Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: ef30f69604
Branches Tags
helm-externa...
/
providers
/
v1
/
dvls
/
client.go

client.go 7.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package dvls
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"net/http"
    24. 

  24. 	"strings"
    25. 

  25. 

  26. 	"github.com/Devolutions/go-dvls"
    27. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 

  29. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    30. 

  30. )
    31. 

  31. 

  32. const errFailedToGetEntry = "failed to get entry: %w"
    33. 

  33. 

  34. var errNotImplemented = errors.New("not implemented")
    35. 

  35. 

  36. var _ esv1.SecretsClient = &Client{}
    37. 

  37. 

  38. // Client implements the SecretsClient interface for DVLS.
    39. 

  39. type Client struct {
    40. 

  40. 	dvls credentialClient
    41. 

  41. }
    42. 

  42. 

  43. type credentialClient interface {
    44. 

  44. 	GetByID(ctx context.Context, vaultID, entryID string) (dvls.Entry, error)
    45. 

  45. 	Update(ctx context.Context, entry dvls.Entry) (dvls.Entry, error)
    46. 

  46. 	DeleteByID(ctx context.Context, vaultID, entryID string) error
    47. 

  47. }
    48. 

  48. 

  49. type realCredentialClient struct {
    50. 

  50. 	cred *dvls.EntryCredentialService
    51. 

  51. }
    52. 

  52. 

  53. func (r *realCredentialClient) GetByID(ctx context.Context, vaultID, entryID string) (dvls.Entry, error) {
    54. 

  54. 	return r.cred.GetByIdWithContext(ctx, vaultID, entryID)
    55. 

  55. }
    56. 

  56. 

  57. func (r *realCredentialClient) Update(ctx context.Context, entry dvls.Entry) (dvls.Entry, error) {
    58. 

  58. 	return r.cred.UpdateWithContext(ctx, entry)
    59. 

  59. }
    60. 

  60. 

  61. func (r *realCredentialClient) DeleteByID(ctx context.Context, vaultID, entryID string) error {
    62. 

  62. 	return r.cred.DeleteByIdWithContext(ctx, vaultID, entryID)
    63. 

  63. }
    64. 

  64. 

  65. // NewClient creates a new DVLS secrets client.
    66. 

  66. func NewClient(dvlsClient credentialClient) *Client {
    67. 

  67. 	return &Client{dvls: dvlsClient}
    68. 

  68. }
    69. 

  69. 

  70. // GetSecret retrieves a secret from DVLS.
    71. 

  71. func (c *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
    72. 

  72. 	vaultID, entryID, err := c.parseSecretRef(ref.Key)
    73. 

  73. 	if err != nil {
    74. 

  74. 		return nil, err
    75. 

  75. 	}
    76. 

  76. 

  77. 	entry, err := c.dvls.GetByID(ctx, vaultID, entryID)
    78. 

  78. 	if isNotFoundError(err) {
    79. 

  79. 		return nil, esv1.NoSecretErr
    80. 

  80. 	}
    81. 

  81. 	if err != nil {
    82. 

  82. 		return nil, fmt.Errorf(errFailedToGetEntry, err)
    83. 

  83. 	}
    84. 

  84. 

  85. 	secretMap, err := c.entryToSecretMap(entry)
    86. 

  86. 	if err != nil {
    87. 

  87. 		return nil, err
    88. 

  88. 	}
    89. 

  89. 

  90. 	// Default to "password" when no property specified (consistent with 1Password provider).
    91. 

  91. 	property := ref.Property
    92. 

  92. 	if property == "" {
    93. 

  93. 		property = "password"
    94. 

  94. 	}
    95. 

  95. 

  96. 	value, ok := secretMap[property]
    97. 

  97. 	if !ok {
    98. 

  98. 		return nil, fmt.Errorf("property %q not found in entry", property)
    99. 

  99. 	}
    100. 

  100. 	return value, nil
    101. 

  101. }
    102. 

  102. 

  103. // GetSecretMap retrieves all fields from a DVLS entry.
    104. 

  104. func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    105. 

