Strona główna Odkrywaj Pomoc
Zaloguj się
logic855
/
helm-external-secrets
kopia lustrzana https://github.com/external-secrets/external-secrets
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Gałąź: update-deps-1754301928
Gałęzie Tagi
helm-external-s...
/
pkg
/
provider
/
onepassword
/
onepassword.go

onepassword.go 23 KB
Bezpośredni odnośnik Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package onepassword
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"fmt"
    21. 

  21. 	"net/url"
    22. 

  22. 	"slices"
    23. 

  23. 	"sort"
    24. 

  24. 	"strings"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	"github.com/1Password/connect-sdk-go/connect"
    28. 

  28. 	"github.com/1Password/connect-sdk-go/onepassword"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    31. 

  31. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    32. 

  32. 

  33. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    34. 

  34. 	"github.com/external-secrets/external-secrets/pkg/find"
    35. 

  35. 	"github.com/external-secrets/external-secrets/pkg/utils"
    36. 

  36. 	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
    38. 

  38. )
    39. 

  39. 

  40. const (
    41. 

  41. 	userAgent = "external-secrets"
    42. 

  42. 

  43. 	errOnePasswordStore                           = "received invalid 1Password SecretStore resource: %w"
    44. 

  44. 	errOnePasswordStoreNilSpec                    = "nil spec"
    45. 

  45. 	errOnePasswordStoreNilSpecProvider            = "nil spec.provider"
    46. 

  46. 	errOnePasswordStoreNilSpecProviderOnePassword = "nil spec.provider.onepassword"
    47. 

  47. 	errOnePasswordStoreMissingRefName             = "missing: spec.provider.onepassword.auth.secretRef.connectTokenSecretRef.name"
    48. 

  48. 	errOnePasswordStoreMissingRefKey              = "missing: spec.provider.onepassword.auth.secretRef.connectTokenSecretRef.key"
    49. 

  49. 	errOnePasswordStoreAtLeastOneVault            = "must be at least one vault: spec.provider.onepassword.vaults"
    50. 

  50. 	errOnePasswordStoreInvalidConnectHost         = "unable to parse URL: spec.provider.onepassword.connectHost: %w"
    51. 

  51. 	errOnePasswordStoreNonUniqueVaultNumbers      = "vault order numbers must be unique"
    52. 

  52. 	errGetVault                                   = "error finding 1Password Vault: %w"
    53. 

  53. 

  54. 	errGetItem               = "error finding 1Password Item: %w"
    55. 

  55. 	errUpdateItem            = "error updating 1Password Item: %w"
    56. 

  56. 	errDocumentNotFound      = "error finding 1Password Document: %w"
    57. 

  57. 	errTagsNotImplemented    = "'find.tags' is not implemented in the 1Password provider"
    58. 

  58. 	errVersionNotImplemented = "'remoteRef.version' is not implemented in the 1Password provider"
    59. 

  59. 	errCreateItem            = "error creating 1Password Item: %w"
    60. 

  60. 	errDeleteItem            = "error deleting 1Password Item: %w"
    61. 

  61. 	// custom error messages.
    62. 

  62. 	errKeyNotFoundMsg             = "key not found in 1Password Vaults"
    63. 

  63. 	errNoVaultsMsg                = "no vaults found"
    64. 

  64. 	errMetadataVaultNotinProvider = "metadata vault '%s' not in provider vaults"
    65. 

  65. 	errExpectedOneItemMsg         = "expected one 1Password Item matching"
    66. 

  66. 	errExpectedOneFieldMsg        = "expected one 1Password ItemField matching"
    67. 

  67. 	errExpectedOneFieldMsgF       = "%w: '%s' in '%s', got %d"
    68. 

  68. 

  69. 	documentCategory = "DOCUMENT"
    70. 

  70. 	fieldPrefix      = "field"
    71. 

  71. 	filePrefix       = "file"
    72. 

  72. 	prefixSplitter   = "/"
    73. 

  73. )
    74. 

  74. 

  75. // Custom Errors //.
    76. 

  76. var (
    77. 

  77. 	// ErrKeyNotFound is returned when a key is not found in the 1Password Vaults.
    78. 

  78. 	ErrKeyNotFound = errors.New(errKeyNotFoundMsg)
    79. 

  79. 	// ErrNoVaults is returned when no vaults are found in the 1Password provider.
    80. 

  80. 	ErrNoVaults = errors.New(errNoVaultsMsg)
    81. 

  81. 	// ErrExpectedOneField is returned when more than 1 field is found in the 1Password Vaults.
    82. 

  82. 	ErrExpectedOneField = errors.New(errExpectedOneFieldMsg)
    83. 

  83. 	// ErrExpectedOneItem is returned when more than 1 item is found in the 1Password Vaults.
    84. 

  84. 	ErrExpectedOneItem = errors.New(errExpectedOneItemMsg)
    85. 

  85. )
    86. 

  86. 

  87. // ProviderOnePassword is a provider for 1Password.
    88. 

  88. type ProviderOnePassword struct {
    89. 

