default: true
+                              description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+                              type: boolean
                             retrievalType:
                               description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
                               type: string
@@ -8830,6 +8834,10 @@ spec:
                             clientTimeOutSeconds:
                               description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
                               type: integer
+                            decrypt:
+                              default: true
+                              description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+                              type: boolean
                             retrievalType:
                               description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
                               type: string
@@ -14992,6 +15000,10 @@ spec:
                             clientTimeOutSeconds:
                               description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
                               type: integer
+                            decrypt:
+                              default: true
+                              description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+                              type: boolean
                             retrievalType:
                               description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
                               type: string
@@ -20599,6 +20611,10 @@ spec:
                             clientTimeOutSeconds:
                               description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
                               type: integer
+                            decrypt:
+                              default: true
+                              description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+                              type: boolean
                             retrievalType:
                               description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
                               type: string

docs/api/spec.md

@@ -1708,6 +1708,18 @@ string
 </tr>
 <tr>
 <td>
+<code>decrypt</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>verifyCA</code></br>
 <em>
 bool
@@ -15290,6 +15302,18 @@ string
 </tr>
 <tr>
 <td>
+<code>decrypt</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>verifyCA</code></br>
 <em>
 bool

docs/snippets/beyondtrust-secret-store.yaml

@@ -32,3 +32,4 @@ spec:
       clientTimeOutSeconds: 45
       apiUrl: https://example.ps-dev.beyondtrustcloud.com:443/BeyondTrust/api/public/v3/
       apiVersion: "3.1"
+      decrypt: true

go.mod

@@ -191,7 +191,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/BeyondTrust/go-client-library-passwordsafe v0.25.0 // indirect
+	github.com/BeyondTrust/go-client-library-passwordsafe v1.0.0 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/DelineaXPM/dsv-sdk-go/v2 v2.2.0 // indirect
 	github.com/DelineaXPM/tss-sdk-go/v3 v3.0.1 // indirect

go.sum

@@ -119,8 +119,8 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mo
 github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
-github.com/BeyondTrust/go-client-library-passwordsafe v0.25.0 h1:A+ZyF5sigY51kep48CnZezZY4WLzPCk2UnwMrUUTvu4=
-github.com/BeyondTrust/go-client-library-passwordsafe v0.25.0/go.mod h1:ntgg5j8QRG0XyF8WUTa57T1TwYJOJjerLMCc1XvJO0M=
+github.com/BeyondTrust/go-client-library-passwordsafe v1.0.0 h1:khr3BeVQscPf5MBhVaNPhobcdmo7pdQAzhmwQPeXNQ0=
+github.com/BeyondTrust/go-client-library-passwordsafe v1.0.0/go.mod h1:ntgg5j8QRG0XyF8WUTa57T1TwYJOJjerLMCc1XvJO0M=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=

providers/v1/beyondtrust/go.mod

@@ -3,7 +3,7 @@ module github.com/external-secrets/external-secrets/providers/v1/beyondtrust
 go 1.25.5
 
 require (
-	github.com/BeyondTrust/go-client-library-passwordsafe v0.25.0
+	github.com/BeyondTrust/go-client-library-passwordsafe v1.0.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/external-secrets/external-secrets/apis v0.0.0
 	github.com/external-secrets/external-secrets/runtime v0.0.0

providers/v1/beyondtrust/go.sum

@@ -1,7 +1,7 @@
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
-github.com/BeyondTrust/go-client-library-passwordsafe v0.25.0 h1:A+ZyF5sigY51kep48CnZezZY4WLzPCk2UnwMrUUTvu4=
-github.com/BeyondTrust/go-client-library-passwordsafe v0.25.0/go.mod h1:ntgg5j8QRG0XyF8WUTa57T1TwYJOJjerLMCc1XvJO0M=
+github.com/BeyondTrust/go-client-library-passwordsafe v1.0.0 h1:khr3BeVQscPf5MBhVaNPhobcdmo7pdQAzhmwQPeXNQ0=
+github.com/BeyondTrust/go-client-library-passwordsafe v1.0.0/go.mod h1:ntgg5j8QRG0XyF8WUTa57T1TwYJOJjerLMCc1XvJO0M=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=

