keyvault.go 40 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package keyvault
  13. import (
  14. "context"
  15. "crypto/x509"
  16. b64 "encoding/base64"
  17. "encoding/json"
  18. "encoding/pem"
  19. "errors"
  20. "fmt"
  21. "os"
  22. "path"
  23. "regexp"
  24. "strings"
  25. "github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
  26. "github.com/Azure/go-autorest/autorest"
  27. "github.com/Azure/go-autorest/autorest/adal"
  28. "github.com/Azure/go-autorest/autorest/azure"
  29. kvauth "github.com/Azure/go-autorest/autorest/azure/auth"
  30. "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
  31. "github.com/lestrrat-go/jwx/v2/jwk"
  32. "github.com/tidwall/gjson"
  33. "golang.org/x/crypto/sha3"
  34. authv1 "k8s.io/api/authentication/v1"
  35. corev1 "k8s.io/api/core/v1"
  36. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  37. "k8s.io/apimachinery/pkg/types"
  38. "k8s.io/client-go/kubernetes"
  39. kcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
  40. pointer "k8s.io/utils/ptr"
  41. "sigs.k8s.io/controller-runtime/pkg/client"
  42. ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
  43. "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
  44. gopkcs12 "software.sslmate.com/src/go-pkcs12"
  45. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  46. "github.com/external-secrets/external-secrets/pkg/constants"
  47. "github.com/external-secrets/external-secrets/pkg/metrics"
  48. "github.com/external-secrets/external-secrets/pkg/utils"
  49. "github.com/external-secrets/external-secrets/pkg/utils/resolvers"
  50. )
  51. const (
  52. defaultObjType = "secret"
  53. objectTypeCert = "cert"
  54. objectTypeKey = "key"
  55. AzureDefaultAudience = "api://AzureADTokenExchange"
  56. AnnotationClientID = "azure.workload.identity/client-id"
  57. AnnotationTenantID = "azure.workload.identity/tenant-id"
  58. managerLabel = "external-secrets"
  59. errUnexpectedStoreSpec = "unexpected store spec"
  60. errMissingAuthType = "cannot initialize Azure Client: no valid authType was specified"
  61. errPropNotExist = "property %s does not exist in key %s"
  62. errTagNotExist = "tag %s does not exist"
  63. errUnknownObjectType = "unknown Azure Keyvault object Type for %s"
  64. errUnmarshalJSONData = "error unmarshalling json data: %w"
  65. errDataFromCert = "cannot get use dataFrom to get certificate secret"
  66. errDataFromKey = "cannot get use dataFrom to get key secret"
  67. errMissingTenant = "missing tenantID in store config"
  68. errMissingClient = "missing clientID: either serviceAccountRef or service account annotation '%s' is missing"
  69. errMissingSecretRef = "missing secretRef in provider config"
  70. errMissingClientIDSecret = "missing accessKeyID/secretAccessKey in store config"
  71. errInvalidClientCredentials = "both clientSecret and clientCredentials set"
  72. errMultipleClientID = "multiple clientID found. Check secretRef and serviceAccountRef"
  73. errMultipleTenantID = "multiple tenantID found. Check secretRef, 'spec.provider.azurekv.tenantId', and serviceAccountRef"
  74. errFindSecret = "could not find secret %s/%s: %w"
  75. errFindDataKey = "no data for %q in secret '%s/%s'"
  76. errInvalidStore = "invalid store"
  77. errInvalidStoreSpec = "invalid store spec"
  78. errInvalidStoreProv = "invalid store provider"
  79. errInvalidAzureProv = "invalid azure keyvault provider"
  80. errInvalidSecRefClientID = "invalid AuthSecretRef.ClientID: %w"
  81. errInvalidSecRefClientSecret = "invalid AuthSecretRef.ClientSecret: %w"
  82. errInvalidSecRefClientCertificate = "invalid AuthSecretRef.ClientCertificate: %w"
  83. errInvalidSARef = "invalid ServiceAccountRef: %w"
  84. errMissingWorkloadEnvVars = "missing environment variables. AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE must be set"
  85. errReadTokenFile = "unable to read token file %s: %w"
  86. errMissingSAAnnotation = "missing service account annotation: %s"
  87. )
  88. // https://github.com/external-secrets/external-secrets/issues/644
  89. var _ esv1beta1.SecretsClient = &Azure{}
  90. var _ esv1beta1.Provider = &Azure{}
  91. // interface to keyvault.BaseClient.
  92. type SecretClient interface {
  93. GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (result keyvault.KeyBundle, err error)
  94. GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result keyvault.SecretBundle, err error)
  95. GetSecretsComplete(ctx context.Context, vaultBaseURL string, maxresults *int32) (result keyvault.SecretListResultIterator, err error)
  96. GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (result keyvault.CertificateBundle, err error)
  97. SetSecret(ctx context.Context, vaultBaseURL string, secretName string, parameters keyvault.SecretSetParameters) (result keyvault.SecretBundle, err error)
  98. ImportKey(ctx context.Context, vaultBaseURL string, keyName string, parameters keyvault.KeyImportParameters) (result keyvault.KeyBundle, err error)
  99. ImportCertificate(ctx context.Context, vaultBaseURL string, certificateName string, parameters keyvault.CertificateImportParameters) (result keyvault.CertificateBundle, err error)
  100. DeleteCertificate(ctx context.Context, vaultBaseURL string, certificateName string) (result keyvault.DeletedCertificateBundle, err error)
  101. DeleteKey(ctx context.Context, vaultBaseURL string, keyName string) (result keyvault.DeletedKeyBundle, err error)
  102. DeleteSecret(ctx context.Context, vaultBaseURL string, secretName string) (result keyvault.DeletedSecretBundle, err error)
  103. }
  104. type Azure struct {
  105. crClient client.Client
  106. kubeClient kcorev1.CoreV1Interface
  107. store esv1beta1.GenericStore
  108. provider *esv1beta1.AzureKVProvider
  109. baseClient SecretClient
  110. namespace string
  111. }
  112. func init() {
  113. esv1beta1.Register(&Azure{}, &esv1beta1.SecretStoreProvider{
  114. AzureKV: &esv1beta1.AzureKVProvider{},
  115. })
  116. }
  117. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
  118. func (a *Azure) Capabilities() esv1beta1.SecretStoreCapabilities {
  119. return esv1beta1.SecretStoreReadWrite
  120. }
  121. // NewClient constructs a new secrets client based on the provided store.
