Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Branch: main
Branches Tags
helm-externa...
/
providers
/
v1
/
cloudru
/
secretmanager
/
client.go

client.go 6.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package secretmanager implements the External Secrets provider for CloudRu Secret Manager.
    18. 

  18. package secretmanager
    19. 

  19. 

  20. import (
    21. 

  21. 	"context"
    22. 

  22. 	"encoding/json"
    23. 

  23. 	"errors"
    24. 

  24. 	"fmt"
    25. 

  25. 	"strconv"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	smsv2 "github.com/cloudru-tech/secret-manager-sdk/api/v2"
    29. 

  29. 	"github.com/google/uuid"
    30. 

  30. 	"github.com/tidwall/gjson"
    31. 

  31. 	corev1 "k8s.io/api/core/v1"
    32. 

  32. 

  33. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    34. 

  34. 	"github.com/external-secrets/external-secrets/providers/v1/cloudru/secretmanager/adapter"
    35. 

  35. 	"github.com/external-secrets/external-secrets/runtime/esutils"
    36. 

  36. )
    37. 

  37. 

  38. var (
    39. 

  39. 	// ErrInvalidSecretVersion represents the error, when trying to access the secret with non-numeric version.
    40. 

  40. 	ErrInvalidSecretVersion = errors.New("invalid secret version: should be a valid int32 value or 'latest' keyword")
    41. 

  41. )
    42. 

  42. 

  43. // SecretProvider is an API client for the Cloud.ru Secret Manager.
    44. 

  44. type SecretProvider interface {
    45. 

  45. 	// ListSecrets lists secrets by the given request.
    46. 

  46. 	ListSecrets(ctx context.Context, req *adapter.ListSecretsRequest) ([]*smsv2.Secret, error)
    47. 

  47. 	// AccessSecretVersionByPath gets the secret by the given path.
    48. 

  48. 	AccessSecretVersionByPath(ctx context.Context, projectID, path string, version *int32) ([]byte, error)
    49. 

  49. 	// AccessSecretVersion gets the secret by the given request.
    50. 

  50. 	AccessSecretVersion(ctx context.Context, id, version string) ([]byte, error)
    51. 

  51. }
    52. 

  52. 

  53. // Client is a provider for CloudRu Secret Manager.
    54. 

  54. type Client struct {
    55. 

  55. 	apiClient SecretProvider
    56. 

  56. 

  57. 	projectID string
    58. 

  58. }
    59. 

  59. 

  60. // GetSecret gets the secret by the remote reference.
    61. 

  61. func (c *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
    62. 

  62. 	secret, err := c.accessSecret(ctx, ref.Key, ref.Version)
    63. 

  63. 	if err != nil {
    64. 

  64. 		return nil, err
    65. 

  65. 	}
    66. 

  66. 

  67. 	prop := strings.TrimSpace(ref.Property)
    68. 

  68. 	if prop == "" {
    69. 

  69. 		return secret, nil
    70. 

  70. 	}
    71. 

  71. 

  72. 	// For more obvious behavior, we return an error if we are dealing with invalid JSON
    73. 

  73. 	// this is needed, because the gjson library works fine with value for `key`, for example:
    74. 

  74. 	//
    75. 

  75. 	// {"key": "value", another: "value"}
    76. 

  76. 	//
    77. 

  77. 	// but it will return "" when accessing to a property `another` (no quotes)
    78. 

  78. 	if err = json.Unmarshal(secret, &map[string]any{}); err != nil {
    79. 

  79. 		return nil, fmt.Errorf("expecting the secret %q in JSON format, could not access property %q", ref.Key, ref.Property)
    80. 

  80. 	}
    81. 

  81. 

  82. 	result := gjson.Parse(string(secret)).Get(prop)
    83. 

  83. 	if !result.Exists() {
    84. 

  84. 		return nil, fmt.Errorf("the requested property %q does not exist in secret %q", prop, ref.Key)
    85. 

  85. 	}
    86. 

  86. 

  87. 	return []byte(result.Str), nil
    88. 

  88. }
    89. 

  89. 

  90. // GetSecretMap retrieves a secret from CloudRu SecretManager and returns it as a map of key/value pairs.
    91. 

  91. func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    92. 

  92. 	secret, err := c.accessSecret(ctx, ref.Key, ref.Version)
    93. 

  93. 	if err != nil {
    94. 

  94. 		return nil, err
    95. 

  95. 	}
    96. 

  96. 

  97. 	secretMap := make(map[string]json.RawMessage)
    98. 

  98. 	if err = json.Unmarshal(secret, &secretMap); err != nil {
    99. 

  99. 		return nil, fmt.Errorf("expecting the secret %q in JSON format", ref.Key)
    100. 

  100. 	}
    101. 

  101. 