  105. 	vaultID, entryID, err := c.parseSecretRef(ref.Key)
    106. 

  106. 	if err != nil {
    107. 

  107. 		return nil, err
    108. 

  108. 	}
    109. 

  109. 

  110. 	entry, err := c.dvls.GetByID(ctx, vaultID, entryID)
    111. 

  111. 	if isNotFoundError(err) {
    112. 

  112. 		return nil, esv1.NoSecretErr
    113. 

  113. 	}
    114. 

  114. 	if err != nil {
    115. 

  115. 		return nil, fmt.Errorf(errFailedToGetEntry, err)
    116. 

  116. 	}
    117. 

  117. 

  118. 	return c.entryToSecretMap(entry)
    119. 

  119. }
    120. 

  120. 

  121. // GetAllSecrets is not implemented for DVLS.
    122. 

  122. func (c *Client) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
    123. 

  123. 	return nil, errNotImplemented
    124. 

  124. }
    125. 

  125. 

  126. // PushSecret updates an existing entry's password field.
    127. 

  127. func (c *Client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
    128. 

  128. 	if secret == nil {
    129. 

  129. 		return errors.New("secret is required for DVLS push")
    130. 

  130. 	}
    131. 

  131. 	vaultID, entryID, err := c.parseSecretRef(data.GetRemoteKey())
    132. 

  132. 	if err != nil {
    133. 

  133. 		return err
    134. 

  134. 	}
    135. 

  135. 

  136. 	value, err := extractPushValue(secret, data)
    137. 

  137. 	if err != nil {
    138. 

  138. 		return err
    139. 

  139. 	}
    140. 

  140. 

  141. 	existingEntry, err := c.dvls.GetByID(ctx, vaultID, entryID)
    142. 

  142. 	if isNotFoundError(err) {
    143. 

  143. 		return fmt.Errorf("entry %s not found in vault %s: entry must exist before pushing secrets", entryID, vaultID)
    144. 

  144. 	}
    145. 

  145. 	if err != nil {
    146. 

  146. 		return fmt.Errorf(errFailedToGetEntry, err)
    147. 

  147. 	}
    148. 

  148. 

  149. 	// SetCredentialSecret only updates the password/secret field.
    150. 

  150. 	if err := existingEntry.SetCredentialSecret(string(value)); err != nil {
    151. 

  151. 		return err
    152. 

  152. 	}
    153. 

  153. 

  154. 	_, err = c.dvls.Update(ctx, existingEntry)
    155. 

  155. 	if err != nil {
    156. 

  156. 		return fmt.Errorf("failed to update entry: %w", err)
    157. 

  157. 	}
    158. 

  158. 	return nil
    159. 

  159. }
    160. 

  160. 

  161. // DeleteSecret deletes a secret from DVLS.
    162. 

  162. func (c *Client) DeleteSecret(ctx context.Context, ref esv1.PushSecretRemoteRef) error {
    163. 

  163. 	vaultID, entryID, err := c.parseSecretRef(ref.GetRemoteKey())
    164. 

  164. 	if err != nil {
    165. 

  165. 		return err
    166. 

  166. 	}
    167. 

  167. 	return c.dvls.DeleteByID(ctx, vaultID, entryID)
    168. 

  168. }
    169. 

  169. 

  170. // SecretExists checks if a secret exists in DVLS.
    171. 

  171. func (c *Client) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
    172. 

  172. 	vaultID, entryID, err := c.parseSecretRef(ref.GetRemoteKey())
    173. 

  173. 	if err != nil {
    174. 

  174. 		return false, err
    175. 

  175. 	}
    176. 

  176. 

  177. 	_, err = c.dvls.GetByID(ctx, vaultID, entryID)
    178. 

  178. 	if isNotFoundError(err) {
    179. 

  179. 		return false, nil
    180. 

  180. 	}
    181. 

  181. 	if err != nil {
    182. 

  182. 		return false, err
    183. 

  183. 	}
    184. 

  184. 	return true, nil
    185. 

  185. }
    186. 

  186. 

  187. // Validate checks if the client is properly configured.
    188. 

