/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"github.com/spiffe/vsecm-sdk-go/startup"
e "github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/lib/system"
)
func main() {
id := crypto.Id()
//Print the diagnostic information about the environment.
log.PrintEnvironmentInfo(&id, []string{
string(e.AppVersion),
string(e.VSecMLogLevel),
string(e.VSecMSafeEndpointUrl),
})
log.InfoLn(&id, "Starting VSecM Init Container")
// Wait for a specified duration before exiting the init container.
// This can be useful when you want things to reconcile before
// starting the main container.
go startup.Watch(env.WaitBeforeExitForInitContainer())
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
system.KeepAlive()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"github.com/vmware-tanzu/secrets-manager/lib/system"
)
func main() {
// Run on the main thread to wait forever.
system.KeepAlive()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"github.com/spiffe/vsecm-sdk-go/sentry"
"github.com/vmware-tanzu/secrets-manager/core/constants/symbol"
"github.com/vmware-tanzu/secrets-manager/lib/system"
)
func main() {
go system.KeepAlive()
// Fetch the secret from the VSecM Safe.
d, err := sentry.Fetch()
if err != nil {
fmt.Println("Err:", err.Error())
return
}
if d.Data == "" {
fmt.Println(symbol.Null)
return
}
// d.Data is a serialized collection of VSecM secrets.
fmt.Println(d.Data)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"os"
"github.com/vmware-tanzu/secrets-manager/app/keygen/internal"
e "github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
func main() {
id := crypto.Id()
// Print the diagnostic information about the environment.
log.PrintEnvironmentInfo(&id, []string{
string(e.AppVersion),
string(e.VSecMLogLevel),
string(e.VSecMKeygenDecrypt),
})
if env.KeyGenDecrypt() {
// This is a Kubernetes Secret, mounted as a file.
keyPath := env.RootKeyPathForKeyGen()
if _, err := os.Stat(keyPath); os.IsNotExist(err) {
log.FatalLn(&id,
"CreateRootKey: Secret key not mounted at", keyPath)
return
}
data, err := os.ReadFile(keyPath)
if err != nil {
log.FatalLn(&id,
"CreateRootKey: Error reading file:", err.Error())
return
}
// Root key needs to be committed to memory for VSecM Keygen to be able
// to decrypt the secrets.
secret := string(data)
crypto.SetRootKeyInMemory(secret)
internal.PrintDecryptedKeys()
return
}
internal.PrintGeneratedKeys()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package internal
import (
"fmt"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
)
// PrintDecryptedKeys retrieves and prints the decrypted keys along with their
// metadata.
//
// The `secrets` function should return a structure with an `Algorithm` field
// and a `Secrets` field.
// Each element in the `Secrets` slice should have a `Name`, `EncryptedValue`,
// `Created`, and `Updated` field.
// The `crypto.Decrypt` function is used to decrypt the encrypted values.
func PrintDecryptedKeys() {
ss := secrets()
algorithm := ss.Algorithm
const ruler = "---"
fmt.Println("Algorithm:", algorithm)
fmt.Println(ruler)
for _, secret := range ss.Secrets {
fmt.Println("Name:", secret.Name)
value := secret.EncryptedValue
dv, err := crypto.Decrypt([]byte(value), algorithm)
if err != nil {
fmt.Println("Error decrypting value:", err.Error())
continue
}
fmt.Printf("Value: %s\n", dv)
fmt.Println("Created:", secret.Created.String())
fmt.Println("Updated:", secret.Updated.String())
fmt.Println(ruler)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package internal
import (
"fmt"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
)
// PrintGeneratedKeys generates a new collection of root keys and prints the
// combined key.
func PrintGeneratedKeys() {
rkt, err := crypto.NewRootKeyCollection()
if err != nil {
fmt.Println()
fmt.Println("Failed to generate keys:")
fmt.Println(err.Error())
fmt.Println()
return
}
fmt.Println()
fmt.Println(rkt.Combine())
fmt.Println()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package internal
import (
"encoding/json"
"log"
"os"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
func secrets() entity.SecretEncryptedListResponse {
p := env.ExportedSecretPathForKeyGen()
content, err := os.ReadFile(p)
if err != nil {
log.Fatalf("Error reading file: %v", err)
}
var secrets entity.SecretEncryptedListResponse
err = json.Unmarshal(content, &secrets)
if err != nil {
log.Fatalf("Error unmarshalling JSON: %v", err)
}
return secrets
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
sys "log"
"os"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/lib/system"
)
func main() {
id := crypto.Id()
//Print the diagnostic information about the environment.
log.PrintEnvironmentInfo(&id, []string{string(env.AppVersion)})
sys.Println(
"VSecM Keystone",
fmt.Sprintf("v%s", os.Getenv(string(env.AppVersion))),
)
// Run on the main thread to wait forever.
system.KeepAlive()
}
package main
import (
"context"
"fmt"
"io"
"net/http"
"time"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
func main() {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
cid := crypto.Id()
source, err := workloadapi.NewX509Source(
ctx,
workloadapi.WithClientOptions(
workloadapi.WithAddr(env.SpiffeSocketUrl()),
),
)
if err != nil {
log.FatalLn(&cid, "Unable to fetch X.509 Bundle", err.Error())
return
}
if source == nil {
log.FatalLn(&cid, "Could not find source")
return
}
svid, err := source.GetX509SVID()
if err != nil {
log.FatalLn(&cid, "Unable to get X.509 SVID from source bundle", err.Error())
return
}
if svid == nil {
log.FatalLn(&cid, "Could not find SVID in source bundle")
return
}
svidId := svid.ID
if !validation.IsRelayClient(svidId.String()) {
log.FatalLn(
&cid,
"SpiffeId check: RelayClient:bootstrap: I don't know you, and it's crazy:",
svidId.String(),
)
return
}
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsRelayServer(id.String()) {
return nil
}
return fmt.Errorf(
"TLS Config: I don't know you, and it's crazy '%s'", id.String(),
)
})
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
serverURL := env.RelayServerUrl()
for {
err := sendPostRequest(client, serverURL, cid)
if err != nil {
log.WarnLn(&cid, "Failed to send POST request:", err.Error())
}
time.Sleep(30 * time.Second) // Wait for 30 seconds before sending the next request
}
}
func sendPostRequest(client *http.Client, url string, cid string) error {
req, err := http.NewRequest("POST", url, nil)
if err != nil {
return fmt.Errorf("failed to create request: %v", err)
}
resp, err := client.Do(req)
if err != nil {
return fmt.Errorf("failed to send request: %v", err)
}
defer func(Body io.ReadCloser) {
err := Body.Close()
if err != nil {
log.WarnLn(&cid, "Failed to close response body:", err.Error())
}
}(resp.Body)
body, err := io.ReadAll(resp.Body)
if err != nil {
return fmt.Errorf("failed to read response body: %v", err)
}
log.DebugLn(&cid, "Response status:", resp.Status)
log.DebugLn(&cid, "Response body:", string(body))
return nil
}
package main
import (
"context"
"fmt"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/core/validation"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
"io"
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
func fallback(
cid string, r *http.Request, w http.ResponseWriter,
) {
log.DebugLn(&cid, "Handler: route mismatch:", r.RequestURI)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.WarnLn(&cid, "Problem writing response:", err.Error())
}
}
func success(
cid string, r *http.Request, w http.ResponseWriter,
) {
w.WriteHeader(http.StatusOK)
_, err := io.WriteString(w, "OK "+r.URL.Path)
if err != nil {
log.WarnLn(&cid, "Problem writing response:", err.Error())
}
}
func main() {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
cid := crypto.Id()
source, err := workloadapi.NewX509Source(
ctx,
workloadapi.WithClientOptions(
workloadapi.WithAddr(env.SpiffeSocketUrl()),
),
)
if err != nil {
log.FatalLn(&cid, "Unable to fetch X.509 Bundle", err.Error())
return
}
if source == nil {
log.FatalLn(&cid, "Could not find source")
return
}
svid, err := source.GetX509SVID()
if err != nil {
log.FatalLn(&cid, "Unable to get X.509 SVID from source bundle", err.Error())
return
}
if svid == nil {
log.FatalLn(&cid, "Could not find SVID in source bundle")
return
}
svidId := svid.ID
if !validation.IsRelayServer(svidId.String()) {
log.FatalLn(
&cid,
"SpiffeId check: RelayServer:bootstrap: I don't know you, and it's crazy:",
svidId.String(),
)
return
}
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
cid := crypto.Id()
validation.EnsureRelayServer(source)
id, err := s.IdFromRequest(r)
if err != nil {
log.WarnLn(&cid, "Handler: blocking insecure svid", id, err)
fallback(cid, r, w)
return
}
sid := s.IdAsString(r)
p := r.URL.Path
m := r.Method
log.DebugLn(
&cid,
"Handler: got svid:", sid, "path", p, "method", m)
success(cid, r, w)
})
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsRelayClient(id.String()) {
return nil
}
return fmt.Errorf(
"TLS Config: I don't know you, and it's crazy '%s'", id.String(),
)
})
tlsConfig := tlsconfig.MTLSServerConfig(source, source, authorizer)
server := &http.Server{
Addr: env.TlsPort(),
TLSConfig: tlsConfig,
}
if err := server.ListenAndServeTLS("", ""); err != nil {
log.FatalLn(&cid, "Failed to listen and serve", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"context"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/bootstrap"
server "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/engine"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
cEnv "github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/probe"
)
func main() {
id := crypto.Id()
//Print the diagnostic information about the environment.
log.PrintEnvironmentInfo(&id, []string{
string(env.AppVersion),
string(env.VSecMLogLevel),
})
ctx, cancel := context.WithCancel(
context.WithValue(context.Background(), key.CorrelationId, &id),
)
defer cancel()
if cEnv.BackingStoreForSafe() == entity.Postgres {
go func() {
log.InfoLn(&id, "Backing store is postgres.")
log.InfoLn(&id, "Secrets will be stored in-memory "+
"until the internal config is loaded.")
safeConfig, err := bootstrap.PollForConfig(id, ctx)
if err != nil {
log.FatalLn(&id,
"Failed to retrieve VSecM Safe internal configuration", err.Error())
}
log.InfoLn(&id,
"VSecM Safe internal configuration loaded. Initializing database.")
err = io.InitDB(safeConfig.Config.DataSourceName)
if err != nil {
log.FatalLn(&id, "Failed to initialize database:", err)
return
}
log.InfoLn(&id, "Database connection initialized.")
// Persist secrets that have not been persisted yet to Postgres.
errChan := make(chan error, 1)
collection.Secrets.Range(func(key any, value any) bool {
v := value.(entity.SecretStored)
io.PersistToPostgres(v, errChan)
// This will not block since the channel has a buffer of 1.
for err := range errChan {
if err != nil {
log.ErrorLn(&id, "Error persisting secret", err.Error())
}
}
return true
})
// Drain any remaining errors from the channel
close(errChan)
for err := range errChan {
if err != nil {
log.ErrorLn(&id, "Error persisting secret", err.Error())
}
}
}()
}
log.InfoLn(&id, "Acquiring identity...")
// Channel to notify when the bootstrap timeout has been reached.
timedOut := make(chan bool, 1)
// These channels must complete in a timely manner, otherwise
// the timeOut will be fired and will crash the app.
acquiredSvid := make(chan bool, 1)
updatedSecret := make(chan bool, 1)
serverStarted := make(chan bool, 1)
// Monitor the progress of acquiring an identity, updating the age key,
// and starting the server. If the timeout occurs before all three events
// happen, the function logs a fatal message and the process crashes.
go bootstrap.Monitor(&id,
bootstrap.ChannelsToMonitor{
AcquiredSvid: acquiredSvid,
UpdatedSecret: updatedSecret,
ServerStarted: serverStarted,
}, timedOut,
)
// Time out if things take too long.
go bootstrap.NotifyTimeout(timedOut)
// Create initial cryptographic seeds off-cycle.
go bootstrap.CreateRootKey(&id, updatedSecret)
// App is alive; however, not yet ready to accept connections.
<-probe.CreateLiveness()
log.InfoLn(&id, "before acquiring source...")
source := bootstrap.AcquireSource(ctx, acquiredSvid)
defer func(s *workloadapi.X509Source) {
if s == nil {
return
}
// Close the source after the server (1) is done serving, likely
// when the app is shutting down due to an eviction or a panic.
if err := s.Close(); err != nil {
log.InfoLn(&id, "Problem closing SVID Bundle source: %v\n", err)
}
}(source)
// (1)
if err := server.Serve(source, serverStarted); err != nil {
log.FatalLn(&id, "failed to serve", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package bootstrap
import (
"context"
"os"
"reflect"
"time"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// NotifyTimeout waits for the duration specified by
// env.BootstrapTimeoutForSafe() and then sends a 'true' value to the provided
// 'timedOut' channel. This function can be used to notify other parts of the
// application when a specific timeout has been reached.
func NotifyTimeout(timedOut chan<- bool) {
time.Sleep(env.BootstrapTimeoutForSafe())
timedOut <- true
}
// ChannelsToMonitor holds channels to monitor various asynchronous signals.
type ChannelsToMonitor struct {
AcquiredSvid <-chan bool
UpdatedSecret <-chan bool
ServerStarted <-chan bool
}
// Size returns the number of fields in the ChannelsToMonitor struct.
// This is useful to programmatically check the count of different channels
// that need to be monitored.
func (c ChannelsToMonitor) Size() int {
t := reflect.TypeOf(c)
return t.NumField()
}
// Monitor listens to various channels to track the progress of acquiring an
// identity, updating the age key, and starting the server. It takes a
// correlationId for logging purposes and four channels: acquiredSvid,
// updatedSecret, serverStarted, and timedOut. When all three of the first
// events (acquiring identity, updating age key, and starting the server) have
// occurred, the function initializes the state and creates a readiness probe.
// If a timeout occurs before all three events happen, the function logs a
// fatal message.
func Monitor(
correlationId *string,
channels ChannelsToMonitor,
timedOut <-chan bool,
) {
// Number of channels ins `channels` to wait for.
counter := channels.Size()
for {
if counter == 0 {
break
}
select {
// Acquired SVID for this workload from the SPIRE Agent via
// workload API:
case <-channels.AcquiredSvid:
log.AuditLn(correlationId, "Acquired identity.")
counter--
log.InfoLn(
correlationId,
"remaining operations before ready:", counter)
if counter == 0 {
completeInitialization(correlationId)
}
// Updated the root key:
case <-channels.UpdatedSecret:
log.DebugLn(correlationId, "Updated age key.")
counter--
log.InfoLn(
correlationId,
"remaining operations before ready:", counter)
if counter == 0 {
completeInitialization(correlationId)
}
// VSecM Safe REST API is ready to serve:
case <-channels.ServerStarted:
log.DebugLn(correlationId, "Server ready.")
counter--
log.InfoLn(
correlationId,
"remaining operations before ready:", counter)
if counter == 0 {
completeInitialization(correlationId)
}
// Things didn't start in a timely manner:
case <-timedOut:
log.FatalLn(
correlationId,
"Failed to acquire"+
" an identity in a timely manner.")
}
}
}
// AcquireSource establishes a connection to the workload API, fetches the
// X.509 bundle, and returns an X509Source. It takes a context and a channel
// acquiredSvid to signal when the SVID has been acquired. If there are any
// errors during the process, the function logs a fatal message and exits.
func AcquireSource(
ctx context.Context, acquiredSvid chan<- bool,
) *workloadapi.X509Source {
cid := ctx.Value(key.CorrelationId).(*string)
log.InfoLn(cid, "Acquiring source...")
source, err := workloadapi.NewX509Source(
ctx, workloadapi.WithClientOptions(
workloadapi.WithAddr(env.SpiffeSocketUrl()),
),
)
if err != nil {
log.FatalLn(cid, "Unable to fetch X.509 Bundle", err.Error())
return nil
}
if source == nil {
log.FatalLn(cid, "Could not find source")
return nil
}
//goland:noinspection ALL
svid, err := source.GetX509SVID()
if err != nil {
log.FatalLn(cid, "Unable to get X.509 SVID from source bundle", err.Error())
return nil
}
if svid == nil {
log.FatalLn(cid, "Could not find SVID in source bundle")
return nil
}
svidId := svid.ID
if !validation.IsSafe(svidId.String()) {
log.FatalLn(
cid,
"SpiffeId check: Safe:bootstrap: I don't know you, and it's crazy:",
svidId.String(),
)
return nil
}
log.TraceLn(cid, "Sending: Acquired SVID", len(acquiredSvid))
acquiredSvid <- true
log.TraceLn(cid, "Sent: Acquired SVID", len(acquiredSvid))
return source
}
// CreateRootKey generates or reuses a cryptographic key pair for the
// application, taking an id for logging purposes and a channel updatedSecret
// to signal when the secret has been updated. If the secret key is not mounted
// at the expected location or there are any errors reading the key file, the
// function logs a fatal message and exits. If the secret has not been set in
// the cluster, the function generates a new key pair, persists them, and
// signals the updatedSecret channel.
func CreateRootKey(id *string, updatedSecret chan<- bool) {
if env.RootKeyInputModeManual() {
log.InfoLn(id,
"Manual key input enabled. Skipping automatic key generation.")
updatedSecret <- true
return
}
// This is a Kubernetes Secret, mounted as a file.
keyPath := env.RootKeyPathForSafe()
if _, err := os.Stat(keyPath); os.IsNotExist(err) {
log.FatalLn(id,
"CreateRootKey: Secret key not mounted at", keyPath)
return
}
data, err := os.ReadFile(keyPath)
if err != nil {
log.FatalLn(id,
"CreateRootKey: Error reading file:", err.Error())
return
}
secret := string(data)
if secret != val.BlankRootKey {
log.InfoLn(id,
"Secret has been set in the cluster, will reuse it")
crypto.SetRootKeyInMemory(secret)
updatedSecret <- true
return
}
log.InfoLn(id,
"Secret has not been set yet. Will compute a secure secret.")
rkt, err := crypto.NewRootKeyCollection()
if err != nil {
log.FatalLn(id, "Failed to generate keys", err.Error())
}
log.InfoLn(id, "Generated public key, private key, and aes seed")
// Save the key to VSecM Safe's memory, and also save them to
// VSecM Safe's root key Kubernetes Secret.
// If the root key input mode is not manual, VSecM Safe will
// use a trusted backing store to retrieve the key in case of
// Pod crash or eviction. As of Mar,17, 2024 the only trusted
// backing store is the VSecM root key Kubernetes Secret; however
// this will change in the future.
if err = PersistRootKeysToRootKeyBackingStore(rkt); err != nil {
log.FatalLn(id, "Failed to persist keys", err.Error())
}
updatedSecret <- true
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package bootstrap
import (
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/queue"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/probe"
)
func completeInitialization(correlationId *string) {
queue.Initialize()
log.DebugLn(correlationId, "Creating readiness probe.")
<-probe.CreateReadiness()
log.AuditLn(correlationId, "VSecM Safe is ready to serve.")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package bootstrap
import (
"context"
"encoding/json"
"errors"
v1 "k8s.io/api/core/v1"
metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
e "github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
// PersistRootKeysToRootKeyBackingStore persists the root keys to the
// configured backing store. This is useful to restore VSecM Safe back to
// operation if it crashes or gets temporarily evicted by the scheduler.
//
// If the persist operation succeed, it updates the root keys stored in the
// memory too.
//
// This function is typically called during the first bootstrapping of
// VSecM Safe when there are no keys that have been registered yet.
//
// Note that changing the root key without backing up the existing one means
// the secrets backed up with the old key will be impossible to decrypt.
func PersistRootKeysToRootKeyBackingStore(rkt data.RootKeyCollection) error {
config, err := rest.InClusterConfig()
if err != nil {
return errors.Join(
err,
errors.New("error creating client config"),
)
}
k8sApi, err := kubernetes.NewForConfig(config)
if err != nil {
return errors.Join(
err,
errors.New("error creating k8sApi"),
)
}
dd := make(map[string][]byte)
keysCombined := rkt.Combine()
dd[string(e.RootKeyText)] = ([]byte)(keysCombined)
// Serialize the Secret's configuration to JSON
secretConfigJSON, err := json.Marshal(v1.Secret{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
ObjectMeta: metaV1.ObjectMeta{
Name: env.RootKeySecretNameForSafe(),
Namespace: env.NamespaceForVSecMSystem(),
},
Data: dd,
})
if err != nil {
return errors.Join(
err,
errors.New("error marshalling the secret"),
)
}
// Update the Secret in the cluster
err = backoff.RetryFixed(
env.NamespaceForVSecMSystem(),
func() error {
_, err = k8sApi.CoreV1().Secrets(
env.NamespaceForVSecMSystem()).Update(
context.Background(),
&v1.Secret{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
ObjectMeta: metaV1.ObjectMeta{
Name: env.RootKeySecretNameForSafe(),
Namespace: env.NamespaceForVSecMSystem(),
Annotations: map[string]string{
"kubectl.kubernetes.io/last-applied-configuration": string(secretConfigJSON),
},
},
Data: dd,
},
metaV1.UpdateOptions{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
},
)
return err
},
)
if err != nil {
return errors.Join(
err,
errors.New("error creating the secret"),
)
}
crypto.SetRootKeyInMemory(keysCombined)
return nil
}
package bootstrap
import (
"context"
"encoding/json"
"time"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// PollForConfig continuously polls for the VSecM Safe internal configuration.
//
// This function attempts to read the configuration from a secret. It will keep
// polling until a valid configuration is found or the context is cancelled.
//
// Parameters:
// - ctx: A context.Context for cancellation and timeout control.
// - id: A correlation ID for logging purposes.
//
// Returns:
// - *data.VSecMSafeInternalConfig: A pointer to the parsed VSecM Safe internal
// configuration.
// - error: An error if the context is cancelled or if there's an issue parsing
// the configuration.
//
// The function will log informational messages about its progress and any
// errors encountered.
// It sleeps for 5 seconds between each polling attempt.
func PollForConfig(id string, ctx context.Context,
) (*data.VSecMSafeInternalConfig, error) {
log.InfoLn(&id, "Will poll for VSecM Safe internal configuration...")
for {
select {
case <-ctx.Done():
return nil, ctx.Err()
default:
vSecMSafeInternalConfig, err := collection.ReadSecret(id, "vsecm-safe")
if vSecMSafeInternalConfig == nil {
log.InfoLn(&id, "VSecM Safe internal configuration not found")
time.Sleep(5 * time.Second)
continue
}
if err != nil {
log.InfoLn(&id, "Failed to load VSecM Safe internal configuration",
err.Error())
time.Sleep(5 * time.Second)
continue
}
if len(vSecMSafeInternalConfig.Value) == 0 {
log.InfoLn(&id, "VSecM Safe internal configuration is empty")
time.Sleep(5 * time.Second)
continue
}
var safeConfig data.VSecMSafeInternalConfig
err = json.Unmarshal(
[]byte(vSecMSafeInternalConfig.Value), &safeConfig,
)
if err != nil {
log.InfoLn(&id, "Failed to parse VSecM Safe internal configuration",
err.Error())
time.Sleep(5 * time.Second)
continue
}
return &safeConfig, nil
}
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package engine
import (
"errors"
"fmt"
"net/http"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/handle"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// Serve initializes and starts an mTLS-secured HTTP server using the given
// X509Source and TLS configuration. It also signals that the server has started
// by sending a message on the provided channel.
//
// Parameters:
// - source: A pointer to workloadapi.X509Source, which provides X.509 SVIDs
// for mTLS.
// - serverStarted: A channel that will receive a boolean value to signal
// server startup.
//
// Returns:
// - error: An error object if the server fails to start or run; otherwise,
// returns nil.
//
// The function performs the following operations:
// 1. Validates the source and initializes routes.
// 2. Sets up a custom authorizer using the TLS configuration.
// 3. Configures and starts the HTTP server with mTLS enabled.
// 4. Signals server startup by sending a boolean value on the `serverStarted`
// channel.
// 5. Listens and serves incoming HTTP requests.
//
// The function will return an error if any of the following conditions occur:
// - The source is nil.
// - Server fails to listen and serve.
//
// Note: Serve should be called only once during the application lifecycle to
// initialize the HTTP server.
func Serve(source *workloadapi.X509Source, serverStarted chan<- bool) error {
if source == nil {
return errors.New("serve: got nil source while trying to serve")
}
handle.InitializeRoutes(source)
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsWorkload(id.String()) {
return nil
}
return fmt.Errorf(
"TLS Config: I don't know you, and it's crazy '%s'", id.String(),
)
})
tlsConfig := tlsconfig.MTLSServerConfig(source, source, authorizer)
server := &http.Server{
Addr: env.TlsPort(),
TLSConfig: tlsConfig,
}
serverStarted <- true
if err := server.ListenAndServeTLS("", ""); err != nil {
return errors.Join(
err,
errors.New("serve: failed to listen and serve"),
)
}
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package handle
import (
"net/http"
"github.com/spiffe/go-spiffe/v2/workloadapi"
routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
// InitializeRoutes initializes the HTTP routes for the web server. It sets up
// an HTTP handler function for the root URL ("/"). The handler uses the given
// X509Source to retrieve X.509 SVIDs for validating incoming connections.
//
// Parameters:
// - source: A pointer to a `workloadapi.X509Source`, used to obtain X.509
// SVIDs.
//
// Note: The InitializeRoutes function should be called only once, usually
// during server initialization.
func InitializeRoutes(source *workloadapi.X509Source) {
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
cid := crypto.Id()
validation.EnsureSafe(source)
id, err := s.IdFromRequest(r)
if err != nil {
log.WarnLn(&cid, "Handler: blocking insecure svid", id, err)
routeFallback.Fallback(cid, r, w)
return
}
sid := s.IdAsString(r)
p := r.URL.Path
m := r.Method
log.DebugLn(
&cid,
"Handler: got svid:", sid, "path", p, "method", m)
route(cid, r, w)
})
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package handle
import (
"net/http"
routeDelete "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/delete"
routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"
routeFetch "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fetch"
routeKeystone "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/keystone"
routeList "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/list"
routeReceive "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/receive"
routeSecret "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/secret"
"github.com/vmware-tanzu/secrets-manager/core/constants/url"
)
type handler func(string, *http.Request, http.ResponseWriter)
func factory(p, m string) handler {
switch {
// Route to fetch the Keystone status.
// The status can be "pending" or "ready".
case m == http.MethodGet && p == url.SentinelKeystone:
return routeKeystone.Status
// Route to return the secrets list. The values of the
// secrets are encrypted.
case m == http.MethodGet && p == url.SentinelSecretsWithReveal:
return routeList.Encrypted
// Route to return the secrets list. This route only displays names
// and metadata of the secrets. The values will not be provided.
case m == http.MethodGet && p == url.SentinelSecrets:
return routeList.Masked
// Route to upsert a secret.
case m == http.MethodPost && p == url.SentinelSecrets:
return routeSecret.Secret
// Route to delete secrets from VSecM Safe.
// Only VSecM Sentinel is allowed to call this API endpoint.
// Calling it from anywhere else will error out.
case m == http.MethodDelete && p == url.SentinelSecrets:
return routeDelete.Delete
// Route to define the root key.
// Only VSecM Sentinel is allowed to call this API endpoint.
case m == http.MethodPost && p == url.SentinelKeys:
return routeReceive.Keys
// Route to fetch secrets.
// Only a VSecM-nominated workload is allowed to
// call this API endpoint. Calling it from anywhere else will
// error out.
case m == http.MethodGet && p == url.WorkloadSecrets:
return routeFetch.Fetch
// Route to post secrets from the workload.
case m == http.MethodPost && p == url.WorkloadSecrets:
panic("routeWorkloadPostSecrets not implemented")
// Fallback route.
default:
return routeFallback.Fallback
}
}
func route(
cid string, r *http.Request, w http.ResponseWriter,
) {
factory(r.URL.Path, r.Method)(cid, r, w)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package extract
import (
"encoding/json"
"regexp"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// WorkloadIdAndParts extracts the workload identifier and its constituent parts
// from a SPIFFE ID string, based on a predefined prefix that is removed from
// the SPIFFE ID.
//
// Parameters:
// - spiffeid (string): The SPIFFE ID string from which the workload
// identifier and parts are to be extracted.
//
// Returns:
// - (string, []string): The first return value is the workload identifier,
// which is essentially the first part of the SPIFFE ID after removing the
// prefix. The second return value is a slice of strings representing all
// parts of the SPIFFE ID after the prefix removal.
func WorkloadIdAndParts(spiffeid string) (string, []string) {
re := env.NameRegExpForWorkload()
if re == "" {
return "", nil
}
wre := regexp.MustCompile(env.NameRegExpForWorkload())
match := wre.FindStringSubmatch(spiffeid)
if len(match) > 1 {
return match[1], match
}
return "", nil
}
// SecretValue determines the appropriate representation of a secret's value to
// use, giving precedence to a transformed value over the raw values. This
// function supports both current implementations and backward compatibility by
// handling secrets with multiple values or transformed values.
//
// Parameters:
// - cid (string): Correlation ID for operation tracing and logging.
// - secret (*entity.SecretStored): A pointer to the secret entity from which
// the value is to be retrieved.
//
// Returns:
// - string: The selected representation of the secret's value. This could be
// the transformed value, a single raw value, a JSON-encoded string of
// multiple values, or an empty string in case of an error.
func SecretValue(cid string, secrets []entity.SecretStored) string {
if secrets == nil {
return ""
}
if len(secrets) == 0 {
return ""
}
if len(secrets) == 1 {
secret := secrets[0]
if secret.ValueTransformed != "" {
log.TraceLn(&cid, "Fetch: using transformed value")
return secret.ValueTransformed
}
// This part is for backwards compatibility.
// It probably won't execute because `secret.ValueTransformed` will
// always be set.
log.TraceLn(&cid, "Fetch: no transformed value found. returning raw value")
return secret.Value
}
jsonData, err := json.Marshal(secrets)
if err != nil {
log.WarnLn(&cid, "Fetch: Problem marshaling secrets", err.Error())
return ""
}
return string(jsonData)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package handle
import (
"encoding/json"
"io"
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// BadSvidResponse logs an event for a bad SPIFFE ID and sends an HTTP 400 Bad
// Request response. This function is typically invoked when the SPIFFE ID
// provided in a request is invalid or malformed.
//
// Parameters:
// - cid (string): Correlation ID for operation tracing and logging.
// - w (http.ResponseWriter): The HTTP response writer to send back the
// response.
// - spiffeid (string): The SPIFFE ID that was determined to be invalid.
// - j (audit.JournalEntry): An audit journal entry for recording the event.
func BadSvidResponse(
cid string, w http.ResponseWriter, spiffeid string,
j data.JournalEntry,
) {
j.Event = audit.BadSpiffeId
journal.Log(j)
log.DebugLn(&cid, "Fetch: bad spiffeid", spiffeid)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem sending response", err.Error())
}
}
// BadPeerSvidResponse logs an event for a bad peer SPIFFE ID and sends an
// HTTP 400 Bad Request response. This function is used when the peer SPIFFE ID
// in a mutual TLS session is found to be invalid or unacceptable.
//
// Parameters:
// - cid (string): Correlation ID for operation tracing and logging.
// - w (http.ResponseWriter): The HTTP response writer to send back the
// response.
//
// - spiffeid (string): The peer's SPIFFE ID that was found to be invalid.
// - j (audit.JournalEntry): An audit journal entry for recording the event.
func BadPeerSvidResponse(
cid string, w http.ResponseWriter,
spiffeid string, j data.JournalEntry,
) {
j.Event = audit.BadPeerSvid
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem with spiffeid", spiffeid)
}
}
// NoSecretResponse logs an event indicating that no secret was found and sends
// an HTTP 404 Not Found response. This function is invoked when a request for
// a secret results in no matching secret being available.
//
// Parameters:
// - cid (string): Correlation ID for operation tracing and logging.
// - w (http.ResponseWriter): The HTTP response writer to send back the
// response.
// - j (audit.JournalEntry): An audit journal entry for recording the event.
func NoSecretResponse(
cid string, w http.ResponseWriter,
j data.JournalEntry,
) {
j.Event = audit.NoSecret
journal.Log(j)
w.WriteHeader(http.StatusNotFound)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem sending response", err.Error())
}
}
// SuccessResponse logs a successful operation event and sends a structured
// success response back to the client. It marshals and sends a secret fetch
// response, indicating the successful retrieval of a secret.
//
// Parameters:
// - cid (string): Correlation ID for operation tracing and logging.
// - w (http.ResponseWriter): The HTTP response writer to send back the
// response.
// - j (audit.JournalEntry): An audit journal entry for recording the event.
// - sfr (reqres.SecretFetchResponse): The secret fetch response payload to be
// marshaled and sent.
func SuccessResponse(cid string, w http.ResponseWriter,
j data.JournalEntry, sfr reqres.SecretFetchResponse) {
j.Event = audit.Ok
journal.Log(j)
resp, err := json.Marshal(sfr)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "Problem unmarshalling response")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem sending response", err.Error())
}
return
}
log.DebugLn(&cid, "Fetch: before response")
_, err = io.WriteString(w, string(resp))
if err != nil {
log.InfoLn(&cid, "Problem sending response", err.Error())
}
log.DebugLn(&cid, "Fetch: after response")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package http
import (
"io"
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// SendEncryptedValue takes a plain text value and encrypts it. If the
// encryption is successful, the encrypted value is written to the HTTP
// response. In case of an error or if the input value is empty, it logs the
// event, updates the HTTP response status accordingly, and may log additional
// errors encountered when sending the HTTP response.
