Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 7d3d062421
Branches Tags
helm-externa...
/
providers
/
v1
/
yandex
/
lockbox
/
lockboxsecretgetter.go

lockboxsecretgetter.go 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package lockbox
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"fmt"
    23. 

  23. 

  24. 	"github.com/yandex-cloud/go-genproto/yandex/cloud/lockbox/v1"
    25. 

  25. 

  26. 	ydxcommon "github.com/external-secrets/external-secrets/providers/v1/yandex/common"
    27. 

  27. 	"github.com/external-secrets/external-secrets/providers/v1/yandex/lockbox/client"
    28. 

  28. )
    29. 

  29. 

  30. // Implementation of ydxcommon.SecretGetter.
    31. 

  31. type lockboxSecretGetter struct {
    32. 

  32. 	lockboxClient client.LockboxClient
    33. 

  33. }
    34. 

  34. 

  35. func newLockboxSecretGetter(lockboxClient client.LockboxClient) (ydxcommon.SecretGetter, error) {
    36. 

  36. 	return &lockboxSecretGetter{
    37. 

  37. 		lockboxClient: lockboxClient,
    38. 

  38. 	}, nil
    39. 

  39. }
    40. 

  40. 

  41. func (g *lockboxSecretGetter) GetSecret(ctx context.Context, iamToken, resourceKey string, resourceKeyType ydxcommon.ResourceKeyType, folderID, versionID, property string) ([]byte, error) {
    42. 

  42. 	entries, err := g.fetchPayloadEntries(ctx, iamToken, resourceKey, resourceKeyType, folderID, versionID)
    43. 

  43. 	if err != nil {
    44. 

  44. 		return nil, fmt.Errorf("unable to request secret payload to get secret: %w", err)
    45. 

  45. 	}
    46. 

  46. 	if property == "" {
    47. 

  47. 		keyToValue := make(map[string]any, len(entries))
    48. 

  48. 		for _, entry := range entries {
    49. 

  49. 			value, err := getValueAsIs(entry)
    50. 

  50. 			if err != nil {
    51. 

  51. 				return nil, err
    52. 

  52. 			}
    53. 

  53. 			keyToValue[entry.Key] = value
    54. 

  54. 		}
    55. 

  55. 		out, err := json.Marshal(keyToValue)
    56. 

  56. 		if err != nil {
    57. 

  57. 			return nil, fmt.Errorf("failed to marshal secret: %w", err)
    58. 

  58. 		}
    59. 

  59. 		return out, nil
    60. 

  60. 	}
    61. 

  61. 	entry, err := findEntryByKey(entries, property)
    62. 

  62. 	if err != nil {
    63. 

  63. 		return nil, err
    64. 

  64. 	}
    65. 

  65. 	return getValueAsBinary(entry)
    66. 

  66. }
    67. 

  67. 

  68. func (g *lockboxSecretGetter) GetSecretMap(ctx context.Context, iamToken, resourceKey string, resourceKeyType ydxcommon.ResourceKeyType, folderID, versionID string) (map[string][]byte, error) {
    69. 

  69. 	entries, err := g.fetchPayloadEntries(ctx, iamToken, resourceKey, resourceKeyType, folderID, versionID)
    70. 

  70. 	if err != nil {
    71. 

  71. 		return nil, fmt.Errorf("unable to request secret payload to get secret map: %w", err)
    72. 

  72. 	}
    73. 

  73. 	secretMap := make(map[string][]byte, len(entries))
    74. 

  74. 	for _, entry := range entries {
    75. 

  75. 		value, err := getValueAsBinary(entry)
    76. 

  76. 		if err != nil {
    77. 

  77. 			return nil, err
    78. 

  78. 		}
    79. 

  79. 		secretMap[entry.Key] = value
    80. 

  80. 	}
    81. 

  81. 	return secretMap, nil
    82. 

  82. }
    83. 

  83. 

  84. func (g *lockboxSecretGetter) fetchPayloadEntries(
    85. 

  85. 	ctx context.Context,
    86. 

  86. 	iamToken, resourceKey string,
    87. 

  87. 	resourceKeyType ydxcommon.ResourceKeyType,
    88. 

  88. 	folderID, versionID string,
    89. 

  89. ) ([]*lockbox.Payload_Entry, error) {
    90. 

  90. 	switch resourceKeyType {
    91. 

  91. 	case ydxcommon.ResourceKeyTypeID:
    92. 

  92. 		return g.lockboxClient.GetPayloadEntries(ctx, iamToken, resourceKey, versionID)
    93. 

  93. 	case ydxcommon.ResourceKeyTypeName:
    94. 

  94. 		entriesMap, err := g.lockboxClient.GetExPayload(ctx, iamToken, folderID, resourceKey, versionID)
    95. 

  95. 		if err != nil {
    96. 

  96. 			return nil, err
    97. 

  97. 		}
    98. 

  98. 		return convertToPayloadEntries(entriesMap), nil
    99. 

  99. 	default:
    100. 

  100. 		return nil, fmt.Errorf("unsupported resource key type: %v", resourceKeyType)
    101. 

  101. 	}
    102. 

  102. }
    103. 

  103. 

  104. func getValueAsIs(entry *lockbox.Payload_Entry) (any, error) {
    105. 

  105. 	switch entry.Value.(type) {
    106. 

  106. 	case *lockbox.Payload_Entry_TextValue:
    107. 

  107. 		return entry.GetTextValue(), nil
    108. 

  108. 	case *lockbox.Payload_Entry_BinaryValue:
    109. 

  109. 		return entry.GetBinaryValue(), nil
    110. 

  110. 	default:
    111. 

  111. 		return nil, fmt.Errorf("unsupported payload value type, key: %v", entry.Key)
    112. 

  112. 	}
    113. 

  113. }
    114. 

  114. 

  115. func getValueAsBinary(entry *lockbox.Payload_Entry) ([]byte, error) {
    116. 

  116. 	switch entry.Value.(type) {
    117. 

  117. 	case *lockbox.Payload_Entry_TextValue:
    118. 

  118. 		return []byte(entry.GetTextValue()), nil
    119. 

  119. 	case *lockbox.Payload_Entry_BinaryValue:
    120. 

  120. 		return entry.GetBinaryValue(), nil
    121. 

  121. 	default:
    122. 

  122. 		return nil, fmt.Errorf("unsupported payload value type, key: %v", entry.Key)
    123. 

  123. 	}
    124. 

  124. }
    125. 

  125. 

  126. func findEntryByKey(entries []*lockbox.Payload_Entry, key string) (*lockbox.Payload_Entry, error) {
    127. 

  127. 	for i := range entries {
    128. 

  128. 		if entries[i].Key == key {
    129. 

  129. 			return entries[i], nil
    130. 

  130. 		}
    131. 

  131. 	}
    132. 

  132. 	return nil, fmt.Errorf("payload entry with key '%s' not found", key)
    133. 

  133. }
    134. 

  134. 

  135. func convertToPayloadEntries(entriesMap map[string][]byte) []*lockbox.Payload_Entry {
    136. 

  136. 	entries := make([]*lockbox.Payload_Entry, 0, len(entriesMap))
    137. 

  137. 	for key, value := range entriesMap {
    138. 

  138. 		entries = append(entries, &lockbox.Payload_Entry{
    139. 

  139. 			Key:   key,
    140. 

  140. 			Value: &lockbox.Payload_Entry_BinaryValue{BinaryValue: value},
    141. 

  141. 		})
    142. 

  142. 	}
    143. 

  143. 	return entries
    144. 

  144. }
    145.