  89. 	vaults map[string]int
    90. 

  90. 	client connect.Client
    91. 

  91. }
    92. 

  92. 

  93. type PushSecretMetadataSpec struct {
    94. 

  94. 	Tags  []string `json:"tags,omitempty"`
    95. 

  95. 	Vault string   `json:"vault,omitempty"`
    96. 

  96. }
    97. 

  97. 

  98. // https://github.com/external-secrets/external-secrets/issues/644
    99. 

  99. var (
    100. 

  100. 	_ esv1beta1.SecretsClient = &ProviderOnePassword{}
    101. 

  101. 	_ esv1beta1.Provider      = &ProviderOnePassword{}
    102. 

  102. )
    103. 

  103. 

  104. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
    105. 

  105. func (provider *ProviderOnePassword) Capabilities() esv1beta1.SecretStoreCapabilities {
    106. 

  106. 	return esv1beta1.SecretStoreReadOnly
    107. 

  107. }
    108. 

  108. 

  109. // NewClient constructs a 1Password Provider.
    110. 

  110. func (provider *ProviderOnePassword) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
    111. 

  111. 	config := store.GetSpec().Provider.OnePassword
    112. 

  112. 	token, err := resolvers.SecretKeyRef(
    113. 

  113. 		ctx,
    114. 

  114. 		kube,
    115. 

  115. 		store.GetKind(),
    116. 

  116. 		namespace,
    117. 

  117. 		&config.Auth.SecretRef.ConnectToken,
    118. 

  118. 	)
    119. 

  119. 	if err != nil {
    120. 

  120. 		return nil, err
    121. 

  121. 	}
    122. 

  122. 	provider.client = connect.NewClientWithUserAgent(config.ConnectHost, token, userAgent)
    123. 

  123. 	provider.vaults = config.Vaults
    124. 

  124. 	return provider, nil
    125. 

  125. }
    126. 

  126. 

  127. // ValidateStore checks if the provided store is valid.
    128. 

  128. func (provider *ProviderOnePassword) ValidateStore(store esv1beta1.GenericStore) (admission.Warnings, error) {
    129. 

  129. 	return nil, validateStore(store)
    130. 

  130. }
    131. 

  131. 

  132. func validateStore(store esv1beta1.GenericStore) error {
    133. 

  133. 	// check nils
    134. 

  134. 	storeSpec := store.GetSpec()
    135. 

  135. 	if storeSpec == nil {
    136. 

  136. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpec))
    137. 

  137. 	}
    138. 

  138. 	if storeSpec.Provider == nil {
    139. 

  139. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpecProvider))
    140. 

  140. 	}
    141. 

  141. 	if storeSpec.Provider.OnePassword == nil {
    142. 

  142. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNilSpecProviderOnePassword))
    143. 

  143. 	}
    144. 

  144. 

  145. 	// check mandatory fields
    146. 

  146. 	config := storeSpec.Provider.OnePassword
    147. 

  147. 	if config.Auth.SecretRef.ConnectToken.Name == "" {
    148. 

  148. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreMissingRefName))
    149. 

  149. 	}
    150. 

  150. 	if config.Auth.SecretRef.ConnectToken.Key == "" {
    151. 

  151. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreMissingRefKey))
    152. 

  152. 	}
    153. 

  153. 

  154. 	// check namespace compared to kind
    155. 

  155. 	if err := utils.ValidateSecretSelector(store, config.Auth.SecretRef.ConnectToken); err != nil {
    156. 

  156. 		return fmt.Errorf(errOnePasswordStore, err)
    157. 

  157. 	}
    158. 

  158. 

  159. 	// check at least one vault
    160. 

  160. 	if len(config.Vaults) == 0 {
    161. 

  161. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreAtLeastOneVault))
    162. 

  162. 	}
    163. 

  163. 

  164. 	// ensure vault numbers are unique
    165. 

  165. 	if !hasUniqueVaultNumbers(config.Vaults) {
    166. 

  166. 		return fmt.Errorf(errOnePasswordStore, errors.New(errOnePasswordStoreNonUniqueVaultNumbers))
    167. 

  167. 	}
    168. 

  168. 

  169. 	// check valid URL
    170. 

  170. 	if _, err := url.Parse(config.ConnectHost); err != nil {
    171. 

  171. 		return fmt.Errorf(errOnePasswordStore, fmt.Errorf(errOnePasswordStoreInvalidConnectHost, err))
    172. 

  172. 	}
    173. 

  173. 

  174. 	return nil
    175. 

  175. }
    176. 

  176. 

  177. func deleteField(fields []*onepassword.ItemField, label string) ([]*onepassword.ItemField, error) {
    178. 

  178. 	// This will always iterate over all items
    179. 

  179. 	// but its done to ensure that two fields with the same label
    180. 

  180. 	// exist resulting in undefined behavior
    181. 

  181. 	var (
    182. 

  182. 		found   bool
    183. 

  183. 		fieldsF = make([]*onepassword.ItemField, 0, len(fields))
    184. 

  184. 	)
    185. 

  185. 	for _, item := range fields {
    186. 