//
// Parameters:
// - cid (string): Correlation ID for tracing the operation through logs.
// - value (string): The plain text value to be encrypted.
// - j (audit.JournalEntry): An audit journal entry for recording the event.
// - w (http.ResponseWriter): The HTTP response writer to send back the
// encrypted value or errors.
func SendEncryptedValue(
cid string, value string, j data.JournalEntry, w http.ResponseWriter,
) {
if value == "" {
j.Event = audit.NoValue
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
return
}
encrypted, err := crypto.EncryptValue(value)
if err != nil {
j.Event = audit.EncryptionFailed
journal.Log(j)
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
return
}
_, err = io.WriteString(w, encrypted)
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package http
import (
"io"
"net/http"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// ReadBody reads the body from an HTTP request and returns it as a byte slice.
// If there is an error reading the body, it returns the error.
//
// The function takes the following parameters:
// - cid: A string representing the correlation ID for logging purposes.
// - r: A pointer to an http.Request from which the body is to be read.
//
// It returns:
// - A byte slice containing the body of the request.
// - An error if there was an issue reading the body or closing the request
// body.
//
// Example usage:
//
// body, err := ReadBody(cid, request)
// if err != nil {
// log.Error("Failed to read body:", err)
// // Handle error
// }
// // Use body
func ReadBody(cid string, r *http.Request) ([]byte, error) {
body, err := io.ReadAll(r.Body)
if err != nil {
return nil, err
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.InfoLn(&cid, "ReadBody: Problem closing body", err.Error())
}
}(r.Body)
return body, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package json
import (
"encoding/json"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
)
// UnmarshalSecretUpsertRequest takes a JSON-encoded request body and attempts
// to unmarshal it into a SecretUpsertRequest struct. It handles JSON
// unmarshalling errors by logging, responding with an HTTP error, and returning
// nil. This function is typically used in HTTP server handlers to process
// incoming requests for secret upsert operations.
//
// Parameters:
// - body ([]byte): The JSON-encoded request body to be unmarshalled.
//
// Returns:
// - *reqres.SecretUpsertRequest: A pointer to the unmarshalled
// SecretUpsertRequest struct, or nil if unmarshalling fails.
// - error: An error if unmarshalling fails.
func UnmarshalSecretUpsertRequest(
body []byte,
) (*reqres.SecretUpsertRequest, error) {
var sr reqres.SecretUpsertRequest
if err := json.Unmarshal(body, &sr); err != nil {
return nil, err
}
return &sr, nil
}
// UnmarshalKeyInputRequest takes a JSON-encoded request body and attempts to
// unmarshal it into a KeyInputRequest struct. Similar to
// UnmarshalSecretUpsertRequest, it deals with JSON unmarshalling errors by
// logging, issuing an HTTP error response, and returning nil. This function is
// utilized within HTTP server handlers to parse incoming requests for key input
// operations.
//
// Parameters:
// - body ([]byte): The JSON-encoded request body to be unmarshalled.
//
// Returns:
// - *reqres.KeyInputRequest: A pointer to the unmarshalled KeyInputRequest
// struct, or nil if unmarshalling fails.
// - error: An error if unmarshalling fails.
func UnmarshalKeyInputRequest(body []byte) (*reqres.KeyInputRequest, error) {
var sr reqres.KeyInputRequest
err := json.Unmarshal(body, &sr)
if err != nil {
return nil, err
}
return &sr, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package state
import (
"github.com/vmware-tanzu/secrets-manager/core/env"
"io"
"net/http"
net "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// Upsert handles the insertion or update of a secret in the application's
// state. It supports appending values to existing secrets and logs the
// completion of the operation. If specified, it also sends an HTTP response
// indicating success.
//
// Parameters:
// - secretToStore (entity.SecretStored): The secret entity to be inserted or
// updated.
// - appendValue (bool): A flag indicating whether to append the value to an
// existing secret (if true) or overwrite the existing secret (if false).
// - workloadId (string): The identifier of the workload associated with the
// secret operation, used for logging purposes.
// - cid (string): Correlation ID for operation tracing and logging.
// - j (audit.JournalEntry): An audit journal entry for recording the event.
// - w (http.ResponseWriter): The HTTP response writer to send back the
// operation's outcome.
func Upsert(secretToStore entity.SecretStored,
workloadId string, cid string,
j entity.JournalEntry, w http.ResponseWriter,
) {
// If the secret is not internal VSecM Safe configuration secret and
// if db persistence is enabled, and the db is not ready,
// then respond with an error.
if secretToStore.Name != "vsecm-safe" &&
env.BackingStoreForSafe() == entity.Postgres &&
!net.PostgresReady() {
log.InfoLn(&cid, "Secret: DB not ready. Responding with error.")
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "DB not ready")
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
return
}
collection.UpsertSecret(secretToStore)
log.DebugLn(&cid, "Secret:UpsertEnd: workloadId", workloadId)
j.Event = audit.Ok
journal.Log(j)
_, err := io.WriteString(w, "OK")
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package validation
import (
"io"
"net/http"
ioState "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// IsSentinel evaluates if a given SPIFFE ID corresponds to a VSecM Sentinel
// entity. It logs the operation and, if the SPIFFE ID is not recognized as
// VSecM Sentinel, logs an error event and sends an HTTP bad request response.
//
// Parameters:
// - j: An instance of journal.Entry which is an audit log.
// - cid: A string representing the correlation ID for the operation, used
// primarily for logging.
// - spiffeid: A string representing the SPIFFE ID to be validated against
// sentinel conditions.
//
// Returns:
// - bool: Returns true if the SPIFFE ID is a sentinel, otherwise false.
// - func(http.ResponseWriter): Returns an HTTP handler function. If the
// SPIFFE ID represents VSecM Sentinel, the handler is a no-op.
// If the SPIFFE ID is not for VSecM Sentinel, it returns a handler that
// responds with HTTP 400 Bad Request and logs the error if the response
// writing fails.
//
// Note:
// This function should be used in scenarios where SPIFFE ID validation is
// critical for further processing steps, and appropriate HTTP response behavior
// needs to be enforced based on the validation results.
func IsSentinel(
j data.JournalEntry, cid string, spiffeid string,
) (bool, func(http.ResponseWriter)) {
journal.Log(j)
if validation.IsSentinel(spiffeid) {
return true, func(writer http.ResponseWriter) {}
}
j.Event = audit.BadSpiffeId
journal.Log(j)
var responder = func(w http.ResponseWriter) {
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem sending response", err.Error())
}
}
return false, responder
}
func IsClerk(
j data.JournalEntry, cid string, spiffeid string,
) (bool, func(http.ResponseWriter)) {
journal.Log(j)
if validation.IsClerk(spiffeid) {
return true, func(writer http.ResponseWriter) {}
}
j.Event = audit.BadSpiffeId
journal.Log(j)
var responder = func(w http.ResponseWriter) {
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem sending response", err.Error())
}
}
return false, responder
}
func IsSentinelOrScout(
j data.JournalEntry, cid string, spiffeid string,
) (bool, func(http.ResponseWriter)) {
journal.Log(j)
if validation.IsSentinel(spiffeid) {
return true, func(writer http.ResponseWriter) {}
}
if validation.IsScout(spiffeid) {
return true, func(writer http.ResponseWriter) {}
}
j.Event = audit.BadSpiffeId
journal.Log(j)
var responder = func(w http.ResponseWriter) {
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Fetch: Problem sending response", err.Error())
}
}
return false, responder
}
// CheckDatabaseReadiness checks if the database is ready for use.
//
// This function verifies the readiness of the database, specifically for
// PostgreSQL mode. If the database is not initialized when PostgreSQL
// mode is enabled, it returns an error response.
//
// Parameters:
// - cid: A string representing the context or correlation ID for logging.
// - w: An http.ResponseWriter to write the HTTP response.
//
// Returns:
// - bool: true if the database is ready, false otherwise.
//
// Side effects:
// - Writes an HTTP 503 (Service Unavailable) status and response body
// if the database is not ready.
// - Logs information about the database status.
func CheckDatabaseReadiness(cid string, w http.ResponseWriter) bool {
// If postgres mode enabled and db is not initialized, return error.
if env.BackingStoreForSafe() == data.Postgres && !ioState.PostgresReady() {
w.WriteHeader(http.StatusServiceUnavailable)
_, err := io.WriteString(w, val.NotOk)
if err != nil {
log.ErrorLn(&cid, "error writing response", err.Error())
}
log.InfoLn(&cid, "Secret: Database not initialized")
return false
}
return true
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package delete
import (
"encoding/json"
"io"
"net/http"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
// Delete handles the deletion of a secret identified by a workload ID.
// It performs a series of checks and logging steps before carrying out the
// deletion.
//
// Parameters:
// - cid: A string representing the correlation ID for the request, used for
// tracking and logging purposes.
// - w: An http.ResponseWriter object used to send responses back to the
// client.
// - r: An http.Request object containing the request details from the client.
// - spiffeid: A string representing the SPIFFE ID of the client making the
// request.
func Delete(
cid string, r *http.Request, w http.ResponseWriter,
) {
spiffeid := s.IdAsString(r)
if !crypto.RootKeySetInMemory() {
log.InfoLn(&cid, "Delete: Root key not set")
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(
&cid, "Delete: Problem sending response",
err.Error())
}
return
}
if !validation.CheckDatabaseReadiness(cid, w) {
return
}
j := entity.JournalEntry{
CorrelationId: cid,
Method: r.Method,
Url: r.RequestURI,
SpiffeId: spiffeid,
Event: audit.Enter,
}
// Only sentinel can execute delete requests.
if ok, respond := validation.IsSentinel(j, cid, spiffeid); !ok {
j.Event = audit.NotSentinel
journal.Log(j)
respond(w)
return
}
log.DebugLn(&cid, "Delete: sentinel spiffeid:", spiffeid)
body, err := io.ReadAll(r.Body)
if err != nil {
j.Event = audit.BrokenBody
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(
&cid,
"Delete: Problem sending response",
err.Error())
}
return
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.InfoLn(
&cid,
"Delete: Problem closing body", err.Error())
}
}(r.Body)
log.DebugLn(&cid, "Delete: Parsed request body")
var sr reqres.SecretDeleteRequest
err = json.Unmarshal(body, &sr)
if err != nil {
log.DebugLn(&cid,
"Delete: Error unmarshalling request body",
err.Error())
j.Event = audit.RequestTypeMismatch
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(
&cid,
"Delete: Problem sending response",
err.Error())
}
log.TraceLn(&cid, "Delete: Exiting from error case")
return
}
workloadIds := sr.WorkloadIds
if len(workloadIds) == 0 {
log.TraceLn(&cid, "Delete: Empty workload ids")
j.Event = audit.NoWorkloadId
journal.Log(j)
log.TraceLn(
&cid,
"Delete: Exiting from empty workload ids case")
return
}
log.DebugLn(&cid, "Secret:Delete: ", "workloadIds:", workloadIds)
for _, workloadId := range workloadIds {
collection.DeleteSecret(entity.SecretStored{
Name: workloadId,
Meta: entity.SecretMeta{
CorrelationId: cid,
},
})
}
log.DebugLn(&cid, "Delete:End: workloadIds:", workloadIds)
j.Event = audit.Ok
journal.Log(j)
_, err = io.WriteString(w, "OK")
if err != nil {
log.InfoLn(
&cid,
"Delete: Problem sending response", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package fallback
import (
"io"
"net/http"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// Fallback handles requests that don't match any defined routes.
//
// It logs the mismatched route, sets the HTTP status to BadRequest,
// and writes an empty response. If there's an error writing the response,
// it logs a warning.
//
// Parameters:
// - cid: A string representing the correlation ID for logging.
// - r: The HTTP request that didn't match any routes.
// - w: The HTTP response writer to send the response.
func Fallback(
cid string, r *http.Request, w http.ResponseWriter,
) {
log.DebugLn(&cid, "Handler: route mismatch:", r.RequestURI)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.WarnLn(&cid, "Problem writing response:", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package fetch
import (
"fmt"
"io"
"net/http"
"time"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/extract"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/handle"
rv "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
// Fetch handles the retrieval of a secret for a given workload, identified by
// its SPIFFE ID.
// The function performs several checks to ensure the request is valid and then
// fetches the secret.
//
// Parameters:
// - cid: A string representing the correlation ID for the request, used for
// tracking and logging purposes.
// - w: An http.ResponseWriter object used to send responses back to the
// client.
// - r: An http.Request object containing the request details from the client.
// - spiffeid: A string representing the SPIFFE ID of the client making the
// request.
func Fetch(
cid string, r *http.Request, w http.ResponseWriter,
) {
spiffeid := s.IdAsString(r)
if !crypto.RootKeySetInMemory() {
log.InfoLn(&cid, "Fetch: Root key not set")
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(
&cid,
"Status: problem sending response", spiffeid)
}
return
}
if !rv.CheckDatabaseReadiness(cid, w) {
return
}
j := data.JournalEntry{
CorrelationId: cid,
Method: r.Method,
Url: r.RequestURI,
SpiffeId: spiffeid,
Event: audit.Enter,
}
journal.Log(j)
// Only workloads can fetch.
if !validation.IsWorkload(spiffeid) {
handle.BadSvidResponse(cid, w, spiffeid, j)
return
}
log.DebugLn(&cid, "Fetch: sending response")
defer func(b io.ReadCloser) {
err := b.Close()
if err != nil {
log.InfoLn(&cid, "Fetch: Problem closing body")
}
}(r.Body)
log.DebugLn(&cid, "Fetch: preparing request")
workloadId, parts := extract.WorkloadIdAndParts(spiffeid)
if len(parts) == 0 {
handle.BadPeerSvidResponse(cid, w, spiffeid, j)
return
}
var secrets []data.SecretStored
if workloadId == "vsecm-scout" {
secrets = collection.RawSecrets(cid)
} else {
secret, err := collection.ReadSecret(cid, workloadId)
if err != nil {
log.WarnLn(&cid, "Fetch: Attempted to read secret from disk.")
log.TraceLn(&cid,
"Likely expected error. No need to panic:", err.Error())
}
if secret != nil {
secrets = append(secrets, *secret)
}
}
log.TraceLn(&cid, "Fetch: workloadId", workloadId)
// If secret does not exist, send an empty response.
if secrets == nil {
handle.NoSecretResponse(cid, w, j)
return
}
if len(secrets) == 0 {
handle.NoSecretResponse(cid, w, j)
return
}
if workloadId == "vsecm-scout" {
value := extract.SecretValue(cid, secrets)
sfr := reqres.SecretFetchResponse{
Data: value,
}
handle.SuccessResponse(cid, w, j, sfr)
return
}
// Only vsecm-scout workloads can fetch multiple `raw` secrets.
if len(secrets) > 1 {
log.WarnLn(&cid, "Fetch: Sending 'no secrets' response:",
workloadId, len(secrets))
handle.NoSecretResponse(cid, w, j)
return
}
// Regular workloads will only have one secret.
secret := secrets[0]
log.DebugLn(&cid, "Fetch: will send. workload id:", workloadId)
value := extract.SecretValue(cid, secrets)
// RFC3339 is what Go uses internally when marshaling dates.
// Choosing it to be consistent.
sfr := reqres.SecretFetchResponse{
Data: value,
Created: fmt.Sprintf("\"%s\"",
secret.Created.Format(time.RFC3339)),
Updated: fmt.Sprintf("\"%s\"",
secret.Updated.Format(time.RFC3339)),
}
handle.SuccessResponse(cid, w, j, sfr)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package keystone
import (
"encoding/json"
"io"
"net/http"
"strings"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
// Status handles HTTP requests to determine the current status of
// VSecM Keystone. The assumption is, if VSecM Keystone has an associated
// secret, then VSecM Sentinel will have finished its "init commands" flow
// successfully and will not need to re-run the init commands if it crashes
// or gets evicted.
//
// Parameters:
// - cid: A unique identifier for the correlation of logs and audit entries.
// - w: The http.ResponseWriter object through which HTTP responses are
// written.
// - r: The http.Request received from the client. This contains all the
// details about the request made by the client.
// - spiffeid: The SPIFFE ID of the entity making the request, used for
// authentication and logging.
func Status(
cid string, r *http.Request, w http.ResponseWriter,
) {
spiffeid := s.IdAsString(r)
j := data.JournalEntry{
CorrelationId: cid,
Method: r.Method,
Url: r.RequestURI,
SpiffeId: spiffeid,
Event: audit.Enter,
}
journal.Log(j)
if spiffeid == "" {
log.InfoLn(&cid, "Status: Bad SPIFFE ID")
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.ErrorLn(&cid, "Status: Problem sending response", err.Error())
}
j.Event = audit.BadSpiffeId
journal.Log(j)
return
}
if !crypto.RootKeySetInMemory() {
log.InfoLn(&cid, "Status: Root key not set")
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.ErrorLn(&cid, "Status: Problem sending response", err.Error())
}
j.Event = audit.RootKeyNotSet
journal.Log(j)
return
}
// Return 5xx if postgres mode and db is not ready.
if !validation.CheckDatabaseReadiness(cid, w) {
return
}
// Only sentinel can get the status.
if ok, respond := validation.IsSentinel(j, cid, spiffeid); !ok {
j.Event = audit.NotSentinel
journal.Log(j)
respond(w)
return
}
log.TraceLn(&cid, "Status: before defer")
defer func(b io.ReadCloser) {
err := b.Close()
if err != nil {
log.InfoLn(&cid, "Status: Problem closing body")
}
}(r.Body)
log.TraceLn(&cid, "Status: after defer")
tmp := strings.Replace(spiffeid, env.SpiffeIdPrefixForSentinel(), "", 1)
parts := strings.Split(tmp, "/")
if len(parts) == 0 {
j.Event = audit.BadPeerSvid
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Status: Problem with spiffeid", spiffeid)
}
return
}
if collection.KeystoneInitialized(cid) {
log.TraceLn(&cid, "Status: keystone initialized")
res := reqres.KeystoneStatusResponse{
Status: data.Ready,
}
j.Event = audit.Ok
journal.Log(j)
resp, err := json.Marshal(res)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "Status: Problem marshalling response")
if err != nil {
log.ErrorLn(&cid, "Status: Problem sending response", err.Error())
}
return
}
_, err = io.WriteString(w, string(resp))
if err != nil {
log.ErrorLn(&cid, "Status: Problem sending response", err.Error())
}
log.DebugLn(&cid, "Status: after response")
return
}
// Below: not initialized
log.TraceLn(&cid, "Status: keystone not initialized")
res := reqres.KeystoneStatusResponse{
Status: data.Pending,
}
j.Event = audit.Ok
journal.Log(j)
resp, err := json.Marshal(res)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "Status: Problem marshalling response")
if err != nil {
log.ErrorLn(&cid, "Status: Problem sending response", err.Error())
}
return
}
_, err = io.WriteString(w, string(resp))
if err != nil {
log.ErrorLn(&cid, "Status: Problem sending response", err.Error())
}
log.DebugLn(&cid, "Status: after response")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package list
import (
"encoding/json"
"io"
"net/http"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/collection"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
algo "github.com/vmware-tanzu/secrets-manager/core/constants/crypto"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
func doList(
cid string, w http.ResponseWriter, r *http.Request, encrypted bool,
) {
spiffeid := s.IdAsString(r)
if !crypto.RootKeySetInMemory() {
log.InfoLn(&cid, "Masked: Root key not set")
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Masked: Problem with spiffeid", spiffeid)
}
return
}
j := data.JournalEntry{
CorrelationId: cid,
Method: r.Method,
Url: r.RequestURI,
SpiffeId: spiffeid,
Event: audit.Enter,
}
journal.Log(j)
// Only sentinel can list.
if ok, respond := validation.IsSentinel(j, cid, spiffeid); !ok {
j.Event = audit.NotSentinel
journal.Log(j)
respond(w)
return
}
log.TraceLn(&cid, "Masked: before defer")
defer func(b io.ReadCloser) {
err := b.Close()
if err != nil {
log.InfoLn(&cid, "Masked: Problem closing body")
}
}(r.Body)
log.TraceLn(&cid, "Masked: after defer")
secrets := collection.AllSecrets(cid)
if encrypted {
a := algo.Age
if env.FipsCompliantModeForSafe() {
a = algo.Aes
}
secrets := collection.AllSecretsEncrypted(cid)
sfr := reqres.SecretEncryptedListResponse{
Secrets: secrets,
Algorithm: a,
}
j.Event = audit.Ok
journal.Log(j)
resp, err := json.Marshal(sfr)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "Masked: Problem marshalling response")
if err != nil {
log.ErrorLn(&cid,
"Masked: Problem sending response", err.Error())
}
return
}
_, err = io.WriteString(w, string(resp))
if err != nil {
log.ErrorLn(&cid, "Masked: Problem sending response", err.Error())
}
log.DebugLn(&cid, "Masked: after response")
return
}
sfr := reqres.SecretListResponse{
Secrets: secrets,
}
j.Event = audit.Ok
journal.Log(j)
resp, err := json.Marshal(sfr)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "Masked: Problem marshalling response")
if err != nil {
log.ErrorLn(&cid, "Masked: Problem sending response", err.Error())
}
return
}
_, err = io.WriteString(w, string(resp))
if err != nil {
log.ErrorLn(&cid, "Masked: Problem sending response", err.Error())
}
log.DebugLn(&cid, "Masked: after response")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package list
import (
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
"net/http"
ioState "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// Masked returns all registered workloads to the system with some metadata
// that is secure to share. For example, it returns secret names but not values.
//
// - cid: A string representing the client identifier.
// - w: An http.ResponseWriter used to write the HTTP response.
// - r: A pointer to an http.Request representing the received HTTP request.
// - spiffeid: spiffe id of the caller.
func Masked(
cid string, r *http.Request, w http.ResponseWriter,
) {
log.InfoLn(&cid, "route:Masked")
log.InfoLn(&cid, "Masked: Backing store:", env.BackingStoreForSafe())
log.InfoLn(&cid, "Masked: Postgres ready:", ioState.PostgresReady())
log.InfoLn(&cid, "Masked: entity:", entity.Postgres)
if !validation.CheckDatabaseReadiness(cid, w) {
return
}
doList(cid, w, r, false)
}
// Encrypted returns all registered workloads to the system. Similar to `Masked`
// it return meta information; however, it also returns encrypted secret values
// where an operator can decrypt if they know the VSecM root key.
//
// - cid: A string representing the client identifier.
// - w: An http.ResponseWriter used to write the HTTP response.
// - r: A pointer to an http.Request representing the received HTTP request.
// - spiffeid: spiffe id of the caller.
func Encrypted(
cid string, r *http.Request, w http.ResponseWriter,
) {
log.TraceLn(&cid, "route:Encrypted")
if !validation.CheckDatabaseReadiness(cid, w) {
return
}
doList(cid, w, r, true)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package receive
import (
"io"
"net/http"
"strings"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/bootstrap"
httq "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/http"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/json"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
// Keys processes a request to set root cryptographic keys within the application,
// validating the SPIFFE ID of the requester and the payload structure before
// proceeding.
//
// This function is pivotal in scenarios where updating the application's
// cryptographic foundation is required, often performed by a trusted
// VSecM Sentinel entity.
//
// The returned keys need to be protected and kept secret, as they are the
// foundation for the cryptographic operations within the application. The keys
// are used to encrypt and decrypt secrets, and to sign and verify the integrity
// of the data.
//
// Parameters:
// - cid (string): Correlation ID for operation tracing and logging.
// - w (http.ResponseWriter): The HTTP response writer to send back responses
// or errors.
// - r (*http.Request): The incoming HTTP request containing the payload.
// - spiffeid (string): The SPIFFE ID associated with the requester, used for
// authorization validation.
func Keys(cid string, r *http.Request, w http.ResponseWriter) {
spiffeid := s.IdAsString(r)
j := journal.CreateDefaultEntry(cid, spiffeid, r)
journal.Log(j)
// Only sentinel can set keys.
if ok, respond := validation.IsSentinel(j, cid, spiffeid); !ok {
respond(w)
j.Event = audit.NotSentinel
journal.Log(j)
return
}
if !validation.CheckDatabaseReadiness(cid, w) {
return
}
log.DebugLn(&cid, "Keys: sentinel spiffeid:", spiffeid)
body, _ := httq.ReadBody(cid, r)
if body == nil {
j.Event = audit.BrokenBody
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Keys: Problem sending response", err.Error())
}
return
}
ur, _ := json.UnmarshalKeyInputRequest(body)
if ur == nil {
j.Event = audit.BadPayload
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Keys: Problem sending response", err.Error())
}
return
}
sr := *ur
aesCipherKey := strings.TrimSpace(sr.AesCipherKey)
agePrivateKey := strings.TrimSpace(sr.AgeSecretKey)
agePublicKey := strings.TrimSpace(sr.AgePublicKey)
if aesCipherKey == "" || agePrivateKey == "" || agePublicKey == "" {
j.Event = audit.BadPayload
journal.Log(j)
return
}
rkt := data.RootKeyCollection{
PrivateKey: agePrivateKey,
PublicKey: agePublicKey,
AesSeed: aesCipherKey,
}
crypto.SetRootKeyInMemory(rkt.Combine())
if err := bootstrap.PersistRootKeysToRootKeyBackingStore(
data.RootKeyCollection{
PrivateKey: agePrivateKey,
PublicKey: agePublicKey,
AesSeed: aesCipherKey,
},
); err != nil {
log.ErrorLn(&cid, "Keys: Problem persisting keys", err.Error())
}
log.DebugLn(&cid, "Keys: before response")
_, err := io.WriteString(w, "OK")
if err != nil {
log.InfoLn(&cid, "Keys: Problem sending response", err.Error())
}
log.DebugLn(&cid, "Keys: after response")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package secret
import (
"io"
"net/http"
"strings"
"time"
net "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/http"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/json"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/state"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/base/validation"
ioState "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/core/audit/journal"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
data "github.com/vmware-tanzu/secrets-manager/lib/entity"
s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
)
// Secret handles the creation, updating, and management of secrets.
// It performs several checks and operations based on the request parameters.
//
// Parameters:
// - cid: A string representing the correlation ID for the request, used for
// logging and tracking purposes.
// - w: An http.ResponseWriter object used to send responses back to the
// client.
// - r: An http.Request object containing the details of the client's request.
// - spiffeid: A string representing the SPIFFE ID of the client making the
// request.
func Secret(cid string, r *http.Request, w http.ResponseWriter) {
spiffeid := s.IdAsString(r)
if spiffeid == "" {
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, val.NotOk)
if err != nil {
log.ErrorLn(&cid, "error writing response", err.Error())
}
return
}
if !crypto.RootKeySetInMemory() {
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, val.NotOk)
if err != nil {
log.ErrorLn(&cid, "error writing response", err.Error())
}
log.InfoLn(&cid, "Secret: Root key not set")
return
}
j := journal.CreateDefaultEntry(cid, spiffeid, r)
journal.Log(j)
isSentinelOrScout, respond := validation.IsSentinelOrScout(j, cid, spiffeid)
// Only sentinel or scout can do this
if !isSentinelOrScout {
j.Event = audit.NotSentinelOrScout
journal.Log(j)
respond(w)
return
}
log.DebugLn(&cid, "Secret: sentinel spiffeid:", spiffeid)
body, _ := net.ReadBody(cid, r)
if body == nil {
j.Event = audit.BadPayload
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
return
}
log.DebugLn(&cid, "Secret: Parsed request body")
ur, _ := json.UnmarshalSecretUpsertRequest(body)
if ur == nil {
j.Event = audit.BadPayload
journal.Log(j)
w.WriteHeader(http.StatusBadRequest)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid, "Secret: Problem sending response", err.Error())
}
return
}
sr := *ur
workloadIds := sr.WorkloadIds
value := sr.Value
namespaces := sr.Namespaces
template := sr.Template
format := sr.Format
encrypt := sr.Encrypt
notBefore := sr.NotBefore
expiresAfter := sr.Expires
// The next check is only for non-vsecm-safe workloads.
if len(workloadIds) == 0 || workloadIds[0] != "vsecm-safe" {
log.TraceLn(&cid, "Secret: workloadIds is empty or not vsecm-safe")
// If postgres mode enabled and db is not initialized, return error.
if env.BackingStoreForSafe() == entity.Postgres && !ioState.PostgresReady() {
w.WriteHeader(http.StatusServiceUnavailable)
_, err := io.WriteString(w, val.NotOk)
if err != nil {
log.ErrorLn(&cid, "error writing response", err.Error())
}
log.InfoLn(&cid, "Secret: Database not initialized")
return
}
} else {
log.TraceLn(&cid, "Secret: vsecm-safe workload detected")
}
if len(workloadIds) == 0 && encrypt {
isSentinel, respond := validation.IsSentinel(j, cid, spiffeid)
if !isSentinel {
j.Event = audit.NotSentinel
journal.Log(j)
respond(w)
}
net.SendEncryptedValue(cid, value, j, w)
return
}
if len(namespaces) == 0 {
namespaces = []string{"default"}
}
log.DebugLn(&cid, "Secret:Upsert: ", "workloadIds:", workloadIds,
"namespaces:", namespaces,
"template:", template, "format:", format, "encrypt:", encrypt,
"notBefore:", notBefore, "expiresAfter:", expiresAfter)
if len(workloadIds) == 0 && !encrypt {
log.TraceLn(&cid, "Secret:Upsert: No workload id. Exiting")
j.Event = audit.NoWorkloadId
journal.Log(j)
return
}
// `encrypt` means that the value is encrypted, so we need to decrypt it.
if encrypt {
log.TraceLn(&cid, "Secret: Value is encrypted")
decrypted, err := crypto.DecryptValue(value)
// If decryption failed, return an error response.
if err != nil {
log.InfoLn(&cid, "Secret: Decryption failed", err.Error())
w.WriteHeader(http.StatusInternalServerError)
_, err := io.WriteString(w, "")
if err != nil {
log.InfoLn(&cid,
"Secret: Problem sending response", err.Error())
}
return
}
// Update the value of the request to the decoded value.
sr.Value = decrypted
value = sr.Value
} else {
log.TraceLn(&cid, "Secret: Value is not encrypted")
}
nb := data.JsonTime{}
exp := data.JsonTime{}
if notBefore == "now" {
nb = data.JsonTime(time.Now())
} else {
nbTime, err := time.Parse(time.RFC3339, notBefore)
if err != nil {
nb = data.JsonTime(time.Now())
} else {
nb = data.JsonTime(nbTime)
}
}
if expiresAfter == "never" {
// This is the largest time go stdlib can represent.
// It is far enough into the future that the author does not care
// what happens after.
exp = data.JsonTime(
time.Date(9999, time.December,
31, 23, 59, 59, 999999999, time.UTC),
)
} else {
expTime, err := time.Parse(time.RFC3339, expiresAfter)
if err != nil {
exp = data.JsonTime(
time.Date(9999, time.December,
31, 23, 59, 59, 999999999, time.UTC),
)
} else {
exp = data.JsonTime(expTime)
}
}
for _, workloadId := range workloadIds {
isClerk, _ := validation.IsClerk(j, cid, spiffeid)
// Clerk can only set `raw:` secrets.
if isClerk && !strings.HasPrefix(workloadId, "raw:") {
log.WarnLn(&cid, "Clerk is trying to upsert non-raw secrets."+
" Skipping:", workloadId)
continue
}
secretToStore := entity.SecretStored{
Name: workloadId,
Meta: entity.SecretMeta{
Namespaces: namespaces,
Template: template,
Format: format,
CorrelationId: cid,
},
Value: value,
NotBefore: time.Time(nb),
ExpiresAfter: time.Time(exp),
}
state.Upsert(secretToStore, workloadId, cid, j, w)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
"math"
"path"
"strconv"
"github.com/vmware-tanzu/secrets-manager/core/constants/file"
"github.com/vmware-tanzu/secrets-manager/core/constants/symbol"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
// PersistToDisk saves a given secret to disk and also creates a backup copy
// of the secret. The function is designed to enhance data durability through
// retries and backup management based on environmental configurations.
//
// Parameters:
// - secret (entity.SecretStored): The secret to be saved, which is a
// structured entity containing the secret's name and possibly other
// metadata or the secret data itself.
// - errChan (chan<- error): A channel through which errors are reported. This
// channel allows the function to operate asynchronously, notifying the
// caller of any issues in the process of persisting the secret.
func PersistToDisk(secret entity.SecretStored, errChan chan<- error) {
if env.BackingStoreForSafe() != entity.File {
panic("Attempted to save to disk when backing store is not file")
}
backupCount := env.SecretBackupCountForSafe()
// Save the secret
dataPath := path.Join(env.DataPathForSafe(), secret.Name+file.AgeExtension)
err := backoff.RetryExponential("PersistToDisk", func() error {
return saveSecretToDisk(secret, dataPath)
})
if err != nil {
errChan <- err
// Do not proceed, since the primary save was not successful.
return
}
lastBackupIndexLock.Lock()
index, found := lastBackedUpIndex[secret.Name]
if !found {
lastBackedUpIndex[secret.Name] = 0
index = 0
}
lastBackupIndexLock.Unlock()
newIndex := math.Mod(float64(index+1), float64(backupCount))
// Save a copy
dataPath = path.Join(
env.DataPathForSafe(),
secret.Name+symbol.FileNameSectionDelimiter+
strconv.Itoa(int(newIndex))+
symbol.FileNameSectionDelimiter+file.AgeBackupExtension,
)
err = backoff.RetryExponential(
"PersistBackupToDisk", func() error {
return saveSecretToDisk(secret, dataPath)
})
if err != nil {
errChan <- err
// Do not change lastBackedUpIndex
// since the backup was not successful.
return
}
lastBackupIndexLock.Lock()
lastBackedUpIndex[secret.Name] = int(newIndex)
lastBackupIndexLock.Unlock()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
s "github.com/vmware-tanzu/secrets-manager/core/constants/secret"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
// PersistToK8s attempts to save a provided secret entity into a Kubernetes
// cluster. The function is structured to handle potential errors through
// retries and communicates any persistent issues back to the caller via an
// error channel. It employs logging for traceability of the operation's
// progress and outcomes.
