helm-external-secrets/providers/v1/passbolt/passbolt.go

/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package passbolt implements a provider for Passbolt password manager.
// It allows fetching secrets stored in Passbolt using their REST API.
package passbolt

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"regexp"

	"github.com/passbolt/go-passbolt/api"
	"github.com/passbolt/go-passbolt/helper"
	corev1 "k8s.io/api/core/v1"
	kclient "sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	"github.com/external-secrets/external-secrets/runtime/esutils"
	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
)

const (
	errPassboltStoreMissingProvider                = "missing: spec.provider.passbolt"
	errPassboltStoreMissingAuth                    = "missing: spec.provider.passbolt.auth"
	errPassboltStoreMissingAuthPassword            = "missing: spec.provider.passbolt.auth.passwordSecretRef"
	errPassboltStoreMissingAuthPrivateKey          = "missing: spec.provider.passbolt.auth.privateKeySecretRef"
	errPassboltStoreMissingHost                    = "missing: spec.provider.passbolt.host"
	errPassboltExternalSecretMissingFindNameRegExp = "missing: find.name.regexp"
	errPassboltStoreHostSchemeNotHTTPS             = "host Url has to be https scheme"
	errPassboltSecretPropertyInvalid               = "property must be one of name, username, uri, password or description"
	errNotImplemented                              = "not implemented"
)

// ProviderPassbolt implements the External Secrets provider interface for Passbolt.
type ProviderPassbolt struct {
	client *api.Client
}

// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
func (provider *ProviderPassbolt) Capabilities() esv1.SecretStoreCapabilities {
	return esv1.SecretStoreReadOnly
}

// NewClient constructs a new secrets client based on the provided store.
func (provider *ProviderPassbolt) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
	config := store.GetSpec().Provider.Passbolt

	password, err := resolvers.SecretKeyRef(
		ctx,
		kube,
		store.GetKind(),
		namespace,
		config.Auth.PasswordSecretRef,
	)
	if err != nil {
		return nil, err
	}

	privateKey, err := resolvers.SecretKeyRef(
		ctx,
		kube,
		store.GetKind(),
		namespace,
		config.Auth.PrivateKeySecretRef,
	)
	if err != nil {
		return nil, err
	}

	client, err := api.NewClient(nil, "", config.Host, privateKey, password)
	if err != nil {
		return nil, err
	}

	// Login immediately (like CLI does)
	if err := client.Login(ctx); err != nil {
		return nil, err
	}

	// Prefetch caches for V5 metadata decryption performance (CLI pattern)
	// This caches session keys and metadata keys for fast V5 decryption
	if _, _, err := client.PreFetchCaches(ctx); err != nil {
		fmt.Printf("passbolt: prefetch caches failed (non-fatal): %v\n", err)
	}

	provider.client = client
	return provider, nil
}

// SecretExists checks if a secret exists in Passbolt.
func (provider *ProviderPassbolt) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
	return false, errors.New(errNotImplemented)
}

// GetSecret retrieves a secret from Passbolt.
func (provider *ProviderPassbolt) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
	if err := assureLoggedIn(ctx, provider.client); err != nil {
		return nil, err
	}

	secret, err := provider.getPassboltSecret(ctx, ref.Key)
	if err != nil {
		return nil, err
	}

	if ref.Property == "" {
		return esutils.JSONMarshal(secret)
	}

	return secret.GetProp(ref.Property)
}

// PushSecret is not implemented for Passbolt as it is read-only.
func (provider *ProviderPassbolt) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
	return errors.New(errNotImplemented)
}

// DeleteSecret is not implemented for Passbolt as it is read-only.
func (provider *ProviderPassbolt) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
	return errors.New(errNotImplemented)
}

// Validate performs validation of the Passbolt provider configuration.
func (provider *ProviderPassbolt) Validate() (esv1.ValidationResult, error) {
	return esv1.ValidationResultUnknown, nil
}

// GetSecretMap retrieves a secret and returns it as a map of key/value pairs.
func (provider *ProviderPassbolt) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
	return nil, errors.New(errNotImplemented)
}