  186. 		if item.Label == label {
    187. 

  187. 			if found {
    188. 

  188. 				return nil, ErrExpectedOneField
    189. 

  189. 			}
    190. 

  190. 			found = true
    191. 

  191. 			continue
    192. 

  192. 		}
    193. 

  193. 		fieldsF = append(fieldsF, item)
    194. 

  194. 	}
    195. 

  195. 	return fieldsF, nil
    196. 

  196. }
    197. 

  197. 

  198. func (provider *ProviderOnePassword) DeleteSecret(_ context.Context, ref esv1beta1.PushSecretRemoteRef) error {
    199. 

  199. 	providerItem, err := provider.findItem(ref.GetRemoteKey())
    200. 

  200. 	if err != nil {
    201. 

  201. 		return err
    202. 

  202. 	}
    203. 

  203. 

  204. 	providerItem.Fields, err = deleteField(providerItem.Fields, ref.GetProperty())
    205. 

  205. 	if err != nil {
    206. 

  206. 		return fmt.Errorf(errUpdateItem, err)
    207. 

  207. 	}
    208. 

  208. 

  209. 	if len(providerItem.Fields) == 0 && len(providerItem.Files) == 0 && len(providerItem.Sections) == 0 {
    210. 

  210. 		// Delete the item if there are no fields, files or sections
    211. 

  211. 		if err = provider.client.DeleteItem(providerItem, providerItem.Vault.ID); err != nil {
    212. 

  212. 			return fmt.Errorf(errDeleteItem, err)
    213. 

  213. 		}
    214. 

  214. 		return nil
    215. 

  215. 	}
    216. 

  216. 

  217. 	if _, err = provider.client.UpdateItem(providerItem, providerItem.Vault.ID); err != nil {
    218. 

  218. 		return fmt.Errorf(errDeleteItem, err)
    219. 

  219. 	}
    220. 

  220. 	return nil
    221. 

  221. }
    222. 

  222. 

  223. func (provider *ProviderOnePassword) SecretExists(_ context.Context, _ esv1beta1.PushSecretRemoteRef) (bool, error) {
    224. 

  224. 	return false, errors.New("not implemented")
    225. 

  225. }
    226. 

  226. 

  227. const (
    228. 

  228. 	passwordLabel = "password"
    229. 

  229. )
    230. 

  230. 

  231. // createItem creates a new item in the first vault. If no vaults exist, it returns an error.
    232. 

  232. func (provider *ProviderOnePassword) createItem(val []byte, ref esv1beta1.PushSecretData) error {
    233. 

  233. 	// Get the metadata
    234. 

  234. 	metadata, err := metadata.ParseMetadataParameters[PushSecretMetadataSpec](ref.GetMetadata())
    235. 

  235. 	if err != nil {
    236. 

  236. 		return fmt.Errorf("failed to parse push secret metadata: %w", err)
    237. 

  237. 	}
    238. 

  238. 

  239. 	// Check if there is a vault is specified in the metadata
    240. 

  240. 	vaultID := ""
    241. 

  241. 	if metadata != nil && metadata.Spec.Vault != "" {
    242. 

  242. 		// check if metadata.Spec.Vault is in provider.vaults
    243. 

  243. 		if _, ok := provider.vaults[metadata.Spec.Vault]; !ok {
    244. 

  244. 			return fmt.Errorf(errMetadataVaultNotinProvider, metadata.Spec.Vault)
    245. 

  245. 		}
    246. 

  246. 		vaultID = metadata.Spec.Vault
    247. 

  247. 	} else {
    248. 

  248. 		// Get the first vault from the provider
    249. 

  249. 		sortedVaults := sortVaults(provider.vaults)
    250. 

  250. 		if len(sortedVaults) == 0 {
    251. 

  251. 			return ErrNoVaults
    252. 

  252. 		}
    253. 

  253. 		vaultID = sortedVaults[0]
    254. 

  254. 	}
    255. 

  255. 

  256. 	// Get the label
    257. 

  257. 	label := ref.GetProperty()
    258. 

  258. 	if label == "" {
    259. 

  259. 		label = passwordLabel
    260. 

  260. 	}
    261. 

  261. 

  262. 	var tags []string
    263. 

  263. 	if metadata != nil && metadata.Spec.Tags != nil {
    264. 

  264. 		tags = metadata.Spec.Tags
    265. 

  265. 	}
    266. 

  266. 

  267. 	// Create the item
    268. 

  268. 	item := &onepassword.Item{
    269. 

  269. 		Title:    ref.GetRemoteKey(),
    270. 

  270. 		Category: onepassword.Server,
    271. 

  271. 		Vault: onepassword.ItemVault{
    272. 

  272. 			ID: vaultID,
    273. 

  273. 		},
    274. 

  274. 		Fields: []*onepassword.ItemField{
    275. 

  275. 			generateNewItemField(label, string(val)),
    276. 

  276. 		},
    277. 

  277. 		Tags: tags,
    278. 

  278. 	}
    279. 

  279. 