  122. func (a *Azure) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
  123. return newClient(ctx, store, kube, namespace)
  124. }
  125. func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (esv1beta1.SecretsClient, error) {
  126. provider, err := getProvider(store)
  127. if err != nil {
  128. return nil, err
  129. }
  130. cfg, err := ctrlcfg.GetConfig()
  131. if err != nil {
  132. return nil, err
  133. }
  134. kubeClient, err := kubernetes.NewForConfig(cfg)
  135. if err != nil {
  136. return nil, err
  137. }
  138. az := &Azure{
  139. crClient: kube,
  140. kubeClient: kubeClient.CoreV1(),
  141. store: store,
  142. namespace: namespace,
  143. provider: provider,
  144. }
  145. // allow SecretStore controller validation to pass
  146. // when using referent namespace.
  147. if store.GetKind() == esv1beta1.ClusterSecretStoreKind &&
  148. namespace == "" &&
  149. isReferentSpec(provider) {
  150. return az, nil
  151. }
  152. var authorizer autorest.Authorizer
  153. switch *provider.AuthType {
  154. case esv1beta1.AzureManagedIdentity:
  155. authorizer, err = az.authorizerForManagedIdentity()
  156. case esv1beta1.AzureServicePrincipal:
  157. authorizer, err = az.authorizerForServicePrincipal(ctx)
  158. case esv1beta1.AzureWorkloadIdentity:
  159. authorizer, err = az.authorizerForWorkloadIdentity(ctx, NewTokenProvider)
  160. default:
  161. err = fmt.Errorf(errMissingAuthType)
  162. }
  163. cl := keyvault.New()
  164. cl.Authorizer = authorizer
  165. az.baseClient = &cl
  166. return az, err
  167. }
  168. func getProvider(store esv1beta1.GenericStore) (*esv1beta1.AzureKVProvider, error) {
  169. spc := store.GetSpec()
  170. if spc == nil || spc.Provider.AzureKV == nil {
  171. return nil, errors.New(errUnexpectedStoreSpec)
  172. }
  173. return spc.Provider.AzureKV, nil
  174. }
  175. func (a *Azure) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
  176. if store == nil {
  177. return nil, fmt.Errorf(errInvalidStore)
  178. }
  179. spc := store.GetSpec()
  180. if spc == nil {
  181. return nil, fmt.Errorf(errInvalidStoreSpec)
  182. }
  183. if spc.Provider == nil {
  184. return nil, fmt.Errorf(errInvalidStoreProv)
  185. }
  186. p := spc.Provider.AzureKV
  187. if p == nil {
  188. return nil, fmt.Errorf(errInvalidAzureProv)
  189. }
  190. if p.AuthSecretRef != nil {
  191. if p.AuthSecretRef.ClientID != nil {
  192. if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientID); err != nil {
  193. return nil, fmt.Errorf(errInvalidSecRefClientID, err)
  194. }
  195. }
  196. if p.AuthSecretRef.ClientSecret != nil {
  197. if err := utils.ValidateReferentSecretSelector(store, *p.AuthSecretRef.ClientSecret); err != nil {
  198. return nil, fmt.Errorf(errInvalidSecRefClientSecret, err)
  199. }
  200. }
  201. }
  202. if p.ServiceAccountRef != nil {
  203. if err := utils.ValidateReferentServiceAccountSelector(store, *p.ServiceAccountRef); err != nil {
  204. return nil, fmt.Errorf(errInvalidSARef, err)
  205. }
  206. }
  207. return nil, nil
  208. }
  209. func canDelete(tags map[string]*string, err error) (bool, error) {
  210. aerr := &autorest.DetailedError{}
  211. conv := errors.As(err, aerr)
  212. if err != nil && !conv {
  213. return false, fmt.Errorf("could not parse error: %w", err)
  214. }
  215. if conv && aerr.StatusCode != 404 { // Secret is already deleted, nothing to do.