  102. 	out := make(map[string][]byte)
    103. 

  103. 	for k, v := range secretMap {
    104. 

  104. 		out[k] = []byte(strings.Trim(string(v), "\""))
    105. 

  105. 	}
    106. 

  106. 

  107. 	return out, nil
    108. 

  108. }
    109. 

  109. 

  110. // GetAllSecrets returns all secrets matching the find criteria (path, name, tags).
    111. 

  111. func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
    112. 

  112. 	if len(ref.Tags) == 0 && ref.Name == nil && ref.Path == nil {
    113. 

  113. 		return nil, fmt.Errorf("at least one of the following fields must be set: tags, name, path")
    114. 

  114. 	}
    115. 

  115. 

  116. 	var nameFilter string
    117. 

  117. 	if ref.Name != nil {
    118. 

  118. 		nameFilter = ref.Name.RegExp
    119. 

  119. 	}
    120. 

  120. 

  121. 	searchReq := &adapter.ListSecretsRequest{
    122. 

  122. 		ProjectID: c.projectID,
    123. 

  123. 		Labels:    ref.Tags,
    124. 

  124. 		NameRegex: nameFilter,
    125. 

  125. 	}
    126. 

  126. 	if ref.Path != nil {
    127. 

  127. 		searchReq.Path = *ref.Path
    128. 

  128. 	}
    129. 

  129. 	secrets, err := c.apiClient.ListSecrets(ctx, searchReq)
    130. 

  130. 	if err != nil {
    131. 

  131. 		return nil, fmt.Errorf("failed to list secrets: %w", err)
    132. 

  132. 	}
    133. 

  133. 

  134. 	out := make(map[string][]byte)
    135. 

  135. 	for _, s := range secrets {
    136. 

  136. 		secret, accessErr := c.accessSecret(ctx, s.GetId(), "latest")
    137. 

  137. 		if accessErr != nil {
    138. 

  138. 			return nil, accessErr
    139. 

  139. 		}
    140. 

  140. 

  141. 		out[s.GetPath()] = secret
    142. 

  142. 	}
    143. 

  143. 

  144. 	return esutils.ConvertKeys(ref.ConversionStrategy, out)
    145. 

  145. }
    146. 

  146. 

  147. func (c *Client) accessSecret(ctx context.Context, key, version string) ([]byte, error) {
    148. 

  148. 	// check if the secret key is UUID
    149. 

  149. 	// The uuid value means that the provided `key` is a secret identifier.
    150. 

  150. 	// if not, then it is a secret name, and we need to get the secret by
    151. 

  151. 	// name before accessing the version.
    152. 

  152. 	if _, err := uuid.Parse(key); err != nil {
    153. 

  153. 		var versionNum *int32
    154. 

  154. 		if version != "" && version != "latest" {
    155. 

  155. 			num, parseErr := strconv.ParseInt(version, 10, 32)
    156. 

  156. 			if parseErr != nil {
    157. 

  157. 				return nil, ErrInvalidSecretVersion
    158. 

  158. 			}
    159. 

  159. 

  160. 			versionNum = &[]int32{int32(num)}[0]
    161. 

  161. 		}
    162. 

  162. 

  163. 		return c.apiClient.AccessSecretVersionByPath(ctx, c.projectID, key, versionNum)
    164. 

  164. 	}
    165. 

  165. 

  166. 	return c.apiClient.AccessSecretVersion(ctx, key, version)
    167. 

  167. }
    168. 

  168. 

  169. // PushSecret pushes a secret to CloudRu Secret Manager.
    170. 

  170. func (c *Client) PushSecret(context.Context, *corev1.Secret, esv1.PushSecretData) error {
    171. 

  171. 	return fmt.Errorf("push secret is not supported")
    172. 

  172. }
    173. 

  173. 

  174. // DeleteSecret deletes a secret from CloudRu Secret Manager.
    175. 

  175. func (c *Client) DeleteSecret(context.Context, esv1.PushSecretRemoteRef) error {
    176. 

  176. 	return fmt.Errorf("not implemented")
    177. 

  177. }
    178. 

  178. 

  179. // SecretExists checks if a secret exists in CloudRu Secret Manager.
    180. 

  180. func (c *Client) SecretExists(context.Context, esv1.PushSecretRemoteRef) (bool, error) {
    181. 

  181. 	return false, fmt.Errorf("secret exists is not supported")
    182. 

  182. }
    183. 

  183. 

  184. // Validate validates the client.
    185. 

  185. func (c *Client) Validate() (esv1.ValidationResult, error) {
    186. 

  186. 	return esv1.ValidationResultUnknown, nil
    187. 

  187. }
    188. 

  188. 

  189. // Close closes the client.
    190. 

  190. func (c *Client) Close(_ context.Context) error { return nil }
    191.