logic855
/
helm-external-secrets
mirror de https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298
							/*
Copyright © 2025 ESO Maintainer Team

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package passbolt

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"

	"github.com/passbolt/go-passbolt/api"
	corev1 "k8s.io/api/core/v1"
	kclient "sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	"github.com/external-secrets/external-secrets/pkg/utils"
	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
)

const (
	errPassboltStoreMissingProvider                = "missing: spec.provider.passbolt"
	errPassboltStoreMissingAuth                    = "missing: spec.provider.passbolt.auth"
	errPassboltStoreMissingAuthPassword            = "missing: spec.provider.passbolt.auth.passwordSecretRef"
	errPassboltStoreMissingAuthPrivateKey          = "missing: spec.provider.passbolt.auth.privateKeySecretRef"
	errPassboltStoreMissingHost                    = "missing: spec.provider.passbolt.host"
	errPassboltExternalSecretMissingFindNameRegExp = "missing: find.name.regexp"
	errPassboltStoreHostSchemeNotHTTPS             = "host Url has to be https scheme"
	errPassboltSecretPropertyInvalid               = "property must be one of name, username, uri, password or description"
	errNotImplemented                              = "not implemented"
)

type ProviderPassbolt struct {
	client Client
}

func (provider *ProviderPassbolt) Capabilities() esv1.SecretStoreCapabilities {
	return esv1.SecretStoreReadOnly
}

type Client interface {
	CheckSession(ctx context.Context) bool
	Login(ctx context.Context) error
	Logout(ctx context.Context) error
	GetResource(ctx context.Context, resourceID string) (*api.Resource, error)
	GetResources(ctx context.Context, opts *api.GetResourcesOptions) ([]api.Resource, error)
	GetResourceType(ctx context.Context, typeID string) (*api.ResourceType, error)
	DecryptMessage(message string) (string, error)
	GetSecret(ctx context.Context, resourceID string) (*api.Secret, error)
}

func (provider *ProviderPassbolt) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
	config := store.GetSpec().Provider.Passbolt

	password, err := resolvers.SecretKeyRef(
		ctx,
		kube,
		store.GetKind(),
		namespace,
		config.Auth.PasswordSecretRef,
	)
	if err != nil {
		return nil, err
	}

	privateKey, err := resolvers.SecretKeyRef(
		ctx,
		kube,
		store.GetKind(),
		namespace,
		config.Auth.PrivateKeySecretRef,
	)
	if err != nil {
		return nil, err
	}

	client, err := api.NewClient(nil, "", config.Host, privateKey, password)
	if err != nil {
		return nil, err
	}

	provider.client = client
	return provider, nil
}

func (provider *ProviderPassbolt) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
	return false, errors.New(errNotImplemented)
}

func (provider *ProviderPassbolt) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
	if err := assureLoggedIn(ctx, provider.client); err != nil {
		return nil, err
	}

	secret, err := provider.getPassboltSecret(ctx, ref.Key)
	if err != nil {
		return nil, err
	}

	if ref.Property == "" {
		return utils.JSONMarshal(secret)
	}

	return secret.GetProp(ref.Property)
}

func (provider *ProviderPassbolt) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
	return errors.New(errNotImplemented)
}

func (provider *ProviderPassbolt) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
	return errors.New(errNotImplemented)
}

func (provider *ProviderPassbolt) Validate() (esv1.ValidationResult, error) {
	return esv1.ValidationResultUnknown, nil
}

func (provider *ProviderPassbolt) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
	return nil, errors.New(errNotImplemented)
}

func (provider *ProviderPassbolt) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
	res := make(map[string][]byte)

	if ref.Name == nil || ref.Name.RegExp == "" {
		return res, errors.New(errPassboltExternalSecretMissingFindNameRegExp)
	}

	if err := assureLoggedIn(ctx, provider.client); err != nil {
		return nil, err
	}

	resources, err := provider.client.GetResources(ctx, &api.GetResourcesOptions{})
	if err != nil {
		return nil, err
	}

