Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 65a8d4bbfb
Branches Tags
helm-externa...
/
pkg
/
provider
/
infisical
/
api
/
api.go

api.go 8.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or impliec.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package api
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"io"
    23. 

  23. 	"net/http"
    24. 

  24. 	"net/url"
    25. 

  25. 	"strconv"
    26. 

  26. 

  27. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    28. 

  28. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    29. 

  29. 	"github.com/external-secrets/external-secrets/pkg/provider/infisical/constants"
    30. 

  30. )
    31. 

  31. 

  32. type InfisicalClient struct {
    33. 

  33. 	BaseURL *url.URL
    34. 

  34. 	client  *http.Client
    35. 

  35. 	token   string
    36. 

  36. }
    37. 

  37. 

  38. type InfisicalApis interface {
    39. 

  39. 	MachineIdentityLoginViaUniversalAuth(data MachineIdentityUniversalAuthLoginRequest) (*MachineIdentityDetailsResponse, error)
    40. 

  40. 	GetSecretsV3(data GetSecretsV3Request) (map[string]string, error)
    41. 

  41. 	GetSecretByKeyV3(data GetSecretByKeyV3Request) (string, error)
    42. 

  42. 	RevokeAccessToken() error
    43. 

  43. }
    44. 

  44. 

  45. const (
    46. 

  46. 	machineIdentityLoginViaUniversalAuth = "MachineIdentityLoginViaUniversalAuth"
    47. 

  47. 	getSecretsV3                         = "GetSecretsV3"
    48. 

  48. 	getSecretByKeyV3                     = "GetSecretByKeyV3"
    49. 

  49. 	revokeAccessToken                    = "RevokeAccessToken"
    50. 

  50. )
    51. 

  51. 

  52. const UserAgentName = "k8-external-secrets-operator"
    53. 

  53. 

  54. var errJSONUnmarshal = errors.New("unable to unmarshal API response")
    55. 

  55. var errNoAccessToken = errors.New("unexpected error: no access token available to revoke")
    56. 

  56. var errAccessTokenAlreadyRetrieved = errors.New("unexpected error: access token was already retrieved")
    57. 

  57. 

  58. type InfisicalAPIError struct {
    59. 

  59. 	StatusCode int
    60. 

  60. 	Err        any
    61. 

  61. 	Message    any
    62. 

  62. 	Details    any
    63. 

  63. }
    64. 

  64. 

  65. func (e *InfisicalAPIError) Error() string {
    66. 

  66. 	if e.Details != nil {
    67. 

  67. 		detailsJSON, _ := json.Marshal(e.Details)
    68. 

  68. 		return fmt.Sprintf("API error (%d): error=%v message=%v, details=%s", e.StatusCode, e.Err, e.Message, string(detailsJSON))
    69. 

  69. 	} else {
    70. 

  70. 		return fmt.Sprintf("API error (%d): error=%v message=%v", e.StatusCode, e.Err, e.Message)
    71. 

  71. 	}
    72. 

  72. }
    73. 

  73. 

  74. // checkError checks for an error on the http response and generates an appropriate error if one is
    75. 

  75. // found.
    76. 

  76. func checkError(resp *http.Response) error {
    77. 

  77. 	if resp.StatusCode >= 200 && resp.StatusCode < 400 {
    78. 

  78. 		return nil
    79. 

  79. 	}
    80. 

  80. 

  81. 	var buf bytes.Buffer
    82. 

  82. 	_, err := buf.ReadFrom(resp.Body)
    83. 

  83. 	if err != nil {
    84. 

  84. 		return fmt.Errorf("API error (%d) and failed to read response body: %w", resp.StatusCode, err)
    85. 

  85. 	}
    86. 

  86. 

  87. 	// Attempt to unmarshal the response body into an InfisicalAPIErrorResponse.
    88. 

  88. 	var errRes InfisicalAPIErrorResponse
    89. 

  89. 	err = json.Unmarshal(buf.Bytes(), &errRes)
    90. 

  90. 	// Non-200 errors that cannot be unmarshaled must be handled, as errors could come from outside of
    91. 

  91. 	// Infisical.
    92. 

  92. 	if err != nil {
    93. 

  93. 		return fmt.Errorf("API error (%d), could not unmarshal error response: %w", resp.StatusCode, err)
    94. 

  94. 	} else if errRes.StatusCode == 0 {
    95. 

  95. 		// When the InfisicalResponse has a zero-value status code, then the
    96. 

  96. 		// response was either malformed or not from Infisical. Instead, just return
    97. 

  97. 		// the error string from the response.
    98. 

  98. 		return fmt.Errorf("API error (%d): %s", resp.StatusCode, buf.String())
    99. 

  99. 	} else {
    100. 

  100. 		return &InfisicalAPIError{
    101. 

  101. 			StatusCode: resp.StatusCode,
    102. 

  102. 			Message:    errRes.Message,
    103. 

  103. 			Err:        errRes.Error,
    104. 

  104. 			Details:    errRes.Details,
    105. 

  105. 		}
    106. 