//
// Parameters:
// - secret (entity.SecretStored): A structured entity containing the secret's
// metadata and values to be persisted. The metadata includes a
// CorrelationId for tracing the operation.
// - errChan (chan<- error): A channel through which errors are reported. This
// channel allows the function to notify the caller of any failures in
// persisting the secret, enabling asynchronous error handling.
func PersistToK8s(secret entity.SecretStored, errChan chan<- error) {
cid := secret.Meta.CorrelationId
log.TraceLn(&cid, "persistK8s: Will persist k8s secret.")
// Defensive coding:
// secret's value is never empty because when the value is set to an
// empty secret, it is scheduled for deletion and not persisted to the
// file system or the cluster. However, it that happens, we would at least
// want an indicator that it happened.
if secret.Value == "" {
secret.Value = s.InitialValue
}
log.TraceLn(&cid, "persistK8s: Will try saving secret to k8s.")
err := backoff.RetryExponential("PersistToK8s", func() error {
return saveSecretToKubernetes(secret)
})
if err != nil {
log.TraceLn(
&cid, "persistK8s: still error, pushing the error to errChan")
errChan <- err
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
"database/sql"
"encoding/base64"
"encoding/json"
"errors"
"sync"
"sync/atomic"
_ "github.com/lib/pq"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
var (
db atomic.Pointer[sql.DB]
initMu sync.Mutex
)
// InitDB initializes the database connection
func InitDB(dataSourceName string) error {
initMu.Lock()
defer initMu.Unlock()
// Check if db is already initialized
if db.Load() != nil {
return nil
}
newDB, err := sql.Open("postgres", dataSourceName)
if err != nil {
return err
}
if err := newDB.Ping(); err != nil {
_ = newDB.Close()
return err
}
db.Store(newDB)
return nil
}
func PostgresReady() bool {
currentDB := db.Load()
if currentDB == nil {
return false
}
return currentDB.Ping() == nil
}
// DB returns the current database connection
func DB() *sql.DB {
return db.Load()
}
// PersistToPostgres saves a given secret to the Postgres database
func PersistToPostgres(secret entity.SecretStored, errChan chan<- error) {
cid := secret.Meta.CorrelationId
log.TraceLn(&cid, "PersistToPostgres: Persisting secret to database")
// Serialize the secret to JSON
jsonData, err := json.Marshal(secret)
if err != nil {
errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to marshal secret"))
log.ErrorLn(&cid, "PersistToPostgres: Error marshaling secret:", err.Error())
return
}
// Encrypt the JSON data
var encryptedData string
fipsMode := env.FipsCompliantModeForSafe()
if fipsMode {
encryptedBytes, err := crypto.EncryptBytesAes(jsonData)
if err != nil {
errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to encrypt secret with AES"))
log.ErrorLn(&cid, "PersistToPostgres: Error encrypting secret with AES:", err.Error())
return
}
encryptedData = base64.StdEncoding.EncodeToString(encryptedBytes)
} else {
encryptedBytes, err := crypto.EncryptBytesAge(jsonData)
if err != nil {
errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to encrypt secret with Age"))
log.ErrorLn(&cid, "PersistToPostgres: Error encrypting secret with Age:", err.Error())
return
}
encryptedData = base64.StdEncoding.EncodeToString(encryptedBytes)
}
err = backoff.RetryExponential("PersistToPostgres", func() error {
pg := DB()
_, err := pg.Exec(
`INSERT INTO "vsecm-secrets" (name, data)
VALUES ($1, $2) ON CONFLICT (name) DO UPDATE SET data = $2`,
secret.Name, encryptedData)
return err
})
if err != nil {
errChan <- errors.Join(err, errors.New("PersistToPostgres: Failed to persist secret to database"))
log.ErrorLn(&cid, "PersistToPostgres: Error persisting secret to database:", err.Error())
return
}
log.TraceLn(&cid, "PersistToPostgres: Secret persisted to database successfully")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
"encoding/json"
"errors"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// ReadFromDisk retrieves and decrypts a secret stored on disk, identified by
// the provided key, and deserializes it into a SecretStored entity. This
// is critical for secure retrieval of persisted secrets, ensuring both
// confidentiality and integrity by decrypting and validating the secret's
// structure.
//
// Parameters:
// - key (string): A unique identifier for the secret. This key is used to
// locate the encrypted file on the disk which contains the secret's data.
//
// Returns:
// - '(*entity.SecretStored, error)': This function returns a pointer to a
// SecretStored entity if the operation is successful. The SecretStored
// entity represents the decrypted and deserialized secret. If any error
// occurs during the process, a nil pointer and an error object are
// returned. The error provides context about the nature of the failure,
// such as issues with decryption or data deserialization.
func ReadFromDisk(key string) (*entity.SecretStored, error) {
if env.BackingStoreForSafe() != entity.File {
panic("Attempted to read from disk when backing store is not file")
}
contents, err := crypto.DecryptDataFromDisk(key)
if err != nil {
return nil, errors.Join(
err,
errors.New("readFromDisk: error decrypting file"),
)
}
var secret entity.SecretStored
err = json.Unmarshal(contents, &secret)
if err != nil {
return nil, errors.Join(
err,
errors.New("readFromDisk: Failed to unmarshal secret"),
)
}
return &secret, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
"encoding/json"
"errors"
"io"
"os"
"sync"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
var lastBackedUpIndex = make(map[string]int)
// Only one thread reaches lastBackupIndex at a time;
// but still using this lock for defensive programming.
var lastBackupIndexLock = sync.Mutex{}
func saveSecretToDisk(secret entity.SecretStored, dataPath string) error {
data, err := json.Marshal(secret)
if err != nil {
return errors.Join(
err,
errors.New("saveSecretToDisk: failed to marshal secret"),
)
}
file, err := os.Create(dataPath)
if err != nil {
return errors.Join(
err,
errors.New("saveSecretToDisk: failed to create file"),
)
}
defer func(f io.ReadCloser) {
err := f.Close()
if err != nil {
id := crypto.Id()
log.InfoLn(&id, "saveSecretToDisk: problem closing file", err.Error())
}
}(file)
if env.FipsCompliantModeForSafe() {
return crypto.EncryptToWriterAes(file, string(data))
}
return crypto.EncryptToWriterAge(file, string(data))
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
"context"
"errors"
"strings"
apiV1 "k8s.io/api/core/v1"
kErrors "k8s.io/apimachinery/pkg/api/errors"
metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
ec "github.com/vmware-tanzu/secrets-manager/core/constants/env"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
// saveSecretToKubernetes saves a given SecretStored entity to a Kubernetes
// cluster. It handles the process of configuring a Kubernetes client,
// determining the appropriate secret name, and either creating or updating the
// secret in the specified namespace.
//
// The secret data is prepared by converting the input secret entity into a
// map suitable for Kubernetes. The namespace for the secret is extracted from
// the secret's metadata.
//
// Parameters:
// - secret: An entity.SecretStored object containing the secret data to be
// stored.
//
// Returns:
// - error: An error object that will be non-nil if an error occurs at any
// step of the process.
//
// Note: This function assumes it is running within a Kubernetes cluster as it
// uses InClusterConfig to generate the Kubernetes client configuration.
func saveSecretToKubernetes(secret entity.SecretStored) error {
config, err := rest.InClusterConfig()
if err != nil {
return errors.Join(
err,
errors.New("could not create client config"),
)
}
// If the secret does not have the k8s: prefix, then it is not a k8s secret;
// do not save it in the cluster.
if !strings.HasPrefix(secret.Name, env.StoreWorkloadAsK8sSecretPrefix()) {
return errors.New("secret does not have k8s: prefix")
}
clientset, err := kubernetes.NewForConfig(config)
if err != nil {
return errors.Join(
err,
errors.New("could not create client"),
)
}
k8sSecretName := secret.Name
// If the secret has k8s: prefix, then do not append a prefix; use the name
// as is.
if strings.HasPrefix(secret.Name, env.StoreWorkloadAsK8sSecretPrefix()) {
k8sSecretName = strings.TrimPrefix(
secret.Name, env.StoreWorkloadAsK8sSecretPrefix(),
)
}
// Transform the data if there is a transformation defined.
data := secret.ToMapForK8s()
namespaces := secret.Meta.Namespaces
for i, ns := range namespaces {
if ns == "" {
namespaces[i] = string(ec.Default)
}
// First, try to get the existing secret
_, err = clientset.CoreV1().Secrets(ns).Get(
context.Background(), k8sSecretName, metaV1.GetOptions{})
if kErrors.IsNotFound(err) {
// Create the Secret in the cluster with a backoff.
err = backoff.RetryFixed(
ns,
func() error {
// Create the Secret in the cluster
_, err = clientset.CoreV1().Secrets(ns).Create(
context.Background(),
&apiV1.Secret{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
ObjectMeta: metaV1.ObjectMeta{
Name: k8sSecretName,
Namespace: ns,
Labels: map[string]string{
"app.kubernetes.io/operated-by": "vsecm",
},
},
Data: data,
},
metaV1.CreateOptions{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
},
)
return err
},
)
if err != nil {
return errors.Join(
err,
errors.New("error creating the secret"),
)
}
continue
}
// Secret is found in the cluster.
// Update the Secret in the cluster:
err = backoff.RetryFixed(
ns,
func() error {
_, err = clientset.CoreV1().Secrets(ns).Update(
context.Background(),
&apiV1.Secret{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
ObjectMeta: metaV1.ObjectMeta{
Name: k8sSecretName,
Namespace: ns,
Labels: map[string]string{
"app.kubernetes.io/operated-by": "vsecm",
},
},
Data: data,
},
metaV1.UpdateOptions{
TypeMeta: metaV1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
},
)
return err
},
)
if err != nil {
return errors.Join(
err,
errors.New("error updating the secret"),
)
}
}
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package queue
import (
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/queue/deletion"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/queue/insertion"
)
// Initialize starts two goroutines: one to process the secret queue and
// another to process the Kubernetes secret queue. These goroutines are
// responsible for handling queued secrets and persisting them to disk.
func Initialize() {
go insertion.ProcessSecretBackingStoreQueue()
go insertion.ProcessK8sPrefixedSecretQueue()
go deletion.ProcessSecretBackingStoreQueue()
}
package collection
import (
"database/sql"
"encoding/base64"
"encoding/json"
"errors"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"os"
"strings"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/stats"
f "github.com/vmware-tanzu/secrets-manager/core/constants/file"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
func populateSecretsFromFileStore(cid string) error {
root := env.DataPathForSafe()
files, err := os.ReadDir(root)
if err != nil {
return errors.Join(
err,
errors.New("populateSecrets: problem reading secrets directory"),
)
}
for _, file := range files {
if file.IsDir() {
continue
}
fn := file.Name()
if strings.HasSuffix(fn, f.AgeBackupExtension) {
continue
}
key := strings.Replace(fn, f.AgeExtension, "", 1)
_, exists := Secrets.Load(key)
if exists {
continue
}
secretOnDisk, err := io.ReadFromDisk(key)
if err != nil {
log.ErrorLn(&cid,
"populateSecrets: problem reading secret from disk:",
err.Error())
continue
}
if secretOnDisk != nil {
stats.CurrentState.Increment(key, Secrets.Load)
Secrets.Store(key, *secretOnDisk)
}
}
return nil
}
func populateSecretsFromPostgresqlDb(cid string) error {
if !io.PostgresReady() {
return errors.New("populateSecretsFromPostgresqlDb: Database connection is not ready")
}
pg := io.DB()
rows, err := pg.Query(`SELECT name, data FROM "vsecm-secrets"`)
if err != nil {
return errors.Join(
err,
errors.New("populateSecretsFromPostgresqlDb: problem querying secrets from database"),
)
}
defer func(rows *sql.Rows) {
err := rows.Close()
if err != nil {
log.ErrorLn(&cid, "populateSecretsFromPostgresqlDb: problem closing rows:",
err.Error())
}
}(rows)
for rows.Next() {
var name string
var encryptedData string
err := rows.Scan(&name, &encryptedData)
if err != nil {
log.ErrorLn(&cid,
"populateSecretsFromPostgresqlDb: problem scanning row:",
err.Error())
continue
}
_, exists := Secrets.Load(name)
if exists {
continue
}
// Decode the base64 encoded data
encryptedBytes, err := base64.StdEncoding.DecodeString(encryptedData)
if err != nil {
log.ErrorLn(&cid,
"populateSecretsFromPostgresqlDb: problem decoding base64 data:",
err.Error())
continue
}
// Decrypt the data
var decryptedBytes []byte
fipsMode := env.FipsCompliantModeForSafe()
if fipsMode {
decryptedBytes, err = crypto.DecryptBytesAes(encryptedBytes)
} else {
decryptedBytes, err = crypto.DecryptBytesAge(encryptedBytes)
}
if err != nil {
log.ErrorLn(&cid,
"populateSecretsFromPostgresqlDb: problem decrypting secret:",
err.Error())
continue
}
// Unmarshal the JSON data
var secret entity.SecretStored
err = json.Unmarshal(decryptedBytes, &secret)
if err != nil {
log.ErrorLn(&cid,
"populateSecretsFromPostgresqlDb: problem unmarshaling secret:",
err.Error())
continue
}
stats.CurrentState.Increment(name, Secrets.Load)
Secrets.Store(name, secret)
}
if err := rows.Err(); err != nil {
return errors.Join(
err,
errors.New("populateSecretsFromPostgresqlDb: problem iterating over rows"),
)
}
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package collection
import (
"sync"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// Secrets is where all the secrets are stored.
var Secrets sync.Map
var secretsPopulated = false
var secretsPopulatedLock = sync.Mutex{}
// SecretsPopulated returns a boolean indicating whether the secrets have been
// populated.
func SecretsPopulated() bool {
secretsPopulatedLock.Lock()
defer secretsPopulatedLock.Unlock()
return secretsPopulated
}
// PopulateSecrets scans the designated secrets storage directory on disk,
// reading each secret file that is not marked as a backup, and loads the
// secrets into a global store if they have not already been loaded. This
// ensures that the application's current session has access to all persisted
// secrets. It uses a locking mechanism to prevent concurrent execution and
// ensure data consistency.
//
// Parameters:
// - cid (string): A correlation ID that is used for logging purposes,
// allowing for the tracing of the populate operation through logs.
//
// Returns:
// - error: If an error occurs during the directory reading or secret reading
// process, it returns an error wrapped with context about the failure
// point. If no errors occur, it returns nil to indicate successful
// completion.
func PopulateSecrets(cid string) error {
log.TraceLn(&cid, "populateSecrets: populating secrets...")
secretsPopulatedLock.Lock()
defer secretsPopulatedLock.Unlock()
// Already populated, nothing to do.
if secretsPopulated {
return nil
}
store := env.BackingStoreForSafe()
populated := false
switch store {
case data.Memory:
log.TraceLn(&cid, "populateSecrets: using in-memory store.")
case data.File:
err := populateSecretsFromFileStore(cid)
populated = err == nil
if err != nil {
log.ErrorLn(&cid, "populateSecrets:error", err.Error())
}
case data.Postgres:
err := populateSecretsFromPostgresqlDb(cid)
populated = err == nil
if err != nil {
log.ErrorLn(&cid, "populateSecrets:error", err.Error())
}
case data.Kubernetes:
panic("implement kubernetes store")
case data.AwsSecretStore:
panic("implement aws secret store")
case data.AzureSecretStore:
panic("implement azure secret store")
case data.GcpSecretStore:
panic("implement gcp secret store")
}
secretsPopulated = populated
log.TraceLn(&cid, "populateSecrets: secrets populated.")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package collection
import (
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"strings"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/stats"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
data "github.com/vmware-tanzu/secrets-manager/lib/entity"
)
// SecretByName retrieves a secret by its name.
// This function first checks if the secrets have been populated in the cache.
// If not, it populates the secrets using the root key triplet. It then attempts
// to load the secret by name from the populated cache.
//
// Parameters:
// - cid string: A correlation ID used to track the request and associated
// logging. This ID helps in tracing and debugging operations across
// different components or services that handle the secret data.
// - name string: The name of the secret to be retrieved.
//
// Returns:
// - *entity.Secret: A pointer to the Secret entity if found. The Secret
// structure includes fields such as Name, Created, Updated, NotBefore, and
// ExpiresAfter. Each of these timestamp fields is converted from the stored
// format to a JSON compatible format. Returns nil if no secret with the
// provided name is found in the cache.
//
// Error Handling:
// - If there is an error in populating the secrets from the disk (e.g., due
// to read errors or data corruption), the function logs a warning message
// with the correlation ID and the error message but continues execution.
// This does not halt the function, and it subsequently tries to fetch the
// secret if already available in the cache.
func SecretByName(cid string, name string) *entity.Secret {
// Check existing stored secrets files.
// If VSecM pod is evicted and revived, it will not have knowledge about
// the secret it has. This loop helps it re-populate its cache.
if !SecretsPopulated() {
err := PopulateSecrets(cid)
if err != nil {
log.WarnLn(&cid,
"Failed to populate secrets from disk", err.Error())
}
}
s, ok := Secrets.Load(name)
if !ok {
return nil
}
v := s.(entity.SecretStored)
return &entity.Secret{
Name: v.Name,
Created: data.JsonTime(v.Created),
Updated: data.JsonTime(v.Updated),
NotBefore: data.JsonTime(v.NotBefore),
ExpiresAfter: data.JsonTime(v.ExpiresAfter),
}
}
const keystoneWorkloadId = "vsecm-keystone"
// KeystoneInitialized checks whether the keystone secret is registered.
//
// This is a utility function that depends on the SecretByName function to check
// for the presence of the specific secret. A return value of true indicates
// that the keystone is initialized and ready for use, while false indicates it
// is not.
//
// Parameters:
// - cid string: A correlation ID used for logging and tracing.
//
// Returns:
// - bool: True if the keystone secret is present, false otherwise.
func KeystoneInitialized(cid string) bool {
ks := SecretByName(cid, keystoneWorkloadId)
return ks != nil
}
// AllSecrets returns a slice of entity.Secret containing all secrets
// currently stored. If no secrets are found, an empty slice is
// returned.
func AllSecrets(cid string) []entity.Secret {
var result []entity.Secret
// Check existing stored secrets files.
// If VSecM pod is evicted and revived, it will not have knowledge about
// the secret it has. This loop helps it re-populate its cache.
if !SecretsPopulated() {
err := PopulateSecrets(cid)
if err != nil {
log.WarnLn(&cid,
"Failed to populate secrets from disk", err.Error())
}
}
// Range over all existing secrets.
Secrets.Range(func(key any, value any) bool {
v := value.(entity.SecretStored)
result = append(result, entity.Secret{
Name: v.Name,
Created: data.JsonTime(v.Created),
Updated: data.JsonTime(v.Updated),
NotBefore: data.JsonTime(v.NotBefore),
ExpiresAfter: data.JsonTime(v.ExpiresAfter),
})
return true
})
if result == nil {
return []entity.Secret{}
}
return result
}
// AllSecretsEncrypted returns a slice of entity.SecretEncrypted containing all
// secrets currently stored. If no secrets are found, an empty slice is
// returned.
func AllSecretsEncrypted(cid string) []entity.SecretEncrypted {
var result []entity.SecretEncrypted
// Check existing stored secrets files.
// If VSecM pod is evicted and revived, it will not have knowledge about
// the secret it has. This loop helps it re-populate its cache.
if !SecretsPopulated() {
err := PopulateSecrets(cid)
if err != nil {
log.WarnLn(&cid,
"Failed to populate secrets from disk", err.Error())
}
}
// Range over all existing secrets.
Secrets.Range(func(key any, value any) bool {
v := value.(entity.SecretStored)
// For debugging purposes, if you want to see the plain secret,
// you can remove this wrapper. But remember, this is a security
// leak; DO NOT expose this in the final source code.
ev, _ := crypto.EncryptValue(v.Value)
result = append(result, entity.SecretEncrypted{
Name: v.Name,
EncryptedValue: ev,
Created: data.JsonTime(v.Created),
Updated: data.JsonTime(v.Updated),
NotBefore: data.JsonTime(v.NotBefore),
ExpiresAfter: data.JsonTime(v.ExpiresAfter),
})
return true
})
if result == nil {
return []entity.SecretEncrypted{}
}
return result
}
func contains(s []string, e string) bool {
for _, a := range s {
if a == e {
return true
}
}
return false
}
// RawSecrets returns a slice of entity.Secret containing all secrets
// currently stored with keys prefixed by "raw:". If no raw secrets are found,
// an empty slice is returned.
func RawSecrets(cid string) []entity.SecretStored {
var result []entity.SecretStored
// Check existing stored secrets files.
// If VSecM pod is evicted and revived, it will not have knowledge about
// the secret it has. This loop helps it re-populate its cache.
if !SecretsPopulated() {
err := PopulateSecrets(cid)
if err != nil {
log.WarnLn(&cid,
"Failed to populate secrets from disk", err.Error())
}
}
// Range over all existing secrets.
Secrets.Range(func(key any, value any) bool {
k := key.(string)
v := value.(entity.SecretStored)
// Check if the key is prefixed with "raw:"
if strings.HasPrefix(k, "raw:") {
result = append(result, v)
}
return true
})
if result == nil {
return []entity.SecretStored{}
}
return result
}
// ReadSecret takes a key string and returns a pointer to an entity.SecretStored
// object if the secret exists in the in-memory store. If the secret is not
// found in memory, it attempts to read it from disk, store it in memory, and
// return it. If the secret is not found on disk, it returns nil.
func ReadSecret(cid string, key string) (*entity.SecretStored, error) {
log.TraceLn(&cid, "ReadSecret:begin")
result, secretFoundInMemory := Secrets.Load(key)
if secretFoundInMemory {
s := result.(entity.SecretStored)
log.TraceLn(&cid,
"ReadSecret: returning from memory.", "len", len(s.Value))
return &s, nil
}
store := env.BackingStoreForSafe()
switch store {
case entity.File:
log.TraceLn(&cid, "will read from file store.")
case entity.Postgres:
log.WarnLn(&cid, "TODO: fetch from postgres store")
return nil, nil
}
stored, err := io.ReadFromDisk(key)
if err != nil {
return nil, err
}
if stored == nil {
return nil, nil
}
stats.CurrentState.Increment(stored.Name, Secrets.Load)
Secrets.Store(stored.Name, *stored)
log.TraceLn(&cid,
"ReadSecret: returning from disk.", "len", len(stored.Value))
//res := []entity.SecretStored{*stored}
//res = append(res, *stored)
return stored, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package collection
import (
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/queue/deletion"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/stats"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// DeleteSecret orchestrates the deletion of a specified secret from both the
// application's internal cache and its persisted storage locations, which may
// include local filesystem and Kubernetes secrets. The deletion process is
// contingent upon the secret's metadata, specifically its backing store and
// whether it is used as a Kubernetes secret.
//
// Parameters:
// - secretToDelete (entity.SecretStored): The secret entity marked for
// deletion, containing necessary metadata such as the name of the secret,
// its correlation ID for logging, and metadata specifying where and how
// the secret is stored.
func DeleteSecret(secretToDelete entity.SecretStored) {
cid := secretToDelete.Meta.CorrelationId
_, exists := Secrets.Load(secretToDelete.Name)
if !exists {
log.WarnLn(&cid,
"DeleteSecret: Secret does not exist. Cannot delete.",
secretToDelete.Name)
return
}
log.TraceLn(
&cid, "DeleteSecret: Will delete secret. len",
len(deletion.SecretDeleteQueue),
"cap", cap(deletion.SecretDeleteQueue))
// The deletion queue will remove the secret from the backing store.
// The backing store is determined by the env.BackingStoreForSafe()
// function.
deletion.SecretDeleteQueue <- secretToDelete
log.TraceLn(
&cid, "DeleteSecret: Pushed secret to delete. len",
len(deletion.SecretDeleteQueue), "cap",
cap(deletion.SecretDeleteQueue))
// Remove the secret from the memory.
stats.CurrentState.Decrement(secretToDelete.Name, Secrets.Load)
Secrets.Delete(secretToDelete.Name)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package collection
import (
"strings"
"time"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/queue/insertion"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/stats"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// UpsertSecret takes an entity.SecretStored object and inserts it into
// the in-memory store if it doesn't exist, or updates it if it does. It also
// handles updating the backing store and Kubernetes secrets if necessary.
// If appendValue is true, the new value will be appended to the existing
// values, otherwise it will replace the existing values.
func UpsertSecret(secretStored entity.SecretStored) {
cid := secretStored.Meta.CorrelationId
val := secretStored.Value
if len(val) == 0 {
log.InfoLn(&cid,
"UpsertSecret: nothing to upsert. exiting.", "len(vs)", len(val))
return
}
s, exists := Secrets.Load(secretStored.Name)
now := time.Now()
if exists {
log.TraceLn(&cid, "UpsertSecret: Secret exists. Will update.")
ss := s.(entity.SecretStored)
secretStored.Created = ss.Created
} else {
secretStored.Created = now
}
secretStored.Updated = now
log.InfoLn(&cid, "UpsertSecret:",
"created", secretStored.Created, "updated", secretStored.Updated,
"name", secretStored.Name, "len(vs)", len(val),
)
log.TraceLn(&cid, "UpsertSecret: Will parse secret.")
parsedStr, err := secretStored.Parse()
if err != nil {
log.InfoLn(&cid,
"UpsertSecret: Error parsing secret. Will use fallback value.",
err.Error(),
)
}
log.TraceLn(&cid,
"UpsertSecret: Parsed secret. Will set transformed value.")
secretStored.ValueTransformed = parsedStr
stats.CurrentState.Increment(secretStored.Name, Secrets.Load)
Secrets.Store(secretStored.Name, secretStored)
log.TraceLn(
&cid, "UpsertSecret: Will push secret. len",
len(insertion.SecretUpsertQueue),
"cap", cap(insertion.SecretUpsertQueue))
// The insertion queue will add the secret to the backing store.
// The backing store is determined by the env.BackingStoreForSafe()
// function.
insertion.SecretUpsertQueue <- secretStored
log.TraceLn(
&cid, "UpsertSecret: Pushed secret. len",
len(insertion.SecretUpsertQueue), "cap",
cap(insertion.SecretUpsertQueue))
// A "raw" secret cannot be queried by regular workloads, you will need a
// special Kubernetes Operator to access it.
if strings.HasPrefix(secretStored.Name, env.RawSecretPrefix()) {
log.TraceLn(&cid,
"UpsertSecret: the secret will not be associated with a workload.",
)
return
}
// If the "name" of the secret has the prefix "k8s:", then store it as a
// Kubernetes secret too.
if strings.HasPrefix(secretStored.Name,
env.StoreWorkloadAsK8sSecretPrefix()) {
log.TraceLn(
&cid,
"UpsertSecret: will push Kubernetes secret. len",
len(insertion.K8sSecretUpsertQueue),
"cap", cap(insertion.K8sSecretUpsertQueue),
)
insertion.K8sSecretUpsertQueue <- secretStored
log.TraceLn(
&cid,
"UpsertSecret: pushed Kubernetes secret. len",
len(insertion.K8sSecretUpsertQueue),
"cap", cap(insertion.K8sSecretUpsertQueue),
)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package deletion
import (
"os"
"path"
"github.com/vmware-tanzu/secrets-manager/core/constants/file"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// SecretDeleteQueue items are persisted to files. They are buffered, so that
// they can be written in the order they are queued and there are no concurrent
// writes to the same file at a time.
var SecretDeleteQueue = make(
chan entity.SecretStored,
env.SecretDeleteBufferSizeForSafe(),
)
// ProcessSecretBackingStoreQueue continuously processes a queue of secrets
// scheduled for deletion, removing each secret from disk. This function plays
// a crucial role in the secure management of secrets by ensuring that outdated
// or unnecessary secrets are not left stored, potentially posing a security risk.
//
// It operates in an endless loop, monitoring a global queue of secrets to be
// deleted.
func ProcessSecretBackingStoreQueue() {
cid := crypto.Id()
errChan := make(chan error)
go func() {
for e := range errChan {
// If the `delete` operation spews out an error, log it.
log.ErrorLn(&cid,
"processSecretDeleteQueue: error deleting secret:", e.Error())
}
}()
for {
// Buffer overflow check.
if len(SecretDeleteQueue) == env.SecretBufferSizeForSafe() {
log.ErrorLn(
&cid,
"processSecretDeleteQueue: "+
"there are too many k8s secrets queued. "+
"The goroutine will BLOCK until the queue is cleared.",
)
}
// Get a secret to be removed from the disk.
secret := <-SecretDeleteQueue
store := env.BackingStoreForSafe()
switch store {
case entity.Memory:
log.TraceLn(&cid, "ProcessSecretQueue: using in-memory store.")
return
case entity.File:
log.TraceLn(&cid, "ProcessSecretQueue: Will delete secret from disk.")
case entity.Kubernetes:
panic("implement kubernetes store")
case entity.AwsSecretStore:
panic("implement aws secret store")
case entity.AzureSecretStore:
panic("implement azure secret store")
case entity.GcpSecretStore:
panic("implement gcp secret store")
case entity.Postgres:
log.WarnLn(&cid, "Delete operation has not been implemented for postgres backing store yet.")
return
}
if secret.Name == "" {
log.WarnLn(&cid,
"processSecretDeleteQueue: trying to delete an empty secret. "+
"Possibly picked a nil secret", len(SecretDeleteQueue))
return
}
log.TraceLn(&cid,
"processSecretDeleteQueue: picked a secret", len(SecretDeleteQueue))
// Remove secret from disk.
dataPath := path.Join(env.DataPathForSafe(), secret.Name+file.AgeExtension)
log.TraceLn(&cid,
"processSecretDeleteQueue: removing secret from disk:", dataPath)
err := os.Remove(dataPath)
if err != nil && !os.IsNotExist(err) {
log.WarnLn(&cid,
"processSecretDeleteQueue: failed to remove secret", err.Error())
}
log.TraceLn(&cid,
"processSecretDeleteQueue: should have deleted the secret.")
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package insertion
import (
"time"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// SecretUpsertQueue items are persisted to files. They are buffered, so
// that they can be written in the order they are queued and there are
// no concurrent writes to the same file at a time. An alternative
// approach would be to have a map of queues of `SecretsStored`s per file
// name but that feels like an overkill.
var SecretUpsertQueue = make(
chan entity.SecretStored,
env.SecretBufferSizeForSafe(),
)
func pickSecretFromQueue(cid string) entity.SecretStored {
// Get a secret to be persisted.
secret := <-SecretUpsertQueue
log.TraceLn(&cid, "ProcessSecretQueue: Will persist to Postgres.",
len(SecretUpsertQueue))
return secret
}
// ProcessSecretBackingStoreQueue manages a continuous loop that processes
// secrets from the SecretUpsertQueue, persisting each secret to disk storage.
// This function is crucial for ensuring that changes to secrets are reliably
// stored, supporting both new secrets and updates to existing ones. The
// operations of this function is critical for maintaining the integrity and
// consistency of secret data within the system.
func ProcessSecretBackingStoreQueue() {
errChan := make(chan error)
cid := crypto.Id()
go func() {
for e := range errChan {
// If the `persist` operation spews out an error, log it.
log.ErrorLn(
&cid, "processSecretQueue: error persisting secret:", e.Error(),
)
}
}()
for {
// Buffer overflow check.
if len(SecretUpsertQueue) == env.SecretBufferSizeForSafe() {
log.ErrorLn(
&cid,
"processSecretQueue: there are too many k8s secrets queued. "+
"The goroutine will BLOCK until the queue is cleared.",
)
}
// Persist the secret:
//
// Each secret is persisted one at a time, with the order they come in.
//
// DO NOT call `PersistToXyz()` functions (i.e.,[1],[2]) elsewhere.
// They mean to be called inside this goroutine that
// `ProcessSecretBackingStoreQueue` owns.
store := env.BackingStoreForSafe()
switch store {
case entity.Memory:
log.TraceLn(&cid, "ProcessSecretQueue: using in-memory store.")
return
case entity.Kubernetes:
panic("implement kubernetes store")
case entity.AwsSecretStore:
panic("implement aws secret store")
case entity.AzureSecretStore:
panic("implement azure secret store")
case entity.GcpSecretStore:
panic("implement gcp secret store")
case entity.File:
log.TraceLn(&cid, "ProcessSecretQueue: Will persist to disk.")
// This is blocking. [1]
io.PersistToDisk(pickSecretFromQueue(cid), errChan)
case entity.Postgres:
if !io.PostgresReady() {
log.TraceLn(&cid, "ProcessSecretQueue: Postgres is not ready. Waiting...")
