Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: a1722cbfaa
Branches Tags
helm-externa...
/
pkg
/
provider
/
infisical
/
api
/
api.go

api.go 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or impliec.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package api
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"net/http"
    23. 

  23. 	"net/url"
    24. 

  24. 	"time"
    25. 

  25. 

  26. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    27. 

  27. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    28. 

  28. 	"github.com/external-secrets/external-secrets/pkg/provider/infisical/constants"
    29. 

  29. )
    30. 

  30. 

  31. type InfisicalClient struct {
    32. 

  32. 	BaseURL *url.URL
    33. 

  33. 	client  *http.Client
    34. 

  34. 	token   string
    35. 

  35. }
    36. 

  36. 

  37. type InfisicalApis interface {
    38. 

  38. 	MachineIdentityLoginViaUniversalAuth(data MachineIdentityUniversalAuthLoginRequest) (*MachineIdentityDetailsResponse, error)
    39. 

  39. 	GetSecretsV3(data GetSecretsV3Request) (map[string]string, error)
    40. 

  40. 	GetSecretByKeyV3(data GetSecretByKeyV3Request) (string, error)
    41. 

  41. 	RevokeAccessToken() error
    42. 

  42. }
    43. 

  43. 

  44. const UserAgentName = "k8-external-secrets-operator"
    45. 

  45. const errJSONSecretUnmarshal = "unable to unmarshal secret: %w"
    46. 

  46. 

  47. func NewAPIClient(baseURL string) (*InfisicalClient, error) {
    48. 

  48. 	baseParsedURL, err := url.Parse(baseURL)
    49. 

  49. 	if err != nil {
    50. 

  50. 		return nil, err
    51. 

  51. 	}
    52. 

  52. 

  53. 	api := &InfisicalClient{
    54. 

  54. 		BaseURL: baseParsedURL,
    55. 

  55. 		client: &http.Client{
    56. 

  56. 			Timeout: time.Second * 15,
    57. 

  57. 		},
    58. 

  58. 	}
    59. 

  59. 

  60. 	return api, nil
    61. 

  61. }
    62. 

  62. 

  63. func (a *InfisicalClient) SetTokenViaMachineIdentity(clientID, clientSecret string) error {
    64. 

  64. 	if a.token != "" {
    65. 

  65. 		return nil
    66. 

  66. 	}
    67. 

  67. 

  68. 	loginResponse, err := a.MachineIdentityLoginViaUniversalAuth(MachineIdentityUniversalAuthLoginRequest{
    69. 

  69. 		ClientID:     clientID,
    70. 

  70. 		ClientSecret: clientSecret,
    71. 

  71. 	})
    72. 

  72. 	if err != nil {
    73. 

  73. 		return err
    74. 

  74. 	}
    75. 

  75. 

  76. 	a.token = loginResponse.AccessToken
    77. 

  77. 	return nil
    78. 

  78. }
    79. 

  79. 

  80. func (a *InfisicalClient) RevokeAccessToken() error {
    81. 

  81. 	if a.token == "" {
    82. 

  82. 		return nil
    83. 

  83. 	}
    84. 

  84. 	if _, err := a.RevokeMachineIdentityAccessToken(RevokeMachineIdentityAccessTokenRequest{AccessToken: a.token}); err != nil {
    85. 

  85. 		return err
    86. 

  86. 	}
    87. 

  87. 

  88. 	a.token = ""
    89. 

  89. 	return nil
    90. 

  90. }
    91. 

  91. 

  92. func (a *InfisicalClient) resolveEndpoint(path string) string {
    93. 

  93. 	return a.BaseURL.ResolveReference(&url.URL{Path: path}).String()
    94. 

  94. }
    95. 

  95. 

  96. func (a *InfisicalClient) do(r *http.Request) (*http.Response, error) {
    97. 

  97. 	if a.token != "" {
    98. 

  98. 		r.Header.Add("Authorization", "Bearer "+a.token)
    99. 

  99. 	}
    100. 

  100. 	r.Header.Add("User-Agent", UserAgentName)
    101. 

  101. 	r.Header.Add("Content-Type", "application/json")
    102. 

  102. 

  103. 	return a.client.Do(r)
    104. 

  104. }
    105. 