  106. 	}
    107. 

  107. }
    108. 

  108. 

  109. func NewAPIClient(baseURL string, client *http.Client) (*InfisicalClient, error) {
    110. 

  110. 	baseParsedURL, err := url.Parse(baseURL)
    111. 

  111. 	if err != nil {
    112. 

  112. 		return nil, err
    113. 

  113. 	}
    114. 

  114. 

  115. 	api := &InfisicalClient{
    116. 

  116. 		BaseURL: baseParsedURL,
    117. 

  117. 		client:  client,
    118. 

  118. 	}
    119. 

  119. 

  120. 	return api, nil
    121. 

  121. }
    122. 

  122. 

  123. func (a *InfisicalClient) SetTokenViaMachineIdentity(clientID, clientSecret string) error {
    124. 

  124. 	if a.token != "" {
    125. 

  125. 		return errAccessTokenAlreadyRetrieved
    126. 

  126. 	}
    127. 

  127. 

  128. 	var loginResponse MachineIdentityDetailsResponse
    129. 

  129. 	err := a.do(
    130. 

  130. 		"api/v1/auth/universal-auth/login",
    131. 

  131. 		http.MethodPost,
    132. 

  132. 		map[string]string{},
    133. 

  133. 		MachineIdentityUniversalAuthLoginRequest{
    134. 

  134. 			ClientID:     clientID,
    135. 

  135. 			ClientSecret: clientSecret,
    136. 

  136. 		},
    137. 

  137. 		&loginResponse,
    138. 

  138. 	)
    139. 

  139. 	metrics.ObserveAPICall(constants.ProviderName, machineIdentityLoginViaUniversalAuth, err)
    140. 

  140. 

  141. 	if err != nil {
    142. 

  142. 		return err
    143. 

  143. 	}
    144. 

  144. 

  145. 	a.token = loginResponse.AccessToken
    146. 

  146. 	return nil
    147. 

  147. }
    148. 

  148. 

  149. func (a *InfisicalClient) RevokeAccessToken() error {
    150. 

  150. 	if a.token == "" {
    151. 

  151. 		return errNoAccessToken
    152. 

  152. 	}
    153. 

  153. 

  154. 	var revokeResponse RevokeMachineIdentityAccessTokenResponse
    155. 

  155. 	err := a.do(
    156. 

  156. 		"api/v1/auth/token/revoke",
    157. 

  157. 		http.MethodPost,
    158. 

  158. 		map[string]string{},
    159. 

  159. 		RevokeMachineIdentityAccessTokenRequest{AccessToken: a.token},
    160. 

  160. 		&revokeResponse,
    161. 

  161. 	)
    162. 

  162. 	metrics.ObserveAPICall(constants.ProviderName, revokeAccessToken, err)
    163. 

  163. 

  164. 	if err != nil {
    165. 

  165. 		return err
    166. 

  166. 	}
    167. 

  167. 

  168. 	a.token = ""
    169. 

  169. 	return nil
    170. 

  170. }
    171. 

  171. 

  172. func (a *InfisicalClient) resolveEndpoint(path string) string {
    173. 

  173. 	return a.BaseURL.ResolveReference(&url.URL{Path: path}).String()
    174. 

  174. }
    175. 

  175. 

  176. func (a *InfisicalClient) addHeaders(r *http.Request) {
    177. 

  177. 	if a.token != "" {
    178. 

  178. 		r.Header.Add("Authorization", "Bearer "+a.token)
    179. 

  179. 	}
    180. 

  180. 	r.Header.Add("User-Agent", UserAgentName)
    181. 

  181. 	r.Header.Add("Content-Type", "application/json")
    182. 

  182. }
    183. 

  183. 

  184. // do is a generic function that makes an API call to the Infisical API, and handle the response
    185. 

  185. // (including if an API error is returned).
    186. 

  186. func (a *InfisicalClient) do(endpoint, method string, params map[string]string, body, response any) error {
    187. 

  187. 	endpointURL := a.resolveEndpoint(endpoint)
    188. 

  188. 

  189. 	bodyReader, err := MarshalReqBody(body)
    190. 

  190. 	if err != nil {
    191. 

  191. 		return err
    192. 

  192. 	}
    193. 

  193. 

  194. 	r, err := http.NewRequest(method, endpointURL, bodyReader)
    195. 

  195. 	if err != nil {
    196. 

  196. 		return err
    197. 

  197. 	}
    198. 

  198. 

  199. 	a.addHeaders(r)
    200. 

  200. 

  201. 	q := r.URL.Query()
    202. 

  202. 	for key, value := range params {
    203. 

  203. 		q.Add(key, value)
    204. 

  204. 	}
    205. 

  205. 	r.URL.RawQuery = q.Encode()
    206. 

  206. 

  207. 	resp, err := a.client.Do(r)
    208. 