providers/v1/beyondtrust/provider.go

@@ -78,6 +78,7 @@ var (
 type Provider struct {
 	apiURL        string
 	retrievaltype string
+	decrypt       bool
 	authenticate  auth.AuthenticationObj
 	log           logging.LogrLogger
 	separator     string
@@ -133,7 +134,7 @@ func (p *Provider) Validate() (esv1.ValidationResult, error) {
 // SecretExists checks if a secret exists in the provider.
 func (p *Provider) SecretExists(_ context.Context, pushSecretRef esv1.PushSecretRemoteRef) (bool, error) {
 	logger := logging.NewLogrLogger(&ESOLogger)
-	secretObj, err := secrets.NewSecretObj(p.authenticate, logger, maxFileSecretSizeBytes)
+	secretObj, err := secrets.NewSecretObj(p.authenticate, logger, maxFileSecretSizeBytes, false)
 
 	if err != nil {
 		return false, err
@@ -218,6 +219,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 		authenticate:  *authenticate,
 		log:           *logger,
 		separator:     separator,
+		decrypt:       config.Server.Decrypt,
 	}, nil
 }
 
@@ -360,7 +362,7 @@ func (p *Provider) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemot
 	}
 	unmanagedFetch := func() (string, error) {
 		ESOLogger.Info("retrieve secrets safe value", "retrievalPath:", retrievalPath)
-		secretObj, _ := secrets.NewSecretObj(p.authenticate, &p.log, maxFileSecretSizeBytes)
+		secretObj, _ := secrets.NewSecretObj(p.authenticate, &p.log, maxFileSecretSizeBytes, p.decrypt)
 		return secretObj.GetSecret(retrievalPath, p.separator)
 	}
 	fetch := unmanagedFetch
@@ -476,7 +478,7 @@ func (p *Provider) PushSecret(_ context.Context, secret *v1.Secret, psd esv1.Pus
 // CreateSecret creates a secret in BeyondTrust Password Safe.
 func (p *Provider) CreateSecret(secret string, data map[string]interface{}, signAppinResponse entities.SignAppinResponse) error {
 	logger := logging.NewLogrLogger(&ESOLogger)
-	secretObj, err := secrets.NewSecretObj(p.authenticate, logger, maxFileSecretSizeBytes)
+	secretObj, err := secrets.NewSecretObj(p.authenticate, logger, maxFileSecretSizeBytes, false)
 
 	if err != nil {
 		return err

tests/__snapshot__/clustersecretstore-v1.yaml

@@ -182,6 +182,7 @@ spec:
         apiUrl: string
         apiVersion: external-secrets.io/v1
         clientTimeOutSeconds: 1
+        decrypt: true
         retrievalType: string
         separator: string
         verifyCA: true

tests/__snapshot__/clustersecretstore-v1beta1.yaml

@@ -159,6 +159,7 @@ spec:
         apiUrl: string
         apiVersion: external-secrets.io/v1beta1
         clientTimeOutSeconds: 1
+        decrypt: true
         retrievalType: string
         separator: string
         verifyCA: true

tests/__snapshot__/secretstore-v1.yaml

@@ -182,6 +182,7 @@ spec:
         apiUrl: string
         apiVersion: external-secrets.io/v1
         clientTimeOutSeconds: 1
+        decrypt: true
         retrievalType: string
         separator: string
         verifyCA: true

tests/__snapshot__/secretstore-v1beta1.yaml

@@ -159,6 +159,7 @@ spec:
         apiUrl: string
         apiVersion: external-secrets.io/v1beta1
         clientTimeOutSeconds: 1
+        decrypt: true
         retrievalType: string
         separator: string
         verifyCA: true