-
Notifications
You must be signed in to change notification settings - Fork 56
/
provider.go
214 lines (179 loc) · 7.08 KB
/
provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
/*
Copyright The Ratify Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package azurekeyvault
// This class is based on implementation from azure secret store csi provider
// Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/provider
import (
"context"
"crypto/x509"
"encoding/pem"
"fmt"
"reflect"
"strings"
"github.com/deislabs/ratify/pkg/certificateprovider"
"github.com/deislabs/ratify/pkg/certificateprovider/azurekeyvault/types"
"github.com/sirupsen/logrus"
kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/pkg/errors"
"gopkg.in/yaml.v2"
)
type keyvaultObject struct {
content string
version string
}
// returns an array of certificates based on certificate properties defined in attrib map
func GetCertificates(ctx context.Context, attrib map[string]string) ([]*x509.Certificate, error) {
keyvaultUri := types.GetKeyVaultUri(attrib)
cloudName := types.GetCloudName(attrib)
tenantID := types.GetTenantID(attrib)
workloadIdentityClientID := types.GetClientID(attrib)
if keyvaultUri == "" {
return nil, fmt.Errorf("keyvaultUri is not set")
}
if tenantID == "" {
return nil, fmt.Errorf("tenantID is not set")
}
if workloadIdentityClientID == "" {
return nil, fmt.Errorf("clientID is not set")
}
azureCloudEnv, err := parseAzureEnvironment(cloudName)
if err != nil {
return nil, fmt.Errorf("cloudName %s is not valid, error: %w", cloudName, err)
}
// 1. cleaning up keyvault objects definition
certificatesStrings := types.GetCertificates(attrib)
if certificatesStrings == "" {
return nil, fmt.Errorf("certificates is not set")
}
logrus.Debugf("certificates string defined in ratify certStore class, certificates %v", certificatesStrings)
objects, err := types.GetCertificatesArray(certificatesStrings)
if err != nil {
return nil, fmt.Errorf("failed to yaml unmarshal objects, error: %w", err)
}
logrus.Debugf("unmarshaled objects yaml, objectsArray %v", objects.Array)
keyVaultCerts := []types.KeyVaultCertificate{}
for i, object := range objects.Array {
var keyVaultCert types.KeyVaultCertificate
if err = yaml.Unmarshal([]byte(object), &keyVaultCert); err != nil {
return nil, fmt.Errorf("unmarshal failed for keyVaultCerts at index %d, error: %w", i, err)
}
// remove whitespace from all fields in keyVaultCert
formatKeyVaultCertificate(&keyVaultCert)
keyVaultCerts = append(keyVaultCerts, keyVaultCert)
}
logrus.Debugf("unmarshaled %v key vault objects, keyVaultObjects: %v", len(keyVaultCerts), keyVaultCerts)
if len(keyVaultCerts) == 0 {
return nil, fmt.Errorf("no keyvault certificate configured")
}
logrus.Debugf("vaultURI %s", keyvaultUri)
kvClient, err := initializeKvClient(ctx, azureCloudEnv.KeyVaultEndpoint, tenantID, workloadIdentityClientID)
if err != nil {
return nil, fmt.Errorf("failed to get keyvault client, error: %w", err)
}
certs := []*x509.Certificate{}
for _, keyVaultCert := range keyVaultCerts {
logrus.Debugf("fetching object from key vault, certName %v, keyvault %v", keyVaultCert.CertificateName, keyvaultUri)
// fetch the object from Key Vault
result, err := getCertificate(ctx, kvClient, keyvaultUri, keyVaultCert)
if err != nil {
return nil, err
}
objectContent := []byte(result.content)
cert := types.Certificate{
CertificateName: keyVaultCert.CertificateName,
Content: objectContent,
Version: result.version,
}
logrus.Debugf("retreived certificate %v from keyvault", cert.CertificateName)
// convert bytes to x509
decodedCerts, err := certificateprovider.DecodeCertificates(cert.Content)
if err != nil {
return nil, fmt.Errorf("failed to decode certificate %s, error: %w", cert.CertificateName, err)
}
certs = append(certs, decodedCerts...)
logrus.Debugf("cert '%v', version '%v' added", cert.CertificateName, cert.Version)
}
return certs, nil
}
// formatKeyVaultCertificate formats the fields in KeyVaultCertificate
func formatKeyVaultCertificate(object *types.KeyVaultCertificate) {
if object == nil {
return
}
objectPtr := reflect.ValueOf(object)
objectValue := objectPtr.Elem()
for i := 0; i < objectValue.NumField(); i++ {
field := objectValue.Field(i)
if field.Type() != reflect.TypeOf("") {
continue
}
str := field.Interface().(string)
str = strings.TrimSpace(str)
field.SetString(str)
}
}
// parseAzureEnvironment returns azure environment by name
func parseAzureEnvironment(cloudName string) (*azure.Environment, error) {
var env azure.Environment
var err error
if cloudName == "" {
env = azure.PublicCloud
} else {
env, err = azure.EnvironmentFromName(cloudName)
}
return &env, err
}
func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientId string) (*kv.BaseClient, error) {
kvClient := kv.New()
kvEndpoint := strings.TrimSuffix(keyVaultEndpoint, "/")
err := kvClient.AddToUserAgent("ratify")
if err != nil {
return nil, fmt.Errorf("failed to add user agent to keyvault client, error: %w", err)
}
kvClient.Authorizer, err = getAuthorizerForWorkloadIdentity(ctx, tenantID, clientId, kvEndpoint)
if err != nil {
return nil, fmt.Errorf("failed to get authorizer for keyvault client, error: %w", err)
}
return &kvClient, nil
}
// getCertificate retrieves the certificate from the vault
func getCertificate(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject types.KeyVaultCertificate) (keyvaultObject, error) {
certbundle, err := kvClient.GetCertificate(ctx, vaultURL, kvObject.CertificateName, kvObject.CertificateVersion)
if err != nil {
return keyvaultObject{}, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", kvObject.CertificateName, kvObject.CertificateVersion, err)
}
if certbundle.Cer == nil {
return keyvaultObject{}, errors.Errorf("certificate value is nil")
}
if certbundle.ID == nil {
return keyvaultObject{}, errors.Errorf("certificate id is nil")
}
version := getObjectVersion(*certbundle.ID)
certBlock := &pem.Block{
Type: types.CertificateType,
Bytes: *certbundle.Cer,
}
var pemData []byte
pemData = append(pemData, pem.EncodeToMemory(certBlock)...)
return keyvaultObject{content: string(pemData), version: version}, nil
}
// getObjectVersion parses the id to retrieve the version
// of object fetched
// example id format - https://kindkv.vault.azure.net/secrets/actual/1f304204f3624873aab40231241243eb
// TODO (aramase) follow up on https://github.com/Azure/azure-rest-api-specs/issues/10825 to provide
// a native way to obtain the version
func getObjectVersion(id string) string {
splitID := strings.Split(id, "/")
return splitID[len(splitID)-1]
}