// Copyright 2022 Namespace Labs Inc; All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
package secrets
import (
"context"
"namespacelabs.dev/foundation/framework/rpcerrors/multierr"
"namespacelabs.dev/foundation/internal/fnerrors"
"namespacelabs.dev/foundation/internal/secrets"
"namespacelabs.dev/foundation/schema"
"namespacelabs.dev/foundation/std/pkggraph"
)
// groundedSecrets is the GroundedSecrets implementation returned by
// ScopeSecretsTo: a SecretsSource paired with the sealed package loader used to
// resolve secret declarations and, optionally, the server on whose behalf
// lookups are made.
type groundedSecrets struct {
	source    secrets.SecretsSource                // backend that resolves secret values (Load / MissingError)
	sealedCtx pkggraph.SealedPackageLoader         // loads the package that declares each secret
	server    *secrets.SecretLoadRequest_ServerRef // requesting server; nil for unscoped lookups (see Get)
}
// Server is the subset of a server definition that ScopeSecretsToServer needs
// to attribute secret loads to a server: its sealed context plus the package,
// module and relative path that identify it.
type Server interface {
	SealedContext() pkggraph.SealedContext
	PackageName() schema.PackageName
	Module() *pkggraph.Module
	RelPath() string
}
// ScopeSecretsToServer returns a GroundedSecrets over source whose lookups are
// attributed to server: every load request carries the server's package name,
// module name and relative path, and secret declarations are resolved through
// the server's sealed context.
func ScopeSecretsToServer(source secrets.SecretsSource, server Server) secrets.GroundedSecrets {
	// Keep the original evaluation order: the sealed context is read before
	// the server reference is assembled.
	sealed := server.SealedContext()

	serverRef := &secrets.SecretLoadRequest_ServerRef{
		PackageName: server.PackageName(),
		ModuleName:  server.Module().ModuleName(),
		RelPath:     server.RelPath(),
	}

	return ScopeSecretsTo(source, sealed, serverRef)
}
// ScopeSecretsTo builds a GroundedSecrets over source. sealedCtx is the loader
// used to resolve secret declarations; server identifies the requesting server
// and may be nil, in which case it is passed through to the source as nil and
// missing-secret errors report an empty package name.
func ScopeSecretsTo(source secrets.SecretsSource, sealedCtx pkggraph.SealedPackageLoader, server *secrets.SecretLoadRequest_ServerRef) secrets.GroundedSecrets {
	var gs groundedSecrets
	gs.source = source
	gs.sealedCtx = sealedCtx
	gs.server = server
	return gs
}
// Get resolves ref to a SecretResult.
//
// The secret's spec is first loaded (and validated) through the sealed package
// loader via LoadSecretSpecs. A spec with a Generate section yields a result
// carrying only Ref and Spec — nothing is read from the source. Otherwise the
// value is fetched from the source with a request scoped to the server this
// instance was created with; externalTypeUrl is forwarded unchanged. A nil
// value from the source is turned into the source's MissingError.
func (gs groundedSecrets) Get(ctx context.Context, ref *schema.PackageRef, externalTypeUrl ...string) (*schema.SecretResult, error) {
	specs, err := LoadSecretSpecs(ctx, gs.sealedCtx, ref)
	if err != nil {
		return nil, err
	}
	// LoadSecretSpecs returns one spec per ref on success, so index 0 is ours.
	spec := specs[0]

	result := &schema.SecretResult{Ref: ref, Spec: spec}

	// Generated secrets are not looked up; the caller gets the spec only.
	if spec.Generate != nil {
		return result, nil
	}

	req := &secrets.SecretLoadRequest{
		SecretRef:          ref,
		Server:             gs.server,
		ExternalRefTypeUrl: externalTypeUrl,
	}
	value, err := gs.source.Load(ctx, gs.sealedCtx, req)
	if err != nil {
		return nil, err
	}

	if value == nil {
		// Attribute the miss to the requesting server when one is known; an
		// unscoped lookup reports the zero package name.
		var requester schema.PackageName
		if gs.server != nil {
			requester = gs.server.PackageName
		}
		return nil, gs.source.MissingError(ref, spec, requester)
	}

	result.Value = value.Value
	result.FileContents = value.FileContents
	result.ExternalRef = value.ExternalRef
	return result, nil
}
// LoadSecretSpecs resolves each secret ref to its SecretSpec by loading the
// declaring package through pl and looking the secret up by name.
//
// Loading doubles as validation: a ref whose package declares no such secret
// is an error, and a spec with a Generate section must carry a UniqueId and a
// RandomByteCount greater than zero. Problems from all refs are collected and
// combined with multierr.New; on error the returned slice is nil. On success
// the result has the same length and order as secrets.
//
// Note: the variadic parameter is named secrets and therefore shadows the
// imported secrets package within this function's body.
func LoadSecretSpecs(ctx context.Context, pl pkggraph.PackageLoader, secrets ...*schema.PackageRef) ([]*schema.SecretSpec, error) {
	var (
		problems []error
		found    []*schema.SecretSpec // parallel to secrets
	)

	for _, ref := range secrets {
		pkgName := ref.AsPackageName()

		pkg, err := pl.LoadByName(ctx, pkgName)
		if err != nil {
			problems = append(problems, err)
			continue
		}

		spec := pkg.LookupSecret(ref.Name)
		if spec == nil {
			problems = append(problems, fnerrors.NewWithLocation(pkgName, "no such secret %q", ref.Name))
			continue
		}

		if gen := spec.Generate; gen != nil {
			switch {
			case gen.UniqueId == "":
				problems = append(problems, fnerrors.NewWithLocation(pkgName, "%s: missing unique id", ref.Name))
			case gen.RandomByteCount <= 0:
				// A generated secret with no random bytes would be empty;
				// reject it here rather than generating a useless value.
				problems = append(problems, fnerrors.NewWithLocation(pkgName, "%s: randomByteCount must be > 0", ref.Name))
			}
		}

		// Appended even when a Generate check failed: the combined error
		// returned below discards the slice anyway.
		found = append(found, spec)
	}

	if err := multierr.New(problems...); err != nil {
		return nil, err
	}
	return found, nil
}