  280. 	_, err = provider.client.CreateItem(item, vaultID)
    281. 

  281. 	return err
    282. 

  282. }
    283. 

  283. 

  284. // updateFieldValue updates the fields value of an item with the given label.
    285. 

  285. // If the label does not exist, a new field is created. If the label exists but
    286. 

  286. // the value is different, the value is updated. If the label exists and the
    287. 

  287. // value is the same, nothing is done.
    288. 

  288. func updateFieldValue(fields []*onepassword.ItemField, label, newVal string) ([]*onepassword.ItemField, error) {
    289. 

  289. 	// This will always iterate over all items.
    290. 

  290. 	// This is done to ensure that two fields with the same label
    291. 

  291. 	// exist resulting in undefined behavior.
    292. 

  292. 	var (
    293. 

  293. 		found bool
    294. 

  294. 		index int
    295. 

  295. 	)
    296. 

  296. 	for i, item := range fields {
    297. 

  297. 		if item.Label == label {
    298. 

  298. 			if found {
    299. 

  299. 				return nil, ErrExpectedOneField
    300. 

  300. 			}
    301. 

  301. 			found = true
    302. 

  302. 			index = i
    303. 

  303. 		}
    304. 

  304. 	}
    305. 

  305. 	if !found {
    306. 

  306. 		return append(fields, generateNewItemField(label, newVal)), nil
    307. 

  307. 	}
    308. 

  308. 

  309. 	if fields[index].Value != newVal {
    310. 

  310. 		fields[index].Value = newVal
    311. 

  311. 	}
    312. 

  312. 

  313. 	return fields, nil
    314. 

  314. }
    315. 

  315. 

  316. // generateNewItemField generates a new item field with the given label and value.
    317. 

  317. func generateNewItemField(label, newVal string) *onepassword.ItemField {
    318. 

  318. 	field := &onepassword.ItemField{
    319. 

  319. 		Label: label,
    320. 

  320. 		Value: newVal,
    321. 

  321. 		Type:  onepassword.FieldTypeConcealed,
    322. 

  322. 	}
    323. 

  323. 

  324. 	return field
    325. 

  325. }
    326. 

  326. 

  327. func (provider *ProviderOnePassword) PushSecret(ctx context.Context, secret *corev1.Secret, ref esv1beta1.PushSecretData) error {
    328. 

  328. 	val, ok := secret.Data[ref.GetSecretKey()]
    329. 

  329. 	if !ok {
    330. 

  330. 		return ErrKeyNotFound
    331. 

  331. 	}
    332. 

  332. 

  333. 	title := ref.GetRemoteKey()
    334. 

  334. 	providerItem, err := provider.findItem(title)
    335. 

  335. 	if errors.Is(err, ErrKeyNotFound) {
    336. 

  336. 		if err = provider.createItem(val, ref); err != nil {
    337. 

  337. 			return fmt.Errorf(errCreateItem, err)
    338. 

  338. 		}
    339. 

  339. 

  340. 		err = provider.waitForFunc(ctx, provider.waitForItemToExist(title))
    341. 

  341. 		return err
    342. 

  342. 	} else if err != nil {
    343. 

  343. 		return err
    344. 

  344. 	}
    345. 

  345. 

  346. 	label := ref.GetProperty()
    347. 

  347. 	if label == "" {
    348. 

  348. 		label = passwordLabel
    349. 

  349. 	}
    350. 

  350. 

  351. 	metadata, err := metadata.ParseMetadataParameters[PushSecretMetadataSpec](ref.GetMetadata())
    352. 

  352. 	if err != nil {
    353. 

  353. 		return fmt.Errorf("failed to parse push secret metadata: %w", err)
    354. 

  354. 	}
    355. 

  355. 	if metadata != nil && metadata.Spec.Tags != nil {
    356. 

  356. 		providerItem.Tags = metadata.Spec.Tags
    357. 

  357. 	}
    358. 

  358. 

  359. 	providerItem.Fields, err = updateFieldValue(providerItem.Fields, label, string(val))
    360. 

  360. 	if err != nil {
    361. 

  361. 		return fmt.Errorf(errUpdateItem, err)
    362. 

  362. 	}
    363. 

  363. 

  364. 	if _, err = provider.client.UpdateItem(providerItem, providerItem.Vault.ID); err != nil {
    365. 

  365. 		return fmt.Errorf(errUpdateItem, err)
    366. 

  366. 	}
    367. 

  367. 

  368. 	if err := provider.waitForFunc(ctx, provider.waitForLabelToBeUpdated(title, label, val)); err != nil {
    369. 

  369. 		return fmt.Errorf("failed waiting for label update: %w", err)
    370. 

  370. 	}
    371. 

  371. 

  372. 	return nil
    373. 

  373. }
    374. 

  374. 

  375. // Clean property string by removing property prefix if needed.
    376. 

  376. func getObjType(documentType onepassword.ItemCategory, property string) (string, string) {
    377. 

  377. 	if strings.HasPrefix(property, fieldPrefix+prefixSplitter) {
    378. 

  378. 		return fieldPrefix, property[6:]
    379. 

