Acasă Explorează Ajutor
Autentificare
logic855
/
helm-external-secrets
oglindă de https://github.com/external-secrets/external-secrets
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Ramură: main
Ramuri Etichete
helm-external-s...
/
generators
/
v1
/
beyondtrustworkloadcredentials
/
beyondtrustworkloadcredentials.go

beyondtrustworkloadcredentials.go 6.2 KB
Permalink Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8. 	https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package beyondtrustworkloadcredentialsdynamic provides a generator for BeyondTrust Workload Credentials dynamic credentials.
    18. 

  18. package beyondtrustworkloadcredentialsdynamic
    19. 

  19. 

  20. import (
    21. 

  21. 	"context"
    22. 

  22. 	"encoding/json"
    23. 

  23. 	"errors"
    24. 

  24. 	"fmt"
    25. 

  25. 	"strings"
    26. 

  26. 

  27. 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
    28. 

  28. 	"sigs.k8s.io/controller-runtime/pkg/client"
    29. 

  29. 	"sigs.k8s.io/yaml"
    30. 

  30. 

  31. 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
    32. 

  32. 	beyondtrustworkloadcredentialsprovider "github.com/external-secrets/external-secrets/providers/v1/beyondtrustworkloadcredentials"
    33. 

  33. 	"github.com/external-secrets/external-secrets/providers/v1/beyondtrustworkloadcredentials/httpclient"
    34. 

  34. 	btwcutil "github.com/external-secrets/external-secrets/providers/v1/beyondtrustworkloadcredentials/util"
    35. 

  35. )
    36. 

  36. 

  37. // Generator implements BeyondtrustWorkloadCredentials dynamic generator.
    38. 

  38. type Generator struct {
    39. 

  39. 	// NewBeyondtrustWorkloadCredentialsClient is a factory function to create a BeyondtrustWorkloadCredentials client.
    40. 

  40. 	// If nil, defaults to httpclient.NewBeyondtrustWorkloadCredentialsClient.
    41. 

  41. 	NewBeyondtrustWorkloadCredentialsClient func(server, token string) (btwcutil.Client, error)
    42. 

  42. }
    43. 

  43. 

  44. const (
    45. 

  45. 	errNoSpec        = "no config spec provided"
    46. 

  46. 	errParseSpec     = "unable to parse spec: %w"
    47. 

  47. 	errMissingConfig = "no beyondtrustworkloadcredentials provider config in spec"
    48. 

  48. 	errNoPath        = "path is required in spec"
    49. 

  49. 	errGetSecret     = "unable to generate dynamic secret: %w"
    50. 

  50. )
    51. 

  51. 

  52. // Generate creates the dynamic credentials by calling BeyondtrustWorkloadCredentials generate endpoint.
    53. 

  53. func (g *Generator) Generate(ctx context.Context, jsonSpec *apiextensions.JSON, kube client.Client, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
    54. 

  54. 	spec, err := getDynamicSecretSpec(jsonSpec)
    55. 

  55. 	if err != nil {
    56. 

  56. 		return nil, nil, err
    57. 

  57. 	}
    58. 

  58. 	provider := spec.Spec.Provider
    59. 

  59. 

  60. 	// parse and validate folder path and secret name early
    61. 

  61. 	fullPath := spec.Spec.Provider.FolderPath
    62. 

  62. 	folderPath, secretName := parsePath(fullPath)
    63. 

  63. 	if secretName == "" {
    64. 

  64. 		return nil, nil, fmt.Errorf("invalid path: missing secret name in %q", fullPath)
    65. 

  65. 	}
    66. 

  66. 

  67. 	// create BeyondtrustWorkloadCredentials provider and initialize a client for generator controller
    68. 

  68. 	clientFactory := g.NewBeyondtrustWorkloadCredentialsClient
    69. 

  69. 	if clientFactory == nil {
    70. 

  70. 		clientFactory = httpclient.NewBeyondtrustWorkloadCredentialsClient
    71. 

  71. 	}
    72. 

  72. 	prov := beyondtrustworkloadcredentialsprovider.Provider{
    73. 

  73. 		NewBeyondtrustWorkloadCredentialsClient: clientFactory,
    74. 

  74. 	}
    75. 

  75. 	cl, err := prov.NewGeneratorClient(ctx, kube, provider, namespace)
    76. 

  76. 	if err != nil {
    77. 

  77. 		return nil, nil, fmt.Errorf("failed to create BeyondtrustWorkloadCredentials client: %w", err)
    78. 

  78. 	}
    79. 

  79. 

  80. 	// call generate
    81. 

  81. 	generatedSecret, err := cl.GenerateDynamicSecret(ctx, secretName, folderPath)
    82. 

  82. 	if err != nil {
    83. 

  83. 		return nil, nil, fmt.Errorf(errGetSecret, err)
    84. 

  84. 	}
    85. 

  85. 	if generatedSecret == nil {
    86. 

  86. 		return nil, nil, fmt.Errorf("generated secret is nil")
    87. 

  87. 	}
    88. 

  88. 

  89. 	out := convertToByteMap(generatedSecret)
    90. 