  216. return false, fmt.Errorf("unexpected api error: %w", err)
  217. }
  218. if aerr.StatusCode == 404 {
  219. return false, nil
  220. }
  221. manager, ok := tags["managed-by"]
  222. if !ok || manager == nil || *manager != managerLabel {
  223. return false, fmt.Errorf("not managed by external-secrets")
  224. }
  225. return true, nil
  226. }
  227. func (a *Azure) deleteKeyVaultKey(ctx context.Context, keyName string) error {
  228. value, err := a.baseClient.GetKey(ctx, *a.provider.VaultURL, keyName, "")
  229. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetKey, err)
  230. ok, err := canDelete(value.Tags, err)
  231. if err != nil {
  232. return fmt.Errorf("error getting key %v: %w", keyName, err)
  233. }
  234. if ok {
  235. _, err = a.baseClient.DeleteKey(ctx, *a.provider.VaultURL, keyName)
  236. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVDeleteKey, err)
  237. if err != nil {
  238. return fmt.Errorf("error deleting key %v: %w", keyName, err)
  239. }
  240. }
  241. return nil
  242. }
  243. func (a *Azure) deleteKeyVaultSecret(ctx context.Context, secretName string) error {
  244. value, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  245. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  246. ok, err := canDelete(value.Tags, err)
  247. if err != nil {
  248. return fmt.Errorf("error getting secret %v: %w", secretName, err)
  249. }
  250. if ok {
  251. _, err = a.baseClient.DeleteSecret(ctx, *a.provider.VaultURL, secretName)
  252. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVDeleteSecret, err)
  253. if err != nil {
  254. return fmt.Errorf("error deleting secret %v: %w", secretName, err)
  255. }
  256. }
  257. return nil
  258. }
  259. func (a *Azure) deleteKeyVaultCertificate(ctx context.Context, certName string) error {
  260. value, err := a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, certName, "")
  261. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetCertificate, err)
  262. ok, err := canDelete(value.Tags, err)
  263. if err != nil {
  264. return fmt.Errorf("error getting certificate %v: %w", certName, err)
  265. }
  266. if ok {
  267. _, err = a.baseClient.DeleteCertificate(ctx, *a.provider.VaultURL, certName)
  268. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVDeleteCertificate, err)
  269. if err != nil {
  270. return fmt.Errorf("error deleting certificate %v: %w", certName, err)
  271. }
  272. }
  273. return nil
  274. }
  275. func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
  276. objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: remoteRef.GetRemoteKey()})
  277. switch objectType {
  278. case defaultObjType:
  279. return a.deleteKeyVaultSecret(ctx, secretName)
  280. case objectTypeCert:
  281. return a.deleteKeyVaultCertificate(ctx, secretName)
  282. case objectTypeKey:
  283. return a.deleteKeyVaultKey(ctx, secretName)
  284. default:
  285. return fmt.Errorf("secret type '%v' is not supported", objectType)
  286. }
  287. }
  288. func (a *Azure) SecretExists(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) (bool, error) {
  289. objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: remoteRef.GetRemoteKey()})
  290. var err error
  291. switch objectType {
  292. case defaultObjType:
  293. _, err = a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  294. case objectTypeCert:
  295. _, err = a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, secretName, "")
  296. case objectTypeKey:
  297. _, err = a.baseClient.GetKey(ctx, *a.provider.VaultURL, secretName, "")
  298. default:
  299. errMsg := fmt.Sprintf("secret type '%v' is not supported", objectType)
  300. return false, errors.New(errMsg)
  301. }
  302. err = parseError(err)
  303. if err != nil {
  304. var noSecretErr esv1beta1.NoSecretError
  305. if errors.As(err, &noSecretErr) {
  306. return false, nil
  307. }
  308. return false, err
  309. }
  310. return true, nil
  311. }
  312. func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
  313. // 1st: try decode pkcs12
  314. _, localCert, err := gopkcs12.Decode(value, "")
  315. if err == nil {
  316. return localCert, nil
  317. }
  318. // 2nd: try DER
  319. localCert, err = x509.ParseCertificate(value)
  320. if err == nil {
  321. return localCert, nil
  322. }
  323. // 3nd: parse PEM blocks
  324. for {
  325. block, rest := pem.Decode(value)
  326. value = rest
  327. if block == nil {
  328. break
  329. }
  330. cert, err := x509.ParseCertificate(block.Bytes)
  331. if err == nil {
  332. return cert, nil
  333. }
  334. }
  335. return nil, fmt.Errorf("could not parse certificate value as PKCS#12, DER or PEM")
  336. }
  337. func getKeyFromValue(value []byte) (any, error) {
  338. val := value
  339. pemBlock, _ := pem.Decode(value)
  340. // if a private key regular expression doesn't match, we should consider this key to be symmetric
  341. if pemBlock == nil {
  342. return val, nil
  343. }
  344. val = pemBlock.Bytes
  345. switch pemBlock.Type {
  346. case "PRIVATE KEY":
  347. return x509.ParsePKCS8PrivateKey(val)
  348. case "RSA PRIVATE KEY":
  349. return x509.ParsePKCS1PrivateKey(val)
  350. case "EC PRIVATE KEY":
  351. return x509.ParseECPrivateKey(val)
  352. default:
  353. return nil, fmt.Errorf("key type %v is not supported", pemBlock.Type)
  354. }
  355. }
  356. func canCreate(tags map[string]*string, err error) (bool, error) {
  357. aerr := &autorest.DetailedError{}
  358. conv := errors.As(err, aerr)
  359. if err != nil && !conv {
  360. return false, fmt.Errorf("could not parse error: %w", err)
  361. }
  362. if conv && aerr.StatusCode != 404 {
  363. return false, fmt.Errorf("unexpected api error: %w", err)
  364. }
  365. if err == nil {
  366. manager, ok := tags["managed-by"]
  367. if !ok || manager == nil || *manager != managerLabel {
  368. return false, fmt.Errorf("not managed by external-secrets")
  369. }
  370. }
  371. return true, nil
  372. }
  373. func (a *Azure) setKeyVaultSecret(ctx context.Context, secretName string, value []byte) error {
  374. secret, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  375. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  376. ok, err := canCreate(secret.Tags, err)
  377. if err != nil {
  378. return fmt.Errorf("cannot get secret %v: %w", secretName, err)
  379. }
  380. if !ok {
  381. return nil
  382. }
  383. val := string(value)
  384. if secret.Value != nil && val == *secret.Value {
  385. return nil
  386. }
  387. secretParams := keyvault.SecretSetParameters{
  388. Value: &val,
  389. Tags: map[string]*string{
  390. "managed-by": pointer.To(managerLabel),
  391. },