// Give the loop some time to breathe.
// This is to prevent the loop from spinning too fast.
time.Sleep(5 * time.Second)
continue
}
log.TraceLn(&cid, "ProcessSecretQueue: Postgres is ready. Persisting...")
// This is blocking. [2]
io.PersistToPostgres(pickSecretFromQueue(cid), errChan)
}
log.TraceLn(&cid, "processSecretQueue: should have persisted the secret.")
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package insertion
import (
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/io"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// K8sSecretUpsertQueue has the secrets to be synced with their Kubernetes
// `Secret` counterparts.
var K8sSecretUpsertQueue = make(
chan entity.SecretStored, env.K8sSecretBufferSizeForSafe())
// ProcessK8sPrefixedSecretQueue continuously processes a queue of Kubernetes
// secrets (K8sSecretUpsertQueue), attempting to persist each secret into the
// Kubernetes cluster, specifically into etcd as a Kubernetes Secret. The
// function employs asynchronous error handling and is designed to operate
// continuously within a dedicated goroutine.
//
// This queue is for secrets that are generated via the `k8s:` prefix in their
// workload name. When the workload name starts with a `k8s:` prefix, VSecM will
// create an actual Kubernetes secret along with the secret it stores locally.
// This is especially useful for legacy use cases where a workload cannot
// directly consume vsecm-minted secrets.
func ProcessK8sPrefixedSecretQueue() {
errChan := make(chan error)
id := crypto.Id()
go func() {
for e := range errChan {
// If the `persistK8s` operation spews out an error, log it.
log.ErrorLn(&id,
"processK8sSecretQueue: error persisting secret:", e.Error())
}
}()
for {
// Buffer overflow check.
if len(SecretUpsertQueue) == env.SecretBufferSizeForSafe() {
log.ErrorLn(
&id,
"processK8sSecretQueue:"+
" there are too many k8s secrets queued. "+
"The goroutine will BLOCK until the queue is cleared.",
)
}
// Get a secret to be persisted to the disk.
secret := <-K8sSecretUpsertQueue
cid := secret.Meta.CorrelationId
log.TraceLn(&cid, "processK8sSecretQueue: picked k8s secret")
// Sync up the secret to etcd as a Kubernetes Secret.
//
// Each secret is synced one at a time, with the order they
// come in.
//
// Do not call this function elsewhere.
// It is meant to be called inside this `processK8sSecretQueue`
// goroutine.
io.PersistToK8s(secret, errChan)
log.TraceLn(&cid,
"processK8sSecretQueue: Should have persisted k8s secret")
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package stats
import (
"sync"
"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/secret/queue/insertion"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// CurrentState is a global Status object that represents the current state of
// the Secrets Manager.
var CurrentState = data.Status{
SecretQueueLen: 0,
SecretQueueCap: 0,
K8sQueueLen: 0,
K8sQueueCap: 0,
NumSecrets: 0,
}
var currentStateLock sync.RWMutex // Protects access to the CurrentState object.
// Stats returns a copy of the CurrentState Status object, providing a snapshot
// of the current status of VSecM.
func Stats() data.Status {
currentStateLock.RLock()
defer currentStateLock.RUnlock()
// Note that this is a side effect.
// Another alternative would be to update these values in a
// background process, but that will be an overkill, and it will
// consume more resources.
//
// This approach is a more pragmatic alternative.
CurrentState.K8sQueueCap = cap(insertion.K8sSecretUpsertQueue)
CurrentState.K8sQueueLen = len(insertion.K8sSecretUpsertQueue)
CurrentState.SecretQueueCap = cap(insertion.K8sSecretUpsertQueue)
CurrentState.SecretQueueLen = len(insertion.K8sSecretUpsertQueue)
// Note that this is a copy, and it is intended to be read, not
// modified. Also note that, since it is a copy, it maintains a
// separate .Lock instance.
return CurrentState
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"net/http"
nets "github.com/vmware-tanzu/secrets-manager/app/scout/internal/net"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
func main() {
id := crypto.Id()
http.HandleFunc("/webhook", nets.Webhook)
if env.ScoutTlsEnabled() {
log.InfoLn(&id, "scout: TLS enabled")
tlsConfig := nets.TlsConfig()
server := &http.Server{
Addr: env.ScoutHttpPort(),
TLSConfig: tlsConfig,
}
log.InfoLn(&id, "Server is running on",
env.ScoutHttpPort(), "with TLS enabled")
fmt.Println("Server is running on :8443 with TLS enabled")
if err := server.ListenAndServeTLS("", ""); err != nil {
log.InfoLn(&id, "Failed", err.Error())
}
return
} else {
log.InfoLn(&id, "scout: TLS disabled")
}
log.InfoLn(&id, "Server is running on", env.ScoutHttpPort())
server := &http.Server{
Addr: env.ScoutHttpPort(),
}
if err := server.ListenAndServe(); err != nil {
log.InfoLn(&id, "Failed", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package filter
import (
"fmt"
"strings"
)
func ValueFromPath(data any, path string) (any, error) {
parts := strings.Split(path, ".")
// If no path specified, return the data as is.
if path == "" || !strings.Contains(path, ".") {
return data, nil
}
var current = data
for _, part := range parts {
switch v := current.(type) {
case map[string]interface{}:
if val, ok := v[part]; ok {
current = val
} else {
return nil, fmt.Errorf("key not found: %s", part)
}
case []interface{}:
return nil, fmt.Errorf("arrays are not supported in path queries")
default:
return nil, fmt.Errorf("cannot navigate further from %v", current)
}
}
return current, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package net
import (
"encoding/json"
"fmt"
"log"
"net/http"
"net/url"
"strings"
"github.com/golang-jwt/jwt/v4"
"github.com/vmware-tanzu/secrets-manager/app/scout/internal/filter"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
func Webhook(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
log.Println("webhookHandler: Method not allowed")
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Default to JWT for now. Eventually we'll support other auth methods.
if env.ScoutAuthenticationMode() != env.AuthenticationModeNone {
// Extract the token from the Authorization header
authHeader := r.Header.Get("Authorization")
if authHeader == "" {
log.Println("webhookHandler: Missing Authorization header")
http.Error(w, "Missing Authorization header",
http.StatusUnauthorized)
return
}
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
// Parse and validate the token
token, err := jwt.Parse(tokenString,
func(token *jwt.Token) (interface{}, error) {
// Validate the algorithm
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil,
fmt.Errorf(
"unexpected signing method: %v", token.Header["alg"])
}
return []byte(jwtSecret), nil
})
if err != nil {
log.Print("webhookHandler: Nil token")
http.Error(w, "Invalid token", http.StatusUnauthorized)
return
}
if !token.Valid {
log.Println("webhookHandler: Invalid token")
http.Error(w, "Invalid token", http.StatusUnauthorized)
return
}
}
// Get the 'key' query parameter
encodedKey := r.URL.Query().Get("key")
// Unescape the key parameter
decodedKey, err := url.QueryUnescape(encodedKey)
if err != nil {
http.Error(w, "Failed to decode key parameter", http.StatusBadRequest)
return
}
// Parse the decoded key as a query string
values, err := url.ParseQuery(decodedKey)
if err != nil {
log.Println("webhookHandler: Invalid key format")
http.Error(w, "Invalid key format", http.StatusBadRequest)
return
}
key := values.Get("key")
path := values.Get("path")
secretValue, exists := secretsToServe[key]
if !exists {
log.Println("webhookHandler: Invalid key")
http.Error(w, "Invalid key", http.StatusUnauthorized)
return
}
if path == "" {
log.Println("webhookHandler: Path is required")
http.Error(w, "Path is required", http.StatusBadRequest)
return
}
var data interface{}
err = json.Unmarshal([]byte(secretValue), &data)
if err != nil {
log.Println("webhookHandler: Error parsing secret data")
http.Error(w, "Error parsing secret data", http.StatusInternalServerError)
return
}
result, err := filter.ValueFromPath(data, path)
if err != nil {
log.Println("webhookHandler: Error getting value from path")
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(result)
}
package net
import (
"crypto/tls"
"encoding/base64"
"encoding/json"
"fmt"
"github.com/spiffe/vsecm-sdk-go/sentry"
"log"
)
var (
jwtSecret string
secretsToServe map[string]string
)
func TlsConfig() *tls.Config {
fmt.Println("Fetching secrets...")
sfr, err := sentry.Fetch()
if err != nil {
log.Fatalf("Error fetching secrets: %v", err)
}
var secrets []map[string]interface{}
err = json.Unmarshal([]byte(sfr.Data), &secrets)
if err != nil {
log.Fatalf("Error unmarshalling secrets: %v", err.Error())
}
secretsToServe = make(map[string]string)
var serverCert, serverKey string
for _, secret := range secrets {
name := secret["name"].(string)
value := secret["value"].(string)
switch name {
// do this initialization elsewhere
// also you might need a lock since jwtsecret is a shared resource.
//case "raw:vsecm-scout-jwt-secret":
// jwtSecret = value
case "raw:vsecm-scout-crt":
serverCert = value
case "raw:vsecm-scout-key":
serverKey = value
// This is not related to TLS config. Move it elsewhere.
// Ideally, update it in a loop. Also, `secretsToServe` is a shared
// resource; so you might want a thread-safe map for it.
//default:
// if strings.HasPrefix(name, "raw:") &&
// !strings.HasPrefix(name, "raw:vsecm-scout") {
// secretsToServe[strings.TrimPrefix(name, "raw:")] = value
// }
}
}
// Decode base64 encoded certificate and key
decodedCert, err := base64.StdEncoding.DecodeString(serverCert)
if err != nil {
log.Fatalf("Error decoding server certificate: %v", err)
}
decodedKey, err := base64.StdEncoding.DecodeString(serverKey)
if err != nil {
log.Fatalf("Error decoding server key: %v", err)
}
// Configure TLS with decoded certificate and key
cert, err := tls.X509KeyPair(decodedCert, decodedKey)
if err != nil {
log.Fatalf("Error loading server certificate and key: %v", err)
}
return &tls.Config{
Certificates: []tls.Certificate{cert},
// Further configuration options to strengthen the server's security.
// Can be applied via env configuration.
//
// Minimum TLS version
// MinVersion: tls.VersionTLS12,
//
// Preferred cipher suites
// CipherSuites: []uint16{
// tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
// tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
// tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
// tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
// },
//
// Disable TLS renegotiation
// Renegotiation: tls.RenegotiateNever,
//
// Enable HTTP/2
// NextProtos: []string{"h2", "http/1.1"},
//
// Enable client authentication if needed
// ClientAuth: tls.RequireAndVerifyClientCert,
//
// Curve preferences
// CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"context"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/initialization"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/oidc/server"
e "github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/core/log/rpc"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/probe"
"github.com/vmware-tanzu/secrets-manager/lib/system"
)
func main() {
id := crypto.Id()
//Print the diagnostic information about the environment.
log.PrintEnvironmentInfo(&id, []string{
string(e.AppVersion),
string(e.VSecMLogLevel),
})
<-probe.CreateLiveness()
go rpc.CreateLogServer()
log.InfoLn(&id, "Executing the initialization commands (if any)")
ctx := context.WithValue(context.Background(),
key.CorrelationId, &id)
log.TraceLn(&id, "before RunInitCommands")
// Create the Initializer with all dependencies and run init commands
initialization.NewDefaultInitializer().RunInitCommands(ctx)
log.InfoLn(&id, "Initialization commands executed successfully")
if env.SentinelEnableOIDCResourceServer() {
go server.Serve()
}
// Run on the main thread to wait forever.
system.KeepAlive()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"context"
"fmt"
"os"
"os/signal"
"syscall"
"github.com/akamensky/argparse"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/cli"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/safe"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/constants/sentinel"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
func main() {
id := crypto.Id()
parser := argparse.NewParser(
sentinel.CmdName,
"Assigns secrets to workloads.",
)
ctx, cancel := context.WithCancel(
context.WithValue(context.Background(),
key.CorrelationId, &id),
)
defer cancel()
c := make(chan os.Signal, 1)
signal.Notify(c, syscall.SIGTERM, syscall.SIGINT)
go func() {
select {
case <-c:
fmt.Println("Operation was cancelled.")
// It is okay to cancel a cancelled context.
cancel()
}
}()
list := cli.ParseList(parser)
deleteSecret := cli.ParseDeleteSecret(parser)
namespaces := cli.ParseNamespaces(parser)
inputKeys := cli.ParseInputKeys(parser)
workloadIds := cli.ParseWorkload(parser)
secret := cli.ParseSecret(parser)
template := cli.ParseTemplate(parser)
format := cli.ParseFormat(parser)
encrypt := cli.ParseEncrypt(parser)
notBefore := cli.ParseNotBefore(parser)
expires := cli.ParseExpires(parser)
err := parser.Parse(os.Args)
if err != nil {
fmt.Println(err.Error())
fmt.Println()
cli.PrintUsage(parser)
return
}
if *list {
if *encrypt {
err = safe.Get(ctx, true)
if err != nil {
fmt.Println("Error getting from VSecM Safe:", err.Error())
return
}
return
}
err = safe.Get(ctx, false)
if err != nil {
fmt.Println("Error getting from VSecM Safe:", err.Error())
return
}
return
}
if *namespaces == nil || len(*namespaces) == 0 {
*namespaces = []string{string(env.Default)}
}
if cli.InputValidationFailure(
workloadIds, encrypt, inputKeys, secret, deleteSecret,
) {
return
}
err = safe.Post(ctx, entity.SentinelCommand{
WorkloadIds: *workloadIds,
Secret: *secret,
Namespaces: *namespaces,
Template: *template,
Format: *format,
Encrypt: *encrypt,
DeleteSecret: *deleteSecret,
SerializedRootKeys: *inputKeys,
NotBefore: *notBefore,
Expires: *expires,
})
if err != nil {
fmt.Println("Error posting to VSecM Safe:", err.Error())
return
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package cli
import (
"fmt"
"github.com/akamensky/argparse"
"github.com/vmware-tanzu/secrets-manager/core/constants/sentinel"
)
// PrintUsage prints the usage of the CLI.
func PrintUsage(parser *argparse.Parser) {
fmt.Print(parser.Usage(sentinel.CmdName))
}
// InputValidationFailure checks if the input provided by the user is valid.
func InputValidationFailure(
workload *[]string, encrypt *bool, inputKeys *string,
secret *string, deleteSecret *bool) bool {
// You need to provide a workload name if you are not encrypting a secret,
// or if you are not providing input keys.
if len(*workload) == 0 &&
!*encrypt &&
*inputKeys == "" {
printWorkloadNameNeeded()
return true
}
// You need to provide a secret value if you are not deleting a secret,
// or if you are not providing input keys.
if *secret == "" &&
!*deleteSecret &&
*inputKeys == "" {
printSecretNeeded()
return true
}
return false
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package cli
import (
"github.com/akamensky/argparse"
"github.com/vmware-tanzu/secrets-manager/core/constants/sentinel"
)
// ParseList adds a flag to the parser for listing all registered workloads.
// It returns a pointer to a boolean that will be set to true if the flag is
// used.
func ParseList(parser *argparse.Parser) *bool {
return parser.Flag(
string(sentinel.List),
string(sentinel.ListExp), &argparse.Options{
Required: false, Help: "lists all registered workloads",
})
}
// ParseDeleteSecret adds a flag to the parser for deleting a secret associated
// with a workload.
// It returns a pointer to a boolean that will be set to true if the flag is
// used.
func ParseDeleteSecret(parser *argparse.Parser) *bool {
return parser.Flag(
string(sentinel.Remove),
string(sentinel.RemoveExp), &argparse.Options{
Required: false, Default: false,
Help: "delete the secret associated with the workload",
})
}
// ParseNamespaces adds a string list argument to the parser for specifying
// namespaces.
// It returns a pointer to a slice of strings containing the specified
// namespaces.
func ParseNamespaces(parser *argparse.Parser) *[]string {
return parser.StringList(
string(sentinel.Namespace),
string(sentinel.NamespaceExp), &argparse.Options{
Required: false, Default: []string{"default"},
Help: "the namespaces of the workloads or Kubernetes secrets",
})
}
// ParseInputKeys adds a string argument to the parser for inputting keys.
// It returns a pointer to a string containing the input keys.
func ParseInputKeys(parser *argparse.Parser) *string {
return parser.String(
string(sentinel.Keys),
string(sentinel.KeysExp), &argparse.Options{
Required: false,
Help: "A string containing the private and public " +
"Age keys and AES seed, each separated by '\\n'",
})
}
// ParseWorkload adds a string list argument to the parser for specifying
// workload names.
// It returns a pointer to a slice of strings containing the workload names.
func ParseWorkload(parser *argparse.Parser) *[]string {
return parser.StringList(
string(sentinel.Workload),
string(sentinel.WorkloadExp), &argparse.Options{
Required: false,
Help: "names of the workloads",
})
}
// ParseSecret adds a string argument to the parser for specifying a secret.
// It returns a pointer to a string containing the secret.
func ParseSecret(parser *argparse.Parser) *string {
return parser.String(
string(sentinel.Secret),
string(sentinel.SecretExp), &argparse.Options{
Required: false,
Help: "the secret to store for the workload",
})
}
// ParseTemplate adds a string argument to the parser for specifying a
// transformation template.
// It returns a pointer to a string containing the template.
func ParseTemplate(parser *argparse.Parser) *string {
return parser.String(
string(sentinel.Transformation),
string(sentinel.TransformationExp), &argparse.Options{
Required: false,
Help: "the template used to transform the secret stored",
})
}
// ParseFormat adds a string argument to the parser for specifying the output
// format.
// It returns a pointer to a string containing the format.
func ParseFormat(parser *argparse.Parser) *string {
return parser.String(
string(sentinel.Format),
string(sentinel.FormatExp), &argparse.Options{
Required: false,
Help: "the format to display the secrets in." +
" Has effect only when `-t` is provided. " +
"Valid values: yaml, json, and none. Defaults to none",
})
}
// ParseEncrypt adds a flag to the parser for encrypting or decrypting secrets.
// It returns a pointer to a boolean that will be set to true if the flag is
// used.
func ParseEncrypt(parser *argparse.Parser) *bool {
return parser.Flag(
string(sentinel.Encrypt),
string(sentinel.EncryptExp), &argparse.Options{
Required: false, Default: false,
Help: "returns an encrypted version of the secret if used with " +
"`-s`; decrypts the secret before registering it to the " +
"workload if used with `-s` and `-w`",
})
}
// ParseExpires adds a string argument to the parser for specifying the
// expiration date of a secret.
// It returns a pointer to a string containing the expiration date.
func ParseExpires(parser *argparse.Parser) *string {
return parser.String(
string(sentinel.Expires),
string(sentinel.ExpiresExp), &argparse.Options{
Required: false, Default: "never",
Help: "is the expiration date of the secret",
})
}
// ParseNotBefore adds a string argument to the parser for specifying the
// start date of a secret's validity.
// It returns a pointer to a string containing the start date.
func ParseNotBefore(parser *argparse.Parser) *string {
return parser.String(
string(sentinel.NotBefore),
string(sentinel.NotBeforeExp), &argparse.Options{
Required: false, Default: "now",
Help: "secret is not valid before this time",
})
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package cli
import "fmt"
func printWorkloadNameNeeded() {
fmt.Println("Please provide a workload name.")
fmt.Println("")
fmt.Println("type `safe -h` (without backticks) and press return for help.")
fmt.Println("")
}
func printSecretNeeded() {
fmt.Println("Please provide a secret.")
fmt.Println("")
fmt.Println("type `safe -h` (without backticks) and press return for help.")
fmt.Println("")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"time"
)
func (i *Initializer) doSleep(seconds int) {
time.Sleep(time.Duration(seconds) * time.Millisecond)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"context"
"errors"
"time"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
func (i *Initializer) ensureApiConnectivity(ctx context.Context, cid *string) {
i.Logger.TraceLn(cid, "Before checking api connectivity")
for {
err := backoff.RetryExponential(
"RunInitCommands:CheckConnectivity",
func() error {
i.Logger.TraceLn(cid,
"RunInitCommands:CheckConnectivity: checking connectivity to safe")
src, acquired := i.Spiffe.AcquireSourceForSentinel(ctx)
if !acquired {
i.Logger.TraceLn(cid,
"RunInitCommands:CheckConnectivity: failed to acquire source.")
return errors.New(
"RunInitCommands:CheckConnectivity: failed to acquire source")
}
i.Logger.TraceLn(cid,
"RunInitCommands:CheckConnectivity"+
": acquired source successfully")
code, body, err := i.Safe.Check(ctx, src)
i.Logger.TraceLn(cid, "RunInitCommands:CheckConnectivity",
"code:", code, "body:", body, "err?", err != nil)
if err != nil {
i.Logger.TraceLn(cid,
"RunInitCommands:CheckConnectivity: "+
"failed to verify connection to safe:", err.Error())
return errors.New("runInitCommands:CheckConnectivity:" +
" cannot establish connection to safe 001")
}
i.Logger.TraceLn(cid, "RunInitCommands:CheckConnectivity: success")
return nil
})
if err == nil {
i.Logger.TraceLn(cid, "exiting backoffs")
return
}
// Instead of panicking and exiting, we will wait for 5 minutes and then
// retry. This approach is useful because when VSecM Safe is using an
// external database, it might not be ready yet. To configure the
// database, we need VSecM Sentinel to be up and running. So, if we panic
// here, there is a slight chance that a human operator might be trying
// to configure VSecM Safe via VSecM Sentinel, and VSecM Sentinel crashes
// instead of passing the configuration over.
i.Logger.ErrorLn(cid, "All retries exhausted. Last error:", err.Error())
i.Logger.InfoLn(cid, "Entering extended retry mode. "+
"Will attempt again in 1 minute.")
select {
case <-ctx.Done():
i.Logger.WarnLn(cid, "Context canceled, stopping retry attempts")
return
case <-time.After(1 * time.Minute):
i.Logger.InfoLn(cid, "Resuming connectivity check after extended wait")
}
}
}
func (i *Initializer) ensureSourceAcquisition(
ctx context.Context) *workloadapi.X509Source {
cid := ctx.Value(key.CorrelationId).(*string)
i.Logger.TraceLn(cid, "RunInitCommands: acquiring source 001")
var src *workloadapi.X509Source
err := backoff.RetryExponential("RunInitCommands:AcquireSource",
func() error {
i.Logger.TraceLn(cid, "RunInitCommands:AcquireSource"+
": acquireSourceForSentinel: 000")
acq, acquired := i.Spiffe.AcquireSourceForSentinel(ctx)
src = acq
if !acquired {
i.Logger.TraceLn(cid, "RunInitCommands:AcquireSource"+
": failed to acquire source.")
return errors.New("RunInitCommands:AcquireSource" +
": failed to acquire source 000")
}
return nil
})
if err == nil {
i.Logger.TraceLn(cid, "RunInitCommands:AcquireSource"+
": got source. breaking.")
return src
}
panic("RunInitCommands:AcquireSource: failed to acquire source")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"context"
"os"
"time"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/safe"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/spiffe"
)
// OSFileOpener is a struct that provides a method to open files.
type OSFileOpener struct{}
// Open opens the named file and returns an *os.File.
func (OSFileOpener) Open(name string) (*os.File, error) {
return os.Open(name)
}
// EnvConfigReader is a struct that provides methods to read environment
// configurations.
type EnvConfigReader struct{}
// InitCommandPathForSentinel returns the path for the sentinel
// initialization command.
func (EnvConfigReader) InitCommandPathForSentinel() string {
return env.InitCommandPathForSentinel()
}
// InitCommandRunnerWaitBeforeExecIntervalForSentinel returns the wait interval
// before executing the sentinel initialization command.
func (EnvConfigReader) InitCommandRunnerWaitBeforeExecIntervalForSentinel() time.Duration {
return env.InitCommandRunnerWaitBeforeExecIntervalForSentinel()
}
// InitCommandRunnerWaitIntervalBeforeInitComplete returns the wait interval
// before the initialization is complete.
func (EnvConfigReader) InitCommandRunnerWaitIntervalBeforeInitComplete() time.Duration {
return env.InitCommandRunnerWaitIntervalBeforeInitComplete()
}
// NamespaceForVSecMSystem returns the namespace for the VSecM system.
func (EnvConfigReader) NamespaceForVSecMSystem() string {
return env.NamespaceForVSecMSystem()
}
// StandardLogger is a struct that provides logging methods.
type StandardLogger struct{}
// InfoLn logs info level messages.
func (StandardLogger) InfoLn(correlationID *string, v ...interface{}) {
std.InfoLn(correlationID, v...)
}
// ErrorLn logs error level messages.
func (StandardLogger) ErrorLn(correlationID *string, v ...interface{}) {
std.ErrorLn(correlationID, v...)
}
// TraceLn logs trace level messages.
func (StandardLogger) TraceLn(correlationID *string, v ...interface{}) {
std.TraceLn(correlationID, v...)
}
// WarnLn logs warning level messages.
func (StandardLogger) WarnLn(correlationID *string, v ...interface{}) {
std.WarnLn(correlationID, v...)
}
// FatalLn logs fatal level messages.
func (StandardLogger) FatalLn(correlationID *string, v ...interface{}) {
std.FatalLn(correlationID, v...)
}
// SafeClient is a struct that provides methods to interact with the safe.
type SafeClient struct{}
// Check performs a check operation using the provided context and X509Source.
func (SafeClient) Check(ctx context.Context,
src *workloadapi.X509Source) (int, string, error) {
return safe.Check(ctx, src)
}
// CheckInitialization checks the initialization status using the provided
// context and X509Source.
func (SafeClient) CheckInitialization(ctx context.Context,
src *workloadapi.X509Source) (bool, error) {
return safe.CheckInitialization(ctx, src)
}
// Post sends a SentinelCommand to the safe using the provided context.
func (SafeClient) Post(ctx context.Context, sc data.SentinelCommand) error {
return safe.Post(ctx, sc)
}
// SpiffeClient is a struct that provides methods to interact with SPIFFE.
type SpiffeClient struct{}
// AcquireSourceForSentinel acquires an X509Source for the sentinel using
// the provided context.
func (SpiffeClient) AcquireSourceForSentinel(
ctx context.Context) (*workloadapi.X509Source, bool) {
return spiffe.AcquireSourceForSentinel(ctx)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"bufio"
"context"
"os"
"strconv"
"strings"
"github.com/vmware-tanzu/secrets-manager/core/constants/sentinel"
"github.com/vmware-tanzu/secrets-manager/core/constants/symbol"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
func (i *Initializer) commandFileScanner(
cid *string) (*os.File, *bufio.Scanner) {
filePath := i.EnvReader.InitCommandPathForSentinel()
file, err := i.FileOpener.Open(filePath)
if err != nil {
i.Logger.InfoLn(
cid,
"RunInitCommands: no initialization file found... "+
"skipping custom initialization.",
)
return nil, nil
}
i.Logger.TraceLn(cid, "Before parsing commands 001")
return file, bufio.NewScanner(file)
}
func (i *Initializer) parseCommandsFile(
ctx context.Context, cid *string, scanner *bufio.Scanner,
) {
i.Logger.TraceLn(cid, "Before parsing commands 002")
i.Logger.TraceLn(cid, "Created blank sentinel command")
sc := entity.SentinelCommand{}
if scanner == nil {
panic("RunInitCommands: error scanning commands file")
}
i.Logger.TraceLn(cid, "beginning scan")
dance:
for scanner.Scan() {
i.Logger.TraceLn(cid, "scan:for")
line := strings.TrimSpace(scanner.Text())
i.Logger.TraceLn(cid, "line:", line)
if line == "" {
continue
}
parts := strings.SplitN(line, symbol.Separator, 2)
if len(parts) == 1 && sentinel.Command(parts[0]) == sentinel.Exit {
i.Logger.InfoLn(
cid,
"exit found during initialization.",
"skipping the rest of the commands.",
"skipping post initialization.",
)
// Move out of the loop to allow the keystone secret to be
// registered.
break dance
}
if len(parts) != 2 && line != symbol.LineDelimiter {
continue
}
if line == symbol.LineDelimiter {
i.Logger.TraceLn(cid, "scanner: delimiter found")
if sc.ShouldSleep {
i.doSleep(sc.SleepIntervalMs)
i.Logger.TraceLn(cid, "scanner: resetting sentinel command")
sc = entity.SentinelCommand{}
continue
}
err := backoff.RetryExponential(
"RunInitCommands:ProcessCommandBlock",
func() error {
i.Logger.TraceLn(
cid,
"RunInitCommands:ProcessCommandBlock"+
": retrying with exponential backoff",
)
i.Logger.TraceLn(cid, "scanner: posting sentinel command")
if len(sc.WorkloadIds) == 0 {
i.Logger.InfoLn(cid, "RunInitCommands:ProcessCommandBlock: "+
"empty command block. Nothing to do.")
return nil
}
err := i.Safe.Post(ctx, sc)
if err != nil {
i.Logger.ErrorLn(
cid,
"RunInitCommands:ProcessCommandBlock:error:",
err.Error(),
)
}
return err
})
if err != nil {
i.Logger.ErrorLn(
cid,
"RunInitCommands: error processing command block: ",
err.Error(),
)
// If command failed, then the initialization is not totally
// successful.
// Thus, it is best to crash the container to restart the
// initialization.
panic("RunInitCommands:ProcessCommandBlock failed")
}
i.Logger.TraceLn(cid, "scanner: after delimiter")
sc = entity.SentinelCommand{}
continue
}
key := parts[0]
value := parts[1]
i.Logger.TraceLn(cid, "command found.", "key", key, "value", value)
switch sentinel.Command(key) {
case sentinel.Workload:
sc.WorkloadIds = strings.SplitN(value, symbol.ItemSeparator, -1)
case sentinel.Namespace:
sc.Namespaces = strings.SplitN(value, symbol.ItemSeparator, -1)
case sentinel.Secret:
sc.Secret = value
case sentinel.Transformation:
sc.Template = value
case sentinel.Encrypt:
sc.Encrypt = true
case sentinel.Remove:
sc.DeleteSecret = true
case sentinel.Format:
sc.Format = value
case sentinel.Keys:
sc.SerializedRootKeys = value
case sentinel.NotBefore:
sc.NotBefore = value
case sentinel.Expires:
sc.Expires = value
case sentinel.Sleep:
sc.ShouldSleep = true
intervalMs, err := strconv.Atoi(value)
if err != nil {
i.Logger.ErrorLn(cid, "RunInitCommands"+
": Error parsing sleep interval: ", err.Error())
}
sc.SleepIntervalMs = intervalMs
default:
i.Logger.InfoLn(cid, "RunInitCommands: unknown command: ", key)
}
}
i.Logger.TraceLn(cid, "scan finished")
if err := scanner.Err(); err != nil {
i.Logger.ErrorLn(
cid,
"RunInitCommands: Error reading initialization file: ",
err.Error(),
)
// If command failed, then the initialization is not totally successful.
// Thus, it is best to crash the container to restart the
// initialization.
panic("RunInitCommands: Error in scanning the file")
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"context"
"github.com/vmware-tanzu/secrets-manager/core/constants/keystone"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
func (i *Initializer) markKeystone(ctx context.Context, cid *string) bool {
err := backoff.RetryExponential(
"RunInitCommands:MarkKeystone",
func() error {
i.Logger.TraceLn(cid, "RunInitCommands:MarkKeystone"+
": retrying with exponential backoff")
// Assign a secret for VSecM Keystone
err := i.Safe.Post(ctx, entity.SentinelCommand{
WorkloadIds: []string{keystone.WorkloadId},
Namespaces: []string{i.EnvReader.NamespaceForVSecMSystem()},
Secret: keystone.InitSecretValue,
})
return err
})
if err == nil {
return true
}
i.Logger.ErrorLn(
cid, "RunInitCommands: error setting keystone secret: ",
err.Error())
panic("RunInitCommands: error setting keystone secret")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"context"
"os"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
)
// RunInitCommands reads and processes initialization commands from a file.
//
// This function is designed to execute an initial set of commands that are
// declaratively defined in a file. The end result will be as if an operator
// manually entered those commands using the Sentinel CLI.
//
// The function opens the file and reads it line by line using a `bufio.Scanner`.
// Each line is expected to be a command in a specific format, typically
// key-value pairs separated by a defined separator. Lines that do not conform
// to the expected format are ignored.
//
// Special handling is applied for commands that require sleeping (pause
// execution for a specified duration) or processing a block of commands.
//
// The function supports dynamic commands, which are defined in the
// 'entity.SentinelCommand' struct.
//
// Key commands include:
// - workload: (w) Sets the WorkloadIds field in the SentinelCommand.
// - namespace: (n) Sets the Namespaces field.
// - secret: (s) Sets the Secret field.
// - transformation: (t) Sets the Template field.
// - sleep: (sleep) Enables sleep mode and sets the SleepIntervalMs field.
//
// If the file cannot be opened, the function logs an informational message and
// returns early. Errors encountered while reading the file or closing it are
// logged as errors.
func (i *Initializer) RunInitCommands(ctx context.Context) {
cid := ctx.Value(key.CorrelationId).(*string)
waitInterval := i.EnvReader.InitCommandRunnerWaitBeforeExecIntervalForSentinel()
time.Sleep(waitInterval)
// Ensure that we can acquire a source before proceeding.
source := i.ensureSourceAcquisition(ctx)
// Now, we are sure that we can acquire a source.