  379. 	}
    380. 

  380. 	if strings.HasPrefix(property, filePrefix+prefixSplitter) {
    381. 

  381. 		return filePrefix, property[5:]
    382. 

  382. 	}
    383. 

  383. 

  384. 	if documentType == documentCategory {
    385. 

  385. 		return filePrefix, property
    386. 

  386. 	}
    387. 

  387. 

  388. 	return fieldPrefix, property
    389. 

  389. }
    390. 

  390. 

  391. // GetSecret returns a single secret from the provider.
    392. 

  392. func (provider *ProviderOnePassword) GetSecret(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    393. 

  393. 	if ref.Version != "" {
    394. 

  394. 		return nil, errors.New(errVersionNotImplemented)
    395. 

  395. 	}
    396. 

  396. 

  397. 	item, err := provider.findItem(ref.Key)
    398. 

  398. 	if err != nil {
    399. 

  399. 		return nil, err
    400. 

  400. 	}
    401. 

  401. 

  402. 	propertyType, property := getObjType(item.Category, ref.Property)
    403. 

  403. 	if propertyType == filePrefix {
    404. 

  404. 		return provider.getFile(item, property)
    405. 

  405. 	}
    406. 

  406. 	return provider.getField(item, property)
    407. 

  407. }
    408. 

  408. 

  409. // Validate checks if the client is configured correctly
    410. 

  410. // to be able to retrieve secrets from the provider.
    411. 

  411. func (provider *ProviderOnePassword) Validate() (esv1beta1.ValidationResult, error) {
    412. 

  412. 	for vaultName := range provider.vaults {
    413. 

  413. 		_, err := provider.client.GetVaultByTitle(vaultName)
    414. 

  414. 		if err != nil {
    415. 

  415. 			return esv1beta1.ValidationResultError, err
    416. 

  416. 		}
    417. 

  417. 	}
    418. 

  418. 

  419. 	return esv1beta1.ValidationResultReady, nil
    420. 

  420. }
    421. 

  421. 

  422. // GetSecretMap returns multiple k/v pairs from the provider, for dataFrom.extract.
    423. 

  423. func (provider *ProviderOnePassword) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    424. 

  424. 	if ref.Version != "" {
    425. 

  425. 		return nil, errors.New(errVersionNotImplemented)
    426. 

  426. 	}
    427. 

  427. 

  428. 	item, err := provider.findItem(ref.Key)
    429. 

  429. 	if err != nil {
    430. 

  430. 		return nil, err
    431. 

  431. 	}
    432. 

  432. 

  433. 	propertyType, property := getObjType(item.Category, ref.Property)
    434. 

  434. 	if propertyType == filePrefix {
    435. 

  435. 		return provider.getFiles(item, property)
    436. 

  436. 	}
    437. 

  437. 	return provider.getFields(item, property)
    438. 

  438. }
    439. 

  439. 

  440. // GetAllSecrets syncs multiple 1Password Items into a single Kubernetes Secret, for dataFrom.find.
    441. 

  441. func (provider *ProviderOnePassword) GetAllSecrets(_ context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    442. 

  442. 	secretData := make(map[string][]byte)
    443. 

  443. 	sortedVaults := sortVaults(provider.vaults)
    444. 

  444. 	for _, vaultName := range sortedVaults {
    445. 

  445. 		vault, err := provider.client.GetVaultByTitle(vaultName)
    446. 

  446. 		if err != nil {
    447. 

  447. 			return nil, fmt.Errorf(errGetVault, err)
    448. 

  448. 		}
    449. 

  449. 		if ref.Tags != nil {
    450. 

  450. 			err = provider.getAllByTags(vault.ID, ref, secretData)
    451. 

  451. 			if err != nil {
    452. 

  452. 				return nil, err
    453. 

  453. 			}
    454. 

  454. 			return secretData, nil
    455. 

  455. 		}
    456. 

  456. 		err = provider.getAllForVault(vault.ID, ref, secretData)
    457. 

  457. 		if err != nil {
    458. 

  458. 			return nil, err
    459. 

  459. 		}
    460. 

  460. 	}
    461. 

  461. 

  462. 	return secretData, nil
    463. 

  463. }
    464. 

  464. 

  465. // Close closes the client connection.
    466. 

  466. func (provider *ProviderOnePassword) Close(_ context.Context) error {
    467. 

  467. 	return nil
    468. 

  468. }
    469. 

  469. 

  470. func (provider *ProviderOnePassword) findItem(name string) (*onepassword.Item, error) {
    471. 

  471. 	sortedVaults := sortVaults(provider.vaults)
    472. 

  472. 	for _, vaultName := range sortedVaults {
    473. 

  473. 		vault, err := provider.client.GetVaultByTitle(vaultName)
    474. 

  474. 		if err != nil {
    475. 

  475. 			return nil, fmt.Errorf(errGetVault, err)
    476. 

  476. 		}
    477. 

  477. 

  478. 		// use GetItemsByTitle instead of GetItemByTitle in order to handle length cases
    479. 

