Inicio Explorar Axuda
Iniciar sesión
logic855
/
helm-external-secrets
réplica de https://github.com/external-secrets/external-secrets
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: helm-chart
Ramas Etiquetas
helm-externa...
/
providers
/
v1
/
barbican
/
client.go

client.go 6.0 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package barbican client implementation.
    18. 

  18. package barbican
    19. 

  19. 

  20. import (
    21. 

  21. 	"context"
    22. 

  22. 	"encoding/json"
    23. 

  23. 	"errors"
    24. 

  24. 	"fmt"
    25. 

  25. 	"strings"
    26. 

  26. 

  27. 	"github.com/gophercloud/gophercloud/v2"
    28. 

  28. 	"github.com/gophercloud/gophercloud/v2/openstack/keymanager/v1/secrets"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 

  31. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    32. 

  32. )
    33. 

  33. 

  34. const (
    35. 

  35. 	errClientGeneric                  = "barbican client: %w"
    36. 

  36. 	errClientMissingField             = "barbican client: missing field %w"
    37. 

  37. 	errClientListAllSecrets           = "barbican client: failed to list all secrets: %w"
    38. 

  38. 	errClientExtractSecrets           = "barbican client: failed to extract secrets: %w"
    39. 

  39. 	errClientGetSecretPayload         = "barbican client: failed to get secret payload: %w"
    40. 

  40. 	errClientGetSecretPayloadProperty = "barbican client: failed to get secret payload property: %w"
    41. 

  41. 	errClientJSONUnmarshal            = "barbican client: failed to unmarshal json: %w"
    42. 

  42. )
    43. 

  43. 

  44. var _ esapi.SecretsClient = &Client{}
    45. 

  45. 

  46. // Client is a Barbican secrets client.
    47. 

  47. type Client struct {
    48. 

  48. 	keyManager *gophercloud.ServiceClient
    49. 

  49. }
    50. 

  50. 

  51. // GetAllSecrets retrieves all secrets matching the given name.
    52. 

  52. func (c *Client) GetAllSecrets(ctx context.Context, ref esapi.ExternalSecretFind) (map[string][]byte, error) {
    53. 

  53. 	if ref.Name == nil || ref.Name.RegExp == "" {
    54. 

  54. 		return nil, fmt.Errorf(errClientMissingField, errors.New("name and/or regexp"))
    55. 

  55. 	}
    56. 

  56. 

  57. 	opts := secrets.ListOpts{
    58. 

  58. 		Name: ref.Name.RegExp,
    59. 

  59. 	}
    60. 

  60. 

  61. 	allPages, err := secrets.List(c.keyManager, opts).AllPages(ctx)
    62. 

  62. 	if err != nil {
    63. 

  63. 		return nil, fmt.Errorf(errClientListAllSecrets, err)
    64. 

  64. 	}
    65. 

  65. 

  66. 	allSecrets, err := secrets.ExtractSecrets(allPages)
    67. 

  67. 	if err != nil {
    68. 

  68. 		return nil, fmt.Errorf(errClientExtractSecrets, err)
    69. 

  69. 	}
    70. 

  70. 

  71. 	if len(allSecrets) == 0 {
    72. 

  72. 		return nil, fmt.Errorf(errClientGeneric, errors.New("no secrets found"))
    73. 

  73. 	}
    74. 

  74. 

  75. 	var secretsMap = make(map[string][]byte)
    76. 

  76. 

  77. 	// return a secret map with all found secrets.
    78. 

  78. 	for _, secret := range allSecrets {
    79. 

  79. 		secretUUID := extractUUIDFromRef(secret.SecretRef)
    80. 

  80. 		secretsMap[secretUUID], err = secrets.GetPayload(ctx, c.keyManager, secretUUID, nil).Extract()
    81. 

  81. 		if err != nil {
    82. 

  82. 			return nil, fmt.Errorf(errClientGetSecretPayload, fmt.Errorf("failed to get secret payload for secret %s: %w", secretUUID, err))
    83. 

  83. 		}
    84. 

  84. 	}
    85. 

  85. 	return secretsMap, nil
    86. 

  86. }
    87. 

  87. 

  88. // GetSecret retrieves a secret from Barbican.
    89. 

  89. func (c *Client) GetSecret(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) ([]byte, error) {
    90. 

  90. 	payload, err := secrets.GetPayload(ctx, c.keyManager, ref.Key, nil).Extract()
    91. 

  91. 	if err != nil {
    92. 

  92. 		return nil, fmt.Errorf(errClientGetSecretPayload, err)
    93. 

  93. 	}
    94. 

  94. 

  95. 	if ref.Property == "" {
    96. 

  96. 		return payload, nil
    97. 

  97. 	}
    98. 

  98. 