// Try to do a VSecM Safe API request with the source.
i.ensureApiConnectivity(ctx, cid)
// No need to proceed if initialization has been completed already.
if i.initCommandsExecutedAlready(ctx, source) {
i.Logger.TraceLn(cid, "RunInitCommands: executed already. exiting")
return
}
i.Logger.TraceLn(cid, "RunInitCommands: starting the init flow")
// Now we know that we can establish a connection to VSecM Safe
// and execute API requests. So, we can safely run init commands.
i.Logger.TraceLn(cid, "RunInitCommands: before getting the scanner")
// Parse the commands file and execute the commands in it.
file, scanner := i.commandFileScanner(cid)
if file == nil {
i.Logger.ErrorLn(cid, "file is nil, exiting")
return
}
if scanner == nil {
i.Logger.ErrorLn(cid, "scanner is nil, exiting")
return
}
defer func(file *os.File) {
err := file.Close()
if err != nil {
i.Logger.ErrorLn(cid,
"RunInitCommands: Error closing initialization file: ",
err.Error(),
)
}
}(file)
i.Logger.TraceLn(cid, "RunInitCommands: before parsing commands file")
i.parseCommandsFile(ctx, cid, scanner)
i.Logger.TraceLn(cid, "RunInitCommands: before marking keystone")
// Mark the keystone secret.
success := i.markKeystone(ctx, cid)
if !success {
i.Logger.TraceLn(cid, "RunInitCommands: failed to mark keystone. exiting")
// If we cannot set the keystone secret, better to retry everything.
panic("RunInitCommands: failed to set keystone secret")
}
// Wait before notifying Keystone. This way, if there are things that
// take time to reconcile, they have a chance to do so.
waitInterval = i.EnvReader.InitCommandRunnerWaitIntervalBeforeInitComplete()
time.Sleep(waitInterval)
// Everything is set up.
i.Logger.InfoLn(cid, "RunInitCommands: keystone secret set successfully.")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"context"
"os"
"time"
"github.com/spiffe/go-spiffe/v2/workloadapi"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// TODO: some of these type may need to go to a common package
// FileOpener is an interface for the file operations that the Sentinel
// needs to perform.
type FileOpener interface {
Open(name string) (*os.File, error)
}
// EnvReader is an interface for the environment variables that VSecM Sentinel
// needs to read.
type EnvReader interface {
InitCommandPathForSentinel() string
InitCommandRunnerWaitBeforeExecIntervalForSentinel() time.Duration
InitCommandRunnerWaitIntervalBeforeInitComplete() time.Duration
NamespaceForVSecMSystem() string
}
// Logger is an interface for the logging operations that the Sentinel
// needs to perform.
type Logger interface {
InfoLn(correlationID *string, v ...any)
ErrorLn(correlationID *string, v ...any)
TraceLn(correlationID *string, v ...any)
WarnLn(correlationID *string, v ...any)
FatalLn(correlationID *string, v ...any)
}
// SafeOps is an interface for the Safe operations that the Sentinel needs
// to perform.
type SafeOps interface {
Check(ctx context.Context, src *workloadapi.X509Source) (int, string, error)
CheckInitialization(ctx context.Context,
src *workloadapi.X509Source) (bool, error)
Post(ctx context.Context, sc entity.SentinelCommand) error
}
// SpiffeOps is an interface for the Spiffe operations that the Sentinel needs
// to perform.
type SpiffeOps interface {
AcquireSourceForSentinel(
ctx context.Context) (*workloadapi.X509Source, bool)
}
type Initializer struct {
FileOpener FileOpener
EnvReader EnvReader
Logger Logger
Safe SafeOps
Spiffe SpiffeOps
}
func NewInitializer(
fileOpener FileOpener,
envReader EnvReader,
logger Logger,
safe SafeOps,
spiffe SpiffeOps,
) *Initializer {
return &Initializer{
FileOpener: fileOpener,
EnvReader: envReader,
Logger: logger,
Safe: safe,
Spiffe: spiffe,
}
}
func NewDefaultInitializer() *Initializer {
return NewInitializer(
&OSFileOpener{},
&EnvConfigReader{},
&StandardLogger{},
&SafeClient{},
&SpiffeClient{},
)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package initialization
import (
"context"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/lib/backoff"
)
func (i *Initializer) initCommandsExecutedAlready(
ctx context.Context, src *workloadapi.X509Source,
) bool {
cid := ctx.Value(key.CorrelationId).(*string)
i.Logger.TraceLn(cid, "check:initCommandsExecutedAlready")
initialized := false
err := backoff.RetryExponential(
"RunInitCommands:CheckConnectivity",
func() error {
var err error
initialized, err = i.Safe.CheckInitialization(ctx, src)
return err
})
if err == nil {
return initialized
}
// I shouldn't be here.
panic("RunInitCommands" +
":initCommandsExecutedAlready: failed to check command initialization")
}
package engine
import (
"encoding/json"
"net/http"
"net/url"
"strings"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// httpClient is a minimal interface for making HTTP requests.
type httpClient interface {
Do(req *http.Request) (*http.Response, error)
}
// Auth is the default implementation of the Authorizer interface.
type auth struct {
httpClient httpClient
log logger
}
// Ensure Auth implements Authorizer
var _ authorizer = (*auth)(nil)
// newAuth creates a new Auth instance with the provided options.
func newAuth(opts ...authOption) authorizer {
a := &auth{httpClient: &http.Client{}}
for _, opt := range opts {
opt(a)
}
return a
}
// authOption is a functional option type for configuring Auth.
type authOption func(*auth)
// withHTTPClient sets a custom HTTP client for Auth.
func withHTTPClient(client httpClient) authOption {
return func(a *auth) {
if client != nil {
a.httpClient = client
}
}
}
// withLogger sets a custom logger for Auth.
func withLogger(logger logger) authOption {
return func(a *auth) {
if logger != nil {
a.log = logger
}
}
}
// IsAuthorized checks if the JWT (access token) is authorized based on the
// OAuth 2.0 Token Introspection standard.
func (a *auth) IsAuthorized(id string, r *http.Request) bool {
return a.isAuthorizedJWT(id, r)
}
// isAuthorizedJWT determines if the provided JWT (access token) is authorized
// based on the OAuth 2.0 Token Introspection standard. It makes an HTTP POST
// request to an introspection endpoint with the required credentials and token,
// expecting a TokenIntrospectionResponse.
//
// Parameters:
// - cid: a client identifier used for logging purposes.
// - r: the http.Request containing necessary headers such as Authorization
// (Bearer token), ClientId, ClientSecret, and UserName.
//
// Returns true if the token is active and authorized, false otherwise.
// This function logs detailed error messages using a custom logger and handles
// the request lifecycle, including closing response bodies and error handling.
//
// Usage:
//
// a := NewAuth()
//
// if a.IsAuthorized("client_id", r) {
// // Proceed with the request
// } else {
//
// // Handle unauthorized access
// }
func (a *auth) isAuthorizedJWT(cid string, r *http.Request) bool {
// headers is a list of key-value pairs that are required to be sent to the
// introspection endpoint.
headers := []struct {
key, value string
}{
{"client_id", "ClientId"},
{"client_secret", "ClientSecret"},
{"token", "Authorization"},
{"username", "UserName"},
}
// data is a list of key-value pairs that are required to be sent to the
// introspection endpoint.
data := url.Values{}
for _, h := range headers {
if value := strings.TrimSpace(r.Header.Get(h.value)); value != "" {
data.Set(h.key, value)
}
}
// If the number of headers is not equal to the number of data, then some
// required headers are missing.
if len(data) != len(headers) {
a.log.ErrorLn(&cid, "isAuthorizedJWT: missing required headers")
return false
}
// Create a new HTTP request to the introspection endpoint with the required
// data.
req, err := http.NewRequest("POST",
env.OIDCProviderBaseUrlForSentinel(), strings.NewReader(data.Encode()))
if err != nil {
a.log.ErrorLn(&cid, "isAuthorizedJWT: error creating request:", err)
return false
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
resp, err := a.httpClient.Do(req)
if err != nil {
a.log.ErrorLn(&cid, "isAuthorizedJWT: error sending request:", err)
return false
}
defer func() {
if err := resp.Body.Close(); err != nil {
a.log.ErrorLn(&cid,
"isAuthorizedJWT: error closing response body:", err)
}
}()
// TokenIntrospectionResponse represents the JSON structure received from an
// OAuth 2.0 Token Introspection endpoint.
// It contains the active state of the token which determines if it is valid
// or expired.
var tokenResponse struct {
Active bool `json:"active"`
}
if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil {
a.log.ErrorLn(&cid, "isAuthorizedJWT: error decoding response:", err)
return false
}
a.log.InfoLn(&cid,
"isAuthorizedJWT: token is active:", tokenResponse.Active)
return tokenResponse.Active
}
package engine
import (
"context"
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// safeOperations is an interface that defines the methods for safe operations.
type safeOperations interface {
GetSecrets(ctx context.Context, r *http.Request, encrypt bool) (string, error)
UpdateSecrets(ctx context.Context,
r *http.Request, cmd data.SentinelCommand) (string, error)
}
// Authorizer is an interface that defines the methods for authorizing requests.
type authorizer interface {
IsAuthorized(id string, r *http.Request) bool
}
// Logger is an interface that defines the methods for logging.
type logger interface {
InfoLn(correlationID *string, v ...any)
ErrorLn(correlationID *string, v ...any)
}
type Engine struct {
safeOperations safeOperations
authorizer authorizer
logger logger
}
// New creates a new Engine instance with the provided safe operations and logger.
// It internally uses the newEngine function to create the Engine instance.
func New(safeOps safeOperations, log logger) *Engine {
return newEngine(safeOps, newAuth(withLogger(log)), log)
}
// newEngine creates a new Engine instance with the provided safe operations,
// authorizer, and logger.
// It is used internally by the NewEngine function to create the Engine instance.
// Better to use NewEngine function to create the Engine instance for unit testing.
func newEngine(safeOps safeOperations, auth authorizer, log logger) *Engine {
return &Engine{
safeOperations: safeOps,
authorizer: auth,
logger: log,
}
}
func (e *Engine) createContext() (context.Context, context.CancelFunc) {
id := crypto.Id()
return context.WithCancel(
context.WithValue(context.Background(), key.CorrelationId, id),
)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets… secret
>/
<>/' Copyright 2023–present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package engine
import (
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/sentinel"
)
const defaultNamespace = "default"
var (
ErrUnsupportedMethod = errors.New("unsupported method")
ErrInvalidInput = errors.New("invalid input for secret modification")
ErrInvalidRequestBody = errors.New("invalid request body")
ErrUnauthorized = errors.New("unauthorized: please provide correct credentials")
)
// HandleSecrets processes incoming HTTP requests related to secrets management.
// This function is specifically designed to handle POST requests.
// It handles both listing and modifying secrets based on the provided SecretRequest.
// It ensures that the request is authorized using JWT and processes
// the request accordingly.
//
// Parameters:
// - w: the http.ResponseWriter used to write the HTTP response.
// - r: the *http.Request containing all the request data including headers,
// query parameters, and the body.
//
// The function performs the following steps:
// 1. Checks if the request method is POST.
// 2. Decodes the request body into a SecretRequest struct.
// 3. Generates a unique correlation ID for the request.
// 4. Creates a context with the correlation ID for logging and tracing.
// 5. Checks if the request is authorized using JWT.
// 6. If the request is authorized, it processes the request based on the
// `req.List` flag.
// - If `req.List` is true, it retrieves and sends the list of secrets.
// - If `req.List` is false, it validates the input and performs the
// requested secret management action (e.g., create, update, delete).
//
// The function returns appropriate HTTP status codes and messages in case
// of errors.
//
// Example request body:
//
// {
// "list": true,
// "encrypt": false,
// "workloads": ["workload1"],
// "secret": "my-secret",
// "namespaces": ["namespace1"],
// }
//
// Usage:
//
// http.HandleFunc("/api/secrets", engine.HandleSecrets)
//
// Errors:
// - Returns HTTP 400 if the request body cannot be decoded into
// SecretRequest.
// - Returns HTTP 400 if the request body is invalid for secret modification.
// - Returns HTTP 401 if the request is not authorized.
// - Returns HTTP 405 if the method is not POST.
// - Returns HTTP 500 if there is an error during secret retrieval or modification.
func (e *Engine) HandleSecrets(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, ErrUnsupportedMethod.Error(), http.StatusMethodNotAllowed)
return
}
var req sentinel.SecretRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, ErrInvalidRequestBody.Error(), http.StatusBadRequest)
return
}
ctx, cancel := e.createContext()
defer cancel()
if !e.authorizer.IsAuthorized(ctx.Value(key.CorrelationId).(string), r) {
http.Error(w, ErrUnauthorized.Error(), http.StatusUnauthorized)
return
}
if req.List {
e.handleListSecrets(ctx, w, r, &req)
} else {
e.handleModifySecrets(ctx, w, r, &req)
}
}
// handleListSecrets handles the listing of secrets.
// It retrieves the secrets from the safe and sends them to the client.
func (e *Engine) handleListSecrets(ctx context.Context,
w http.ResponseWriter, r *http.Request, req *sentinel.SecretRequest) {
secrets, err := e.safeOperations.GetSecrets(ctx, r, req.Encrypt)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
e.sendJSONResponse(w, secrets)
}
// handleModifySecrets handles the modification of secrets.
// It validates the input and performs the requested secret management action.
func (e *Engine) handleModifySecrets(ctx context.Context, w http.ResponseWriter, r *http.Request, req *sentinel.SecretRequest) {
if err := e.validateModifyRequest(req); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
cmd := e.createSentinelCommand(req)
result, err := e.safeOperations.UpdateSecrets(ctx, r, cmd)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
e.sendJSONResponse(w, result)
}
// validateModifyRequest validates the input for secret modification.
func (e *Engine) validateModifyRequest(req *sentinel.SecretRequest) error {
if len(req.Namespaces) == 0 {
req.Namespaces = []string{defaultNamespace}
}
if !isValidSecretModification(req.Workloads, req.Encrypt,
req.SerializedRootKeys, req.Secret, req.Delete) {
return ErrInvalidInput
}
return nil
}
// createSentinelCommand creates a SentinelCommand from a SecretRequest.
func (e *Engine) createSentinelCommand(
req *sentinel.SecretRequest) data.SentinelCommand {
return data.SentinelCommand{
WorkloadIds: req.Workloads,
Secret: req.Secret,
Namespaces: req.Namespaces,
Template: req.Template,
Format: req.Format,
Encrypt: req.Encrypt,
DeleteSecret: req.Delete,
SerializedRootKeys: req.SerializedRootKeys,
NotBefore: req.NotBefore,
Expires: req.Expires,
}
}
// sendJSONResponse sends the response to the client.
// It sets the content type to application/json and writes the response body.
// If there is an error in writing the response, it logs the error.
func (e *Engine) sendJSONResponse(w http.ResponseWriter, data string) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
if _, err := fmt.Fprint(w, data); err != nil {
e.logger.ErrorLn(nil, "Error in writing response", err.Error())
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets… secret
>/
<>/' Copyright 2023–present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package engine
// isValidSecretModification validates the secret modification request.
// It returns true if the request is valid, false otherwise.
func isValidSecretModification(
workloads []string,
encrypt bool,
serializedRootKeys string,
secret string,
delete bool,
) bool {
// You need to provide a workload collection if you are not encrypting
// a secret, or if you are not providing input keys.
if len(workloads) == 0 && !encrypt && serializedRootKeys == "" {
return false
}
// You need to provide a secret value if you are not deleting a secret,
// or if you are not providing input keys.
if secret == "" && !delete && serializedRootKeys == "" {
return false
}
return true
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets… secret
>/
<>/' Copyright 2023–present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"context"
"errors"
"fmt"
"io"
"log"
"net/http"
"net/url"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// Get fetches secrets from the VSecM Safe API, optionally including encrypted
// secrets in the response. This function constructs a secure client and makes
// a GET request to the API based on the input parameters. The response is then
// returned as a string, or an error is generated if the process fails at any
// step.
//
// Parameters:
// - ctx: a context.Context that must contain a 'correlationId' used for
// logging.
// - r: the *http.Request containing the original HTTP request details.
// Headers from this request may be propagated to the API request.
// - showEncryptedSecrets: a boolean indicating whether to retrieve encrypted
// secrets.
//
// Returns:
// - A string containing the API response if the request is successful.
// - An error detailing what went wrong during the operation if unsuccessful.
//
// Usage:
//
// response, err := secrets.Get(ctx, req, true)
// if err != nil {
// log.Println("Error fetching secrets:", err)
// } else {
// log.Println("Fetched secrets:", response)
// }
func Get(
ctx context.Context, r *http.Request, showEncryptedSecrets bool,
) (string, error) {
cid := ctx.Value(key.CorrelationId).(*string)
log.Println(cid, "Get: start")
source, proceed := acquireSource(ctx)
defer func(s *workloadapi.X509Source) {
if s == nil {
return
}
err := s.Close()
if err != nil {
log.Println(cid,
"Get: Problem closing the workload source.", err.Error())
}
}(source)
if !proceed {
return "", errors.New("could not proceed")
}
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsSafe(id.String()) {
return nil
}
return errors.New("I don't know you, and it's crazy: '" +
id.String() + "'")
})
safeUrl := "/sentinel/v1/secrets"
if showEncryptedSecrets {
safeUrl = "/sentinel/v1/secrets?reveal=true"
}
p, err := url.JoinPath(env.EndpointUrlForSafe(), safeUrl)
if err != nil {
log.Println(cid, "Get: I am having problem generating "+
"VSecM Safe secrets api endpoint URL.", err.Error())
return "", fmt.Errorf("get: I am having problem "+
"generating VSecM Safe secrets api endpoint URL: %v", err.Error())
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
req, err := http.NewRequest(http.MethodGet, p, nil)
if err != nil {
log.Println(cid, "Get: Problem creating request.", err.Error())
return "", fmt.Errorf("get: Problem creating request: %v", err.Error())
}
selectedHeaders := []string{"Authorization",
"Content-Type", "ClientId", "ClientSecret", "UserName"}
for _, headerName := range selectedHeaders {
if value := r.Header.Get(headerName); value != "" {
req.Header.Set(headerName, value)
}
}
response, err := client.Do(req)
if err != nil {
log.Println(cid,
"Get: Problem connecting to VSecM Safe API endpoint URL.",
err.Error())
return "",
fmt.Errorf("get: Problem connecting to VSecM"+
" Safe API endpoint URL: %v",
err.Error())
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.Println(cid, "Get: Problem closing request body.", err.Error())
}
}(response.Body)
body, err := io.ReadAll(response.Body)
if err != nil {
log.Println(cid,
"Get: Unable to read the response body from VSecM Safe.",
err.Error())
return "",
fmt.Errorf("get: Unable to read"+
" the response body from VSecM Safe: %v",
err.Error())
}
return string(body), nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"bytes"
"errors"
"fmt"
"io"
"log"
"net/http"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
func createAuthorizer() tlsconfig.Authorizer {
return tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsSafe(id.String()) {
return nil
}
return errors.New("Post: I don't know you, and it's crazy: '" +
id.String() + "'")
})
}
func decideSecretFormat(format string) data.SecretFormat {
switch data.SecretFormat(format) {
case data.Json:
return data.Json
case data.Yaml:
return data.Yaml
default:
return data.Json
}
}
func newInputKeysRequest(ageSecretKey, agePublicKey, aesCipherKey string,
) reqres.KeyInputRequest {
return reqres.KeyInputRequest{
AgeSecretKey: ageSecretKey,
AgePublicKey: agePublicKey,
AesCipherKey: aesCipherKey,
}
}
func newSecretUpsertRequest(
workloadIds []string, secret string, namespaces []string,
template string, format string,
encrypt bool, notBefore string, expires string,
) reqres.SecretUpsertRequest {
f := decideSecretFormat(format)
if notBefore == "" {
notBefore = "now"
}
if expires == "" {
expires = "never"
}
return reqres.SecretUpsertRequest{
WorkloadIds: workloadIds,
Namespaces: namespaces,
Template: template,
Format: f,
Encrypt: encrypt,
Value: secret,
NotBefore: notBefore,
Expires: expires,
}
}
func respond(cid *string, r *http.Response) (string, error) {
if r == nil {
return "", errors.New("post: Response is null")
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.Println(cid, "Post: Problem closing request body : %v",
err.Error())
}
}(r.Body)
body, err := io.ReadAll(r.Body)
if err != nil {
log.Println(cid,
"Post: Unable to read the response body from VSecM Safe : %v",
err.Error())
return "",
fmt.Errorf("post: Unable to read the"+
" response body from VSecM Safe : %v",
err.Error())
}
return string(body), nil
}
func printEndpointError(cid *string, err error) error {
log.Println(cid,
"Post: I am having problem generating"+
" VSecM Safe secrets api endpoint URL : %v", err.Error())
return fmt.Errorf(
"post: I am having problem generating"+
" VSecM Safe secrets api endpoint URL: %v", err.Error())
}
func printPayloadError(cid *string, err error) error {
log.Println(cid,
"Post: I am having problem generating the payload : %v", err.Error())
return fmt.Errorf(
"post: I am having problem generating the payload: %v", err.Error())
}
func doDelete(
cid *string, client *http.Client, r *http.Request, p string, md []byte,
) (string, error) {
req, err := http.NewRequest(http.MethodDelete, p, bytes.NewBuffer(md))
if err != nil {
log.Println(cid, "Post:Delete: Problem creating request : %v",
err.Error())
return "", fmt.Errorf("post:Delete: Problem creating request : %v",
err.Error())
}
selectedHeaders := []string{
"Authorization", "Content-Type", "ClientId", "ClientSecret", "UserName",
}
for _, headerName := range selectedHeaders {
if value := r.Header.Get(headerName); value != "" {
req.Header.Set(headerName, value)
}
}
req.Header.Set("Content-Type", "application/json")
response, err := client.Do(req)
if err != nil {
log.Println(cid,
"Post:Delete: Problem connecting"+
" to VSecM Safe API endpoint URL : %v", err.Error())
return "", fmt.Errorf("post:Delete: Problem connecting"+
" to VSecM Safe API endpoint URL : %v", err.Error())
}
return respond(cid, response)
}
func doPost(
cid *string, client *http.Client, r *http.Request, p string, md []byte,
) (string, error) {
req, err := http.NewRequest(http.MethodPost, p, bytes.NewBuffer(md))
if err != nil {
log.Println(cid, "Post: Problem creating request : %v", err.Error())
return "", fmt.Errorf("post: Problem creating request : %v",
err.Error())
}
selectedHeaders := []string{
"Authorization", "Content-Type", "ClientId", "ClientSecret", "UserName",
}
for _, headerName := range selectedHeaders {
if value := r.Header.Get(headerName); value != "" {
req.Header.Set(headerName, value)
}
}
response, err := client.Do(req)
if err != nil {
log.Println(cid,
"Post: Problem connecting to"+
" VSecM Safe API endpoint URL : %v", err.Error())
return "", fmt.Errorf(
"post:doPost: Problem connecting to"+
" VSecM Safe API endpoint URL : %v", err.Error())
}
return respond(cid, response)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets… secret
>/
<>/' Copyright 2023–present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"context"
"encoding/json"
"errors"
"fmt"
"log"
"net/http"
"net/url"
"strings"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
"github.com/vmware-tanzu/secrets-manager/lib/template"
)
// Post handles the HTTP POST request for secret management using the provided
// SentinelCommand.
//
// This function performs the following steps:
// 1. Creates a context with a timeout based on the parent context and
// environment settings.
// 2. Acquires a workload source and proceeds only if the source acquisition
// is successful.
// 3. Depending on the SentinelCommand, it either posts new secrets or deletes
// existing ones.
//
// Parameters:
// - parentContext: The parent context for the request, used for tracing and
// cancellation.
// - r: The HTTP request being processed.
// - sc: The SentinelCommand containing details for the secret management
// operation.
//
// Returns:
// - A string representing the response body or an error if the operation
// fails.
//
// Example usage:
//
// parentContext := context.Background()
// r, _ := http.NewRequest("POST", "http://example.com", nil)
// sc := data.SentinelCommand{
// WorkloadIds: []string{"workload1"},
// Secret: "my-secret",
// Namespaces: []string{"namespace1"},
// SerializedRootKeys: "key1\nkey2\nkey3",
// }
// response, err := Post(parentContext, r, sc)
// if err != nil {
// log.Fatal(err)
// }
// fmt.Println(response)
//
// Error Handling:
// - If the context times out or is canceled, it logs the error and returns
// an appropriate message.
// - If there is an error during source acquisition, secret generation, or
// payload processing, it returns an error with details.
func Post(
parentContext context.Context, r *http.Request, sc data.SentinelCommand,
) (string, error) {
ctxWithTimeout, cancel := context.WithTimeout(
parentContext,
env.SourceAcquisitionTimeoutForSafe(),
)
defer cancel()
cid := ctxWithTimeout.Value(key.CorrelationId).(*string)
sourceChan := make(chan *workloadapi.X509Source)
proceedChan := make(chan bool)
go func() {
source, proceed := acquireSource(ctxWithTimeout)
sourceChan <- source
proceedChan <- proceed
}()
select {
case <-ctxWithTimeout.Done():
if errors.Is(ctxWithTimeout.Err(), context.DeadlineExceeded) {
log.Println(cid,
"Post: I cannot execute command because I cannot talk to SPIRE.")
return "",
errors.New(
"post: I cannot execute command because I cannot talk to SPIRE")
}
log.Println(cid, "Post: Operation was cancelled due to an unknown reason.")
case source := <-sourceChan:
defer func(s *workloadapi.X509Source) {
if s == nil {
return
}
err := s.Close()
if err != nil {
log.Println(cid, "Post: Problem closing the workload source.")
}
}(source)
proceed := <-proceedChan
if !proceed {
return "", printPayloadError(cid,
errors.New("post: Could not proceed"))
}
authorizer := createAuthorizer()
if sc.SerializedRootKeys != "" {
p, err := url.JoinPath(env.EndpointUrlForSafe(), "/sentinel/v1/keys")
if err != nil {
return "", printEndpointError(cid, err)
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
parts := sc.SplitRootKeys()
if len(parts) != 3 {
return "", printPayloadError(
cid, errors.New("post: Bad data! Very bad data"))
}
sr := newInputKeysRequest(parts[0], parts[1], parts[2])
md, err := json.Marshal(sr)
if err != nil {
return "", printPayloadError(cid, err)
}
return doPost(cid, client, r, p, md)
}
// Generate pattern-based random secrets if the secret has the prefix.
if strings.HasPrefix(sc.Secret, env.SecretGenerationPrefix()) {
sc.Secret = strings.Replace(
sc.Secret, env.SecretGenerationPrefix(), "", 1,
)
newSecret, err := template.Value(sc.Secret)
if err != nil {
sc.Secret = "ParseError:" + sc.Secret
} else {
sc.Secret = newSecret
}
}
p, err := url.JoinPath(env.EndpointUrlForSafe(), "/sentinel/v1/secrets")
if err != nil {
return "", printEndpointError(cid, err)
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
log.Println(cid, "Post: newSecretUpsertRequest")
sr := newSecretUpsertRequest(sc.WorkloadIds, sc.Secret, sc.Namespaces,
sc.Template, sc.Format,
sc.Encrypt, sc.NotBefore, sc.Expires)
md, err := json.Marshal(sr)
if err != nil {
return "", printPayloadError(cid, err)
}
if sc.DeleteSecret {
return doDelete(cid, client, r, p, md)
}
return doPost(cid, client, r, p, md)
}
return "", fmt.Errorf("post: An error occured")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"context"
"log"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
func acquireSource(ctx context.Context) (*workloadapi.X509Source, bool) {
resultChan := make(chan *workloadapi.X509Source)
errorChan := make(chan error)
cid := ctx.Value(key.CorrelationId).(*string)
go func() {
source, err := workloadapi.NewX509Source(
ctx, workloadapi.WithClientOptions(
workloadapi.WithAddr(env.SpiffeSocketUrl()),
),
)
if err != nil {
errorChan <- err
return
}
if err != nil {
log.Println(cid, "acquireSource: "+
"I am having trouble fetching my identity from SPIRE.",
err.Error())
log.Println(cid,
"acquireSource: "+
"I won't proceed until you put me in a secured container.",
err.Error())
errorChan <- err
return
}
resultChan <- source
}()
select {
case source := <-resultChan:
return source, true
case err := <-errorChan:
log.Println(cid, "acquireSource: "+
"I cannot execute command because I cannot talk to SPIRE.",
err.Error())
return nil, false
case <-ctx.Done():
log.Println(cid, "acquireSource: Operation was cancelled.")
return nil, false
}
}
package server
import (
"context"
"net/http"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/oidc/safe"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/log/rpc"
)
// SafeOperations is an interface that defines the methods for safe operations.
type SafeOperations interface {
GetSecrets(ctx context.Context,
r *http.Request, encrypt bool) (string, error)
UpdateSecrets(ctx context.Context,
r *http.Request, cmd data.SentinelCommand) (string, error)
}
// Authorizer is an interface that defines the methods for authorizing requests.
type Authorizer interface {
IsAuthorized(id string, r *http.Request) bool
}
// Logger is an interface that defines the methods for logging.
type Logger interface {
InfoLn(correlationID *string, v ...any)
ErrorLn(correlationID *string, v ...any)
}
// SafeClient implements the SafeOperations interface for interacting
// with the VSecM Safe.
type SafeClient struct{}
var _ SafeOperations = (*SafeClient)(nil)
// GetSecrets retrieves secrets from the safe.
// It takes a context, an HTTP request, and a boolean indicating whether to
// encrypt the secrets.
// It returns the secrets as a string and any error encountered.
func (SafeClient) GetSecrets(ctx context.Context,
r *http.Request, encrypt bool) (string, error) {
return safe.Get(ctx, r, encrypt)
}
// UpdateSecrets updates secrets in the safe.
// It takes a context, an HTTP request, and a SentinelCommand containing
// the update details.
// It returns the result as a string and any error encountered.
func (SafeClient) UpdateSecrets(ctx context.Context,
r *http.Request, cmd data.SentinelCommand) (string, error) {
return safe.Post(ctx, r, cmd)
}
// RpcLogger implements the Logger interface for RPC logging.
type RpcLogger struct{}
var _ Logger = (*RpcLogger)(nil)
// InfoLn logs information messages.
// It takes a correlation ID and a variable number of arguments to log.
func (RpcLogger) InfoLn(correlationID *string, v ...any) {
rpc.InfoLn(correlationID, v...)
}
// ErrorLn logs error messages.
// It takes a correlation ID and a variable number of arguments to log.
func (RpcLogger) ErrorLn(correlationID *string, v ...any) {
rpc.ErrorLn(correlationID, v...)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets… secret
>/
<>/' Copyright 2023–present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package server
import (
"log"
"net/http"
"github.com/vmware-tanzu/secrets-manager/app/sentinel/internal/oidc/engine"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// Serve initializes and starts an HTTP server for VSecM Sentinel.
//
// This function sets up an HTTP server with a multiplexer for handling requests.
// It specifically registers the "/secrets" endpoint with the HandleSecrets
// function from the engine package.
//
// Example usage:
//
// Serve() // This will start the server and listen for incoming requests.
//
// Details:
// - mux: An HTTP request multiplexer that routes incoming requests to the
// registered handler functions.
// - HandleSecrets: A function from the engine package that processes
// requests to the "/secrets" endpoint.
func Serve() {
mux := http.NewServeMux()
srv := engine.New(&SafeClient{}, &RpcLogger{})
mux.HandleFunc("/secrets", srv.HandleSecrets)
port := env.SentinelOIDCResourceServerPort()
log.Println("VSecM Server started at " + port)
log.Fatal(http.ListenAndServe(port, mux))
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"bytes"
"errors"
"net/http"
)
func doDelete(cid *string, client *http.Client, p string, md []byte) error {
req, err := http.NewRequest(http.MethodDelete, p, bytes.NewBuffer(md))
if err != nil {
return errors.Join(
err,
errors.New("post:Delete: Problem connecting"+
" to VSecM Safe API endpoint URL"),
)
}
req.Header.Set("Content-Type", "application/json")
r, err := client.Do(req)
if err != nil {
return errors.Join(
err,
errors.New("post:Delete: Problem connecting"+
" to VSecM Safe API endpoint URL"),
)
}
if r.StatusCode != http.StatusOK {
return errors.New("post: Problem connecting to VSecM Safe API endpoint URL")
}
respond(cid, r)
return nil
}
func doPost(cid *string, client *http.Client, p string, md []byte) error {
r, err := client.Post(p, "application/json", bytes.NewBuffer(md))
if err != nil {
return errors.Join(
err,
errors.New("post: Problem connecting to VSecM Safe API endpoint URL"),
)
}
if r.StatusCode != http.StatusOK {
return errors.New("post: Problem connecting to VSecM Safe API endpoint URL")
}
respond(cid, r)
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
func decideSecretFormat(format string) data.SecretFormat {
switch data.SecretFormat(format) {
case data.Json:
return data.Json
case data.Yaml:
return data.Yaml
default:
return data.Json
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"context"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
u "github.com/vmware-tanzu/secrets-manager/core/constants/url"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/rpc"
"github.com/vmware-tanzu/secrets-manager/core/spiffe"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// Check validates the connectivity to VSecM Safe by calling the "list secrets"
// API and expecting a successful response. The successful return (`nil`) from
// this method means that VSecM Safe is up, and VSecM Sentinel is able to
// establish an authorized request and get a meaningful response body.
