Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Branch: main
Branches Tags
helm-externa...
/
providers
/
v1
/
delinea
/
client.go

client.go 3.7 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package delinea implements a provider for Delinea DevOps Secrets Vault.
    18. 

  18. // It provides functionality to interact with secrets stored in Delinea DSV,
    19. 

  19. // supporting operations like fetching secrets and managing secret lifecycles.
    20. 

  20. package delinea
    21. 

  21. 

  22. import (
    23. 

  23. 	"context"
    24. 

  24. 	"encoding/json"
    25. 

  25. 	"errors"
    26. 

  26. 

  27. 	"github.com/DelineaXPM/dsv-sdk-go/v2/vault"
    28. 

  28. 	"github.com/tidwall/gjson"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 

  31. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    32. 

  32. 	"github.com/external-secrets/external-secrets/runtime/esutils"
    33. 

  33. )
    34. 

  34. 

  35. type client struct {
    36. 

  36. 	api secretAPI
    37. 

  37. }
    38. 

  38. 

  39. var _ esv1.SecretsClient = &client{}
    40. 

  40. 

  41. // GetSecret supports two types:
    42. 

  42. //  1. get the full secret as json-encoded value
    43. 

  43. //     by leaving the ref.Property empty.
    44. 

  44. //  2. get a key from the secret.
    45. 

  45. //     Nested values are supported by specifying a gjson expression
    46. 

  46. func (c *client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
    47. 

  47. 	secret, err := c.getSecret(ctx, ref)
    48. 

  48. 	if err != nil {
    49. 

  49. 		return nil, err
    50. 

  50. 	}
    51. 

  51. 	// Return nil if secret value is null
    52. 

  52. 	if secret.Data == nil {
    53. 

  53. 		return nil, nil
    54. 

  54. 	}
    55. 

  55. 	jsonStr, err := json.Marshal(secret.Data)
    56. 

  56. 	if err != nil {
    57. 

  57. 		return nil, err
    58. 

  58. 	}
    59. 

  59. 	// return raw json if no property is defined
    60. 

  60. 	if ref.Property == "" {
    61. 

  61. 		return jsonStr, nil
    62. 

  62. 	}
    63. 

  63. 	// extract key from secret using gjson
    64. 

  64. 	val := gjson.Get(string(jsonStr), ref.Property)
    65. 

  65. 	if !val.Exists() {
    66. 

  66. 		return nil, esv1.NoSecretError{}
    67. 

  67. 	}
    68. 

  68. 	return []byte(val.String()), nil
    69. 

  69. }
    70. 

  70. 

  71. func (c *client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
    72. 

  72. 	return errors.New("pushing secrets is not supported by Delinea DevOps Secrets Vault")
    73. 

  73. }
    74. 

  74. 

  75. func (c *client) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
    76. 

  76. 	return errors.New("deleting secrets is not supported by Delinea DevOps Secrets Vault")
    77. 

  77. }
    78. 

  78. 

  79. func (c *client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
    80. 

  80. 	return false, errors.New("not implemented")
    81. 

  81. }
    82. 

  82. 

  83. func (c *client) Validate() (esv1.ValidationResult, error) {
    84. 

  84. 	return esv1.ValidationResultReady, nil
    85. 

  85. }
    86. 

  86. 

  87. // GetSecretMap retrieves all key-value pairs from the secret referenced by ref.
    88. 

  88. func (c *client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    89. 

  89. 	secret, err := c.getSecret(ctx, ref)
    90. 

  90. 	if err != nil {
    91. 

  91. 		return nil, err
    92. 

  92. 	}
    93. 

  93. 	byteMap := make(map[string][]byte, len(secret.Data))
    94. 

  94. 	for k := range secret.Data {
    95. 

  95. 		byteMap[k], err = esutils.GetByteValueFromMap(secret.Data, k)
    96. 

  96. 		if err != nil {
    97. 

  97. 			return nil, err
    98. 

  98. 		}
    99. 

  99. 	}
    100. 

  100. 

  101. 	return byteMap, nil
    102. 

  102. }
    103. 

  103. 

  104. // GetAllSecrets lists secrets matching the given criteria and return their latest versions.
    105. 

  105. func (c *client) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
    106. 

  106. 	return nil, errors.New("getting all secrets is not supported by Delinea DevOps Secrets Vault")
    107. 

  107. }
    108. 

  108. 

  109. func (c *client) Close(context.Context) error {
    110. 

  110. 	return nil
    111. 

  111. }
    112. 

  112. 

  113. // getSecret retrieves the secret referenced by ref from the Vault API.
    114. 

  114. func (c *client) getSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) (*vault.Secret, error) {
    115. 

  115. 	if ref.Version != "" {
    116. 

  116. 		return nil, errors.New("specifying a version is not yet supported")
    117. 

  117. 	}
    118. 

  118. 	return c.api.Secret(ref.Key)
    119. 

  119. }
    120.