/* Copyright © The ESO Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Package onboardbase implements a client for interacting with Onboardbase secrets management service. package onboardbase import ( "context" "encoding/json" "errors" "fmt" "net/url" "strings" "time" "github.com/tidwall/gjson" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" kclient "sigs.k8s.io/controller-runtime/pkg/client" esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1" obclient "github.com/external-secrets/external-secrets/providers/v1/onboardbase/client" "github.com/external-secrets/external-secrets/runtime/esutils" "github.com/external-secrets/external-secrets/runtime/find" ) const ( errGetSecret = "could not get secret %s: %s" errGetSecrets = "could not get secrets %s" errUnmarshalSecretMap = "unable to unmarshal secret %s: %w" errOnboardbaseAPIKeySecretName = "missing auth.secretRef.onboardbaseAPIKey.name" errInvalidClusterStoreMissingOnboardbaseAPIKeyNamespace = "missing auth.secretRef.onboardbaseAPIKey.namespace" errFetchOnboardbaseAPIKeySecret = "unable to find find OnboardbaseAPIKey secret: %w" errMissingOnboardbaseAPIKey = "auth.secretRef.onboardbaseAPIKey.key '%s' not found in secret '%s'" errMissingOnboardbasePasscode = "auth.secretRef.onboardbasePasscode.key '%s' not found in secret '%s'" errSecretKeyFmt = "cannot find property %s in secret data for key: %q" ) // Client implements the Onboardbase secrets client. type Client struct { onboardbase SecretsClientInterface onboardbaseAPIKey string onboardbasePasscode string project string environment string kube kclient.Client store *esv1.OnboardbaseProvider namespace string storeKind string } // SecretsClientInterface defines the required Onboardbase Client methods. type SecretsClientInterface interface { BaseURL() *url.URL Authenticate() error GetSecret(request obclient.SecretRequest) (*obclient.SecretResponse, error) DeleteSecret(request obclient.SecretRequest) error GetSecrets(request obclient.SecretsRequest) (*obclient.SecretsResponse, error) } func (c *Client) setAuth(ctx context.Context) error { credentialsSecret := &corev1.Secret{} credentialsSecretName := c.store.Auth.OnboardbaseAPIKeyRef.Name if credentialsSecretName == "" { return errors.New(errOnboardbaseAPIKeySecretName) } objectKey := types.NamespacedName{ Name: credentialsSecretName, Namespace: c.namespace, } // only ClusterStore is allowed to set namespace (and then it's required) if c.storeKind == esv1.ClusterSecretStoreKind { if c.store.Auth.OnboardbaseAPIKeyRef.Namespace == nil { return errors.New(errInvalidClusterStoreMissingOnboardbaseAPIKeyNamespace) } objectKey.Namespace = *c.store.Auth.OnboardbaseAPIKeyRef.Namespace } err := c.kube.Get(ctx, objectKey, credentialsSecret) if err != nil { return fmt.Errorf(errFetchOnboardbaseAPIKeySecret, err) } onboardbaseAPIKey := credentialsSecret.Data[c.store.Auth.OnboardbaseAPIKeyRef.Key] if (onboardbaseAPIKey == nil) || (len(onboardbaseAPIKey) == 0) { return fmt.Errorf(errMissingOnboardbaseAPIKey, c.store.Auth.OnboardbaseAPIKeyRef.Key, credentialsSecretName) } c.onboardbaseAPIKey = string(onboardbaseAPIKey) onboardbasePasscode := credentialsSecret.Data[c.store.Auth.OnboardbasePasscodeRef.Key] if (onboardbasePasscode == nil) || (len(onboardbasePasscode) == 0) { return fmt.Errorf(errMissingOnboardbasePasscode, c.store.Auth.OnboardbasePasscodeRef.Key, credentialsSecretName) } c.onboardbasePasscode = string(onboardbasePasscode) return nil } // Validate performs validation of the Onboardbase client configuration. func (c *Client) Validate() (esv1.ValidationResult, error) { timeout := 15 * time.Second clientURL := c.onboardbase.BaseURL().String() if err := esutils.NetworkValidate(clientURL, timeout); err != nil { return esv1.ValidationResultError, err } if err := c.onboardbase.Authenticate(); err != nil { return esv1.ValidationResultError, err } return esv1.ValidationResultReady, nil } // DeleteSecret removes a secret from Onboardbase. func (c *Client) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error { // not implemented return nil } // SecretExists checks if a secret exists in Onboardbase. func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) { // not implemented return false, nil } // PushSecret creates or updates a secret in Onboardbase. func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error { // not implemented return nil } // GetSecret retrieves a secret from Onboardbase by its reference. func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) { request := obclient.SecretRequest{ Project: c.project, Environment: c.environment, Name: ref.Key, } secret, err := c.onboardbase.GetSecret(request) if err != nil { return nil, fmt.Errorf(errGetSecret, ref.Key, err) } value := secret.Value if ref.Property != "" { jsonRes := gjson.Get(secret.Value, ref.Property) if !jsonRes.Exists() { return nil, fmt.Errorf(errSecretKeyFmt, ref.Property, ref.Key) } value = jsonRes.Raw } return []byte(value), nil } // GetSecretMap retrieves a secret from Onboardbase and returns it as a map. func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) { data, err := c.GetSecret(ctx, ref) if err != nil { return nil, err } kv := make(map[string]json.RawMessage) err = json.Unmarshal(data, &kv) if err != nil { return nil, fmt.Errorf(errUnmarshalSecretMap, ref.Key, err) } secretData := make(map[string][]byte) for k, v := range kv { var strVal string err = json.Unmarshal(v, &strVal) if err == nil { secretData[k] = []byte(strVal) } else { secretData[k] = v } } return secretData, nil } // GetAllSecrets retrieves all secrets from Onboardbase that match the given criteria. func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) { if len(ref.Tags) > 0 { return nil, errors.New("find by tags not supported") } secrets, err := c.getSecrets(ctx) if err != nil { return nil, err } if ref.Name == nil && ref.Path == nil { return secrets, nil } var matcher *find.Matcher if ref.Name != nil { m, err := find.New(*ref.Name) if err != nil { return nil, err } matcher = m } selected := map[string][]byte{} for key, value := range secrets { if (matcher != nil && !matcher.MatchName(key)) || (ref.Path != nil && !strings.HasPrefix(key, *ref.Path)) { continue } selected[key] = value } return selected, nil } // Close implements cleanup operations for the Onboardbase client. func (c *Client) Close(_ context.Context) error { return nil } func (c *Client) getSecrets(_ context.Context) (map[string][]byte, error) { request := obclient.SecretsRequest{ Project: c.project, Environment: c.environment, } response, err := c.onboardbase.GetSecrets(request) if err != nil { return nil, fmt.Errorf(errGetSecrets, err) } return externalSecretsFormat(response.Secrets), nil } func externalSecretsFormat(secrets obclient.Secrets) map[string][]byte { converted := make(map[string][]byte, len(secrets)) for key, value := range secrets { converted[key] = []byte(value) } return converted }