  479. 		items, err := provider.client.GetItemsByTitle(name, vault.ID)
    480. 

  480. 		if err != nil {
    481. 

  481. 			return nil, fmt.Errorf(errGetItem, err)
    482. 

  482. 		}
    483. 

  483. 		switch {
    484. 

  484. 		case len(items) == 1:
    485. 

  485. 			return provider.client.GetItemByUUID(items[0].ID, items[0].Vault.ID)
    486. 

  486. 		case len(items) > 1:
    487. 

  487. 			return nil, fmt.Errorf("%w: '%s', got %d", ErrExpectedOneItem, name, len(items))
    488. 

  488. 		}
    489. 

  489. 	}
    490. 

  490. 

  491. 	return nil, fmt.Errorf("%w: %s in: %v", ErrKeyNotFound, name, provider.vaults)
    492. 

  492. }
    493. 

  493. 

  494. func (provider *ProviderOnePassword) getField(item *onepassword.Item, property string) ([]byte, error) {
    495. 

  495. 	// default to a field labeled "password"
    496. 

  496. 	fieldLabel := "password"
    497. 

  497. 	if property != "" {
    498. 

  498. 		fieldLabel = property
    499. 

  499. 	}
    500. 

  500. 

  501. 	if length := countFieldsWithLabel(fieldLabel, item.Fields); length != 1 {
    502. 

  502. 		return nil, fmt.Errorf("%w: '%s' in '%s', got %d", ErrExpectedOneField, fieldLabel, item.Title, length)
    503. 

  503. 	}
    504. 

  504. 

  505. 	// caution: do not use client.GetValue here because it has undesirable behavior on keys with a dot in them
    506. 

  506. 	value := ""
    507. 

  507. 	for _, field := range item.Fields {
    508. 

  508. 		if field.Label == fieldLabel {
    509. 

  509. 			value = field.Value
    510. 

  510. 			break
    511. 

  511. 		}
    512. 

  512. 	}
    513. 

  513. 

  514. 	return []byte(value), nil
    515. 

  515. }
    516. 

  516. 

  517. func (provider *ProviderOnePassword) getFields(item *onepassword.Item, property string) (map[string][]byte, error) {
    518. 

  518. 	secretData := make(map[string][]byte)
    519. 

  519. 	for _, field := range item.Fields {
    520. 

  520. 		if property != "" && field.Label != property {
    521. 

  521. 			continue
    522. 

  522. 		}
    523. 

  523. 		if length := countFieldsWithLabel(field.Label, item.Fields); length != 1 {
    524. 

  524. 			return nil, fmt.Errorf(errExpectedOneFieldMsgF, ErrExpectedOneField, field.Label, item.Title, length)
    525. 

  525. 		}
    526. 

  526. 

  527. 		// caution: do not use client.GetValue here because it has undesirable behavior on keys with a dot in them
    528. 

  528. 		secretData[field.Label] = []byte(field.Value)
    529. 

  529. 	}
    530. 

  530. 

  531. 	return secretData, nil
    532. 

  532. }
    533. 

  533. 

  534. func (provider *ProviderOnePassword) getAllFields(item onepassword.Item, ref esv1beta1.ExternalSecretFind, secretData map[string][]byte) error {
    535. 

  535. 	i, err := provider.client.GetItemByUUID(item.ID, item.Vault.ID)
    536. 

  536. 	if err != nil {
    537. 

  537. 		return fmt.Errorf(errGetItem, err)
    538. 

  538. 	}
    539. 

  539. 	item = *i
    540. 

  540. 	for _, field := range item.Fields {
    541. 

  541. 		if length := countFieldsWithLabel(field.Label, item.Fields); length != 1 {
    542. 

  542. 			return fmt.Errorf(errExpectedOneFieldMsgF, ErrExpectedOneField, field.Label, item.Title, length)
    543. 

  543. 		}
    544. 

  544. 		if ref.Name != nil {
    545. 

  545. 			matcher, err := find.New(*ref.Name)
    546. 

  546. 			if err != nil {
    547. 

  547. 				return err
    548. 

  548. 			}
    549. 

  549. 			if !matcher.MatchName(field.Label) {
    550. 

  550. 				continue
    551. 

  551. 			}
    552. 

  552. 		}
    553. 

  553. 		if _, ok := secretData[field.Label]; !ok {
    554. 

  554. 			secretData[field.Label] = []byte(field.Value)
    555. 

  555. 		}
    556. 

  556. 	}
    557. 

  557. 

  558. 	return nil
    559. 

  559. }
    560. 

  560. 

  561. func (provider *ProviderOnePassword) getFile(item *onepassword.Item, property string) ([]byte, error) {
    562. 

  562. 	for _, file := range item.Files {
    563. 

  563. 		// default to the first file when ref.Property is empty
    564. 

  564. 		if file.Name == property || property == "" {
    565. 

  565. 			contents, err := provider.client.GetFileContent(file)
    566. 

  566. 			if err != nil {
    567. 

  567. 				return nil, err
    568. 

  568. 			}
    569. 

