package gconfig
import (
"context"
"encoding/json"
"fmt"
"strings"
"sync"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/ssm"
"github.com/common-fate/granted-approvals/pkg/cfaws"
"github.com/pkg/errors"
"golang.org/x/sync/errgroup"
)
// SecretGetter resolves a secret reference to its plaintext value.
// Implementations are registered under a value prefix in secretGetterRegistry;
// the path passed here is the configuration value with that prefix already
// stripped (see JSONLoader.Load).
type SecretGetter interface {
	GetSecret(ctx context.Context, path string) (string, error)
}
// secretGetterRegistry maps a value prefix to the secret backend that
// resolves values carrying it. Only SSM is supported for now: values that
// begin with "awsssm://" are fetched by SSMGetter.
var secretGetterRegistry = map[string]SecretGetter{
	"awsssm://": SSMGetter{},
}
// MapLoader looks up values in its Values map
// when loading configuration.
//
// It's useful for writing tests which use genv to configure things.
//
// Values are passed through JSONLoader, so entries prefixed with a registered
// secret prefix (e.g. "awsssm://") are resolved unless SkipLoadingSecrets is set.
type MapLoader struct {
	// Set this to true to skip loading secrets
	SkipLoadingSecrets bool
	Values             map[string]string
}
// Load serialises Values to JSON and delegates to JSONLoader.Load, so a
// MapLoader gets the same secret-resolution behaviour (e.g. "awsssm://"
// values) as a JSONLoader, honouring SkipLoadingSecrets.
func (l *MapLoader) Load(ctx context.Context) (map[string]string, error) {
	encoded, err := json.Marshal(l.Values)
	if err != nil {
		return nil, err
	}
	delegate := JSONLoader{
		Data:               encoded,
		SkipLoadingSecrets: l.SkipLoadingSecrets,
	}
	return delegate.Load(ctx)
}
// JSONLoader loads configuration from a serialized JSON payload
// set in the 'Data' field (a JSON object mapping string keys to string values).
// If any value is prefixed with one of the known prefixes it is further processed,
// e.g. values prefixed with "awsssm://" are treated as an SSM parameter name and
// fetched via the AWS SDK.
type JSONLoader struct {
	// Set this to true to skip loading secrets
	SkipLoadingSecrets bool
	Data               []byte
}
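// Load decodes Data into a string map and, unless SkipLoadingSecrets is set,
// replaces every value carrying a registered prefix (e.g. "awsssm://") with
// the secret it refers to. Secret lookups run concurrently; the first failure
// cancels the remaining lookups and is returned. A JSON "null" payload
// yields a nil map.
func (l JSONLoader) Load(ctx context.Context) (map[string]string, error) {
	var res map[string]string
	if err := json.Unmarshal(l.Data, &res); err != nil {
		return nil, err
	}
	if l.SkipLoadingSecrets {
		return res, nil
	}

	// First pass: decide which values need resolving. No goroutine is started
	// while res is still being ranged over — a write to the map from another
	// goroutine during iteration is a data race and can abort the process.
	type lookup struct {
		key    string
		name   string
		getter SecretGetter
	}
	var pending []lookup
	for k, v := range res {
		for prefix, getter := range secretGetterRegistry {
			if !strings.HasPrefix(v, prefix) {
				continue
			}
			pending = append(pending, lookup{
				key:    k,
				name:   strings.TrimPrefix(v, prefix),
				getter: getter,
			})
			break // a value resolves through at most one backend
		}
	}
	if len(pending) == 0 {
		return res, nil
	}

	// Second pass: resolve in parallel. errgroup cancels gctx on the first
	// error so in-flight lookups stop early.
	var mu sync.Mutex
	g, gctx := errgroup.WithContext(ctx)
	for _, lk := range pending {
		lk := lk // per-iteration copy for the closure (required before Go 1.22)
		g.Go(func() error {
			value, err := lk.getter.GetSecret(gctx, lk.name)
			if err != nil {
				return err
			}
			// Several lookups may finish at once; serialise the map writes.
			mu.Lock()
			defer mu.Unlock()
			res[lk.key] = value
			return nil
		})
	}
	if err := g.Wait(); err != nil {
		return nil, err
	}
	return res, nil
}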
// SSMGetter resolves secrets from AWS Systems Manager Parameter Store.
// It is registered under the "awsssm://" prefix in secretGetterRegistry.
type SSMGetter struct{}
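// GetSecret fetches the SSM parameter named path, asking SSM to decrypt it,
// using the AWS config obtained from cfaws.ConfigFromContextOrDefault(ctx).
// It returns an error if the config cannot be loaded, the parameter cannot
// be read, or the response carries no value.
func (g SSMGetter) GetSecret(ctx context.Context, path string) (string, error) {
	cfg, err := cfaws.ConfigFromContextOrDefault(ctx)
	if err != nil {
		return "", err
	}
	client := ssm.NewFromConfig(cfg)
	output, err := client.GetParameter(ctx, &ssm.GetParameterInput{
		Name:           &path,
		WithDecryption: aws.Bool(true),
	})
	if err != nil {
		return "", errors.Wrapf(err, "looking up %s in ssm", path)
	}
	// Guard every pointer on the way to Value: checking only Value would
	// panic on a nil Parameter.
	if output == nil || output.Parameter == nil || output.Parameter.Value == nil {
		return "", fmt.Errorf("looking up %s in ssm: parameter value was nil", path)
	}
	return *output.Parameter.Value, nil
}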