	nameRegexp, err := regexp.Compile(ref.Name.RegExp)
	if err != nil {
		return nil, err
	}

	for _, resource := range resources {
		if !nameRegexp.MatchString(resource.Name) {
			continue
		}

		secret, err := provider.getPassboltSecret(ctx, resource.ID)
		if err != nil {
			return nil, err
		}
		marshaled, err := utils.JSONMarshal(secret)
		if err != nil {
			return nil, err
		}
		res[resource.ID] = marshaled
	}

	return res, nil
}

func (provider *ProviderPassbolt) Close(ctx context.Context) error {
	return provider.client.Logout(ctx)
}

func (provider *ProviderPassbolt) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
	config := store.GetSpec().Provider.Passbolt
	if config == nil {
		return nil, errors.New(errPassboltStoreMissingProvider)
	}

	if config.Auth == nil {
		return nil, errors.New(errPassboltStoreMissingAuth)
	}

	if config.Auth.PasswordSecretRef == nil || config.Auth.PasswordSecretRef.Name == "" || config.Auth.PasswordSecretRef.Key == "" {
		return nil, errors.New(errPassboltStoreMissingAuthPassword)
	}

	if config.Auth.PrivateKeySecretRef == nil || config.Auth.PrivateKeySecretRef.Name == "" || config.Auth.PrivateKeySecretRef.Key == "" {
		return nil, errors.New(errPassboltStoreMissingAuthPrivateKey)
	}
	if config.Host == "" {
		return nil, errors.New(errPassboltStoreMissingHost)
	}

	host, err := url.Parse(config.Host)
	if err != nil {
		return nil, err
	}

	if host.Scheme != "https" {
		return nil, errors.New(errPassboltStoreHostSchemeNotHTTPS)
	}

	return nil, nil
}

func init() {
	esv1.Register(&ProviderPassbolt{}, &esv1.SecretStoreProvider{
		Passbolt: &esv1.PassboltProvider{},
	}, esv1.MaintenanceStatusNotMaintained)
}

type Secret struct {
	Name        string `json:"name"`
	Username    string `json:"username"`
	Password    string `json:"password"`
	URI         string `json:"uri"`
	Description string `json:"description"`
}

func (ps Secret) GetProp(key string) ([]byte, error) {
	switch key {
	case "name":
		return []byte(ps.Name), nil
	case "username":
		return []byte(ps.Username), nil
	case "uri":
		return []byte(ps.URI), nil
	case "password":
		return []byte(ps.Password), nil
	case "description":
		return []byte(ps.Description), nil
	default:
		return nil, errors.New(errPassboltSecretPropertyInvalid)
	}
}

func (provider *ProviderPassbolt) getPassboltSecret(ctx context.Context, id string) (*Secret, error) {
	resource, err := provider.client.GetResource(ctx, id)
	if err != nil {
		return nil, err
	}

	secret, err := provider.client.GetSecret(ctx, resource.ID)
	if err != nil {
		return nil, err
	}
	res := Secret{
		Name:        resource.Name,
		Username:    resource.Username,
		URI:         resource.URI,
		Description: resource.Description,
	}

	raw, err := provider.client.DecryptMessage(secret.Data)
	if err != nil {
		return nil, err
	}

	resourceType, err := provider.client.GetResourceType(ctx, resource.ResourceTypeID)
	if err != nil {
		return nil, err
	}

	switch resourceType.Slug {
	case "password-string":
		res.Password = raw
	case "password-and-description", "password-description-totp":
		var pwAndDesc api.SecretDataTypePasswordAndDescription
		if err := json.Unmarshal([]byte(raw), &pwAndDesc); err != nil {
			return nil, err
		}
		res.Password = pwAndDesc.Password
		res.Description = pwAndDesc.Description
	case "totp":
	default:
		return nil, fmt.Errorf("UnknownPassboltResourceType: %q", resourceType)
	}

	return &res, nil
}

func assureLoggedIn(ctx context.Context, client Client) error {
	if client.CheckSession(ctx) {
		return nil
	}

	return client.Login(ctx)
}