  392. SecretAttributes: &keyvault.SecretAttributes{
  393. Enabled: pointer.To(true),
  394. },
  395. }
  396. _, err = a.baseClient.SetSecret(ctx, *a.provider.VaultURL, secretName, secretParams)
  397. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  398. if err != nil {
  399. return fmt.Errorf("could not set secret %v: %w", secretName, err)
  400. }
  401. return nil
  402. }
  403. func (a *Azure) setKeyVaultCertificate(ctx context.Context, secretName string, value []byte) error {
  404. val := b64.StdEncoding.EncodeToString(value)
  405. localCert, err := getCertificateFromValue(value)
  406. if err != nil {
  407. return fmt.Errorf("value from secret is not a valid certificate: %w", err)
  408. }
  409. cert, err := a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, secretName, "")
  410. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetCertificate, err)
  411. ok, err := canCreate(cert.Tags, err)
  412. if err != nil {
  413. return fmt.Errorf("cannot get certificate %v: %w", secretName, err)
  414. }
  415. if !ok {
  416. return nil
  417. }
  418. b512 := sha3.Sum512(localCert.Raw)
  419. if cert.Cer != nil && b512 == sha3.Sum512(*cert.Cer) {
  420. return nil
  421. }
  422. params := keyvault.CertificateImportParameters{
  423. Base64EncodedCertificate: &val,
  424. Tags: map[string]*string{
  425. "managed-by": pointer.To(managerLabel),
  426. },
  427. }
  428. _, err = a.baseClient.ImportCertificate(ctx, *a.provider.VaultURL, secretName, params)
  429. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVImportCertificate, err)
  430. if err != nil {
  431. return fmt.Errorf("could not import certificate %v: %w", secretName, err)
  432. }
  433. return nil
  434. }
  435. func equalKeys(newKey, oldKey keyvault.JSONWebKey) bool {
  436. // checks for everything except KeyID and KeyOps
  437. rsaCheck := newKey.E != nil && oldKey.E != nil && *newKey.E == *oldKey.E &&
  438. newKey.N != nil && oldKey.N != nil && *newKey.N == *oldKey.N
  439. symmetricCheck := newKey.Crv == oldKey.Crv &&
  440. newKey.T != nil && oldKey.T != nil && *newKey.T == *oldKey.T &&
  441. newKey.X != nil && oldKey.X != nil && *newKey.X == *oldKey.X &&
  442. newKey.Y != nil && oldKey.Y != nil && *newKey.Y == *oldKey.Y
  443. return newKey.Kty == oldKey.Kty && (rsaCheck || symmetricCheck)
  444. }
  445. func (a *Azure) setKeyVaultKey(ctx context.Context, secretName string, value []byte) error {
  446. key, err := getKeyFromValue(value)
  447. if err != nil {
  448. return fmt.Errorf("could not load private key %v: %w", secretName, err)
  449. }
  450. jwKey, err := jwk.FromRaw(key)
  451. if err != nil {
  452. return fmt.Errorf("failed to generate a JWK from secret %v content: %w", secretName, err)
  453. }
  454. buf, err := json.Marshal(jwKey)
  455. if err != nil {
  456. return fmt.Errorf("error parsing key: %w", err)
  457. }
  458. azkey := keyvault.JSONWebKey{}
  459. err = json.Unmarshal(buf, &azkey)
  460. if err != nil {
  461. return fmt.Errorf("error unmarshalling key: %w", err)
  462. }
  463. keyFromVault, err := a.baseClient.GetKey(ctx, *a.provider.VaultURL, secretName, "")
  464. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetKey, err)
  465. ok, err := canCreate(keyFromVault.Tags, err)
  466. if err != nil {
  467. return fmt.Errorf("cannot get key %v: %w", secretName, err)
  468. }
  469. if !ok {
  470. return nil
  471. }
  472. if keyFromVault.Key != nil && equalKeys(azkey, *keyFromVault.Key) {
  473. return nil
  474. }
  475. params := keyvault.KeyImportParameters{
  476. Key: &azkey,
  477. KeyAttributes: &keyvault.KeyAttributes{},
  478. Tags: map[string]*string{
  479. "managed-by": pointer.To(managerLabel),
  480. },
  481. }
  482. _, err = a.baseClient.ImportKey(ctx, *a.provider.VaultURL, secretName, params)
  483. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVImportKey, err)
  484. if err != nil {
  485. return fmt.Errorf("could not import key %v: %w", secretName, err)
  486. }
  487. return nil
  488. }
  489. // PushSecret stores secrets into a Key vault instance.
  490. func (a *Azure) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
  491. var (
  492. value []byte
  493. err error
  494. )
  495. if data.GetSecretKey() == "" {
  496. // Must convert secret values to string, otherwise data will be sent as base64 to Vault
  497. secretStringVal := make(map[string]string)
  498. for k, v := range secret.Data {
  499. secretStringVal[k] = string(v)
  500. }
  501. value, err = utils.JSONMarshal(secretStringVal)
  502. if err != nil {
  503. return fmt.Errorf("failed to serialize secret content as JSON: %w", err)
  504. }
  505. } else {
  506. value = secret.Data[data.GetSecretKey()]
  507. }
  508. objectType, secretName := getObjType(esv1beta1.ExternalSecretDataRemoteRef{Key: data.GetRemoteKey()})
  509. switch objectType {
  510. case defaultObjType:
  511. return a.setKeyVaultSecret(ctx, secretName, value)
  512. case objectTypeCert:
  513. return a.setKeyVaultCertificate(ctx, secretName, value)
  514. case objectTypeKey:
  515. return a.setKeyVaultKey(ctx, secretName, value)
  516. default:
  517. return fmt.Errorf("secret type %v not supported", objectType)
  518. }
  519. }
  520. // Implements store.Client.GetAllSecrets Interface.
  521. // Retrieves a map[string][]byte with the secret names as key and the secret itself as the calue.
  522. func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  523. basicClient := a.baseClient
  524. secretsMap := make(map[string][]byte)
  525. checkTags := len(ref.Tags) > 0
  526. checkName := ref.Name != nil && ref.Name.RegExp != ""
  527. secretListIter, err := basicClient.GetSecretsComplete(ctx, *a.provider.VaultURL, nil)
  528. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecrets, err)
  529. err = parseError(err)
  530. if err != nil {
  531. return nil, err
  532. }
  533. for secretListIter.NotDone() {
  534. secret := secretListIter.Value()
  535. ok, secretName := isValidSecret(checkTags, checkName, ref, secret)
  536. if !ok {
  537. err = secretListIter.Next()
  538. if err != nil {
  539. return nil, err
  540. }
  541. continue
  542. }
  543. secretResp, err := basicClient.GetSecret(ctx, *a.provider.VaultURL, secretName, "")
  544. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  545. err = parseError(err)
  546. if err != nil {
  547. return nil, err
  548. }
  549. secretValue := *secretResp.Value
  550. secretsMap[secretName] = []byte(secretValue)
  551. err = secretListIter.Next()
  552. if err != nil {
  553. return nil, err
  554. }
  555. }
  556. return secretsMap, nil
  557. }
  558. // Retrieves a tag value if specified and all tags in JSON format if not.