  90. 

  91. 	// prepare provider state
    92. 

  92. 	state := &struct {
    93. 

  93. 		Path string `json:"path,omitempty"`
    94. 

  94. 	}{Path: spec.Spec.Provider.FolderPath}
    95. 

  95. 

  96. 	stateJSON, _ := json.Marshal(state)
    97. 

  97. 	gpState := genv1alpha1.GeneratorProviderState(&apiextensions.JSON{Raw: stateJSON})
    98. 

  98. 

  99. 	return out, gpState, nil
    100. 

  100. }
    101. 

  101. 

  102. // Cleanup is a no-op for BeyondtrustWorkloadCredentials dynamic generator.
    103. 

  103. func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alpha1.GeneratorProviderState, _ client.Client, _ string) error {
    104. 

  104. 	return nil
    105. 

  105. }
    106. 

  106. 

  107. // getDynamicSecretSpec checks if the provided spec is valid.
    108. 

  108. func getDynamicSecretSpec(jsonSpec *apiextensions.JSON) (*genv1alpha1.BeyondtrustWorkloadCredentialsDynamicSecret, error) {
    109. 

  109. 	if jsonSpec == nil {
    110. 

  110. 		return nil, errors.New(errNoSpec)
    111. 

  111. 	}
    112. 

  112. 

  113. 	spec, err := parseSpec(jsonSpec.Raw)
    114. 

  114. 	if err != nil {
    115. 

  115. 		return nil, fmt.Errorf(errParseSpec, err)
    116. 

  116. 	}
    117. 

  117. 	if spec == nil || spec.Spec.Provider == nil {
    118. 

  118. 		return nil, errors.New(errMissingConfig)
    119. 

  119. 	}
    120. 

  120. 	if spec.Spec.Provider.FolderPath == "" {
    121. 

  121. 		return nil, errors.New(errNoPath)
    122. 

  122. 	}
    123. 

  123. 

  124. 	return spec, nil
    125. 

  125. }
    126. 

  126. 

  127. // parseSpec unmarshals the JSON spec into a BeyondtrustWorkloadCredentialsDynamicSecret struct.
    128. 

  128. func parseSpec(data []byte) (*genv1alpha1.BeyondtrustWorkloadCredentialsDynamicSecret, error) {
    129. 

  129. 	var spec genv1alpha1.BeyondtrustWorkloadCredentialsDynamicSecret
    130. 

  130. 	if err := yaml.Unmarshal(data, &spec); err != nil {
    131. 

  131. 		return nil, err
    132. 

  132. 	}
    133. 

  133. 	return &spec, nil
    134. 

  134. }
    135. 

  135. 

  136. // Parse the path to extract folder and secret name.
    137. 

  137. // Path format: "folder/subfolder/secretname" or just "secretname".
    138. 

  138. func parsePath(fullPath string) (*string, string) {
    139. 

  139. 	var folderPath *string
    140. 

  140. 	var secretName string
    141. 

  141. 

  142. 	lastSlash := strings.LastIndex(fullPath, "/")
    143. 

  143. 	if lastSlash >= 0 {
    144. 

  144. 		folder := fullPath[:lastSlash]
    145. 

  145. 		folderPath = &folder
    146. 

  146. 		secretName = fullPath[lastSlash+1:]
    147. 

  147. 	} else {
    148. 

  148. 		secretName = fullPath
    149. 

  149. 	}
    150. 

  150. 	return folderPath, secretName
    151. 

  151. }
    152. 

  152. 

  153. // Convert generatedSecret to map[string][]byte.
    154. 

  154. func convertToByteMap(generatedSecret *btwcutil.GeneratedSecret) map[string][]byte {
    155. 

  155. 	out := make(map[string][]byte)
    156. 

  156. 

  157. 	// Defensive nil check
    158. 

  158. 	if generatedSecret == nil {
    159. 

  159. 		return out
    160. 

  160. 	}
    161. 

  161. 

  162. 	out["accessKeyId"] = []byte(generatedSecret.AccessKeyID)
    163. 

  163. 	out["secretAccessKey"] = []byte(generatedSecret.SecretAccessKey)
    164. 

  164. 	out["leaseId"] = []byte(generatedSecret.LeaseID)
    165. 

  165. 	out["expiration"] = []byte(generatedSecret.Expiration)
    166. 

  166. 

  167. 	if generatedSecret.SessionToken != "" {
    168. 

  168. 		out["sessionToken"] = []byte(generatedSecret.SessionToken)
    169. 

  169. 	}
    170. 

  170. 

  171. 	return out
    172. 

  172. }
    173. 

  173. 

  174. // NewGenerator creates a new BeyondtrustWorkloadCredentials generator instance.
    175. 

  175. func NewGenerator() genv1alpha1.Generator {
    176. 

  176. 	return &Generator{}
    177. 

  177. }
    178. 

  178. 

  179. // Kind returns the generator kind string.
    180. 

  180. func Kind() string {
    181. 

  181. 	return string(genv1alpha1.GeneratorKindBeyondtrustWorkloadCredentialsDynamicSecret)
    182. 

  182. }
    183.