  569. 

  570. 			return contents, nil
    571. 

  571. 		}
    572. 

  572. 	}
    573. 

  573. 

  574. 	return nil, fmt.Errorf(errDocumentNotFound, fmt.Errorf("'%s', '%s'", item.Title, property))
    575. 

  575. }
    576. 

  576. 

  577. func (provider *ProviderOnePassword) getFiles(item *onepassword.Item, property string) (map[string][]byte, error) {
    578. 

  578. 	secretData := make(map[string][]byte)
    579. 

  579. 	for _, file := range item.Files {
    580. 

  580. 		if property != "" && file.Name != property {
    581. 

  581. 			continue
    582. 

  582. 		}
    583. 

  583. 		contents, err := provider.client.GetFileContent(file)
    584. 

  584. 		if err != nil {
    585. 

  585. 			return nil, err
    586. 

  586. 		}
    587. 

  587. 		secretData[file.Name] = contents
    588. 

  588. 	}
    589. 

  589. 

  590. 	return secretData, nil
    591. 

  591. }
    592. 

  592. 

  593. func (provider *ProviderOnePassword) getAllFiles(item onepassword.Item, ref esv1beta1.ExternalSecretFind, secretData map[string][]byte) error {
    594. 

  594. 	for _, file := range item.Files {
    595. 

  595. 		if ref.Name != nil {
    596. 

  596. 			matcher, err := find.New(*ref.Name)
    597. 

  597. 			if err != nil {
    598. 

  598. 				return err
    599. 

  599. 			}
    600. 

  600. 			if !matcher.MatchName(file.Name) {
    601. 

  601. 				continue
    602. 

  602. 			}
    603. 

  603. 		}
    604. 

  604. 		if _, ok := secretData[file.Name]; !ok {
    605. 

  605. 			contents, err := provider.client.GetFileContent(file)
    606. 

  606. 			if err != nil {
    607. 

  607. 				return err
    608. 

  608. 			}
    609. 

  609. 			secretData[file.Name] = contents
    610. 

  610. 		}
    611. 

  611. 	}
    612. 

  612. 

  613. 	return nil
    614. 

  614. }
    615. 

  615. 

  616. func (provider *ProviderOnePassword) getAllByTags(vaultID string, ref esv1beta1.ExternalSecretFind, secretData map[string][]byte) error {
    617. 

  617. 	items, err := provider.client.GetItems(vaultID)
    618. 

  618. 	if err != nil {
    619. 

  619. 		return fmt.Errorf(errGetItem, err)
    620. 

  620. 	}
    621. 

  621. 	for _, item := range items {
    622. 

  622. 		if !checkTags(ref.Tags, item.Tags) {
    623. 

  623. 			continue
    624. 

  624. 		}
    625. 

  625. 		// handle files
    626. 

  626. 		err = provider.getAllFiles(item, ref, secretData)
    627. 

  627. 		if err != nil {
    628. 

  628. 			return err
    629. 

  629. 		}
    630. 

  630. 		// handle fields
    631. 

  631. 		err = provider.getAllFields(item, ref, secretData)
    632. 

  632. 		if err != nil {
    633. 

  633. 			return err
    634. 

  634. 		}
    635. 

  635. 	}
    636. 

  636. 	return nil
    637. 

  637. }
    638. 

  638. 

  639. // checkTags verifies that all elements in source are present in target.
    640. 

  640. func checkTags(source map[string]string, target []string) bool {
    641. 

  641. 	for s := range source {
    642. 

  642. 		if !slices.Contains(target, s) {
    643. 

  643. 			return false
    644. 

  644. 		}
    645. 

  645. 	}
    646. 

  646. 	return true
    647. 

  647. }
    648. 

  648. 

  649. func (provider *ProviderOnePassword) getAllForVault(vaultID string, ref esv1beta1.ExternalSecretFind, secretData map[string][]byte) error {
    650. 

  650. 	items, err := provider.client.GetItems(vaultID)
    651. 

  651. 	if err != nil {
    652. 

  652. 		return fmt.Errorf(errGetItem, err)
    653. 

  653. 	}
    654. 

  654. 	for _, item := range items {
    655. 

  655. 		if ref.Path != nil && *ref.Path != item.Title {
    656. 

  656. 			continue
    657. 

  657. 		}
    658. 

  658. 

  659. 		// handle files
    660. 

  660. 		err = provider.getAllFiles(item, ref, secretData)
    661. 

  661. 		if err != nil {
    662. 

  662. 			return err
    663. 

  663. 		}
    664. 

  664. 

  665. 		// handle fields
    666. 

  666. 		err = provider.getAllFields(item, ref, secretData)
    667. 

  667. 		if err != nil {
    668. 

  668. 			return err
    669. 

  669. 		}
    670. 

  670. 	}
    671. 

  671. 

  672. 	return nil
    673. 

  673. }
    674. 

  674. 

  675. // waitForFunc will wait for OnePassword to _actually_ create/update the secret. OnePassword returns immediately after
    676. 