  559. func getSecretTag(tags map[string]*string, property string) ([]byte, error) {
  560. if property == "" {
  561. secretTagsData := make(map[string]string)
  562. for k, v := range tags {
  563. secretTagsData[k] = *v
  564. }
  565. return json.Marshal(secretTagsData)
  566. }
  567. if val, exist := tags[property]; exist {
  568. return []byte(*val), nil
  569. }
  570. idx := strings.Index(property, ".")
  571. if idx < 0 {
  572. return nil, fmt.Errorf(errTagNotExist, property)
  573. }
  574. if idx > 0 {
  575. tagName := property[0:idx]
  576. if val, exist := tags[tagName]; exist {
  577. key := strings.Replace(property, tagName+".", "", 1)
  578. return getProperty(*val, key, property)
  579. }
  580. }
  581. return nil, fmt.Errorf(errTagNotExist, property)
  582. }
  583. // Retrieves a property value if specified and the secret value if not.
  584. func getProperty(secret, property, key string) ([]byte, error) {
  585. if property == "" {
  586. return []byte(secret), nil
  587. }
  588. res := gjson.Get(secret, property)
  589. if !res.Exists() {
  590. idx := strings.Index(property, ".")
  591. if idx < 0 {
  592. return nil, fmt.Errorf(errPropNotExist, property, key)
  593. }
  594. escaped := strings.ReplaceAll(property, ".", "\\.")
  595. jValue := gjson.Get(secret, escaped)
  596. if jValue.Exists() {
  597. return []byte(jValue.String()), nil
  598. }
  599. return nil, fmt.Errorf(errPropNotExist, property, key)
  600. }
  601. return []byte(res.String()), nil
  602. }
  603. func parseError(err error) error {
  604. aerr := autorest.DetailedError{}
  605. if errors.As(err, &aerr) && aerr.StatusCode == 404 {
  606. return esv1beta1.NoSecretError{}
  607. }
  608. return err
  609. }
  610. // Implements store.Client.GetSecret Interface.
  611. // Retrieves a secret/Key/Certificate/Tag with the secret name defined in ref.Name
  612. // The Object Type is defined as a prefix in the ref.Name , if no prefix is defined , we assume a secret is required.
  613. func (a *Azure) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  614. objectType, secretName := getObjType(ref)
  615. switch objectType {
  616. case defaultObjType:
  617. // returns a SecretBundle with the secret value
  618. // https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#SecretBundle
  619. secretResp, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, ref.Version)
  620. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  621. err = parseError(err)
  622. if err != nil {
  623. return nil, err
  624. }
  625. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  626. return getSecretTag(secretResp.Tags, ref.Property)
  627. }
  628. return getProperty(*secretResp.Value, ref.Property, ref.Key)
  629. case objectTypeCert:
  630. // returns a CertBundle. We return CER contents of x509 certificate
  631. // see: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#CertificateBundle
  632. certResp, err := a.baseClient.GetCertificate(ctx, *a.provider.VaultURL, secretName, ref.Version)
  633. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetCertificate, err)
  634. err = parseError(err)
  635. if err != nil {
  636. return nil, err
  637. }
  638. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  639. return getSecretTag(certResp.Tags, ref.Property)
  640. }
  641. return *certResp.Cer, nil
  642. case objectTypeKey:
  643. // returns a KeyBundle that contains a jwk
  644. // azure kv returns only public keys
  645. // see: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault#KeyBundle
  646. keyResp, err := a.baseClient.GetKey(ctx, *a.provider.VaultURL, secretName, ref.Version)
  647. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetKey, err)
  648. err = parseError(err)
  649. if err != nil {
  650. return nil, err
  651. }
  652. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  653. return getSecretTag(keyResp.Tags, ref.Property)
  654. }
  655. return json.Marshal(keyResp.Key)
  656. }
  657. return nil, fmt.Errorf(errUnknownObjectType, secretName)
  658. }
  659. // returns a SecretBundle with the tags values.
  660. func (a *Azure) getSecretTags(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string]*string, error) {
  661. _, secretName := getObjType(ref)
  662. secretResp, err := a.baseClient.GetSecret(ctx, *a.provider.VaultURL, secretName, ref.Version)
  663. metrics.ObserveAPICall(constants.ProviderAzureKV, constants.CallAzureKVGetSecret, err)
  664. err = parseError(err)
  665. if err != nil {
  666. return nil, err
  667. }
  668. secretTagsData := make(map[string]*string)
  669. for tagname, tagval := range secretResp.Tags {
  670. name := secretName + "_" + tagname
  671. kv := make(map[string]string)
  672. err = json.Unmarshal([]byte(*tagval), &kv)
  673. // if the tagvalue is not in JSON format then we added to secretTagsData we added as it is
  674. if err != nil {
  675. secretTagsData[name] = tagval
  676. } else {
  677. for k, v := range kv {
  678. value := v
  679. secretTagsData[name+"_"+k] = &value
  680. }
  681. }
  682. }
  683. return secretTagsData, nil
  684. }
  685. // Implements store.Client.GetSecretMap Interface.
  686. // New version of GetSecretMap.