// GetAllSecrets retrieves all secrets from Passbolt that match the given criteria.
func (provider *ProviderPassbolt) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
	res := make(map[string][]byte)

	if ref.Name == nil || ref.Name.RegExp == "" {
		return res, errors.New(errPassboltExternalSecretMissingFindNameRegExp)
	}

	if err := assureLoggedIn(ctx, provider.client); err != nil {
		return nil, err
	}

	resources, err := provider.client.GetResources(ctx, &api.GetResourcesOptions{})
	if err != nil {
		return nil, err
	}

	nameRegexp, err := regexp.Compile(ref.Name.RegExp)
	if err != nil {
		return nil, err
	}

	// NOTE: For V5 resources, metadata (including name) is encrypted, so we must
	// decrypt each resource before filtering. This means all secrets are decrypted
	// even if they don't match the filter, which may impact performance with large
	// secret stores.
	for _, resource := range resources {
		secret, err := provider.getPassboltSecret(ctx, resource.ID)
		if err != nil {
			return nil, err
		}

		// Filter by decrypted name (works for both V4 and V5)
		if !nameRegexp.MatchString(secret.Name) {
			continue
		}

		marshaled, err := esutils.JSONMarshal(secret)
		if err != nil {
			return nil, err
		}
		res[resource.ID] = marshaled
	}

	return res, nil
}

// Close implements cleanup operations for the Passbolt provider.
func (provider *ProviderPassbolt) Close(ctx context.Context) error {
	// Save any pending session keys discovered during decryption (CLI pattern)
	// This improves performance for future connections
	_, _ = provider.client.SavePendingSessionKeys(ctx) // Best effort
	return provider.client.Logout(ctx)
}

// ValidateStore validates the Passbolt SecretStore resource configuration.
func (provider *ProviderPassbolt) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
	config := store.GetSpec().Provider.Passbolt
	if config == nil {
		return nil, errors.New(errPassboltStoreMissingProvider)
	}

	if config.Auth == nil {
		return nil, errors.New(errPassboltStoreMissingAuth)
	}

	if config.Auth.PasswordSecretRef == nil || config.Auth.PasswordSecretRef.Name == "" || config.Auth.PasswordSecretRef.Key == "" {
		return nil, errors.New(errPassboltStoreMissingAuthPassword)
	}

	if config.Auth.PrivateKeySecretRef == nil || config.Auth.PrivateKeySecretRef.Name == "" || config.Auth.PrivateKeySecretRef.Key == "" {
		return nil, errors.New(errPassboltStoreMissingAuthPrivateKey)
	}
	if config.Host == "" {
		return nil, errors.New(errPassboltStoreMissingHost)
	}

	host, err := url.Parse(config.Host)
	if err != nil {
		return nil, err
	}

	if host.Scheme != "https" {
		return nil, errors.New(errPassboltStoreHostSchemeNotHTTPS)
	}

	return nil, nil
}

// Secret represents a Passbolt secret with its properties.
type Secret struct {
	Name        string `json:"name"`
	Username    string `json:"username"`
	Password    string `json:"password"`
	URI         string `json:"uri"`
	Description string `json:"description"`
}

// GetProp retrieves a specific property from the Passbolt secret.
func (ps Secret) GetProp(key string) ([]byte, error) {
	switch key {
	case "name":
		return []byte(ps.Name), nil
	case "username":
		return []byte(ps.Username), nil
	case "uri":
		return []byte(ps.URI), nil
	case "password":
		return []byte(ps.Password), nil
	case "description":
		return []byte(ps.Description), nil
	default:
		return nil, errors.New(errPassboltSecretPropertyInvalid)
	}
}

func (provider *ProviderPassbolt) getPassboltSecret(ctx context.Context, id string) (*Secret, error) {
	_, name, username, uri, password, description, err := helper.GetResource(ctx, provider.client, id)
	if err != nil {
		return nil, err
	}
	return &Secret{
		Name:        name,
		Username:    username,
		URI:         uri,
		Password:    password,
		Description: description,
	}, nil
}

func assureLoggedIn(ctx context.Context, client *api.Client) error {
	if client.CheckSession(ctx) {
		return nil
	}
	return client.Login(ctx)
}

// NewProvider creates a new Provider instance.
func NewProvider() esv1.Provider {
	return &ProviderPassbolt{}
}

// ProviderSpec returns the provider specification for registration.
func ProviderSpec() *esv1.SecretStoreProvider {
	return &esv1.SecretStoreProvider{
		Passbolt: &esv1.PassboltProvider{},
	}
}

// MaintenanceStatus returns the maintenance status of the provider.
func MaintenanceStatus() esv1.MaintenanceStatus {
	return esv1.MaintenanceStatusMaintained
}