  676. // the initial create/update which makes the next call for the same item create/update a new item with the same name. Hence, we'll
    677. 

  677. // wait for the item to exist or be updated on OnePassword's side as well.
    678. 

  678. // Ideally we could do bulk operations and handle data with one submit, but that would require re-writing the entire
    679. 

  679. // push secret controller. For now, this is sufficient.
    680. 

  680. func (provider *ProviderOnePassword) waitForFunc(ctx context.Context, fn func() error) error {
    681. 

  681. 	// check every .5 seconds
    682. 

  682. 	tick := time.NewTicker(500 * time.Millisecond)
    683. 

  683. 	defer tick.Stop()
    684. 

  684. 	done, cancel := context.WithTimeout(ctx, 5*time.Second)
    685. 

  685. 	defer cancel()
    686. 

  686. 

  687. 	var err error
    688. 

  688. 	for {
    689. 

  689. 		select {
    690. 

  690. 		case <-tick.C:
    691. 

  691. 			if err = fn(); err == nil {
    692. 

  692. 				return nil
    693. 

  693. 			}
    694. 

  694. 		case <-done.Done():
    695. 

  695. 			return fmt.Errorf("timeout to wait for function to run successfully; last error was: %w", err)
    696. 

  696. 		}
    697. 

  697. 	}
    698. 

  698. }
    699. 

  699. 

  700. func (provider *ProviderOnePassword) waitForItemToExist(title string) func() error {
    701. 

  701. 	return func() error {
    702. 

  702. 		_, err := provider.findItem(title)
    703. 

  703. 

  704. 		return err
    705. 

  705. 	}
    706. 

  706. }
    707. 

  707. 

  708. func (provider *ProviderOnePassword) waitForLabelToBeUpdated(title, label string, val []byte) func() error {
    709. 

  709. 	return func() error {
    710. 

  710. 		item, err := provider.findItem(title)
    711. 

  711. 		if err != nil {
    712. 

  712. 			return err
    713. 

  713. 		}
    714. 

  714. 

  715. 		for _, field := range item.Fields {
    716. 

  716. 			// we found the label with the right value
    717. 

  717. 			if field.Label == label && field.Value == string(val) {
    718. 

  718. 				return nil
    719. 

  719. 			}
    720. 

  720. 		}
    721. 

  721. 

  722. 		return fmt.Errorf("label %s no found on value with title %s", title, label)
    723. 

  723. 	}
    724. 

  724. }
    725. 

  725. 

  726. func countFieldsWithLabel(fieldLabel string, fields []*onepassword.ItemField) int {
    727. 

  727. 	count := 0
    728. 

  728. 	for _, field := range fields {
    729. 

  729. 		if field.Label == fieldLabel {
    730. 

  730. 			count++
    731. 

  731. 		}
    732. 

  732. 	}
    733. 

  733. 

  734. 	return count
    735. 

  735. }
    736. 

  736. 

  737. type orderedVault struct {
    738. 

  738. 	Name  string
    739. 

  739. 	Order int
    740. 

  740. }
    741. 

  741. 

  742. type orderedVaultList []orderedVault
    743. 

  743. 

  744. func (list orderedVaultList) Len() int           { return len(list) }
    745. 

  745. func (list orderedVaultList) Swap(i, j int)      { list[i], list[j] = list[j], list[i] }
    746. 

  746. func (list orderedVaultList) Less(i, j int) bool { return list[i].Order < list[j].Order }
    747. 

  747. 

  748. func sortVaults(vaults map[string]int) []string {
    749. 

  749. 	list := make(orderedVaultList, len(vaults))
    750. 

  750. 	index := 0
    751. 

  751. 	for key, value := range vaults {
    752. 

  752. 		list[index] = orderedVault{key, value}
    753. 

  753. 		index++
    754. 

  754. 	}
    755. 

  755. 	sort.Sort(list)
    756. 

  756. 	sortedVaults := []string{}
    757. 

  757. 	for _, item := range list {
    758. 

  758. 		sortedVaults = append(sortedVaults, item.Name)
    759. 

  759. 	}
    760. 

  760. 

  761. 	return sortedVaults
    762. 

  762. }
    763. 

  763. 

  764. func hasUniqueVaultNumbers(vaults map[string]int) bool {
    765. 

  765. 	unique := make([]int, 0, len(vaults))
    766. 

  766. 	tracker := make(map[int]bool)
    767. 

  767. 

  768. 	for _, number := range vaults {
    769. 

  769. 		if _, ok := tracker[number]; !ok {
    770. 

  770. 			tracker[number] = true
    771. 

  771. 			unique = append(unique, number)
    772. 

  772. 		}
    773. 

  773. 	}
    774. 

  774. 

  775. 	return len(vaults) == len(unique)
    776. 

  776. }
    777. 

  777. 

  778. func init() {
    779. 

  779. 	esv1beta1.Register(&ProviderOnePassword{}, &esv1beta1.SecretStoreProvider{
    780. 

  780. 		OnePassword: &esv1beta1.OnePasswordProvider{},
    781. 

  781. 	})
    782. 

  782. }
    783.