  687. func (a *Azure) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  688. objectType, secretName := getObjType(ref)
  689. switch objectType {
  690. case defaultObjType:
  691. data, err := a.GetSecret(ctx, ref)
  692. if err != nil {
  693. return nil, err
  694. }
  695. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  696. tags, _ := a.getSecretTags(ctx, ref)
  697. return getSecretMapProperties(tags, ref.Key, ref.Property), nil
  698. }
  699. return getSecretMapMap(data)
  700. case objectTypeCert:
  701. return nil, fmt.Errorf(errDataFromCert)
  702. case objectTypeKey:
  703. return nil, fmt.Errorf(errDataFromKey)
  704. }
  705. return nil, fmt.Errorf(errUnknownObjectType, secretName)
  706. }
  707. func getSecretMapMap(data []byte) (map[string][]byte, error) {
  708. kv := make(map[string]json.RawMessage)
  709. err := json.Unmarshal(data, &kv)
  710. if err != nil {
  711. return nil, fmt.Errorf(errUnmarshalJSONData, err)
  712. }
  713. secretData := make(map[string][]byte)
  714. for k, v := range kv {
  715. var strVal string
  716. err = json.Unmarshal(v, &strVal)
  717. if err == nil {
  718. secretData[k] = []byte(strVal)
  719. } else {
  720. secretData[k] = v
  721. }
  722. }
  723. return secretData, nil
  724. }
  725. func getSecretMapProperties(tags map[string]*string, key, property string) map[string][]byte {
  726. tagByteArray := make(map[string][]byte)
  727. if property != "" {
  728. keyPropertyName := key + "_" + property
  729. singleTag, _ := getSecretTag(tags, keyPropertyName)
  730. tagByteArray[keyPropertyName] = singleTag
  731. return tagByteArray
  732. }
  733. for k, v := range tags {
  734. tagByteArray[k] = []byte(*v)
  735. }
  736. return tagByteArray
  737. }
  738. func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider tokenProviderFunc) (autorest.Authorizer, error) {
  739. aadEndpoint := AadEndpointForType(a.provider.EnvironmentType)
  740. kvResource := kvResourceForProviderConfig(a.provider.EnvironmentType)
  741. // If no serviceAccountRef was provided
  742. // we expect certain env vars to be present.
  743. // They are set by the azure workload identity webhook
  744. // by adding the label `azure.workload.identity/use: "true"` to the external-secrets pod
  745. if a.provider.ServiceAccountRef == nil {
  746. clientID := os.Getenv("AZURE_CLIENT_ID")
  747. tenantID := os.Getenv("AZURE_TENANT_ID")
  748. tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
  749. if clientID == "" || tenantID == "" || tokenFilePath == "" {
  750. return nil, errors.New(errMissingWorkloadEnvVars)
  751. }
  752. token, err := os.ReadFile(tokenFilePath)
  753. if err != nil {
  754. return nil, fmt.Errorf(errReadTokenFile, tokenFilePath, err)
  755. }
  756. tp, err := tokenProvider(ctx, string(token), clientID, tenantID, aadEndpoint, kvResource)
  757. if err != nil {
  758. return nil, err
  759. }
  760. return autorest.NewBearerAuthorizer(tp), nil
  761. }
  762. ns := a.namespace
  763. if a.store.GetKind() == esv1beta1.ClusterSecretStoreKind && a.provider.ServiceAccountRef.Namespace != nil {
  764. ns = *a.provider.ServiceAccountRef.Namespace
  765. }
  766. var sa corev1.ServiceAccount
  767. err := a.crClient.Get(ctx, types.NamespacedName{
  768. Name: a.provider.ServiceAccountRef.Name,
  769. Namespace: ns,
  770. }, &sa)
  771. if err != nil {
  772. return nil, err
  773. }
  774. // Extract clientID
  775. var clientID string
  776. // First check if AuthSecretRef is set and clientID can be fetched from there
  777. if a.provider.AuthSecretRef != nil {
  778. if a.provider.AuthSecretRef.ClientID == nil {
  779. return nil, fmt.Errorf(errMissingClientIDSecret)
  780. }
  781. clientID, err = resolvers.SecretKeyRef(
  782. ctx,
  783. a.crClient,
  784. a.store.GetKind(),
  785. a.namespace, a.provider.AuthSecretRef.ClientID)
  786. if err != nil {
  787. return nil, err
  788. }
  789. }
  790. // If AuthSecretRef is not set, use default (Service Account) implementation
  791. // Try to get clientID from Annotations
  792. if len(sa.ObjectMeta.Annotations) > 0 {
  793. if val, found := sa.ObjectMeta.Annotations[AnnotationClientID]; found {
  794. // If clientID is defined in both Annotations and AuthSecretRef, return an error
  795. if clientID != "" {
  796. return nil, fmt.Errorf(errMultipleClientID)
  797. }
  798. clientID = val
  799. }
  800. }
  801. // Return an error if clientID is still empty
  802. if clientID == "" {
  803. return nil, fmt.Errorf(errMissingClient, AnnotationClientID)
  804. }
  805. // Extract tenantID
  806. var tenantID string
  807. // First check if AuthSecretRef is set and tenantID can be fetched from there
  808. if a.provider.AuthSecretRef != nil {
  809. // We may want to set tenantID explicitly in the `spec.provider.azurekv` section of the SecretStore object
  810. // So that is okay if it is not there
  811. if a.provider.AuthSecretRef.TenantID != nil {
  812. tenantID, err = resolvers.SecretKeyRef(
  813. ctx,
  814. a.crClient,
  815. a.store.GetKind(),
  816. a.namespace, a.provider.AuthSecretRef.TenantID)
  817. if err != nil {
  818. return nil, err
  819. }
  820. }
  821. }
  822. // Check if spec.provider.azurekv.tenantID is set
  823. if tenantID == "" && a.provider.TenantID != nil {
  824. tenantID = *a.provider.TenantID
  825. }
  826. // Try to get tenantID from Annotations first. Default implementation.
  827. if len(sa.ObjectMeta.Annotations) > 0 {
  828. if val, found := sa.ObjectMeta.Annotations[AnnotationTenantID]; found {
  829. // If tenantID is defined in both Annotations and AuthSecretRef, return an error
  830. if tenantID != "" {
  831. return nil, fmt.Errorf(errMultipleTenantID)
  832. }
  833. tenantID = val
  834. }
  835. }
  836. // Fallback: use the AZURE_TENANT_ID env var which is set by the azure workload identity webhook
  837. // https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html#service-account
  838. if tenantID == "" {
  839. tenantID = os.Getenv("AZURE_TENANT_ID")
  840. }
  841. // Return an error if tenantID is still empty
  842. if tenantID == "" {
  843. return nil, errors.New(errMissingTenant)
  844. }
  845. audiences := []string{AzureDefaultAudience}
  846. if len(a.provider.ServiceAccountRef.Audiences) > 0 {
  847. audiences = append(audiences, a.provider.ServiceAccountRef.Audiences...)