  208. 	if err != nil {
    209. 

  209. 		return err
    210. 

  210. 	}
    211. 

  211. 	defer func() {
    212. 

  212. 		_ = resp.Body.Close()
    213. 

  213. 	}()
    214. 

  214. 

  215. 	if err := checkError(resp); err != nil {
    216. 

  216. 		return err
    217. 

  217. 	}
    218. 

  218. 

  219. 	bodyBytes, err := io.ReadAll(resp.Body)
    220. 

  220. 	if err != nil {
    221. 

  221. 		return err
    222. 

  222. 	}
    223. 

  223. 

  224. 	err = json.Unmarshal(bodyBytes, response)
    225. 

  225. 	if err != nil {
    226. 

  226. 		// Importantly, we do not include the response in the actual error to avoid
    227. 

  227. 		// leaking anything sensitive.
    228. 

  228. 		return errJSONUnmarshal
    229. 

  229. 	}
    230. 

  230. 

  231. 	return nil
    232. 

  232. }
    233. 

  233. 

  234. func (a *InfisicalClient) GetSecretsV3(data GetSecretsV3Request) (map[string]string, error) {
    235. 

  235. 	params := map[string]string{
    236. 

  236. 		"workspaceSlug":          data.ProjectSlug,
    237. 

  237. 		"environment":            data.EnvironmentSlug,
    238. 

  238. 		"secretPath":             data.SecretPath,
    239. 

  239. 		"include_imports":        "true",
    240. 

  240. 		"expandSecretReferences": strconv.FormatBool(data.ExpandSecretReferences),
    241. 

  241. 		"recursive":              strconv.FormatBool(data.Recursive),
    242. 

  242. 	}
    243. 

  243. 

  244. 	res := GetSecretsV3Response{}
    245. 

  245. 	err := a.do(
    246. 

  246. 		"api/v3/secrets/raw",
    247. 

  247. 		http.MethodGet,
    248. 

  248. 		params,
    249. 

  249. 		http.NoBody,
    250. 

  250. 		&res,
    251. 

  251. 	)
    252. 

  252. 	metrics.ObserveAPICall(constants.ProviderName, getSecretsV3, err)
    253. 

  253. 	if err != nil {
    254. 

  254. 		return nil, err
    255. 

  255. 	}
    256. 

  256. 

  257. 	secrets := make(map[string]string)
    258. 

  258. 	for _, s := range res.ImportedSecrets {
    259. 

  259. 		for _, el := range s.Secrets {
    260. 

  260. 			secrets[el.SecretKey] = el.SecretValue
    261. 

  261. 		}
    262. 

  262. 	}
    263. 

  263. 	for _, el := range res.Secrets {
    264. 

  264. 		secrets[el.SecretKey] = el.SecretValue
    265. 

  265. 	}
    266. 

  266. 

  267. 	return secrets, nil
    268. 

  268. }
    269. 

  269. 

  270. func (a *InfisicalClient) GetSecretByKeyV3(data GetSecretByKeyV3Request) (string, error) {
    271. 

  271. 	params := map[string]string{
    272. 

  272. 		"workspaceSlug":          data.ProjectSlug,
    273. 

  273. 		"environment":            data.EnvironmentSlug,
    274. 

  274. 		"secretPath":             data.SecretPath,
    275. 

  275. 		"include_imports":        "true",
    276. 

  276. 		"expandSecretReferences": strconv.FormatBool(data.ExpandSecretReferences),
    277. 

  277. 	}
    278. 

  278. 

  279. 	endpointURL := fmt.Sprintf("api/v3/secrets/raw/%s", data.SecretKey)
    280. 

  280. 

  281. 	res := GetSecretByKeyV3Response{}
    282. 

  282. 	err := a.do(
    283. 

  283. 		endpointURL,
    284. 

  284. 		http.MethodGet,
    285. 

  285. 		params,
    286. 

  286. 		http.NoBody,
    287. 

  287. 		&res,
    288. 

  288. 	)
    289. 

  289. 	metrics.ObserveAPICall(constants.ProviderName, getSecretByKeyV3, err)
    290. 

  290. 	if err != nil {
    291. 

  291. 		var apiErr *InfisicalAPIError
    292. 

  292. 		if errors.As(err, &apiErr) && apiErr.StatusCode == 404 {
    293. 

  293. 			return "", esv1.NoSecretError{}
    294. 

  294. 		}
    295. 

  295. 		return "", err
    296. 

  296. 	}
    297. 

  297. 

  298. 	return res.Secret.SecretValue, nil
    299. 

  299. }
    300. 

  300. 

  301. func MarshalReqBody(data any) (*bytes.Reader, error) {
    302. 

  302. 	body, err := json.Marshal(data)
    303. 

  303. 	if err != nil {
    304. 

  304. 		return nil, err
    305. 

  305. 	}
    306. 

  306. 	return bytes.NewReader(body), nil
    307. 

  307. }
    308.