  188. func (c *Client) Validate() (esv1.ValidationResult, error) {
    189. 

  189. 	if c.dvls == nil {
    190. 

  190. 		return esv1.ValidationResultError, errors.New("DVLS client is not initialized")
    191. 

  191. 	}
    192. 

  192. 	return esv1.ValidationResultReady, nil
    193. 

  193. }
    194. 

  194. 

  195. // Close is a no-op for the DVLS client.
    196. 

  196. func (c *Client) Close(_ context.Context) error {
    197. 

  197. 	return nil
    198. 

  198. }
    199. 

  199. 

  200. // parseSecretRef parses the secret reference key.
    201. 

  201. // Format: "<vault-id>/<entry-id>".
    202. 

  202. func (c *Client) parseSecretRef(key string) (vaultID, entryID string, err error) {
    203. 

  203. 	parts := strings.SplitN(key, "/", 2)
    204. 

  204. 	if len(parts) != 2 {
    205. 

  205. 		return "", "", fmt.Errorf("invalid key format: expected '<vault-id>/<entry-id>', got %q", key)
    206. 

  206. 	}
    207. 

  207. 

  208. 	vaultID = strings.TrimSpace(parts[0])
    209. 

  209. 	entryID = strings.TrimSpace(parts[1])
    210. 

  210. 

  211. 	if vaultID == "" {
    212. 

  212. 		return "", "", errors.New("vault ID cannot be empty")
    213. 

  213. 	}
    214. 

  214. 	if entryID == "" {
    215. 

  215. 		return "", "", errors.New("entry ID cannot be empty")
    216. 

  216. 	}
    217. 

  217. 

  218. 	return vaultID, entryID, nil
    219. 

  219. }
    220. 

  220. 

  221. // entryToSecretMap converts a DVLS entry to a map of secret values.
    222. 

  222. func (c *Client) entryToSecretMap(entry dvls.Entry) (map[string][]byte, error) {
    223. 

  223. 	secretMap, err := entry.ToCredentialMap()
    224. 

  224. 	if err != nil {
    225. 

  225. 		return nil, err
    226. 

  226. 	}
    227. 

  227. 

  228. 	result := make(map[string][]byte, len(secretMap))
    229. 

  229. 	for k, v := range secretMap {
    230. 

  230. 		result[k] = []byte(v)
    231. 

  231. 	}
    232. 

  232. 

  233. 	return result, nil
    234. 

  234. }
    235. 

  235. 

  236. func extractPushValue(secret *corev1.Secret, data esv1.PushSecretData) ([]byte, error) {
    237. 

  237. 	if data.GetSecretKey() == "" {
    238. 

  238. 		return nil, fmt.Errorf("secretKey is required for DVLS push")
    239. 

  239. 	}
    240. 

  240. 

  241. 	if secret.Data == nil {
    242. 

  242. 		return nil, fmt.Errorf("secret %q has no data", secret.Name)
    243. 

  243. 	}
    244. 

  244. 

  245. 	value, ok := secret.Data[data.GetSecretKey()]
    246. 

  246. 	if !ok {
    247. 

  247. 		return nil, fmt.Errorf("key %q not found in secret %q", data.GetSecretKey(), secret.Name)
    248. 

  248. 	}
    249. 

  249. 

  250. 	if len(value) == 0 {
    251. 

  251. 		return nil, fmt.Errorf("key %q in secret %q is empty", data.GetSecretKey(), secret.Name)
    252. 

  252. 	}
    253. 

  253. 

  254. 	return value, nil
    255. 

  255. }
    256. 

  256. 

  257. func isNotFoundError(err error) bool {
    258. 

  258. 	if err == nil {
    259. 

  259. 		return false
    260. 

  260. 	}
    261. 

  261. 

  262. 	if dvls.IsNotFound(err) {
    263. 

  263. 		return true
    264. 

  264. 	}
    265. 

  265. 

  266. 	var reqErr dvls.RequestError
    267. 

  267. 	return errors.As(err, &reqErr) && reqErr.StatusCode == http.StatusNotFound
    268. 

  268. }
    269.