  105. 

  106. func (a *InfisicalClient) MachineIdentityLoginViaUniversalAuth(data MachineIdentityUniversalAuthLoginRequest) (*MachineIdentityDetailsResponse, error) {
    107. 

  107. 	endpointURL := a.resolveEndpoint("api/v1/auth/universal-auth/login")
    108. 

  108. 	body, err := MarshalReqBody(data)
    109. 

  109. 	if err != nil {
    110. 

  110. 		return nil, err
    111. 

  111. 	}
    112. 

  112. 

  113. 	req, err := http.NewRequest(http.MethodPost, endpointURL, body)
    114. 

  114. 	metrics.ObserveAPICall(constants.ProviderName, "MachineIdentityLoginViaUniversalAuth", err)
    115. 

  115. 	if err != nil {
    116. 

  116. 		return nil, err
    117. 

  117. 	}
    118. 

  118. 

  119. 	rawRes, err := a.do(req)
    120. 

  120. 	if err != nil {
    121. 

  121. 		return nil, err
    122. 

  122. 	}
    123. 

  123. 

  124. 	var res MachineIdentityDetailsResponse
    125. 

  125. 	err = ReadAndUnmarshal(rawRes, &res)
    126. 

  126. 	if err != nil {
    127. 

  127. 		return nil, fmt.Errorf(errJSONSecretUnmarshal, err)
    128. 

  128. 	}
    129. 

  129. 	return &res, nil
    130. 

  130. }
    131. 

  131. 

  132. func (a *InfisicalClient) RevokeMachineIdentityAccessToken(data RevokeMachineIdentityAccessTokenRequest) (*RevokeMachineIdentityAccessTokenResponse, error) {
    133. 

  133. 	endpointURL := a.resolveEndpoint("api/v1/auth/token/revoke")
    134. 

  134. 	body, err := MarshalReqBody(data)
    135. 

  135. 	if err != nil {
    136. 

  136. 		return nil, err
    137. 

  137. 	}
    138. 

  138. 

  139. 	req, err := http.NewRequest(http.MethodPost, endpointURL, body)
    140. 

  140. 	metrics.ObserveAPICall(constants.ProviderName, "RevokeMachineIdentityAccessToken", err)
    141. 

  141. 	if err != nil {
    142. 

  142. 		return nil, err
    143. 

  143. 	}
    144. 

  144. 

  145. 	rawRes, err := a.do(req)
    146. 

  146. 	if err != nil {
    147. 

  147. 		return nil, err
    148. 

  148. 	}
    149. 

  149. 

  150. 	var res RevokeMachineIdentityAccessTokenResponse
    151. 

  151. 	err = ReadAndUnmarshal(rawRes, &res)
    152. 

  152. 	if err != nil {
    153. 

  153. 		return nil, fmt.Errorf(errJSONSecretUnmarshal, err)
    154. 

  154. 	}
    155. 

  155. 	return &res, nil
    156. 

  156. }
    157. 

  157. 

  158. func (a *InfisicalClient) GetSecretsV3(data GetSecretsV3Request) (map[string]string, error) {
    159. 

  159. 	endpointURL := a.resolveEndpoint("api/v3/secrets/raw")
    160. 

  160. 

  161. 	req, err := http.NewRequest(http.MethodGet, endpointURL, http.NoBody)
    162. 

  162. 	metrics.ObserveAPICall(constants.ProviderName, "GetSecretsV3", err)
    163. 

  163. 	if err != nil {
    164. 

  164. 		return nil, err
    165. 

  165. 	}
    166. 

  166. 

  167. 	q := req.URL.Query()
    168. 

  168. 	q.Add("workspaceSlug", data.ProjectSlug)
    169. 

  169. 	q.Add("environment", data.EnvironmentSlug)
    170. 

  170. 	q.Add("secretPath", data.SecretPath)
    171. 

  171. 	q.Add("include_imports", "true")
    172. 

  172. 	q.Add("expandSecretReferences", "true")
    173. 

  173. 	req.URL.RawQuery = q.Encode()
    174. 

  174. 

  175. 	rawRes, err := a.do(req)
    176. 

  176. 	if err != nil {
    177. 

  177. 		return nil, err
    178. 