  99. 	propertyValue, err := getSecretPayloadProperty(payload, ref.Property)
    100. 

  100. 	if err != nil {
    101. 

  101. 		return nil, fmt.Errorf(errClientGetSecretPayloadProperty, fmt.Errorf("failed to get property %s from secret payload: %w", ref.Property, err))
    102. 

  102. 	}
    103. 

  103. 

  104. 	return propertyValue, nil
    105. 

  105. }
    106. 

  106. 

  107. // GetSecretMap retrieves a secret and parses it as a JSON object.
    108. 

  108. func (c *Client) GetSecretMap(ctx context.Context, ref esapi.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    109. 

  109. 	payload, err := c.GetSecret(ctx, ref)
    110. 

  110. 	if err != nil {
    111. 

  111. 		return nil, fmt.Errorf(errClientGeneric, err)
    112. 

  112. 	}
    113. 

  113. 

  114. 	var rawJSON map[string]json.RawMessage
    115. 

  115. 	if err := json.Unmarshal(payload, &rawJSON); err != nil {
    116. 

  116. 		return nil, fmt.Errorf(errClientJSONUnmarshal, err)
    117. 

  117. 	}
    118. 

  118. 

  119. 	secretMap := make(map[string][]byte, len(rawJSON))
    120. 

  120. 	for k, v := range rawJSON {
    121. 

  121. 		secretMap[k] = []byte(v)
    122. 

  122. 	}
    123. 

  123. 

  124. 	return secretMap, nil
    125. 

  125. }
    126. 

  126. 

  127. // PushSecret is not implemented right now for Barbican.
    128. 

  128. func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esapi.PushSecretData) error {
    129. 

  129. 	return fmt.Errorf("barbican provider does not support pushing secrets")
    130. 

  130. }
    131. 

  131. 

  132. // SecretExists is not implemented right now for Barbican.
    133. 

  133. func (c *Client) SecretExists(_ context.Context, _ esapi.PushSecretRemoteRef) (bool, error) {
    134. 

  134. 	return false, fmt.Errorf("barbican provider does not pushing secrets with update policy IfNotExists")
    135. 

  135. }
    136. 

  136. 

  137. // DeleteSecret is not implemented right now for Barbican.
    138. 

  138. func (c *Client) DeleteSecret(_ context.Context, _ esapi.PushSecretRemoteRef) error {
    139. 

  139. 	return fmt.Errorf("barbican provider does not support deleting secrets (delete policy Delete)")
    140. 

  140. }
    141. 

  141. 

  142. // Validate checks if the client is properly configured.
    143. 

  143. func (c *Client) Validate() (esapi.ValidationResult, error) {
    144. 

  144. 	return esapi.ValidationResultUnknown, nil
    145. 

  145. }
    146. 

  146. 

  147. // Close closes the client and any underlying connections.
    148. 

  148. func (c *Client) Close(_ context.Context) error {
    149. 

  149. 	return nil
    150. 

  150. }
    151. 

  151. 

  152. // getSecretPayloadProperty extracts a property from a JSON payload.
    153. 

  153. func getSecretPayloadProperty(payload []byte, property string) ([]byte, error) {
    154. 

  154. 	if property == "" {
    155. 

  155. 		return payload, nil
    156. 

  156. 	}
    157. 

  157. 

  158. 	var rawJSON map[string]json.RawMessage
    159. 

  159. 	if err := json.Unmarshal(payload, &rawJSON); err != nil {
    160. 

  160. 		return nil, fmt.Errorf(errClientJSONUnmarshal, err)
    161. 

  161. 	}
    162. 

  162. 

  163. 	value, ok := rawJSON[property]
    164. 

  164. 	if !ok {
    165. 

  165. 		return nil, fmt.Errorf(errClientGeneric, fmt.Errorf("property %s not found in secret payload", property))
    166. 

  166. 	}
    167. 

  167. 

  168. 	return value, nil
    169. 

  169. }
    170. 

  170. 

  171. // extractUUIDFromRef extracts the UUID from a Barbican secret reference URL.
    172. 

  172. func extractUUIDFromRef(secretRef string) string {
    173. 

  173. 	// Barbican secret refs are usually of the form: https://<endpoint>/v1/secrets/<uuid>
    174. 

  174. 	// We'll just take the last part after the last '/'
    175. 

  175. 	// If there's a trailing slash, the UUID part would be empty, so return empty string
    176. 

  176. 

  177. 	lastSlash := strings.LastIndex(secretRef, "/")
    178. 

  178. 	if lastSlash > -1 {
    179. 

  179. 		return secretRef[lastSlash+1:] // <- will not result in overflow even if it's the last `/`
    180. 

  180. 	}
    181. 

  181. 

  182. 	return ""
    183. 

  183. }
    184.