//
// Parameters:
// - ctx: Context used for operation cancellation and passing metadata such as
// "correlationId" for logging purposes.
// - source: A pointer to a workloadapi.X509Source that provides the necessary
// credentials for mTLS communication.
//
// Returns:
// - An error if the validation fails, the workload source is nil, there's an
// issue with constructing the API endpoint URL, problems occur during the
// HTTP request to the VSecM Safe API endpoint, or the response body cannot
// be read. The error includes a descriptive message indicating the nature
// of the failure.
func Check(ctx context.Context, source *workloadapi.X509Source) (int, string, error) {
cid := ctx.Value(key.CorrelationId).(*string)
if source == nil {
return -1, "", errors.New("check: workload source is nil")
}
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsSafe(id.String()) {
return nil
}
return errors.New(
"I don't know you, and it's crazy: '" + id.String() + "'",
)
})
safeUrl := u.SentinelSecrets
p, err := url.JoinPath(env.EndpointUrlForSafe(), safeUrl)
if err != nil {
return -1, "", errors.Join(
err,
fmt.Errorf(
"check: I am having problem generating"+
" VSecM Safe secrets api endpoint URL: %s\n",
safeUrl,
),
)
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
r, err := client.Get(p)
if err != nil {
return -1, "", errors.Join(
err,
fmt.Errorf(
"check: Problem connecting to"+
" VSecM Safe API endpoint URL: %s\n",
safeUrl,
),
)
}
if r.StatusCode != http.StatusOK {
return r.StatusCode, "", errors.New(
"check: VSecM Safe API endpoint returned an unexpected status: " +
r.Status,
)
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.ErrorLn(cid, "Get: Problem closing request body.")
}
}(r.Body)
body, err := io.ReadAll(r.Body)
if err != nil {
return r.StatusCode, "", errors.Join(
err,
errors.New("check: Unable to read the response body from VSecM Safe"),
)
}
return r.StatusCode, string(body), nil
}
// Get retrieves secrets from a VSecM Safe API endpoint based on the context and
// whether encrypted secrets should be shown.
// The function uses SPIFFE for secure communication, establishing mTLS with
// the server.
//
// Parameters:
// - ctx: Context used for operation cancellation and passing metadata across
// API boundaries. It must contain a "correlationId" value.
// - showEncryptedSecrets: A boolean flag indicating whether to retrieve
// encrypted secrets. If true, secrets are shown in encrypted form.
func Get(ctx context.Context, showEncryptedSecrets bool) error {
cid := ctx.Value(key.CorrelationId).(*string)
log.AuditLn(cid, "Sentinel:Get")
source, proceed := spiffe.AcquireSourceForSentinel(ctx)
defer func(s *workloadapi.X509Source) {
if s == nil {
return
}
err := s.Close()
if err != nil {
log.ErrorLn(cid, "Get: Problem closing the workload source.")
}
}(source)
if !proceed {
return errors.New("get: Problem acquiring source")
}
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsSafe(id.String()) {
return nil
}
return errors.New("I don't know you, and it's crazy: '" +
id.String() + "'")
})
safeUrl := u.SentinelSecrets
if showEncryptedSecrets {
safeUrl = u.SentinelSecretsWithReveal
}
p, err := url.JoinPath(env.EndpointUrlForSafe(), safeUrl)
if err != nil {
return errors.Join(
err,
errors.New("problem generating VSecM Safe secrets api endpoint URL"),
)
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
r, err := client.Get(p)
if err != nil {
return errors.Join(
err,
errors.New("problem connecting to VSecM Safe API endpoint URL"),
)
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.ErrorLn(cid, "Get: Problem closing request body.")
}
}(r.Body)
body, err := io.ReadAll(r.Body)
if err != nil {
return errors.Join(
err,
errors.New("unable to read the response body from VSecM Safe"),
)
}
fmt.Println("")
fmt.Println(string(body))
fmt.Println("")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
u "github.com/vmware-tanzu/secrets-manager/core/constants/url"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// CheckInitialization verifies if VSecM Sentinel has executed its init commands
// stanza successfully. This function utilizes a SPIFFE-based mTLS
// authentication mechanism to securely connect to a specified API endpoint.
//
// Parameters:
// - ctx context.Context: The context carrying the correlation ID used for
// logging and tracing the operation across different system components.
// The correlation ID is extracted from the context for error logging
// purposes.
// - source *workloadapi.X509Source: A pointer to an X509Source, which
// provides the credentials necessary for mTLS configuration. The source
// must not be nil, as it is essential for establishing the TLS connection.
//
// Returns:
// - bool: Returns true if VSecM Sentinel is initialized; false otherwise .
// - error: Returns an error if the workload source is nil, URL joining fails,
// the API call fails, the response body cannot be read, or the JSON
// response cannot be unmarshalled. The error will provide a detailed
// message about the nature of the failure.
func CheckInitialization(
ctx context.Context, source *workloadapi.X509Source,
) (bool, error) {
cid := ctx.Value(key.CorrelationId).(*string)
if source == nil {
return false, errors.New("check: workload source is nil")
}
authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsSafe(id.String()) {
return nil
}
return errors.New(
"I don't know you, and it's crazy: '" + id.String() + "'",
)
})
checkUrl := u.SentinelKeystone
p, err := url.JoinPath(env.EndpointUrlForSafe(), checkUrl)
if err != nil {
return false, errors.Join(
err,
fmt.Errorf(
"check: I am having problem"+
" generating VSecM Safe secrets api endpoint URL: %s\n",
checkUrl,
),
)
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
r, err := client.Get(p)
if err != nil {
return false, errors.Join(
err,
fmt.Errorf(
"check: Problem connecting"+
" to VSecM Safe API endpoint URL: %s\n",
checkUrl,
),
)
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.ErrorLn(cid, "Get: Problem closing request body.")
}
}(r.Body)
res, err := io.ReadAll(r.Body)
if err != nil {
return false, errors.Join(
err,
errors.New("check: Unable to read the response body from VSecM Safe"),
)
}
log.TraceLn(cid, "json result: ' ", string(res), " ' status: ",
r.Status, "code", r.StatusCode)
var result entity.KeystoneStatusResponse
if err := json.Unmarshal(res, &result); err != nil {
log.ErrorLn(cid, "error unmarshalling JSON: %v", err.Error())
return false, err
}
return result.Status == data.Ready, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"context"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"time"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
u "github.com/vmware-tanzu/secrets-manager/core/constants/url"
entity "github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/rpc"
"github.com/vmware-tanzu/secrets-manager/core/spiffe"
"github.com/vmware-tanzu/secrets-manager/lib/template"
)
var seed = time.Now().UnixNano()
// Post handles the posting of secrets to the VSecM Safe API using the
// provided SentinelCommand.
//
// This function performs the following steps:
// 1. Creates a context with a timeout based on the parent context and
// environment settings.
// 2. Computes a hash of the secret for logging purposes if configured to do so.
// 3. Acquires a workload source and proceeds only if the source acquisition
// is successful.
// 4. Depending on the SentinelCommand, it either posts new secrets or deletes
// existing ones.
//
// Parameters:
// - parentContext: The parent context for the request, used for tracing and
// cancellation.
// - sc: The SentinelCommand containing details for the secret management
// operation.
//
// Returns:
// - An error if the operation fails, or nil if successful.
//
// Example usage:
//
// parentContext := context.Background()
// sc := entity.SentinelCommand{
// WorkloadIds: []string{"workload1"},
// Secret: "my-secret",
// Namespaces: []string{"namespace1"},
// SerializedRootKeys: "key1\nkey2\nkey3",
// }
// err := Post(parentContext, sc)
// if err != nil {
// log.Fatal(err)
// }
//
// Error Handling:
// - If the context times out or is canceled, it logs the error and returns
// an appropriate message.
// - If there is an error during source acquisition, secret generation, or
// payload processing, it returns an error with details.
func Post(parentContext context.Context,
sc entity.SentinelCommand,
) error {
ctxWithTimeout, cancel := context.WithTimeout(
parentContext,
env.SourceAcquisitionTimeoutForSafe(),
)
defer cancel()
cid := ctxWithTimeout.Value(key.CorrelationId).(*string)
ids := ""
for _, id := range sc.WorkloadIds {
ids += id + ", "
}
hashString := "<>"
if env.LogSecretFingerprints() {
secret := sc.Secret
uniqueData := fmt.Sprintf("%s-%d", secret, seed)
dataBytes := []byte(uniqueData)
hasher := sha256.New()
hasher.Write(dataBytes)
hashBytes := hasher.Sum(nil)
hashString = hex.EncodeToString(hashBytes)
}
log.AuditLn(cid, "Sentinel:Post: ws:", ids, "h:", hashString)
sourceChan := make(chan *workloadapi.X509Source)
proceedChan := make(chan bool)
go func() {
source, proceed := spiffe.AcquireSourceForSentinel(ctxWithTimeout)
sourceChan <- source
proceedChan <- proceed
}()
select {
case <-ctxWithTimeout.Done():
if errors.Is(ctxWithTimeout.Err(), context.DeadlineExceeded) {
return errors.Join(
ctxWithTimeout.Err(),
errors.New("post:"+
" I cannot execute command because I cannot talk to SPIRE"),
)
}
return errors.New("post: Operation was cancelled due to an unknown reason")
case source := <-sourceChan:
defer func(s *workloadapi.X509Source) {
if s == nil {
return
}
err := s.Close()
if err != nil {
log.ErrorLn(cid, "post: Problem closing the workload source")
}
}(source)
proceed := <-proceedChan
if !proceed {
return errors.New("post: Could not acquire source for Sentinel")
}
authorizer := createAuthorizer()
if sc.SerializedRootKeys != "" {
log.InfoLn(cid, "Post: I am going to post the root keys.")
p, err := url.JoinPath(env.EndpointUrlForSafe(), "/sentinel/v1/keys")
if err != nil {
return errors.New("post: I am having problem" +
" generating VSecM Safe secrets api endpoint URL")
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
parts := sc.SplitRootKeys()
if len(parts) != 3 {
return errors.New("post: Bad data! Very bad data")
}
sr := newRootKeyUpdateRequest(parts[0], parts[1], parts[2])
md, err := json.Marshal(sr)
if err != nil {
return errors.Join(
err,
errors.New("post: I am having problem generating the payload"),
)
}
return doPost(cid, client, p, md)
}
log.InfoLn(cid, "Post: I am going to post the secrets.")
// Generate pattern-based random secrets if the secret has the prefix.
if strings.HasPrefix(sc.Secret, env.SecretGenerationPrefix()) {
sc.Secret = strings.Replace(
sc.Secret, env.SecretGenerationPrefix(), "", 1,
)
newSecret, err := template.Value(sc.Secret)
if err != nil {
sc.Secret = "ParseError:" + sc.Secret
} else {
sc.Secret = newSecret
}
}
p, err := url.JoinPath(env.EndpointUrlForSafe(), u.SentinelSecrets)
if err != nil {
return errors.Join(
err,
errors.New("post: I am having problem "+
"generating VSecM Safe secrets api endpoint URL"),
)
}
tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
},
}
sr := newSecretUpsertRequest(sc.WorkloadIds, sc.Secret, sc.Namespaces,
sc.Template, sc.Format,
sc.Encrypt, sc.NotBefore, sc.Expires)
md, err := json.Marshal(sr)
if err != nil {
return errors.Join(
err,
errors.New("post: I am having problem generating the payload"),
)
}
if sc.DeleteSecret {
return doDelete(cid, client, p, md)
}
log.TraceLn(cid, "doPost", "workload-ids", sc.WorkloadIds, "secret",
sc.Secret, "namespaces", sc.Namespaces)
return doPost(cid, client, p, md)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
reqres "github.com/vmware-tanzu/secrets-manager/core/entity/v1/reqres/safe"
)
func newRootKeyUpdateRequest(
ageSecretKey, agePublicKey, aesCipherKey string,
) reqres.KeyInputRequest {
return reqres.KeyInputRequest{
AgeSecretKey: ageSecretKey,
AgePublicKey: agePublicKey,
AesCipherKey: aesCipherKey,
}
}
func newSecretUpsertRequest(workloadIds []string, secret string,
namespaces []string, template string, format string,
encrypt bool, notBefore string, expires string,
) reqres.SecretUpsertRequest {
f := decideSecretFormat(format)
if notBefore == "" {
notBefore = val.TimeNow
}
if expires == "" {
expires = val.TimeNever
}
return reqres.SecretUpsertRequest{
WorkloadIds: workloadIds,
Namespaces: namespaces,
Template: template,
Format: f,
Encrypt: encrypt,
Value: secret,
NotBefore: notBefore,
Expires: expires,
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"fmt"
"io"
"net/http"
log "github.com/vmware-tanzu/secrets-manager/core/log/rpc"
)
func respond(cid *string, r *http.Response) {
if r == nil {
return
}
defer func(b io.ReadCloser) {
if b == nil {
return
}
err := b.Close()
if err != nil {
log.ErrorLn(cid, "Post: Problem closing request body.", err.Error())
}
}(r.Body)
body, err := io.ReadAll(r.Body)
if err != nil {
log.ErrorLn(cid,
"Post: Unable to read the response body from VSecM Safe.",
err.Error())
return
}
fmt.Println("")
fmt.Println(string(body))
fmt.Println("")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package safe
import (
"errors"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
func createAuthorizer() tlsconfig.Authorizer {
return tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
if validation.IsSafe(id.String()) {
return nil
}
return errors.New("Post: I don't know you, and it's crazy: '" +
id.String() + "'",
)
})
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"github.com/spiffe/vsecm-sdk-go/sentry"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
env3 "github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/lib/system"
"os"
)
func main() {
id := crypto.Id()
log.InfoLn(&id, "Starting VSecM Sidecar")
//Print the diagnostic information about the environment.
envVarsToPrint := []string{
string(env.AppVersion),
string(env.VSecMLogLevel),
}
log.PrintEnvironmentInfo(&id, envVarsToPrint)
fmt.Println("-----")
fmt.Println("Environment info", env3.PollIntervalForSidecar())
fmt.Println("env", os.Getenv("VSECM_SIDECAR_POLL_INTERVAL"))
fmt.Println("-----")
// Periodically update secret values:
go sentry.Watch()
// Keep the main routine alive:
system.KeepAlive()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"encoding/json"
"fmt"
"io"
"log"
"net/http"
)
var (
githubAPIURL = "https://api.github.com/repos/vmware-tanzu/secrets-manager/git/refs/heads/main"
)
type GitHubResponse struct {
Object struct {
SHA string `json:"sha"`
} `json:"object"`
}
func getLatestCommitHash() (string, error) {
resp, err := http.Get(githubAPIURL)
if err != nil {
return "", err
}
defer func(Body io.ReadCloser) {
err := Body.Close()
if err != nil {
log.Printf("Error closing response body: %s", err)
}
}(resp.Body)
body, err := io.ReadAll(resp.Body)
if err != nil {
return "", err
}
if resp.StatusCode != http.StatusOK {
return "", fmt.Errorf("error fetching latest commit hash: %s", body)
}
var gitHubResponse GitHubResponse
err = json.Unmarshal(body, &gitHubResponse)
if err != nil {
return "", err
}
return gitHubResponse.Object.SHA, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"bufio"
"os"
"os/exec"
"strings"
)
func setMinikubeDockerEnv() error {
cmd := exec.Command("minikube", "-p", "minikube", "docker-env")
out, err := cmd.Output()
if err != nil {
return err
}
scanner := bufio.NewScanner(strings.NewReader(string(out)))
for scanner.Scan() {
line := scanner.Text()
if !strings.HasPrefix(line, "export ") {
continue
}
parts := strings.SplitN(line, " ", 3)
if len(parts) != 2 {
continue
}
keyValue := strings.SplitN(parts[1], "=", 2)
if len(keyValue) != 2 {
continue
}
key := keyValue[0]
value := strings.Trim(keyValue[1], "\"")
err := os.Setenv(key, value)
if err != nil {
return err
}
}
if scanner.Err() != nil {
return scanner.Err()
}
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"io"
"log"
"os"
"time"
)
var lockFilePath = "/opt/vsecm/git_poller.lock"
// createLockFile tries to create a lock file and returns an error if it
// already exists
func createLockFile() error {
lockFile, err := os.OpenFile(lockFilePath, os.O_CREATE|os.O_EXCL, 0666)
if err == nil {
return nil
}
defer func(l io.ReadCloser) {
err := l.Close()
if err != nil {
log.Printf("Error closing lock file: %s", err)
}
}(lockFile)
if !os.IsExist(err) {
return err
}
// Check if the lock file is more than one day old
fileInfo, statErr := os.Stat(lockFilePath)
if statErr != nil {
return statErr
}
if time.Since(fileInfo.ModTime()) > 24*time.Hour {
// File is older than one day, attempt to remove it and create a new one
removeErr := os.Remove(lockFilePath)
if removeErr != nil {
return removeErr
}
return createLockFile()
}
// File is new; return the error instead.
return err
}
// removeLockFile deletes the lock file
func removeLockFile() {
err := os.Remove(lockFilePath)
if err != nil {
log.Printf("Error removing lock file: %s", err)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"log"
)
func main() {
if err := createLockFile(); err != nil {
log.Println("Another instance is already running. Exiting.")
return
}
defer removeLockFile()
move, currentCommitHash := proceed()
if !move {
log.Println("No commit hash change... exiting.")
return
}
done := runPipeline()
if !done {
log.Println("Pipeline failed: exiting.")
notifyBuildFailure()
return
}
if err := writeCommitHashToFile(currentCommitHash); err != nil {
log.Println("Error writing to file:", err)
return
}
}
package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"log"
"net/http"
"os"
"strings"
)
const apiKeyPath = "/opt/vsecm/ifttt.key"
func notifyBuildFailure() {
log.Println("Build failed, notifying interested parties...")
// Read the API key from a file
apiKeyBytes, err := os.ReadFile(apiKeyPath)
if err != nil {
fmt.Println("Error reading API key file:", err)
return
}
apiKey := strings.TrimSpace(string(apiKeyBytes))
urlTemplate := "https://maker.ifttt.com/trigger/{event}/json/with/key/%s"
event := "vsecm-build-failed"
url := fmt.Sprintf(urlTemplate, apiKey)
url = strings.Replace(url, "{state}", event, 1)
payload := map[string]interface{}{}
jsonData, err := json.Marshal(payload)
if err != nil {
log.Println("Error encoding JSON:", err)
return
}
req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
if err != nil {
log.Println("Error creating request:", err)
return
}
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
log.Println("Error sending request:", err)
return
}
defer func(Body io.ReadCloser) {
err := Body.Close()
if err != nil {
log.Println("Error closing response body:", err)
}
}(resp.Body)
body, err := io.ReadAll(resp.Body)
if err != nil {
log.Println("Error reading response body:", err)
return
}
log.Println("Response:", string(body))
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"log"
"os"
)
func proceed() (bool, string) {
err := os.Setenv("PATH", osPath)
if err != nil {
log.Println("Error setting PATH:", err)
return false, ""
}
err = os.Chdir(projectDirectory)
if err != nil {
log.Println("Error changing directory:", err)
return false, ""
}
lastKnownCommitHash, err := readCommitHashFromFile()
if err != nil && !os.IsNotExist(err) {
log.Println("Error reading from file:", err)
return false, ""
}
currentCommitHash, err := getLatestCommitHash()
if err != nil {
log.Println("Error fetching latest commit hash:", err)
return false, ""
}
if currentCommitHash == lastKnownCommitHash {
// Nothing to do here.
return false, ""
}
log.Println("New commit detected:", currentCommitHash)
return true, currentCommitHash
}
func runPipeline() bool {
if err := runCommand("make", "k8s-delete"); err != nil {
log.Printf("make build-local failed: %s", err)
return false
}
if err := runCommand("make", "k8s-start"); err != nil {
log.Printf("make build-local failed: %s", err)
return false
}
if err := setMinikubeDockerEnv(); err != nil {
log.Printf("Failed to set Minikube Docker environment: %s", err)
}
if err := runCommand("make", "build-local"); err != nil {
log.Printf("make build-local failed: %s", err)
return false
}
if err := runCommand("make", "deploy-local"); err != nil {
log.Printf("make deploy-local failed: %s", err)
return false
}
if err := runCommand("make", "test-local-ci"); err != nil {
log.Printf("make test-local failed: %s", err)
return false
}
return true
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"log"
"os"
"os/exec"
)
func runCommand(command string, args ...string) error {
cmd := exec.Command(command, args...)
cmd.Stdout = os.Stdout // Forward stdout
cmd.Stderr = os.Stderr // Forward stderr
log.Printf("Executing command: %s %v", command, args)
if err := cmd.Run(); err != nil {
return err
}
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import "os"
var commitHashFile = "/opt/vsecm/commit-hash"
func readCommitHashFromFile() (string, error) {
data, err := os.ReadFile(commitHashFile)
if err != nil {
return "", err
}
return string(data), nil
}
func writeCommitHashToFile(commitHash string) error {
return os.WriteFile(commitHashFile, []byte(commitHash), 0644)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package assert
import (
"errors"
"fmt"
"strings"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
"github.com/vmware-tanzu/secrets-manager/ci/test/vsecm"
"github.com/vmware-tanzu/secrets-manager/ci/test/workload"
)
func SentinelCanEncryptSecret(value string) error {
sentinel, err := vsecm.Sentinel()
if err != nil || sentinel == "" || value == "" {
return errors.Join(
err,
errors.New("encryptedSecret: Failed to define sentinel or value"),
)
}
// Execute the encryption command within the sentinel pod.
res, err := io.Exec("kubectl", "exec", sentinel,
"-n", "vsecm-system", "--", "safe", "-s", value, "-e")
if err != nil {
return errors.Join(
err,
errors.New("EncryptedSecret: Failed to exec kubectl"),
)
}
// Assert that the result exists.
if strings.TrimSpace(res) == "" {
return errors.New("EncryptedSecret: Encrypted secret is empty")
}
return nil
}
func InitContainerIsRunning() error {
w, err := workload.Example()
if err != nil || w == "" {
return errors.Join(
err,
errors.New("InitContainerIsRunning: Failed to define workload"),
)
}
podStatus, err := io.Exec("kubectl", "get", "pod", "-n", "default", w,
"-o", "jsonpath={.status.initContainerStatuses[0].state.running}")
if err != nil {
return errors.Join(
err,
errors.New("InitContainerIsRunning: Failed to exec kubectl"),
)
}
if podStatus == "" {
return errors.New("InitContainerIsRunning: Init container is not running")
}
return nil
}
func WorkloadIsRunning() error {
fmt.Println("Asserting workload is running...")
// Define the workload pod.
w, err := workload.Example()
if err != nil || w == "" {
return errors.Join(
err,
errors.New("WorkloadIsRunning: Failed to define workload"),
)
}
// Fetch all pods in the 'default' namespace and count how many are in
// 'Running' status for the defined workload.
cmdOutput, err := io.Exec("kubectl", "get", "po", "-n", "default", "-o",
"jsonpath={.items[*].status.phase}", "-l", "app.kubernetes.io/instance!=my-postgres")
if err != nil {
return errors.Join(
err,
errors.New("WorkloadIsRunning: Failed to exec kubectl"),
)
}
// Count how many times 'Running' appears in the command output.
podCount := strings.Count(cmdOutput, "Running")
if podCount == 0 {
return errors.New("WorkloadIsRunning: No running pods found")
}
if podCount != 1 {
return fmt.Errorf("expected 1 running pod for workload, found %d", podCount)
}
return nil
}
func WorkloadSecretHasNoValue() error {
w, err := workload.Example()
if err != nil || w == "" {
return errors.Join(
err,
errors.New("WorkloadSecretHasNoValue: Failed to define workload"),
)
}
// Execute the command within the workload pod to check the environment or secret.
res, err := io.Exec("kubectl", "exec", w, "-n", "default",
"-c", "main", "--", "./env")
if err != nil {
return errors.Join(
err,
errors.New("WorkloadSecretHasNoValue: Failed to exec kubectl"),
)
}
res = strings.TrimSpace(res)
if len(res) == 0 {
return nil
}
// Check if the response indicates that no secret is set.
if strings.Contains(res, "NO_SECRET") {
return nil
}
return errors.New("workloadSecretHasNoValue: Secret should not have a value")
}
func WorkloadSecretHasValue(expectedValue string) error {
if expectedValue == "" {
return errors.New("workloadSecretHasValue: Expected value is empty")
}
w, err := workload.Example()
if err != nil {
return errors.Join(
err,
errors.New("workloadSecretHasValue: Failed to define workload"),
)
}
res, err := io.Exec("kubectl", "exec", w, "-n", "default", "-c", "main", "--", "./env")
if err != nil {
return errors.Join(
err,
errors.New("WorkloadSecretHasValue: Failed to exec kubectl"),
)
}
if strings.Contains(res, expectedValue) {
return nil
}
return errors.New("workloadSecretHasValue: Secret value does not match expected")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package deploy
import (
"fmt"
"os"
"strings"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
)
func WorkloadUsingSDK() error {
fmt.Println("Deploying workload that uses the SDK...")
origin := os.Getenv("ORIGIN")
var deployCommand string
switch origin {
case "remote":
deployCommand = "make example-sdk-deploy"
default:
deployCommand = "make example-sdk-deploy-local"
}
// Splitting command and arguments
parts := strings.Fields(deployCommand)
command := parts[0]
args := parts[1:]
if output, err := io.Exec(command, args...); err != nil {
return fmt.Errorf("deploy command failed: %w\nOutput: %s", err, output)
}
// Wait for the workload to be ready.
if err := io.Wait(10); err != nil {
return fmt.Errorf("waiting for workload failed: %w", err)
}
fmt.Println("Deployed workload that uses the SDK.")
return nil
}
func WorkloadUsingSidecar() error {
fmt.Println("Deploying workload that uses the sidecar...")
origin := os.Getenv("ORIGIN")
var command string
switch origin {
case "remote":
command = "make example-sidecar-deploy"
default:
command = "make example-sidecar-deploy-local"
}
// Splitting command and arguments for executeCommand
parts := strings.Fields(command)
cmd, args := parts[0], parts[1:]
if output, err := io.Exec(cmd, args...); err != nil {
return fmt.Errorf("deploy command failed: %v\nOutput: %s", err, output)
}
// Wait for the workload to be ready.
if err := io.Wait(10); err != nil {
return fmt.Errorf("waiting for workload failed: %w", err)
}
fmt.Println("Deployed workload that uses the sidecar.")
return nil
}
func WorkloadUsingInitContainer() error {
fmt.Println("Deploying workload that uses the init container...")
origin := os.Getenv("ORIGIN")
var command string
// Determine the deployment command based on the ORIGIN environment variable.
switch origin {
case "remote":
command = "make example-init-container-deploy"
default:
command = "make example-init-container-deploy-local"
}
// Split the command to pass to executeCommand.
parts := strings.Fields(command)
cmd, args := parts[0], parts[1:]
// Execute the deployment command.
output, err := io.Exec(cmd, args...)
if err != nil {
return fmt.Errorf("deployment command failed: %v\nOutput: %s", err, output)
}
// Pause for deployment to settle.
time.Sleep(10 * time.Second)
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/deploy"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
"github.com/vmware-tanzu/secrets-manager/ci/test/workload"
)
func InitContainer() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Init Container...")
if err := deploy.WorkloadUsingInitContainer(); err != nil {
return errors.Join(
err,
errors.New("deployWorkloadUsingInitContainer failed"),
)
}
// Pause for deployment to reconcile.
time.Sleep(10 * time.Second)
_, err := workload.Example()
if err != nil {
return errors.Join(
err,
errors.New("workload.Example failed"),
)
}
if err := assert.InitContainerIsRunning(); err != nil {
return errors.Join(
err,
errors.New("assertInitContainerRunning failed"),
)
}
// Additional pause just in case.
time.Sleep(30 * time.Second)
// Set a Kubernetes secret via Sentinel.
if err := sentinel.SetKubernetesSecretToTriggerInitContainer(); err != nil {
return errors.Join(
err,
errors.New("setKubernetesSecret failed"),
)
}
// Assert the workload is running.
if err := assert.WorkloadIsRunning(); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadIsRunning failed"),
)
}
fmt.Println("🟢 PASS: Init Container test passed.")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretDeletion() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret deletion...")
if err := sentinel.DeleteSecret(); err != nil {
return errors.Join(
err,
errors.New("deleting secret"),
)
}
if err := assert.WorkloadSecretHasNoValue(); err != nil {
return errors.Join(
err,
errors.New("asserting workload secret no value"),
)
}
fmt.Println("🟢 PASS: Secret deletion successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretDeletionSidecar() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret deletion (sidecar)...")
if err := sentinel.DeleteSecret(); err != nil {
return errors.Join(
err,
errors.New("deleteSecret failed"),
)
}
// Pause to simulate waiting for the system to process the secret deletion.
time.Sleep(5 * time.Second) // Adjust the duration as needed for your environment.
if err := assert.WorkloadSecretHasNoValue(); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadSecretNoValue failed"),
)
}
fmt.Println("🟢 PASS: Secret deletion (sidecar) successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/deploy"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretEncryption() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Encrypting secrets...")
value := "!VSecMRocks!"
if err := assert.SentinelCanEncryptSecret(value); err != nil {
return errors.Join(
err,
errors.New("asserting encrypted secret"),
)
}
if err := deploy.WorkloadUsingSDK(); err != nil {
return errors.Join(
err,
errors.New("deploying workload using SDK"),
)
}
if err := sentinel.SetEncryptedSecret(value); err != nil {
return errors.Join(
err,
errors.New("setting encrypted secret"),
)
}
if err := assert.WorkloadSecretHasValue(value); err != nil {
return errors.Join(
err,
errors.New("asserting workload secret value"),
)
}
fmt.Println("🟢 PASS: Secret encryption successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretRegistration() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret registration...")
value := "!VSecMRocks!"
if err := sentinel.SetSecret(value); err != nil {
return errors.Join(
err,
errors.New("setting secret"),
)
}
if err := assert.WorkloadSecretHasValue(value); err != nil {
return errors.Join(
err,
errors.New("asserting workload secret value"),
)
}
fmt.Println("🟢 PASS: Secret registration successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretRegistrationJSONFormat() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret registration (JSON transformation)...")
value := `{"username": "*root*", "password": "*CasHC0w*"}`
transform := `{"USERNAME":"*root*", "PASSWORD":"*CasHC0w*"}`
if err := sentinel.SetJSONSecret(value, transform); err != nil {
return errors.Join(
err,
errors.New("setJSONSecret failed"),
)
}
if err := assert.WorkloadSecretHasValue(transform); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadSecretValue failed"),
)
}
if err := sentinel.DeleteSecret(); err != nil {
return errors.Join(
err,
errors.New("deleteSecret failed"),
)
}
fmt.Println("🟢 PASS: Secret registration (JSON transformation) successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretRegistrationJSONFormatSidecar() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret registration (JSON transformation)...")
value := `{"username": "*root*", "password": "*CasHC0w*"}`
transform := `{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}"}`
// Simulate setting a JSON secret with a transformation.
if err := sentinel.SetJSONSecret(value, transform); err != nil {
return errors.Join(
err,
errors.New("setJSONSecret failed"),
)
}
// Pause to allow time for the secret to be processed by the system.
time.Sleep(5 * time.Second)
transformed := `{"USERNAME":"*root*", "PASSWORD":"*CasHC0w*"}`
// Assert the transformed secret's value.
if err := assert.WorkloadSecretHasValue(transformed); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadSecretValue failed"),
)
}
// Delete the secret as part of cleanup.
if err := sentinel.DeleteSecret(); err != nil {
return fmt.Errorf("deleteSecret failed: %w", err)
}
fmt.Println("🟢 PASS: Secret registration (JSON transformation sidecar) successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretRegistrationSidecar() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret registration (sidecar)...")
value := "!VSecMRocks!"
if err := sentinel.SetSecret(value); err != nil {
return errors.Join(
err,
errors.New("setSecret failed"),
)
}
// Pause to simulate waiting for the secret to propagate or system to update.
time.Sleep(5 * time.Second)
if err := assert.WorkloadSecretHasValue(value); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadSecretValue failed"),
)
}
fmt.Println("🟢 PASS: Secret registration (sidecar) successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"strings"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
"github.com/vmware-tanzu/secrets-manager/ci/test/vsecm"
)
func setYAMLSecret(value, transform string) error {
if value == "" || transform == "" {
return errors.New("setYAMLSecret: Value or transform is empty")
}
s, err := vsecm.Sentinel()
if err != nil || s == "" {
return errors.Join(
err,
errors.New("setYAMLSecret: Failed to get sentinel"),
)
}
// Executing command within the sentinel pod to set the YAML secret with
// transformation.
