Parse the secrets group structure and retrieve the secrets from Conjur
Showing
5 changed files
with
233 additions
and
0 deletions.
@@ -0,0 +1,59 @@ | ||
package pushtofile | ||
|
||
import ( | ||
"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token" | ||
"github.com/cyberark/conjur-authn-k8s-client/pkg/log" | ||
"strings" | ||
"github.com/cyberark/secrets-provider-for-k8s/pkg/log/messages" | ||
"github.com/cyberark/secrets-provider-for-k8s/pkg/secrets/clients/conjur" | ||
) | ||
|
||
func IterateOverGroups(accessToken access_token.AccessToken, | ||
secretGroups *SecretGroups) error { | ||
|
||
return iterateOverGroups(accessToken, secretGroups, | ||
conjur.RetrieveConjurSecrets) | ||
|
||
} | ||
|
||
func iterateOverGroups(accessToken access_token.AccessToken, | ||
secretGroups *SecretGroups, | ||
retrieveConjurSecretsFunc conjur.RetrieveConjurSecretsFunc) error { | ||
|
||
var err error | ||
var retrieved map[string][]byte | ||
|
||
for groupkey, group := range *secretGroups { | ||
requiredSecrets := []string{} | ||
for _, spec := range group.SecretSpecs { | ||
requiredSecrets = append(requiredSecrets, spec.Id) | ||
} | ||
retrieved, err = RetrieveConjurSecretGroup(accessToken, requiredSecrets, retrieveConjurSecretsFunc) | ||
|
||
for _, spec := range group.SecretSpecs { | ||
for id, secret := range retrieved { | ||
if strings.Contains(id, spec.Id) { | ||
(*secretGroups)[groupkey].SecretsMap[spec.Alias] = secret | ||
} | ||
} | ||
} | ||
|
||
if err != nil { | ||
return log.RecordedError(messages.CSPFK052E, err.Error()) | ||
} | ||
|
||
} | ||
return err | ||
} | ||
|
||
func RetrieveConjurSecretGroup( | ||
accessToken access_token.AccessToken, | ||
variableIDs []string, | ||
retrieveConjurSecretsFunc conjur.RetrieveConjurSecretsFunc) ( | ||
map[string][]byte, error) { | ||
accessTokenData, err := accessToken.Read() | ||
if err != nil { | ||
return nil, log.RecordedError(messages.CSPFK053E, err.Error()) | ||
} | ||
return retrieveConjurSecretsFunc(accessTokenData, variableIDs) | ||
} |
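Review bot: The alias binding at `if strings.Contains(id, spec.Id)` matches variable IDs by substring, so within one group a retrieved key that contains another spec's ID (for example `dev/openshift/password` inside `dev/openshift/password-old`) assigns the wrong value to an alias, and because map iteration order is random the winner of the overwrite differs between runs. If the keys returned by retrieveConjurSecretsFunc are fully qualified Conjur IDs (which the use of Contains suggests but the hunk does not show), anchor the comparison — `if id == spec.Id || strings.HasSuffix(id, ":"+spec.Id) {` — and return an error when a spec finishes the loop with no match, since today a missing secret merely leaves the alias absent from SecretsMap and the file is written without it. The error from RetrieveConjurSecretGroup is only examined after the matching loop; move the `if err != nil` check directly below the call so the result map is never consulted after a failed retrieval. Writing into `(*secretGroups)[groupkey].SecretsMap` will also panic if the parser leaves SecretsMap nil, so a `make` guard is worth adding unless initialization is guaranteed elsewhere.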
@@ -0,0 +1,154 @@ | ||
package pushtofile | ||
|
||
import ( | ||
"fmt" | ||
"github.com/cyberark/secrets-provider-for-k8s/pkg/secrets/k8s_secrets_storage/mocks" | ||
"github.com/stretchr/testify/assert" | ||
"testing" | ||
) | ||
|
||
type retrieveSecretsTestCase struct { | ||
description string | ||
contents SecretGroups | ||
assert func(t *testing.T, result SecretGroups, err error) | ||
} | ||
|
||
func assertGoodResults(expectedResult SecretGroups) func(*testing.T, SecretGroups, error) { | ||
return func(t *testing.T, result SecretGroups, err error) { | ||
|
||
if !assert.NoError(t, err) { | ||
return | ||
} | ||
assert.Equal( | ||
t, | ||
expectedResult, | ||
result, | ||
) | ||
} | ||
} | ||
|
||
var retrieveSecretsTestCases = []retrieveSecretsTestCase{ | ||
{ | ||
description: "Happy Case", | ||
contents: SecretGroups{ | ||
SecretGroup{ | ||
Label: "cache", | ||
FilePath: "./testdata/cache.cfg", | ||
FileTemplate: "", | ||
ConjurSecretPathPrefix: "", | ||
SecretSpecs: []SecretSpec{ | ||
{Alias: "api-url", Id: "dev/openshift/api-url"}, | ||
{Alias: "username", Id: "dev/openshift/username"}, | ||
{Alias: "password", Id: "dev/openshift/password"}, | ||
}, | ||
SecretsMap: map[string][]byte{}, | ||
}, | ||
SecretGroup{ | ||
Label: "db", | ||
FileTemplate: "", | ||
FilePath: "./testdata/db.json", | ||
ConjurSecretPathPrefix: "", | ||
SecretSpecs: []SecretSpec{ | ||
{Alias: "api-url", Id: "ci/openshift/api-url"}, | ||
{Alias: "username", Id: "ci/openshift/username"}, | ||
{Alias: "password", Id: "ci/openshift/password"}, | ||
}, | ||
SecretsMap: map[string][]byte{}, | ||
}, | ||
}, | ||
assert: assertGoodResults(SecretGroups{ | ||
SecretGroup{ | ||
Label: "cache", | ||
FilePath: "./testdata/cache.cfg", | ||
FileTemplate: "", | ||
ConjurSecretPathPrefix: "", | ||
SecretSpecs: []SecretSpec{ | ||
{Alias: "api-url", Id: "dev/openshift/api-url"}, | ||
{Alias: "username", Id: "dev/openshift/username"}, | ||
{Alias: "password", Id: "dev/openshift/password"}, | ||
}, | ||
SecretsMap: map[string][]byte{ | ||
"api-url": []byte("https://postgres.example.com"), | ||
"username": []byte("admin"), | ||
"password": []byte("open-$e$ame"), | ||
}, | ||
}, | ||
SecretGroup{ | ||
Label: "db", | ||
FilePath: "./testdata/db.json", | ||
FileTemplate: "", | ||
ConjurSecretPathPrefix: "", | ||
SecretSpecs: []SecretSpec{ | ||
{Alias: "api-url", Id: "ci/openshift/api-url"}, | ||
{Alias: "username", Id: "ci/openshift/username"}, | ||
{Alias: "password", Id: "ci/openshift/password"}, | ||
}, | ||
SecretsMap: map[string][]byte{ | ||
"api-url": []byte("https://ci.postgres.example.com"), | ||
"username": []byte("administrator"), | ||
"password": []byte("open-$e$ame"), | ||
}, | ||
}, | ||
}), | ||
}, | ||
{ | ||
description: "Bad ID", | ||
contents: SecretGroups{ | ||
SecretGroup{ | ||
Label: "cache", | ||
FilePath: "./testdata/cache.cfg", | ||
FileTemplate: "", | ||
ConjurSecretPathPrefix: "", | ||
SecretSpecs: []SecretSpec{ | ||
{Alias: "api-url", Id: "foo/openshift/bar"}, | ||
{Alias: "username", Id: "dev/openshift/username"}, | ||
{Alias: "password", Id: "dev/openshift/password"}, | ||
}, | ||
SecretsMap: map[string][]byte{}, | ||
}, | ||
SecretGroup{ | ||
Label: "db", | ||
FileTemplate: "", | ||
FilePath: "./testdata/db.json", | ||
ConjurSecretPathPrefix: "", | ||
SecretSpecs: []SecretSpec{ | ||
{Alias: "api-url", Id: "ci/openshift/api-url"}, | ||
{Alias: "username", Id: "ci/openshift/username"}, | ||
{Alias: "password", Id: "ci/openshift/password"}, | ||
}, | ||
SecretsMap: map[string][]byte{}, | ||
}, | ||
}, | ||
assert: func(t *testing.T, result SecretGroups, err error) { | ||
assert.Contains(t, err.Error(), "Failed to retrieve secrets") | ||
}, | ||
}, | ||
} | ||
|
||
func TestRetrieveSecrets(t *testing.T) { | ||
var mockAccessToken mocks.MockAccessToken | ||
prepareMockDBs() | ||
var s SecretGroups | ||
for _, tc := range retrieveSecretsTestCases { | ||
t.Run(tc.description, func(t *testing.T) { | ||
s = tc.contents | ||
fmt.Printf("TestRetrieveSecrets %t\n", mocks.CanExecuteConjurVar) | ||
err := iterateOverGroups(mockAccessToken, | ||
&s, | ||
//&tc.contents, | ||
mocks.RetrieveConjurSecrets) | ||
tc.assert(t, s, err) | ||
}) | ||
} | ||
} | ||
|
||
func prepareMockDBs() { | ||
mocks.CanExecuteConjurVar = true | ||
mocks.MockConjurDB = make(map[string][]byte) | ||
mocks.MockConjurDB["dev/openshift/api-url"] = []byte("https://postgres.example.com") | ||
mocks.MockConjurDB["dev/openshift/username"] = []byte("admin") | ||
mocks.MockConjurDB["dev/openshift/password"] = []byte("open-$e$ame") | ||
mocks.MockConjurDB["ci/openshift/api-url"] = []byte("https://ci.postgres.example.com") | ||
mocks.MockConjurDB["ci/openshift/username"] = []byte("administrator") | ||
mocks.MockConjurDB["ci/openshift/password"] = []byte("open-$e$ame") | ||
} |
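Review bot: The `Bad ID` assertion at `assert.Contains(t, err.Error(), "Failed to retrieve secrets")` dereferences err without first establishing it is non-nil, so a regression that makes iterateOverGroups return nil turns a test failure into a nil-pointer panic that aborts the package run; guard it with `if assert.Error(t, err) { assert.Contains(t, err.Error(), "Failed to retrieve secrets") }`. The `fmt.Printf("TestRetrieveSecrets %t\n", mocks.CanExecuteConjurVar)` in TestRetrieveSecrets reads as leftover debugging — switch to `t.Logf` or drop it together with the commented-out `//&tc.contents,` argument, after which the `fmt` import becomes unused. No case covers two specs in one group whose IDs are substrings of each other, which is exactly the input the `strings.Contains` match in iterateOverGroups is most likely to get wrong; one extra mock key such as `dev/openshift/password-old` alongside a matching spec would exercise it.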