  178. 	}
    179. 

  179. 

  180. 	var res GetSecretsV3Response
    181. 

  181. 	err = ReadAndUnmarshal(rawRes, &res)
    182. 

  182. 	if err != nil {
    183. 

  183. 		return nil, fmt.Errorf(errJSONSecretUnmarshal, err)
    184. 

  184. 	}
    185. 

  185. 

  186. 	secrets := make(map[string]string)
    187. 

  187. 	for _, s := range res.ImportedSecrets {
    188. 

  188. 		for _, el := range s.Secrets {
    189. 

  189. 			secrets[el.SecretKey] = el.SecretValue
    190. 

  190. 		}
    191. 

  191. 	}
    192. 

  192. 	for _, el := range res.Secrets {
    193. 

  193. 		secrets[el.SecretKey] = el.SecretValue
    194. 

  194. 	}
    195. 

  195. 

  196. 	return secrets, nil
    197. 

  197. }
    198. 

  198. 

  199. func (a *InfisicalClient) GetSecretByKeyV3(data GetSecretByKeyV3Request) (string, error) {
    200. 

  200. 	endpointURL := a.resolveEndpoint(fmt.Sprintf("api/v3/secrets/raw/%s", data.SecretKey))
    201. 

  201. 

  202. 	req, err := http.NewRequest(http.MethodGet, endpointURL, http.NoBody)
    203. 

  203. 	metrics.ObserveAPICall(constants.ProviderName, "GetSecretByKeyV3", err)
    204. 

  204. 	if err != nil {
    205. 

  205. 		return "", err
    206. 

  206. 	}
    207. 

  207. 

  208. 	q := req.URL.Query()
    209. 

  209. 	q.Add("workspaceSlug", data.ProjectSlug)
    210. 

  210. 	q.Add("environment", data.EnvironmentSlug)
    211. 

  211. 	q.Add("secretPath", data.SecretPath)
    212. 

  212. 	q.Add("include_imports", "true")
    213. 

  213. 	req.URL.RawQuery = q.Encode()
    214. 

  214. 

  215. 	rawRes, err := a.do(req)
    216. 

  216. 	if err != nil {
    217. 

  217. 		return "", err
    218. 

  218. 	}
    219. 

  219. 	if rawRes.StatusCode == 400 {
    220. 

  220. 		var errRes InfisicalAPIErrorResponse
    221. 

  221. 		err = ReadAndUnmarshal(rawRes, &errRes)
    222. 

  222. 		if err != nil {
    223. 

  223. 			return "", fmt.Errorf(errJSONSecretUnmarshal, err)
    224. 

  224. 		}
    225. 

  225. 

  226. 		if errRes.Message == "Secret not found" {
    227. 

  227. 			return "", esv1beta1.NoSecretError{}
    228. 

  228. 		}
    229. 

  229. 		return "", errors.New(errRes.Message)
    230. 

  230. 	}
    231. 

  231. 

  232. 	var res GetSecretByKeyV3Response
    233. 

  233. 	err = ReadAndUnmarshal(rawRes, &res)
    234. 

  234. 	if err != nil {
    235. 

  235. 		return "", fmt.Errorf(errJSONSecretUnmarshal, err)
    236. 

  236. 	}
    237. 

  237. 

  238. 	return res.Secret.SecretValue, nil
    239. 

  239. }
    240. 

  240. 

  241. func MarshalReqBody(data any) (*bytes.Reader, error) {
    242. 

  242. 	body, err := json.Marshal(data)
    243. 

  243. 	if err != nil {
    244. 

  244. 		return nil, err
    245. 

  245. 	}
    246. 

  246. 	return bytes.NewReader(body), nil
    247. 

  247. }
    248. 

  248. 

  249. func ReadAndUnmarshal(resp *http.Response, target any) error {
    250. 

  250. 	var buf bytes.Buffer
    251. 

  251. 	defer resp.Body.Close()
    252. 

  252. 	_, err := buf.ReadFrom(resp.Body)
    253. 

  253. 	if err != nil {
    254. 

  254. 		return err
    255. 

  255. 	}
    256. 

  256. 	return json.Unmarshal(buf.Bytes(), target)
    257. 

  257. }
    258.