  848. }
  849. token, err := FetchSAToken(ctx, ns, a.provider.ServiceAccountRef.Name, audiences, a.kubeClient)
  850. if err != nil {
  851. return nil, err
  852. }
  853. tp, err := tokenProvider(ctx, token, clientID, tenantID, aadEndpoint, kvResource)
  854. if err != nil {
  855. return nil, err
  856. }
  857. return autorest.NewBearerAuthorizer(tp), nil
  858. }
  859. func FetchSAToken(ctx context.Context, ns, name string, audiences []string, kubeClient kcorev1.CoreV1Interface) (string, error) {
  860. token, err := kubeClient.ServiceAccounts(ns).CreateToken(ctx, name, &authv1.TokenRequest{
  861. Spec: authv1.TokenRequestSpec{
  862. Audiences: audiences,
  863. },
  864. }, metav1.CreateOptions{})
  865. if err != nil {
  866. return "", err
  867. }
  868. return token.Status.Token, nil
  869. }
  870. // tokenProvider satisfies the adal.OAuthTokenProvider interface.
  871. type tokenProvider struct {
  872. accessToken string
  873. }
  874. type tokenProviderFunc func(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error)
  875. func NewTokenProvider(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error) {
  876. // exchange token with Azure AccessToken
  877. cred := confidential.NewCredFromAssertionCallback(func(ctx context.Context, aro confidential.AssertionRequestOptions) (string, error) {
  878. return token, nil
  879. })
  880. cClient, err := confidential.New(fmt.Sprintf("%s%s/oauth2/token", aadEndpoint, tenantID), clientID, cred)
  881. if err != nil {
  882. return nil, err
  883. }
  884. scope := kvResource
  885. // .default needs to be added to the scope
  886. if !strings.Contains(kvResource, ".default") {
  887. scope = fmt.Sprintf("%s/.default", kvResource)
  888. }
  889. authRes, err := cClient.AcquireTokenByCredential(ctx, []string{
  890. scope,
  891. })
  892. if err != nil {
  893. return nil, err
  894. }
  895. return &tokenProvider{
  896. accessToken: authRes.AccessToken,
  897. }, nil
  898. }
  899. func (t *tokenProvider) OAuthToken() string {
  900. return t.accessToken
  901. }
  902. func (a *Azure) authorizerForManagedIdentity() (autorest.Authorizer, error) {
  903. msiConfig := kvauth.NewMSIConfig()
  904. msiConfig.Resource = kvResourceForProviderConfig(a.provider.EnvironmentType)
  905. if a.provider.IdentityID != nil {
  906. msiConfig.ClientID = *a.provider.IdentityID
  907. }
  908. return msiConfig.Authorizer()
  909. }
  910. func (a *Azure) authorizerForServicePrincipal(ctx context.Context) (autorest.Authorizer, error) {
  911. if a.provider.TenantID == nil {
  912. return nil, fmt.Errorf(errMissingTenant)
  913. }
  914. if a.provider.AuthSecretRef == nil {
  915. return nil, fmt.Errorf(errMissingSecretRef)
  916. }
  917. if a.provider.AuthSecretRef.ClientID == nil || (a.provider.AuthSecretRef.ClientSecret == nil && a.provider.AuthSecretRef.ClientCertificate == nil) {
  918. return nil, fmt.Errorf(errMissingClientIDSecret)
  919. }
  920. if a.provider.AuthSecretRef.ClientSecret != nil && a.provider.AuthSecretRef.ClientCertificate != nil {
  921. return nil, fmt.Errorf(errInvalidClientCredentials)
  922. }
  923. return a.getAuthorizerFromCredentials(ctx)
  924. }
  925. func (a *Azure) getAuthorizerFromCredentials(ctx context.Context) (autorest.Authorizer, error) {
  926. clientID, err := resolvers.SecretKeyRef(
  927. ctx,
  928. a.crClient,
  929. a.store.GetKind(),
  930. a.namespace, a.provider.AuthSecretRef.ClientID,
  931. )
  932. if err != nil {
  933. return nil, err
  934. }
  935. if a.provider.AuthSecretRef.ClientSecret != nil {
  936. clientSecret, err := resolvers.SecretKeyRef(
  937. ctx,
  938. a.crClient,
  939. a.store.GetKind(),
  940. a.namespace, a.provider.AuthSecretRef.ClientSecret,
  941. )
  942. if err != nil {
  943. return nil, err
  944. }
  945. return getAuthorizerForClientSecret(
  946. clientID,
  947. clientSecret,
  948. *a.provider.TenantID,
  949. a.provider.EnvironmentType,
  950. )
  951. } else {
  952. clientCertificate, err := resolvers.SecretKeyRef(
  953. ctx,
  954. a.crClient,
  955. a.store.GetKind(),
  956. a.namespace, a.provider.AuthSecretRef.ClientCertificate,
  957. )
  958. if err != nil {
  959. return nil, err
  960. }
  961. return getAuthorizerForClientCertificate(
  962. clientID,
  963. []byte(clientCertificate),
  964. *a.provider.TenantID,
  965. a.provider.EnvironmentType,
  966. )
  967. }
  968. }
  969. func getAuthorizerForClientSecret(clientID, clientSecret, tenantID string, environmentType esv1beta1.AzureEnvironmentType) (autorest.Authorizer, error) {
  970. clientCredentialsConfig := kvauth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
  971. clientCredentialsConfig.Resource = kvResourceForProviderConfig(environmentType)
  972. clientCredentialsConfig.AADEndpoint = AadEndpointForType(environmentType)
