logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143
							/*
Copyright © 2025 ESO Maintainer Team

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package device42

import (
	"bytes"
	"context"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"time"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
)

const (
	// DoRequestError is the error format string for HTTP request failures.
	DoRequestError         = "error: do request: %w"
	errJSONSecretUnmarshal = "unable to unmarshal secret from JSON: %w"
)

// HTTPClient is the interface for making HTTP requests.
type HTTPClient interface {
	Do(*http.Request) (*http.Response, error)
}

// API implements the Device42 REST API client.
type API struct {
	client   HTTPClient
	baseURL  string
	hostPort string
	password string
	username string
}

// D42PasswordResponse represents the response from Device42 passwords API.
type D42PasswordResponse struct {
	Passwords []D42Password
}

// D42Password represents a password entry in Device42.
type D42Password struct {
	Password string `json:"password"`
	ID       int    `json:"id"`
}

// NewAPI creates a new Device42 API client.
func NewAPI(baseURL, username, password, hostPort string) *API {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}
	api := &API{
		baseURL:  baseURL,
		hostPort: hostPort,
		username: username,
		password: password,
		client:   &http.Client{Transport: tr},
	}

	return api
}

func (api *API) doAuthenticatedRequest(r *http.Request) (*http.Response, error) {
	r.SetBasicAuth(api.username, api.password)
	return api.client.Do(r)
}

// ReadAndUnmarshal reads an HTTP response body and unmarshals it into the target structure.
func ReadAndUnmarshal(resp *http.Response, target any) error {
	var buf bytes.Buffer
	defer func() {
		err := resp.Body.Close()
		if err != nil {
			return
		}
	}()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("failed to authenticate with the given credentials: %d %s", resp.StatusCode, buf.String())
	}
	_, err := buf.ReadFrom(resp.Body)
	if err != nil {
		return err
	}
	return json.Unmarshal(buf.Bytes(), target)
}

// GetSecret retrieves a password from Device42.
func (api *API) GetSecret(secretID string) (D42Password, error) {
	// https://api.device42.com/#!/Passwords/getPassword
	endpointURL := fmt.Sprintf("https://%s:%s/api/1.0/passwords/?id=%s&plain_text=yes", api.baseURL, api.hostPort, secretID)
	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
	defer cancel()
	readSecretRequest, err := http.NewRequestWithContext(ctx, "GET", endpointURL, http.NoBody)
	if err != nil {
		return D42Password{}, fmt.Errorf("error: creating secrets request: %w", err)
	}

	respSecretRead, err := api.doAuthenticatedRequest(readSecretRequest) //nolint:bodyclose // linters bug
	if err != nil {
		return D42Password{}, fmt.Errorf(DoRequestError, err)
	}

	d42PasswordResponse := D42PasswordResponse{}
	err = ReadAndUnmarshal(respSecretRead, &d42PasswordResponse)
	if err != nil {
		return D42Password{}, fmt.Errorf(errJSONSecretUnmarshal, err)
	}
	if len(d42PasswordResponse.Passwords) == 0 {
		return D42Password{}, err
	}
	// There should only be one response
	return d42PasswordResponse.Passwords[0], err
}

// GetSecretMap returns a map of secret values from Device42.
func (api *API) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
	return nil, errors.New(errNotImplemented)
}

// ToMap converts a D42Password to a map of secret values.
func (s D42Password) ToMap() map[string][]byte {
	m := make(map[string][]byte)
	m["password"] = []byte(s.Password)
	m["id"] = []byte(strconv.Itoa(s.ID))
	return m
}