_, err = io.Exec("kubectl", "exec", s, "-n", "vsecm-system",
"--", "safe", "-w", "example", "-n", "default", "-s", value,
"-t", transform, "-f", "yaml")
if err != nil {
return errors.Join(
err,
errors.New("setYAMLSecret: Failed to exec kubectl"),
)
}
return nil
}
func SecretRegistrationYAMLFormat() error {
fmt.Println("----")
fmt.Println("🧪 Testing: Secret registration (YAML transformation)...")
value := `{"username": "*root*", "password": "*CasHC0w*"}`
transform := `{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}"}`
err := setYAMLSecret(value, transform)
if err != nil {
return errors.Join(
err,
errors.New("setYAMLSecret failed"),
)
}
expectedTransformed := `
PASSWORD: '*CasHC0w*'
USERNAME: '*root*'
`
if err := assert.WorkloadSecretHasValue(
strings.TrimSpace(expectedTransformed),
); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadSecretValue failed"),
)
}
if err := sentinel.DeleteSecret(); err != nil {
return errors.Join(
err,
errors.New("deleteSecret failed"),
)
}
fmt.Println("🟢 PASS: Secret registration (YAML transformation) successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package eval
import (
"errors"
"fmt"
"strings"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/assert"
"github.com/vmware-tanzu/secrets-manager/ci/test/sentinel"
)
func SecretRegistrationYAMLFormatSidecar() error {
fmt.Println("----")
fmt.Println("🧪 Testing Secret registration (YAML transformation)...")
value := `{"username": "*root*", "password": "*CasHC0w*"}`
transform := `{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}"}`
// Simulate setting a YAML secret with transformation.
if err := setYAMLSecret(value, transform); err != nil {
return errors.Join(
err,
errors.New("setYAMLSecret failed"),
)
}
// Simulated transformed YAML as a string
transformed := `
PASSWORD: '*CasHC0w*'
USERNAME: '*root*'
`
// Pause to allow time for the system to process the secret.
time.Sleep(5 * time.Second)
// Assert the transformed secret's value.
if err := assert.WorkloadSecretHasValue(
strings.TrimSpace(transformed),
); err != nil {
return errors.Join(
err,
errors.New("assertWorkloadSecretValue failed"),
)
}
// Delete the secret as part of cleanup.
if err := sentinel.DeleteSecret(); err != nil {
return errors.Join(
err,
errors.New("deleteSecret failed"),
)
}
fmt.Println("🟢 PASS: Secret registration (YAML transformation sidecar) successful")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package io
import (
"fmt"
"os/exec"
"strings"
"time"
)
// Wait is a placeholder for the workload readiness check.
// Placeholder for the workload readiness check. Replace this with your actual readiness check logic.
func Wait(seconds time.Duration) error {
// This is a simplification. In a real scenario, you would check the workload's readiness more robustly.
fmt.Println("Waiting for the workload to be ready...")
time.Sleep(seconds * time.Second) // Simulate waiting for readiness with a sleep.
fmt.Println("Workload is now ready.")
return nil
}
func Exec(command string, args ...string) (string, error) {
fmt.Println("Executing: `", command, strings.Join(args, " "), "`")
cmd := exec.Command(command, args...)
out, err := cmd.CombinedOutput()
return strings.TrimSpace(string(out)), err
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"flag"
"fmt"
"os"
)
func main() {
origin := flag.String("origin", "local",
"The origin of the operation, can be 'remote' or 'local'.")
ci := flag.String("ci", "", "CI mode")
flag.Parse()
// Validate origin
if *origin != "remote" && *origin != "local" {
fmt.Println("Invalid origin. Must be 'remote', or 'local'.")
os.Exit(1)
}
_ = os.Setenv("ORIGIN", *origin)
fmt.Println("---- VSecM Integration Tests ----")
fmt.Printf("Running tests for %s origin\n", *origin)
if *ci == "" {
fmt.Println(`
This script assumes that you have a local minikube cluster running,
and you have already installed SPIRE and VMware Secrets Manager.
Also, make sure you have executed 'eval $(minikube docker-env)'
before running this script.
Press Enter to proceed...`)
// Wait for user to press enter
_, _ = fmt.Scanln()
}
// Run tests
run()
}
package main
import (
"fmt"
"os"
"github.com/vmware-tanzu/secrets-manager/ci/test/deploy"
"github.com/vmware-tanzu/secrets-manager/ci/test/eval"
"github.com/vmware-tanzu/secrets-manager/ci/test/state"
)
func sadCuddle(err error) {
fmt.Println("Error running tests:", err.Error())
os.Exit(1)
}
func try(fn func() error) {
if err := fn(); err != nil {
sadCuddle(err)
}
}
func tryAll(fns ...func() error) {
for _, fn := range fns {
try(fn)
}
}
func run() {
tryAll(
eval.SecretEncryption,
state.Cleanup,
deploy.WorkloadUsingSDK,
eval.SecretRegistration,
eval.SecretDeletion,
eval.SecretRegistrationJSONFormat,
eval.SecretRegistrationYAMLFormat,
state.Cleanup,
deploy.WorkloadUsingSidecar,
eval.SecretRegistrationSidecar,
eval.SecretDeletionSidecar,
eval.SecretRegistrationJSONFormatSidecar,
eval.SecretRegistrationYAMLFormatSidecar,
state.Cleanup,
eval.InitContainer,
state.Cleanup,
)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package sentinel
import (
"errors"
"fmt"
"regexp"
"strings"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
"github.com/vmware-tanzu/secrets-manager/ci/test/vsecm"
"github.com/vmware-tanzu/secrets-manager/ci/test/wait"
)
func DeleteSecret() error {
sentinel, err := vsecm.Sentinel()
if err != nil || sentinel == "" {
return errors.Join(
err,
errors.New("deleteSecret: Failed to define sentinel"),
)
}
_, err = io.Exec("kubectl", "exec", sentinel, "-n", "vsecm-system",
"--", "safe", "-w", "example", "-n", "default", "-d")
if err != nil {
return errors.Join(
err,
errors.New("deleteSecret: Failed to exec kubectl"),
)
}
return nil
}
func SetKubernetesSecretToTriggerInitContainer() error {
// Define the sentinel pod.
sentinel, err := vsecm.Sentinel()
if err != nil {
return fmt.Errorf(
"SetKubernetesSecretToTriggerInitContainer: "+
"Failed to define sentinel: %w", err)
}
if sentinel == "" {
return errors.New("SetKubernetesSecretToTriggerInitContainer: " +
"Failed to define sentinel")
}
// Construct the command to execute within the sentinel pod.
secretData := `{"username": "root", "password": "SuperSecret", "value": "VSecMRocks"}`
transformTemplate := `{"USERNAME":"{{.username}}", "PASSWORD":"{{.password}}", "VALUE": "{{.value}}"}`
_, err = io.Exec("kubectl", "exec", sentinel, "-n", "vsecm-system",
"--", "safe", "-w", "example", "-n", "default",
"-s", secretData, "-t", transformTemplate,
)
if err != nil {
return errors.Join(
err,
errors.New("setKubernetesSecretToTriggerInitContainer:"+
" Failed to exec kubectl"),
)
}
// Wait for the workload to be ready.
if err := wait.ForExampleWorkload(); err != nil {
return fmt.Errorf("set_kubernetes_secret:"+
" Failed to wait for workload readiness: %w", err)
}
fmt.Println("done: set_kubernetes_secret()")
return nil
}
func SetSecret(value string) error {
if value == "" {
return errors.New("SetSecret: Value is empty")
}
sentinel, err := vsecm.Sentinel()
if err != nil || sentinel == "" {
return errors.Join(
err,
errors.New("setSecret: Failed to define sentinel"),
)
}
// Executing command within the sentinel pod to set the secret.
_, err = io.Exec("kubectl", "exec", sentinel, "-n", "vsecm-system",
"--", "safe", "-w", "example", "-n", "default", "-s", value)
if err != nil {
return errors.Join(
err,
errors.New("setSecret: Failed to exec kubectl"),
)
}
return nil
}
func SetEncryptedSecret(value string) error {
if value == "" {
return errors.New("SetEncryptedSecret: Value is empty")
}
sentinel, err := vsecm.Sentinel()
if err != nil || sentinel == "" {
return errors.Join(
err,
errors.New("setEncryptedSecret: Failed to define sentinel"),
)
}
// Execute the command to encrypt and set the secret.
res, err := io.Exec("kubectl", "exec", sentinel, "-n", "vsecm-system",
"--", "safe", "-s", value, "-e")
if err != nil {
return errors.Join(
err,
errors.New("setEncryptedSecret: Failed to exec kubectl"),
)
}
if res == "" {
return errors.New("SetEncryptedSecret: Encrypted secret is empty")
}
lines := strings.Split(res, "\n")
out := ""
// Remove the lines that do not contain the secret to encrypt.
for _, line := range lines {
logLinePattern := regexp.MustCompile(`\[(INFO|DEBUG|WARN|ERROR)]`)
if !logLinePattern.MatchString(line) && strings.TrimSpace(line) != "" {
out += line
}
}
// Assuming res is the encrypted secret, now setting it.
_, err = io.Exec("kubectl", "exec", sentinel, "-n", "vsecm-system",
"--", "safe", "-w", "example", "-n", "default", "-s", out, "-e")
if err != nil {
return errors.Join(
err,
errors.New("setEncryptedSecret: Failed to set encrypted secret"),
)
}
return nil
}
func SetJSONSecret(value, transform string) error {
if value == "" || transform == "" {
return errors.New("setJSONSecret: Value or transform is empty")
}
sentinel, err := vsecm.Sentinel()
if err != nil || sentinel == "" {
return errors.Join(
err,
errors.New("setJSONSecret: Failed to define sentinel"),
)
}
// Executing command within the sentinel pod to set the JSON secret with transformation.
_, err = io.Exec("kubectl", "exec", sentinel, "-n", "vsecm-system",
"--", "safe", "-w", "example", "-n", "default",
"-s", value, "-t", transform, "-f", "json")
if err != nil {
return errors.Join(
err,
errors.New("setJSONSecret: Failed to exec kubectl"),
)
}
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package state
import (
"errors"
"fmt"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
"github.com/vmware-tanzu/secrets-manager/ci/test/vsecm"
"github.com/vmware-tanzu/secrets-manager/ci/test/wait"
)
func Cleanup() error {
fmt.Println("----")
fmt.Println("🧹 Cleanup...")
// Determine the sentinel pod.
sentinel, err := vsecm.Sentinel()
if err != nil {
return errors.Join(
err,
errors.New("cleanup: Failed to determine sentinel"),
)
}
// Execute command within the sentinel pod to delete the secret.
_, err = io.Exec("kubectl", "exec",
sentinel, "-n", "vsecm-system", "--", "safe", "-w", "example", "-d")
if err != nil {
return errors.Join(
err,
errors.New("cleanup: Failed to delete secret"),
)
}
// Check if the deployment exists before attempting to delete.
_, err = io.Exec("kubectl", "get", "deployment", "example", "-n", "default")
if err == nil {
_, err = io.Exec(
"kubectl", "delete", "deployment", "example", "-n", "default",
)
if err != nil {
return errors.Join(
err,
errors.New("cleanup: Failed to delete deployment"),
)
}
}
// Wait for the workload to be gone.
if err := wait.ForExampleWorkloadDeletion(); err != nil {
return errors.Join(
err,
errors.New("cleanup: Failed to wait for workload deletion"),
)
}
fmt.Println("✨ All clean and shiny!")
fmt.Println("----")
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package vsecm
import (
"errors"
"fmt"
"strings"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
)
func Sentinel() (string, error) {
const maxRetries = 5
var sentinel string
for retryCount := 0; retryCount < maxRetries; retryCount++ {
output, err := io.Exec("kubectl", "get", "pods", "-n", "vsecm-system",
"--selector=app.kubernetes.io/name=vsecm-sentinel",
"--output=jsonpath={.items[*].metadata.name}")
if err != nil {
fmt.Printf("Attempt %d failed: %v\n", retryCount+1, err)
time.Sleep(10 * time.Second) // Wait before retrying
continue
}
// Split output to handle potential multiple pod names
sentinelNames := strings.Fields(output)
if len(sentinelNames) == 1 {
sentinel = sentinelNames[0]
break // Successfully defined sentinel
} else if len(sentinelNames) > 1 {
// Handle case where multiple sentinel pods are returned
fmt.Println("Multiple sentinel pods found, selecting the first one.")
sentinel = sentinelNames[0]
break
}
// If no sentinel pod was found, wait before retrying
fmt.Println("No sentinel pod found, retrying...")
time.Sleep(10 * time.Second)
}
if sentinel == "" {
return "", errors.New(
"defineSentinel: Maximum retries reached without defining a sentinel pod",
)
}
return sentinel, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package wait
import (
"errors"
"fmt"
"time"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
)
func ForExampleWorkloadDeletion() error {
fmt.Println("Waiting for example workload deletion...")
_, err := io.Exec("kubectl", "wait",
"--for=delete", "deployment", "-n",
"default", "--selector=app.kubernetes.io/name=example")
if err != nil {
return errors.Join(
err,
errors.New("waitForExampleWorkloadDeletion: Failed to wait for deletion"),
)
}
return nil
}
func ForExampleWorkload() error {
fmt.Println("Waiting for example workload...")
const maxRetries = 5
for retries := 0; retries < maxRetries; retries++ {
_, err := io.Exec("kubectl", "wait", "--for=condition=Ready",
"pod", "-n", "default", "--selector=app.kubernetes.io/name=example")
if err == nil {
return nil // Success
}
if retries < maxRetries-1 {
fmt.Printf("Retry %d/%d: Failed to wait for condition. Retrying in 5 seconds...\n",
retries+1, maxRetries)
time.Sleep(5 * time.Second)
continue
}
}
return errors.New("waitForExampleWorkload: Failed to wait for condition after 5 retries")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package workload
import (
"errors"
"strings"
"github.com/vmware-tanzu/secrets-manager/ci/test/io"
)
func Example() (string, error) {
cmd := "kubectl"
args := []string{"get", "pods", "-n", "default", "-o", "name"}
output, err := io.Exec(cmd, args...)
if err != nil {
return "", errors.Join(
err,
errors.New("example: Failed to execute command"),
)
}
lines := strings.Split(output, "\n")
for _, line := range lines {
if strings.Contains(line, "example-") {
podName := strings.TrimPrefix(line, "pod/")
return podName, nil
}
}
return "", errors.New("example: No workload matching 'example-' prefix found")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package journal
import (
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// Log prints an audit log entry to the standard output. The log entry includes
// the correlation ID, event type, request method, request URI, SPIFFE ID, and
// payload. The function is intended for use in logging and auditing
// request-related events, providing a standardized format for capturing and
// recording essential request handling information.
func Log(e data.JournalEntry) {
printAudit(
e.CorrelationId, e.Event,
e.Method, e.Url, e.SpiffeId, e.Payload,
)
}
// CreateDefaultEntry constructs a default audit journal entry for HTTP requests.
// This entry includes basic request information and identifiers, serving as a
// foundational record for auditing and logging purposes. The function
// encapsulates details like the request method, URI, SPIFFE ID, and correlation
// ID into an audit journal entry.
//
// Parameters:
// - cid (string): The correlation ID associated with the request, used for
// tracking and correlating logs and audit entries.
// - spiffeid (string): The SPIFFE ID associated with the requestor or the
// service, providing a security context.
// - r (*http.Request): The HTTP request from which method and request URI
// information are extracted.
//
// Returns:
// - audit.JournalEntry: An audit journal entry populated with the request's
// method, URI, correlation ID, SPIFFE ID, and a default event type of
// 'Enter'.
//
// The returned audit.JournalEntry object is intended for use in logging and
// audit trails, providing essential context about the request handling process.
// It serves as a standardized format for capturing request-related information,
// facilitating easier analysis and review of logged events.
func CreateDefaultEntry(
cid, spiffeid string, r *http.Request,
) data.JournalEntry {
return data.JournalEntry{
CorrelationId: cid,
Method: r.Method,
Url: r.RequestURI,
SpiffeId: spiffeid,
Event: audit.Enter,
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package journal
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/audit"
"github.com/vmware-tanzu/secrets-manager/core/log/std"
)
func printAudit(correlationId string, e audit.Event,
method, url, spiffeid, payload string) {
std.AuditLn(
&correlationId,
string(e),
"{{"+
"method:[["+method+"]],"+
"url:[["+url+"]],"+
"spiffeid:[["+spiffeid+"]],"+
"payload:[["+payload+"]]}}",
)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"os"
)
type VarName string
const AppVersion VarName = "APP_VERSION"
const SpiffeEndpointSocket VarName = "SPIFFE_ENDPOINT_SOCKET"
const SpiffeTrustDomain VarName = "SPIFFE_TRUST_DOMAIN"
const VSecMBackoffDelay VarName = "VSECM_BACKOFF_DELAY"
const VSecMBackoffMaxRetries VarName = "VSECM_BACKOFF_MAX_RETRIES"
const VSecMBackoffMaxWait VarName = "VSECM_BACKOFF_MAX_WAIT"
const VSecMBackoffMode VarName = "VSECM_BACKOFF_MODE"
const VSecMInitContainerPollInterval VarName = "VSECM_INIT_CONTAINER_POLL_INTERVAL"
const VSecMInitContainerWaitBeforeExit VarName = "VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT"
const VSecMKeygenDecrypt VarName = "VSECM_KEYGEN_DECRYPT"
const VSecMKeygenExportedSecretPath VarName = "VSECM_KEYGEN_EXPORTED_SECRET_PATH"
const VSecMKeygenRootKeyPath VarName = "VSECM_KEYGEN_ROOT_KEY_PATH"
const VSecMLogLevel VarName = "VSECM_LOG_LEVEL"
const VSecMLogSecretFingerprints VarName = "VSECM_LOG_SECRET_FINGERPRINTS"
const VSecMNamespaceSystem VarName = "VSECM_NAMESPACE_SYSTEM"
const VSecMProbeLivenessPort VarName = "VSECM_PROBE_LIVENESS_PORT"
const VSecMProbeReadinessPort VarName = "VSECM_PROBE_READINESS_PORT"
const VSecMRootKeyInputModeManual VarName = "VSECM_ROOT_KEY_INPUT_MODE_MANUAL"
const VSecMRootKeyName VarName = "VSECM_ROOT_KEY_NAME"
const VSecMRootKeyPath VarName = "VSECM_ROOT_KEY_PATH"
const VSecMSafeBackingStore VarName = "VSECM_SAFE_BACKING_STORE"
const VSecMSafeBootstrapTimeout VarName = "VSECM_SAFE_BOOTSTRAP_TIMEOUT"
const VSecMSafeDataPath VarName = "VSECM_SAFE_DATA_PATH"
const VSecMSafeEndpointUrl VarName = "VSECM_SAFE_ENDPOINT_URL"
const VSecMSafeFipsCompliant VarName = "VSECM_SAFE_FIPS_COMPLIANT"
const VSecMSafeIvInitializationInterval VarName = "VSECM_SAFE_IV_INITIALIZATION_INTERVAL"
const VSecMSafeK8sSecretBufferSize VarName = "VSECM_SAFE_K8S_SECRET_BUFFER_SIZE"
const VSecMSafeRootKeyStore VarName = "VSECM_SAFE_ROOT_KEY_STORE"
const VSecMSafeSecretBackupCount VarName = "VSECM_SAFE_SECRET_BACKUP_COUNT"
const VSecMSafeSecretBufferSize VarName = "VSECM_SAFE_SECRET_BUFFER_SIZE"
const VSecMSafeSecretDeleteBufferSize VarName = "VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE"
const VSecMSafeSourceAcquisitionTimeout VarName = "VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT"
const VSecMSafeStoreWorkloadSecretAsK8sSecretPrefix = "VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX"
const VSecMSafeSyncDeletedSecrets VarName = "VSECM_SAFE_SYNC_DELETED_SECRETS"
const VSecMSafeSyncExpiredSecrets VarName = "VSECM_SAFE_SYNC_EXPIRED_SECRETS"
const VSecMSafeSyncInterpolatedK8sSecrets VarName = "VSECM_SAFE_SYNC_INTERPOLATED_K8S_SECRETS"
const VSecMSafeSyncRootKeyInterval VarName = "VSECM_SAFE_SYNC_ROOT_KEY_INTERVAL"
const VSecMSafeSyncSecretsInterval VarName = "VSECM_SAFE_SYNC_SECRETS_INTERVAL"
const VSecMSafeTlsPort VarName = "VSECM_SAFE_TLS_PORT"
const VSecMSentinelInitCommandPath VarName = "VSECM_SENTINEL_INIT_COMMAND_PATH"
const VSecMSentinelInitCommandWaitAfterInitComplete VarName = "VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE"
const VSecMSentinelInitCommandWaitBeforeExec VarName = "VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC"
const VSecMRelayServerUrl VarName = "VSECM_RELAY_SERVER_URL"
// See ADR-0017 for a discussion about important security considerations when
// using OIDC.
const VSecMSentinelOidcEnableResourceServer VarName = "VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER"
const VSecMSentinelOidcProviderBaseUrl VarName = "VSECM_SENTINEL_OIDC_PROVIDER_BASE_URL"
const VSecMSentinelOidcResourceServerPort VarName = "VSECM_SENTINEL_OIDC_RESOURCE_SERVER_PORT"
const VSecMSentinelSecretGenerationPrefix VarName = "VSECM_SENTINEL_SECRET_GENERATION_PREFIX"
const VSecMSafeRawSecretPrefix VarName = "VSECM_SAFE_RAW_SECRET_PREFIX"
const VSecMSidecarErrorThreshold VarName = "VSECM_SIDECAR_ERROR_THRESHOLD"
const VSecMSidecarExponentialBackoffMultiplier VarName = "VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER"
const VSecMSidecarMaxPollInterval VarName = "VSECM_SIDECAR_MAX_POLL_INTERVAL"
const VSecMSidecarPollInterval VarName = "VSECM_SIDECAR_POLL_INTERVAL"
const VSecMSidecarSecretsPath VarName = "VSECM_SIDECAR_SECRETS_PATH"
const VSecMSidecarSuccessThreshold VarName = "VSECM_SIDECAR_SUCCESS_THRESHOLD"
const VSecMSpiffeIdPrefixRelayClient VarName = "VSECM_SPIFFEID_PREFIX_RELAY_CLIENT"
const VSecMSpiffeIdPrefixRelayServer VarName = "VSECM_SPIFFEID_PREFIX_RELAY_SERVER"
const VSecMSpiffeIdPrefixSafe VarName = "VSECM_SPIFFEID_PREFIX_SAFE"
const VSecMSpiffeIdPrefixSentinel VarName = "VSECM_SPIFFEID_PREFIX_SENTINEL"
const VSecMSpiffeIdPrefixScout VarName = "VSECM_SPIFFEID_PREFIX_SCOUT"
const VSecMSpiffeIdPrefixClerk VarName = "VSECM_SPIFFEID_PREFIX_CLERK"
const VSecMSpiffeIdPrefixWorkload VarName = "VSECM_SPIFFEID_PREFIX_WORKLOAD"
const VSecMWorkloadNameRegExp VarName = "VSECM_WORKLOAD_NAME_REGEXP"
type VarValue string
const SpiffeEndpointSocketDefault VarValue = "unix:///spire-agent-socket/spire-agent.sock"
const SpiffeTrustDomainDefault VarValue = "vsecm.com"
const VSecMBackoffDelayDefault VarValue = "1000"
const VSecMBackoffMaxRetriesDefault VarValue = "10"
const VSecMBackoffMaxWaitDefault VarValue = "30000"
const VSecMInitContainerPollIntervalDefault VarValue = "5000"
const VSecMInitContainerWaitBeforeExitDefault VarValue = "0"
const VSecMKeygenExportedSecretPathDefault VarValue = "/opt/vsecm/secrets.json"
const VSecMKeygenRootKeyPathDefault VarValue = "/opt/vsecm/keys.txt"
const VSecMProbeLivenessPortDefault VarValue = ":8081"
const VSecMProbeReadinessPortDefault VarValue = ":8082"
const VSecMRootKeyNameDefault VarValue = "vsecm-root-key"
const VSecMRootKeyPathDefault VarValue = "/key/key.txt"
const VSecMSafeBootstrapTimeoutDefault VarValue = "300000"
const VSecMSafeDataPathDefault VarValue = "/var/local/vsecm/data"
const VSecMSafeEndpointUrlDefault VarValue = "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"
const VSecMSafeIvInitializationIntervalDefault VarValue = "50"
const VSecMSafeK8sSecretBufferSizeDefault VarValue = "10"
const VSecMSafeSecretBackupCountDefault VarValue = "3"
const VSecMSafeSecretBufferSizeDefault VarValue = "10"
const VSecMSafeSecretDeleteBufferSizeDefault VarValue = "10"
const VSecMSafeSourceAcquisitionTimeoutDefault VarValue = "10000"
const VSecMSafeStoreWorkloadSecretAsK8sSecretPrefixDefault VarValue = "k8s:"
const VSecMSafeTlsPortDefault VarValue = ":8443"
const VSecMSentinelInitCommandPathDefault VarValue = "/opt/vsecm-sentinel/init/data"
const VSecMSentinelInitCommandWaitAfterInitCompleteDefault VarValue = "0"
const VSecMSentinelInitCommandWaitBeforeExecDefault VarValue = "0"
const VSecMSentinelSecretGenerationPrefixDefault VarValue = "gen:"
const VSecMSafeRawSecretPrefixDefault VarValue = "raw:"
const VSecMSentinelOidcResourceServerPortDefault VarValue = ":8085"
const VSecMSidecarErrorThresholdDefault VarValue = "3"
const VSecMSidecarExponentialBackoffMultiplierDefault VarValue = "2"
const VSecMSidecarMaxPollIntervalDefault VarValue = "300000"
const VSecMSidecarPollIntervalDefault VarValue = "20000"
const VSecMSidecarSecretsPathDefault VarValue = "/opt/vsecm/secrets.json"
const VSecMSidecarSuccessThresholdDefault VarValue = "3"
const VSecMSpiffeIdPrefixRelayClientDefault VarValue = "^spiffe://[^/]/workload/vsecm-relay-client/ns/vsecm-system/sa/vsecm-relay-client/n/[^/]+$"
const VSecMSpiffeIdPrefixRelayServerDefault VarValue = "^spiffe://[^/]/workload/vsecm-relay-server/ns/vsecm-system/sa/vsecm-relay-server/n/[^/]+$"
const VSecMSpiffeIdPrefixSafeDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$"
const VSecMSpiffeIdPrefixSentinelDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"
const VSecMSpiffeIdPrefixScoutDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-scout/ns/vsecm-system/sa/vsecm-scout/n/[^/]+$"
const VSecMSpiffeIdPrefixClerkDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-clerk/ns/default/sa/vsecm-clerk/n/[^/]+$"
const VSecMSpiffeIdPrefixWorkloadDefault VarValue = "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"
const VSecMNameRegExpForWorkloadDefault VarValue = "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"
const VSecMRelayServerUrlDefault VarValue = "https://vsecm-relay.vsecm-system.svc.cluster.local:443/"
type Namespace string
const Default Namespace = "default"
const VSecMSystem Namespace = "vsecm-system"
const SpireSystem Namespace = "spire-system"
const SpireServer Namespace = "spire-server"
func Value(name VarName) string {
return os.Getenv(string(name))
}
type FieldName string
const RootKeyText FieldName = "KEY_TXT"
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package val
import "strings"
const TimeNow = "now"
const TimeNever = "never"
const BlankRootKey = "{}"
const Ok = "OK"
const NotOk = "NOK!"
// JsonEmpty is a constant string representing an empty value.
// This value is generated by the go templating engine
// when a key-value pair has no value. Don't change this value.
const JsonEmpty = "<no value>"
// Never returns true if the string is "never".
func Never(s string) bool {
return TimeNever == strings.ToLower(strings.TrimSpace(s))
}
// True returns true if the string is "true".
func True(s string) bool {
return "true" == strings.ToLower(strings.TrimSpace(s))
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package crypto
import (
"fmt"
"github.com/vmware-tanzu/secrets-manager/lib/crypto"
)
// Id generates a cryptographically-unique secure random string.
func Id() string {
id, err := crypto.RandomString(8)
if err != nil {
id = fmt.Sprintf("CRYPTO-ERR: %s", err.Error())
}
return id
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package crypto
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"encoding/hex"
"errors"
"io"
"os"
"path"
"filippo.io/age"
c "github.com/vmware-tanzu/secrets-manager/core/constants/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// DecryptValue takes a base64-encoded and encrypted string value and returns
// the original, decrypted string. If the decryption process encounters any
// error, it will return an empty string and the corresponding error.
func DecryptValue(value string) (string, error) {
decoded, err := base64.StdEncoding.DecodeString(value)
if err != nil {
return "", err
}
if env.FipsCompliantModeForSafe() {
decrypted, err := DecryptBytesAes(decoded)
if err != nil {
return "", err
}
return string(decrypted), nil
}
decrypted, err := DecryptBytesAge(decoded)
if err != nil {
return "", err
}
return string(decrypted), nil
}
// DecryptBytesAge decrypts data using an X25519 private key extracted
// from memory. This function is intended to decrypt a slice of bytes that have
// been encrypted using the age encryption tool, specifically formatted for
// X25519 keys.
//
// Parameters:
// - data: the byte slice containing the encrypted data.
//
// Returns:
// - A byte slice containing the decrypted data if successful.
// - An error if decryption fails at any stage, including issues with key
// parsing, opening the encrypted content, or reading the decrypted data.
//
// Usage:
//
// decryptedData, err := cryptography.DecryptBytesAge(encryptedBytes)
// if err != nil {
// log.Fatalf("Failed to decrypt: %v", err)
// }
// fmt.Println("Decrypted data:", string(decryptedData))
func DecryptBytesAge(data []byte) ([]byte, error) {
rkt := RootKeyCollectionFromMemory()
privateKey := rkt.PrivateKey
identity, err := age.ParseX25519Identity(privateKey)
if err != nil {
return nil, errors.Join(
err,
errors.New("decryptBytes: failed to parse private key"),
)
}
if len(data) == 0 {
return nil, errors.Join(
err,
errors.New("decryptBytes: file on disk appears to be empty"),
)
}
out := &bytes.Buffer{}
f := bytes.NewReader(data)
r, err := age.Decrypt(f, identity)
if err != nil {
return nil, errors.Join(
err,
errors.New("decryptBytes: failed to open encrypted file"),
)
}
if _, err := io.Copy(out, r); err != nil {
return nil, errors.Join(
err,
errors.New("decryptBytes: failed to read encrypted file"),
)
}
return out.Bytes(), nil
}
// DecryptBytesAes decrypts data that has been encrypted using AES encryption.
// This function assumes that the AES key is retrieved from a key-holder in
// memory and that the initial vector (IV) is prepended to the ciphertext. The
// function supports AES encryption modes that use CFB (Cipher Feedback Mode).
//
// Parameters:
// - data: a byte slice containing the encrypted data, with the IV at the
// beginning.
//
// Returns:
// - A byte slice containing the decrypted data if the process is successful.
// - An error if any step of the decryption process fails, including key
// retrieval, key decoding, cipher block creation, or data processing.
//
// Usage:
//
// decryptedData, err := crypto.DecryptBytesAes(encryptedData)
// if err != nil {
// log.Fatalf("Failed to decrypt: %v", err)
// }
// fmt.Println("Decrypted data:", string(decryptedData))
func DecryptBytesAes(data []byte) ([]byte, error) {
rkt := RootKeyCollectionFromMemory()
aesKey := rkt.AesSeed
aesKeyDecoded, err := hex.DecodeString(aesKey)
if err != nil {
return nil, errors.Join(
err,
errors.New("encryptToWriter: failed to decode AES key"),
)
}
block, err := aes.NewCipher(aesKeyDecoded)
if err != nil {
return nil, errors.Join(
err,
errors.New("decryptBytes: failed to create AES cipher block"),
)
}
// The IV is included in the beginning of the ciphertext.
if len(data) < aes.BlockSize {
return nil, errors.New("decryptBytes: ciphertext too short")
}
iv := data[:aes.BlockSize]
data = data[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(block, iv)
// XORKeyStream can work in-place if the two arguments are the same.
stream.XORKeyStream(data, data)
return data, nil
}
// Decrypt decrypts the provided base64-encoded value using the specified
// algorithm. This function first decodes the base64-encoded input, and then
// depending on the algorithm specified, it either decrypts using age or AES.
//
// Parameters:
// - value: a byte slice containing the base64-encoded data to be decrypted.
// - algorithm: the Algorithm type specifying which decryption method to use.
//
// Returns:
// - A string containing the decrypted data if successful.
// - An error if decoding fails, or if the decryption process encounters an
// issue.
//
// Usage:
//
// decryptedText, err := crypto.Decrypt(encodedValue, cryptography.AES)
// if err != nil {
// log.Fatalf("Failed to decrypt: %v", err)
// }
// fmt.Println("Decrypted text:", decryptedText)
func Decrypt(value []byte, algorithm c.Algorithm) (string, error) {
decodedValue, err := base64.StdEncoding.DecodeString(string(value))
if err != nil {
return "", err
}
if algorithm == c.Age {
res, err := DecryptBytesAge(decodedValue)
if err != nil {
return "", err
}
return string(res), nil
}
res, err := DecryptBytesAes(decodedValue)
if err != nil {
return "", err
}
return string(res), nil
}
// DecryptDataFromDisk takes a key as input and attempts to decrypt the data
// associated with that key from the disk. The key is used to locate the data
// file, which is expected to have a ".age" extension
// and to be stored in a directory specified by the environment's data path for
// safe storage.
//
// Parameters:
// - key (string): A string representing the unique identifier for the data
// to be decrypted. The actual data file is expected to be named using this
// key with a ".age" extension.