  973. return clientCredentialsConfig.Authorizer()
  974. }
  975. func getAuthorizerForClientCertificate(clientID string, certificateBytes []byte, tenantID string, environmentType esv1beta1.AzureEnvironmentType) (autorest.Authorizer, error) {
  976. clientCertificateConfig := NewClientInMemoryCertificateConfig(clientID, certificateBytes, tenantID)
  977. clientCertificateConfig.Resource = kvResourceForProviderConfig(environmentType)
  978. clientCertificateConfig.AADEndpoint = AadEndpointForType(environmentType)
  979. return clientCertificateConfig.Authorizer()
  980. }
  981. func (a *Azure) Close(_ context.Context) error {
  982. return nil
  983. }
  984. func (a *Azure) Validate() (esv1beta1.ValidationResult, error) {
  985. if a.store.GetKind() == esv1beta1.ClusterSecretStoreKind && isReferentSpec(a.provider) {
  986. return esv1beta1.ValidationResultUnknown, nil
  987. }
  988. return esv1beta1.ValidationResultReady, nil
  989. }
  990. func isReferentSpec(prov *esv1beta1.AzureKVProvider) bool {
  991. if prov.AuthSecretRef != nil &&
  992. ((prov.AuthSecretRef.ClientID != nil &&
  993. prov.AuthSecretRef.ClientID.Namespace == nil) ||
  994. (prov.AuthSecretRef.ClientSecret != nil &&
  995. prov.AuthSecretRef.ClientSecret.Namespace == nil)) {
  996. return true
  997. }
  998. if prov.ServiceAccountRef != nil &&
  999. prov.ServiceAccountRef.Namespace == nil {
  1000. return true
  1001. }
  1002. return false
  1003. }
  1004. func AadEndpointForType(t esv1beta1.AzureEnvironmentType) string {
  1005. switch t {
  1006. case esv1beta1.AzureEnvironmentPublicCloud:
  1007. return azure.PublicCloud.ActiveDirectoryEndpoint
  1008. case esv1beta1.AzureEnvironmentChinaCloud:
  1009. return azure.ChinaCloud.ActiveDirectoryEndpoint
  1010. case esv1beta1.AzureEnvironmentUSGovernmentCloud:
  1011. return azure.USGovernmentCloud.ActiveDirectoryEndpoint
  1012. case esv1beta1.AzureEnvironmentGermanCloud:
  1013. return azure.GermanCloud.ActiveDirectoryEndpoint
  1014. default:
  1015. return azure.PublicCloud.ActiveDirectoryEndpoint
  1016. }
  1017. }
  1018. func ServiceManagementEndpointForType(t esv1beta1.AzureEnvironmentType) string {
  1019. switch t {
  1020. case esv1beta1.AzureEnvironmentPublicCloud:
  1021. return azure.PublicCloud.ServiceManagementEndpoint
  1022. case esv1beta1.AzureEnvironmentChinaCloud:
  1023. return azure.ChinaCloud.ServiceManagementEndpoint
  1024. case esv1beta1.AzureEnvironmentUSGovernmentCloud:
  1025. return azure.USGovernmentCloud.ServiceManagementEndpoint
  1026. case esv1beta1.AzureEnvironmentGermanCloud:
  1027. return azure.GermanCloud.ServiceManagementEndpoint
  1028. default:
  1029. return azure.PublicCloud.ServiceManagementEndpoint
  1030. }
  1031. }
  1032. func kvResourceForProviderConfig(t esv1beta1.AzureEnvironmentType) string {
  1033. var res string
  1034. switch t {
  1035. case esv1beta1.AzureEnvironmentPublicCloud:
  1036. res = azure.PublicCloud.KeyVaultEndpoint
  1037. case esv1beta1.AzureEnvironmentChinaCloud:
  1038. res = azure.ChinaCloud.KeyVaultEndpoint
  1039. case esv1beta1.AzureEnvironmentUSGovernmentCloud:
  1040. res = azure.USGovernmentCloud.KeyVaultEndpoint
  1041. case esv1beta1.AzureEnvironmentGermanCloud:
  1042. res = azure.GermanCloud.KeyVaultEndpoint
  1043. default:
  1044. res = azure.PublicCloud.KeyVaultEndpoint
  1045. }
  1046. return strings.TrimSuffix(res, "/")
  1047. }
  1048. func getObjType(ref esv1beta1.ExternalSecretDataRemoteRef) (string, string) {
  1049. objectType := defaultObjType
  1050. secretName := ref.Key
  1051. nameSplitted := strings.Split(secretName, "/")
  1052. if len(nameSplitted) > 1 {
  1053. objectType = nameSplitted[0]
  1054. secretName = nameSplitted[1]
  1055. // TODO: later tokens can be used to read the secret tags
  1056. }
  1057. return objectType, secretName
  1058. }
  1059. func isValidSecret(checkTags, checkName bool, ref esv1beta1.ExternalSecretFind, secret keyvault.SecretItem) (bool, string) {
  1060. if secret.ID == nil || !*secret.Attributes.Enabled {
  1061. return false, ""
  1062. }
  1063. if checkTags && !okByTags(ref, secret) {
  1064. return false, ""
  1065. }
  1066. secretName := path.Base(*secret.ID)
  1067. if checkName && !okByName(ref, secretName) {
  1068. return false, ""
  1069. }
  1070. return true, secretName
  1071. }
  1072. func okByName(ref esv1beta1.ExternalSecretFind, secretName string) bool {
  1073. matches, _ := regexp.MatchString(ref.Name.RegExp, secretName)
  1074. return matches
  1075. }
  1076. func okByTags(ref esv1beta1.ExternalSecretFind, secret keyvault.SecretItem) bool {
  1077. tagsFound := true
  1078. for k, v := range ref.Tags {
  1079. if val, ok := secret.Tags[k]; !ok || *val != v {
  1080. tagsFound = false
  1081. break
  1082. }
  1083. }
  1084. return tagsFound
  1085. }