//
// Returns:
// - ([]byte, error): This function returns two values. The first value is a
// byte slice containing the decrypted data if the process is successful.
// The second value is an error object that will be non-nil if any step of
// the decryption process fails. Possible errors include the absence of the
// target data file on disk and failures related to reading the file or the
// decryption process itself.
func DecryptDataFromDisk(key string) ([]byte, error) {
dataPath := path.Join(env.DataPathForSafe(), key+".age")
if _, err := os.Stat(dataPath); os.IsNotExist(err) {
return nil, errors.Join(
err,
errors.New("decryptDataFromDisk: No file at: "+dataPath),
)
}
data, err := os.ReadFile(dataPath)
if err != nil {
return nil, errors.Join(
err,
errors.New("decryptDataFromDisk: Error reading file"),
)
}
if env.FipsCompliantModeForSafe() {
return DecryptBytesAes(data)
}
return DecryptBytesAge(data)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package crypto
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
"io"
"math"
"time"
"filippo.io/age"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// EncryptValue takes a string value and returns an encrypted and base64-encoded
// representation of the input value. If the encryption process encounters any
// error, it will return an empty string and the corresponding error.
func EncryptValue(value string) (string, error) {
var out bytes.Buffer
fipsMode := env.FipsCompliantModeForSafe()
if fipsMode {
err := EncryptToWriterAes(&out, value)
if err != nil {
return "", err
}
} else {
err := EncryptToWriterAge(&out, value)
if err != nil {
return "", err
}
}
base64Str := base64.StdEncoding.EncodeToString(out.Bytes())
return base64Str, nil
}
// EncryptToWriterAge encrypts the provided data using a public key and writes
// the encrypted data to the specified io.Writer. The encryption is performed
// using the age encryption protocol, which is designed for simple, secure, and
// modern encryption.
//
// Parameters:
// - out (io.Writer): The writer interface where the encrypted data will be
// written. This could be a file, a network connection, or any other type
// that implements the io.Writer interface.
// - data (string): The plaintext data that needs to be encrypted. This
// function converts the string to a byte slice and encrypts it.
//
// Returns:
// - error: If any step in the encryption or writing process fails, an error
// is returned. Possible errors include issues with the public key (such as
// being empty or unparseable) and failures related to the encryption
// process or writing to the writer interface.
func EncryptToWriterAge(out io.Writer, data string) error {
rkt := RootKeyCollectionFromMemory()
publicKey := rkt.PublicKey
if publicKey == "" {
return errors.New("encryptToWriterAge: no public key")
}
recipient, err := age.ParseX25519Recipient(publicKey)
if err != nil {
return errors.Join(
err,
errors.New("encryptToWriterAge: failed to parse public key"),
)
}
wrappedWriter, err := age.Encrypt(out, recipient)
if err != nil {
return errors.Join(
err,
errors.New("encryptToWriterAge: failed to create encrypted file"),
)
}
defer func(w io.WriteCloser) {
err := w.Close()
if err != nil {
fmt.Printf("encryptToWriterAge: problem closing stream: %s\n", err.Error())
}
}(wrappedWriter)
if _, err := io.WriteString(wrappedWriter, data); err != nil {
return errors.Join(
err,
errors.New("encryptToWriterAge: failed to write to encrypted file"),
)
}
return nil
}
var lastEncryptToWriterAesCall time.Time
// EncryptToWriterAes encrypts the given data string using the AES encryption
// standard and writes the encrypted data to the specified io.Writer. This
// function emphasizes secure encryption practices, including the management
// of the Initialization Vector (IV) and the AES key.
//
// Parameters:
// - out (io.Writer): The output writer where the encrypted data will be
// written. This writer can represent various types of data sinks, such
// as files, network connections, or in-memory buffers.
// - data (string): The plaintext data to be encrypted. This data is
// converted to a byte slice and then encrypted using AES.
//
// Returns:
// - error: An error is returned if any step of the encryption or writing
// process encounters an issue. This includes errors related to call
// frequency, key management, encryption initialization, and data writing.
func EncryptToWriterAes(out io.Writer, data string) error {
rkt := RootKeyCollectionFromMemory()
// Calling this method too frequently can result in a less-than random IV,
// which can be used to break the encryption when combined with other
// attack vectors. Therefore, we throttle calls to this method.
if time.Since(lastEncryptToWriterAesCall) < time.Millisecond*time.Duration(
env.IvInitializationIntervalForSafe(),
) {
return errors.New("calls too frequent")
}
lastEncryptToWriterAesCall = time.Now()
aesKey := rkt.AesSeed
if aesKey == "" {
return errors.New("encryptToWriter: no AES key")
}
aesKeyDecoded, err := hex.DecodeString(aesKey)
defer func() {
// Clear the key from memory for security reasons.
for i := range aesKeyDecoded {
aesKeyDecoded[i] = 0
}
}()
if err != nil {
return errors.Join(
err,
errors.New("encryptToWriter: failed to decode AES key"),
)
}
block, err := aes.NewCipher(aesKeyDecoded)
if err != nil {
return errors.Join(
err,
errors.New("encryptToWriter: failed to create AES cipher block"),
)
}
totalSize := uint64(aes.BlockSize) + uint64(len(data))
if totalSize > uint64(math.MaxInt64) {
return errors.New("encryptToWriter: data too large")
}
// The IV needs to be unique, but not secure. Therefore, it's common to
// include it at the beginning of the ciphertext.
ciphertext := make([]byte, totalSize)
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return err
}
stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], []byte(data))
_, err = out.Write(ciphertext)
if err != nil {
return errors.Join(
err,
errors.New("encryptToWriter: failed to write to encrypted file"),
)
}
return nil
}
var lastEncryptBytesAesCall time.Time
// EncryptBytesAes encrypts the given data using AES encryption and returns the encrypted bytes.
func EncryptBytesAes(data []byte) ([]byte, error) {
rkt := RootKeyCollectionFromMemory()
// Throttle calls to this method to ensure IV randomness
if time.Since(lastEncryptBytesAesCall) < time.Millisecond*time.Duration(
env.IvInitializationIntervalForSafe(),
) {
return nil, errors.New("calls too frequent")
}
lastEncryptBytesAesCall = time.Now()
aesKey := rkt.AesSeed
if aesKey == "" {
return nil, errors.New("EncryptBytesAes: no AES key")
}
aesKeyDecoded, err := hex.DecodeString(aesKey)
defer func() {
// Clear the key from memory for security reasons.
for i := range aesKeyDecoded {
aesKeyDecoded[i] = 0
}
}()
if err != nil {
return nil, errors.Join(
err,
errors.New("EncryptBytesAes: failed to decode AES key"),
)
}
block, err := aes.NewCipher(aesKeyDecoded)
if err != nil {
return nil, errors.Join(
err,
errors.New("EncryptBytesAes: failed to create AES cipher block"),
)
}
totalSize := uint64(aes.BlockSize) + uint64(len(data))
if totalSize > uint64(math.MaxInt64) {
return nil, errors.New("EncryptBytesAes: data too large")
}
ciphertext := make([]byte, totalSize)
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, err
}
stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], data)
return ciphertext, nil
}
// EncryptBytesAge encrypts the given data using the age encryption protocol and returns the encrypted bytes.
func EncryptBytesAge(data []byte) ([]byte, error) {
rkt := RootKeyCollectionFromMemory()
publicKey := rkt.PublicKey
if publicKey == "" {
return nil, errors.New("EncryptBytesAge: no public key")
}
recipient, err := age.ParseX25519Recipient(publicKey)
if err != nil {
return nil, errors.Join(
err,
errors.New("EncryptBytesAge: failed to parse public key"),
)
}
var buf bytes.Buffer
wrappedWriter, err := age.Encrypt(&buf, recipient)
if err != nil {
return nil, errors.Join(
err,
errors.New("EncryptBytesAge: failed to create encrypted buffer"),
)
}
if _, err := wrappedWriter.Write(data); err != nil {
return nil, errors.Join(
err,
errors.New("EncryptBytesAge: failed to write to encrypted buffer"),
)
}
if err := wrappedWriter.Close(); err != nil {
return nil, errors.Join(
err,
errors.New("EncryptBytesAge: failed to close encrypted writer"),
)
}
return buf.Bytes(), nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package crypto
import (
"sync"
"filippo.io/age"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// rootKey is the key used for encryption, decryption, backup, and restore.
var rootKey = data.RootKeyCollection{
PrivateKey: "",
PublicKey: "",
AesSeed: "",
}
var rootKeyLock sync.RWMutex
// SetRootKeyInMemory sets the age key to be used for encryption and decryption.
// This function is called in several instances:
//
// 1. During bootstrapping of VSecM Safe to set the initial root key from
// a mounted backing store.
// 2. When an operator sets a new root key through VSecM Sentinel or other
// similar means.
func SetRootKeyInMemory(k string) {
rootKeyLock.Lock()
defer rootKeyLock.Unlock()
rootKey.UpdateFromSerialized(k)
}
// RootKeySetInMemory returns true if the root key has been set.
func RootKeySetInMemory() bool {
rootKeyLock.RLock()
defer rootKeyLock.RUnlock()
return !rootKey.Empty()
}
// RootKeyCollectionFromMemory creates a new Rkt struct from the
// rootKey stored in memory.
func RootKeyCollectionFromMemory() data.RootKeyCollection {
rootKeyLock.RLock()
defer rootKeyLock.RUnlock()
if rootKey.Empty() {
return data.RootKeyCollection{}
}
return data.RootKeyCollection{
PrivateKey: rootKey.PrivateKey,
PublicKey: rootKey.PublicKey,
AesSeed: rootKey.AesSeed,
}
}
// NewRootKeyCollection creates a new cryptographic key pair and an AES seed.
// It utilizes the X25519 algorithm for key generation and includes both the
// private and public keys in the returned Rkt structure. The function also
// generates an AES seed that can be used for symmetric encryption.
//
// Returns:
// - Rkt: A struct containing the private key, public key, and AES seed. The
// Rkt struct should be defined elsewhere in your codebase with the
// respective fields: PrivateKey, PublicKey, and AesSeed.
// - error: An error object that reports issues in the key generation process,
// such as failures in generating the X25519 identity or the AES seed. If
// the function executes without encountering any issues, the error will be
// nil.
//
// Example usage:
//
// keys, err := NewRootKeyCollection()
// if err != nil {
// log.Fatalf("Key generation failed: %v", err)
// }
// fmt.Printf("Private Key: %s\n", keys.PrivateKey)
// fmt.Printf("Public Key: %s\n", keys.PublicKey)
// fmt.Printf("AES Seed: %s\n", keys.AesSeed)
//
// Note:
//
// The NewRkt function depends on the 'age' package for generating the
// X25519 identity and an implementation of generateAesSeed, which must be
// provided in your codebase or through an external library.
func NewRootKeyCollection() (data.RootKeyCollection, error) {
identity, err := age.GenerateX25519Identity()
if err != nil {
return data.RootKeyCollection{}, err
}
privateKey := identity.String()
publicKey := identity.Recipient().String()
aesSeed, err := generateAesSeed()
if err != nil {
return data.RootKeyCollection{}, err
}
return data.RootKeyCollection{
PrivateKey: privateKey,
PublicKey: publicKey,
AesSeed: aesSeed,
}, nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package crypto
import (
"crypto/rand"
"encoding/hex"
"errors"
)
var reader = rand.Read
// generateAesSeed generates a random 256-bit AES key, and returns it as a
// hexadecimal encoded string.
//
// Returns:
// 1. A hexadecimal string representation of the generated 256-bit AES key.
// 2. An error value that indicates if any error occurs during key generation
// or encoding. A non-nil error indicates failure.
//
// Usage:
//
// hexKey, err := generateAesSeed()
// if err != nil {
// log.Fatal("Failed to generate AES key:", err)
// }
//
// Example output:
//
// hexKey: "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
//
// Note:
//
// The function uses the crypto/rand package for secure random number
// generation, suitable for cryptographic purposes.
func generateAesSeed() (string, error) {
// Generate a 256-bit key
key := make([]byte, 32)
_, err := reader(key)
if err != nil {
return "", errors.Join(
err,
errors.New("generateAesSeed: failed to generate random key"),
)
}
return hex.EncodeToString(key), nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package data
import "strings"
// VSecMInternalCommand is the command that VSecM uses to perform
// internal operations.
type VSecMInternalCommand struct {
LogLevel int `json:"logLevel"`
}
// VSecMSafeInternalConfig is the configuration of VSecM Safe that
// set up the backing store and data source name.
type VSecMSafeInternalConfig struct {
Config struct {
BackingStore string `json:"backingStore"`
DataSourceName string `json:"dataSourceName"`
} `json:"config"`
}
// SentinelCommand is the command that VSecM Sentinel uses to perform
// REST API operations on VSecM Safe.
type SentinelCommand struct {
WorkloadIds []string
Namespaces []string
Secret string
Template string
DeleteSecret bool
Format string
Encrypt bool
NotBefore string
Expires string
SerializedRootKeys string
ShouldSleep bool
SleepIntervalMs int
}
// SplitRootKeys splits the SerializedRootKeys of the SentinelCommand
// into a slice of strings based on newline characters.
//
// It returns a slice of strings, where each string represents a root key.
// If there are no newline characters in SerializedRootKeys, the returned
// slice will contain a single element.
//
// Example:
//
// sc := SentinelCommand{SerializedRootKeys: "key1\nkey2\nkey3"}
// keys := sc.SplitRootKeys() // returns []string{"key1", "key2", "key3"}
func (sc SentinelCommand) SplitRootKeys() []string {
return strings.Split(sc.SerializedRootKeys, "\n")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package data
import (
"bytes"
"encoding/json"
"fmt"
"strings"
"text/template"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
tpl "github.com/vmware-tanzu/secrets-manager/core/template"
)
// convertMapToStringBytes converts a map[string]string into a map[string][]byte,
// by converting each string value into a []byte, and returns the resulting map.
func convertMapToStringBytes(inputMap map[string]string) map[string][]byte {
data := make(map[string][]byte)
for k, v := range inputMap {
data[k] = []byte(v)
}
return data
}
// handleTemplateFailure is used when applying a template to the secret's value
// fails. It attempts to unmarshal the 'value' string as JSON into the 'data'
// map. If the unmarshalling fails, it creates a new empty 'data' map and
// populates it with a single entry, "VALUE", containing the original 'value' as
// []byte.
func convertValueToMap(value string) map[string][]byte {
var data map[string][]byte
val := value
err := json.Unmarshal([]byte(val), &data)
if err != nil {
data = map[string][]byte{}
data[key.SecretDataValue] = []byte(val)
}
return data
}
// handleNoTemplate is used when there is no template defined.
// It attempts to unmarshal the 'value' string as JSON. If successful, it
// returns a map with the JSON key-value pairs converted to []byte values;
// otherwise, it returns a map with a single entry, "VALUE", containing the
// original 'value' as []byte.
func convertValueNoTemplate(value string) map[string][]byte {
var data = make(map[string][]byte)
var jsonData map[string]string
val := value
if val == "" {
return data
}
err := json.Unmarshal(([]byte)(val), &jsonData)
if err != nil {
//If error in unmarshalling, add the whole as a part of VALUE
data[key.SecretDataValue] = ([]byte)(val)
return data
}
//Use the secret's value as a key-val pair
return convertMapToStringBytes(jsonData)
}
// parseForK8sSecret parses the provided `SecretStored` and applies a template
// if one is defined.
//
// Args:
//
// secret: A SecretStored struct containing the secret data and metadata.
//
// Returns:
//
// A map of string keys to string values, containing the parsed secret data.
//
// If there is an error during parsing or applying the template, an error
// will be returned.
//
// Note that this function will consider only the first value in the `Values`
// collection. If there are multiple values, only the first value will be
// parsed and transformed.
func parseForK8sSecret(secret SecretStored) (map[string]string, error) {
// cannot move this to /core/template because of circular dependency.
secretData := make(map[string]string)
if len(secret.Value) == 0 {
return secretData, fmt.Errorf("no value found for secret %s",
secret.Name)
}
jsonData := strings.TrimSpace(secret.Value)
tmpStr := strings.TrimSpace(secret.Meta.Template)
err := json.Unmarshal([]byte(jsonData), &secretData)
if err != nil {
return secretData, err
}
if tmpStr == "" {
return secretData, err
}
tmpl, err := template.New("secret").Parse(tmpStr)
if err != nil {
return secretData, err
}
var t bytes.Buffer
err = tmpl.Execute(&t, secretData)
if err != nil {
return secretData, err
}
output := make(map[string]string)
err = json.Unmarshal(t.Bytes(), &output)
if err != nil {
return output, err
}
return output, nil
}
func transform(
value string, tmpStr string, f SecretFormat,
) (string, error) {
jsonData := strings.TrimSpace(value)
parsedString := ""
if tmpStr == "" {
parsedString = jsonData
} else {
parsedString = tpl.TryParse(tmpStr, jsonData)
}
switch f {
case Json:
// If the parsed string is a valid JSON, return it as is.
// Otherwise, assume the parsing failed and return the original
// JSON string.
if tpl.ValidJSON(parsedString) {
return parsedString, nil
} else {
return jsonData, nil
}
case Yaml:
if tpl.ValidJSON(parsedString) {
yml, err := tpl.JsonToYaml(parsedString)
if err != nil {
return parsedString, err
}
return yml, nil
} else {
// Parsed string is not a valid JSON, so return it as is.
// It can be either a valid YAML already, or some random string.
// There is not much can be done at this point other than
// returning it.
return parsedString, nil
}
case Raw:
// If the format is Raw, return the parsed string as is.
return parsedString, nil
default:
// The program flow shall never enter here.
return parsedString, fmt.Errorf("unknown format: %s", f)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package data
import (
"strings"
"github.com/vmware-tanzu/secrets-manager/core/constants/symbol"
)
type RootKeyCollection struct {
PrivateKey string
PublicKey string
AesSeed string
}
// Combine takes the private key, a public key, and an AES seed,
// and combines them into a single string, separating each with a newline.
//
// Returns:
// - A single string containing the private key, public key, and AES seed,
// each separated by a newline.
func (rkt *RootKeyCollection) Combine() string {
if rkt.PrivateKey == "" || rkt.PublicKey == "" || rkt.AesSeed == "" {
return ""
}
return rkt.PrivateKey +
symbol.RootKeySeparator + rkt.PublicKey +
symbol.RootKeySeparator + rkt.AesSeed
}
// Empty checks if the RootKeyCollection contains any key data.
// It returns true if the PrivateKey, PublicKey, and AesSeed fields are all
// empty.
func (rkt *RootKeyCollection) Empty() bool {
return rkt.PrivateKey == "" && rkt.PublicKey == "" && rkt.AesSeed == ""
}
// UpdateFromSerialized updates the RootKeyCollection from a serialized string.
//
// The serialized string is expected to be a concatenation of the private key,
// public key, and AES seed separated by the RootKeySeparator symbol. If the
// serialized string is empty, the PrivateKey, PublicKey, and AesSeed fields
// will be set to empty strings. If the serialized string is improperly
// formatted, the function will not update the fields.
//
// Parameters:
// - serialized: A string containing the serialized key data.
func (rkt *RootKeyCollection) UpdateFromSerialized(serialized string) {
serialized = strings.TrimSpace(serialized)
if serialized == "" {
rkt.PrivateKey = ""
rkt.PublicKey = ""
rkt.AesSeed = ""
}
parts := strings.Split(serialized, symbol.RootKeySeparator)
if len(parts) < 3 {
return
}
rkt.PrivateKey = parts[0]
rkt.PublicKey = parts[1]
rkt.AesSeed = parts[2]
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package data
import (
"fmt"
"time"
)
// SecretStored represents a secret stored in VSecM Safe.
type SecretStored struct {
// Name of the secret.
Name string `json:"name"`
// Raw value. A secret can have multiple values. Sentinel returns
// a single value if there is a single value in this array. Sentinel
// will return an array of values if there are multiple values in the array.
Value string `json:"value"`
// Transformed values. This value is the value that workloads see.
//
// Apply transformation (if needed) and then store the value in
// one of the supported formats. If the format is json, ensure that
// a valid JSON is stored here. If the format is yaml, ensure that
// a valid YAML is stored here. If the format is none, then just
// apply transformation (if needed) and do not do any validity check.
ValueTransformed string `json:"valueTransformed"`
// Additional information that helps format and store the secret.
Meta SecretMeta `json:"meta"`
// Timestamps
Created time.Time `json:"created"`
Updated time.Time `json:"updated"`
// Invalid before this time.
NotBefore time.Time `json:"notBefore"`
// Invalid after this time.
ExpiresAfter time.Time `json:"expiresAfter"`
}
// ToMapForK8s returns a map that can be used to create a Kubernetes secret.
//
// 1. If there is no template, attempt to unmarshal the secret's value
// into a map. If that fails, store the secret's value under the "VALUE" key.
// 2. If there is a template, attempt to parse it. If parsing is successful,
// create a new map with the parsed data. If parsing fails, follow the same
// logic as in case 1, attempting to unmarshal the secret's value into a map,
// and if that fails, storing the secret's value under the "VALUE" key.
func (secret SecretStored) ToMapForK8s() map[string][]byte {
// If there is no template, use the secret's value as is.
if secret.Meta.Template == "" {
return convertValueNoTemplate(secret.Value)
}
// Otherwise, apply the template.
newData, err := parseForK8sSecret(secret)
if err == nil {
return convertMapToStringBytes(newData)
}
// If the template fails, use the secret's value as is.
return convertValueToMap(secret.Value)
}
// ToMap converts the SecretStored struct to a map[string]any.
// The resulting map contains the following key-value pairs:
//
// "Name": the Name field of the SecretStored struct
// "Values": the Values field of the SecretStored struct
// "Created": the Created field of the SecretStored struct
// "Updated": the Updated field of the SecretStored struct
func (secret SecretStored) ToMap() map[string]any {
return map[string]any{
"Name": secret.Name,
"Value": secret.Value,
"Created": secret.Created,
"Updated": secret.Updated,
}
}
// Parse takes a data.SecretStored type as input and returns the parsed
// string or an error.
//
// It parses all the `.Values` of the secret, and for each value tries to apply
// a template transformation.
//
// Here is how the template transformation is applied:
//
// 1. Compute parsedString:
// If the Meta.Template field is empty, then parsedString is the original
// value. Otherwise, parsedString is the result of applying the template
// transformation to the original value.
//
// 2. Compute the output string:
// - If the Meta.Format field is Json, then the output string is parsedString
// if parsedString is a valid JSON, otherwise it's the original value.
// - If the Meta.Format field is Yaml, then the output string is the result of
// transforming parsedString into Yaml if parsedString is a valid JSON,
// otherwise it's parsedString.
// - If the Meta.Format field is Raw, then the output string is simply the
// parsedString, without any specific format checks or transformations.
func (secret SecretStored) Parse() (string, error) {
if len(secret.Value) == 0 {
return "", fmt.Errorf("no value found for secret %s", secret.Name)
}
transformed, err := transform(secret.Value, secret.Meta.Template,
secret.Meta.Format)
if transformed == "" {
return secret.Value, fmt.Errorf("failed to parse secret %s", secret.Name)
}
return transformed, err
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package data
import "sync"
// InitStatus is the initialization status of VSecM Sentinel
// and other VSecM components.
type InitStatus string
var (
Pending InitStatus = "pending"
Ready InitStatus = "ready"
)
// Status is a struct representing the current state of the secret manager,
// including the lengths and capacities of the secret queues and the total
// number of secrets stored.
type Status struct {
SecretQueueLen int
SecretQueueCap int
K8sQueueLen int
K8sQueueCap int
NumSecrets int
}
var statusLock sync.RWMutex // Protects access to the Status struct.
// Increment is a method for the Status struct that increments the NumSecrets
// field by 1 if the provided secret name is not found in the in-memory store.
func (s *Status) Increment(name string, loader func(name any) (any, bool)) {
statusLock.Lock()
defer statusLock.Unlock()
_, ok := loader(name)
if !ok {
s.NumSecrets++
}
}
// Decrement is a method for the Status struct that decrements the NumSecrets
// field by 1 if the provided secret name is found in the in-memory store.
func (s *Status) Decrement(name string, loader func(name any) (any, bool)) {
statusLock.Lock()
defer statusLock.Unlock()
_, ok := loader(name)
if ok {
s.NumSecrets--
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"strconv"
"strings"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// Redefine some constants to avoid import cycle.
// Mode is the type for backoff mode.
type Mode string
var Exponential Mode = "exponential"
var Linear Mode = "linear"
var backoff = struct {
Exponential Mode
Linear Mode
}{
Exponential: Exponential,
Linear: Linear,
}
// BackoffMaxRetries reads the "VSECM_BACKOFF_MAX_RETRIES" environment variable,
// parses its value as an int64, and returns the parsed number. If the
// environment variable is not set or cannot be parsed, a default value of
// 10 is returned. This function is useful for configuring the maximum number
// of retries in backoff algorithms, particularly in scenarios where operations
// might fail transiently and require repeated attempts to succeed.
//
// Returns:
// int64 - the maximum number of retries.
func BackoffMaxRetries() int64 {
p := env.Value(env.VSecMBackoffMaxRetries)
if p == "" {
p = string(env.VSecMBackoffMaxRetriesDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i, _ := strconv.Atoi(string(env.VSecMBackoffMaxRetriesDefault))
return int64(i)
}
return i
}
// BackoffDelay reads the "VSECM_BACKOFF_DELAY" environment variable, parses its
// value as an int64, and returns the parsed number as a time.Duration in
// milliseconds. If the environment variable is not set or cannot be parsed,
// a default delay of 1000 milliseconds is returned. This function facilitates
// configuring the initial delay for backoff algorithms, which is essential for
// handling operations that might need a waiting period before retrying after
// a failure.
//
// Returns:
// time.Duration - the initial backoff delay duration.
func BackoffDelay() time.Duration {
p := env.Value(env.VSecMBackoffDelay)
if p == "" {
p = string(env.VSecMBackoffDelayDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
return 1000 * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
// BackoffMode reads the "VSECM_BACKOFF_MODE" environment variable and determines
// the backoff strategy to be used. If the environment variable is not set, or if
// its value is "exponential", "exponential" is returned. For any other non-empty
// value, "linear" is returned. This allows for dynamic adjustment of the backoff
// strategy based on external configuration, supporting both linear and
// exponential backoff modes depending on the requirements of the operation or
// the system.
//
// Returns:
// string - the backoff mode, either "exponential" or "linear".
func BackoffMode() string {
p := env.Value(env.VSecMBackoffMode)
p = strings.TrimSpace(p)
if p == "" {
return string(backoff.Exponential)
}
if p != string(backoff.Exponential) {
return string(backoff.Linear)
}
return string(backoff.Exponential)
}
// BackoffMaxWait reads the "VSECM_BACKOFF_MAX_WAIT" environment variable,
// parses its value as an int64, and returns the parsed number as a time.Duration
// in milliseconds. If the environment variable is not set or cannot be parsed,
// a default maximum duration of 30000 milliseconds is returned. This function is
// crucial for defining the upper limit on the duration to which backoff delay can
// grow, ensuring that retry mechanisms do not result in excessively long wait
// times.
//
// Returns:
// time.Duration - the maximum backoff duration.
func BackoffMaxWait() time.Duration {
p := env.Value(env.VSecMBackoffMaxWait)
if p == "" {
p = string(env.VSecMBackoffMaxWaitDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
return 30000 * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// EndpointUrlForSafe returns the URL for the VSecM Safe endpoint
// used in the VMware Secrets Manager system.
// The URL is obtained from the environment variable VSECM_SAFE_ENDPOINT_URL.
// If the variable is not set, the default URL is used.
func EndpointUrlForSafe() string {
u := env.Value(env.VSecMSafeEndpointUrl)
if u == "" {
u = string(env.VSecMSafeEndpointUrlDefault)
}
return u
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"strconv"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// PollIntervalForInitContainer returns the time interval between each poll in
// the Watch function. The interval is specified in milliseconds as the
// VSECM_INIT_CONTAINER_POLL_INTERVAL environment variable. If the environment
// variable is not set or is not a valid integer value, the function returns the
// default interval of 5000 milliseconds.
func PollIntervalForInitContainer() time.Duration {
p := env.Value(env.VSecMInitContainerPollInterval)
d, _ := strconv.Atoi(string(env.VSecMInitContainerPollIntervalDefault))
if p == "" {
p = string(env.VSecMInitContainerPollIntervalDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return time.Duration(i) * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
// WaitBeforeExitForInitContainer retrieves the wait time before exit for an
// init container. The duration is determined by the environment variable
// "VSECM_INIT_CONTAINER_WAIT_BEFORE_EXIT" and defaults to zero if the variable
// is not set or cannot be parsed.
//
// The environment variable is expected to be an integer value representing the
// wait time in milliseconds. If parsing fails, the function will return 0
// milliseconds.
//
// Returns:
//
// time.Duration: The wait time before exit, in milliseconds.
func WaitBeforeExitForInitContainer() time.Duration {
p := env.Value(env.VSecMInitContainerWaitBeforeExit)
d, _ := strconv.Atoi(string(env.VSecMInitContainerWaitBeforeExitDefault))
if p == "" {
p = string(env.VSecMInitContainerWaitBeforeExitDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return time.Duration(i) * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
// RootKeyPathForKeyGen returns the root key path. Root key is used to decrypt
// VSecM-encrypted secrets.
// It reads the environment variable VSECM_KEYGEN_ROOT_KEY_PATH to determine
// the path.
// If the environment variable is not set, it defaults to "/opt/vsecm/keys.txt".
//
// Returns:
//
// string: The path to the root key.
func RootKeyPathForKeyGen() string {
p := env.Value(env.VSecMKeygenRootKeyPath)
if p == "" {
return string(env.VSecMKeygenRootKeyPathDefault)
}
return p
}
// ExportedSecretPathForKeyGen returns the path where the exported secrets are
// stored. It reads the environment variable VSECM_KEYGEN_EXPORTED_SECRET_PATH
// to determine the path.
//
// If the environment variable is not set, it defaults to
// "/opt/vsecm/secrets.json".
//
// Returns:
//
// string: The path to the exported secrets.
func ExportedSecretPathForKeyGen() string {
p := env.Value(env.VSecMKeygenExportedSecretPath)
if p == "" {
return string(env.VSecMKeygenExportedSecretPathDefault)
}
return p
}
// KeyGenDecrypt determines if VSecM Keygen should decrypt the secrets json
// file instead of generating a new root key (which is its default behavior).
//
// It reads the environment variable VSECM_KEYGEN_DECRYPT and checks if it is
// set to "true".
//
// If this value is `false`, VSecM Keygen will generate a new root key.
//
// If this value is `true`, VSecM Keygen will attempt to decrypt the secrets
// provided to it.
//
// Returns:
//
// bool: True if decryption should proceed, false otherwise.
func KeyGenDecrypt() bool {
p := env.Value(env.VSecMKeygenDecrypt)
return val.True(p)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"strconv"
"strings"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
type Level int
// Redefine log levels to avoid import cycle.
const (
Off Level = iota
Fatal
Error
Warn
Info
Audit
Debug
Trace
)
var level = struct {
Off Level
Fatal Level
Error Level
Warn Level
Info Level
Audit Level
Debug Level
Trace Level
}{
Off: Off,
Fatal: Fatal,
Error: Error,
Warn: Warn,
Info: Info,
Audit: Audit,
Debug: Debug,
Trace: Trace,
}
// LogLevel returns the value set by VSECM_LOG_LEVEL environment
// variable, or a default level.
//
// VSECM_LOG_LEVEL determines the verbosity of the logs.
// 0: logs are off, 7: highest verbosity (TRACE).
func LogLevel() int {
p := env.Value(env.VSecMLogLevel)
if p == "" {
return int(level.Warn)
}
l, _ := strconv.Atoi(p)
if l == int(level.Off) {
return int(level.Warn)
}
if l < int(level.Off) || l > int(level.Trace) {
return int(level.Warn)
}
return l
}
// LogSecretFingerprints checks the "VSECM_LOG_SECRET_FINGERPRINTS" environment
// variable, normalizes its value by trimming whitespace and converting it to
// lowercase, and evaluates whether logging of secret fingerprints is enabled
// or not. The function returns true if the environment variable is explicitly
// set to "true", otherwise, it defaults to false.
//
// When `true`, VSecM logs will include partial hashes for the secrets. This
// approach will be useful to verify changes to a secret without revealing it
// in the logs. The partial hash is a cryptographically secure string, and there
// is no way to retrieve the original secret from it.
//
// If not provided in the environment variables, this flag will be set to `false`
// by default.
//
// Returns:
// bool - true if logging of secret fingerprints is enabled, false otherwise.
func LogSecretFingerprints() bool {
p := env.Value(env.VSecMLogSecretFingerprints)
p = strings.ToLower(strings.TrimSpace(p))
if p == "" {
return false
}
return val.True(p)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// NamespaceForVSecMSystem returns the namespace for the VSecM apps.
// The namespace is determined by the environment variable
// "VSECM_NAMESPACE_SYSTEM". If the variable is not set or is empty,
// it defaults to "vsecm-system".
//
// Returns:
//
// string: The namespace to be used for the VSecM system.
func NamespaceForVSecMSystem() string {
u := env.Value(env.VSecMNamespaceSystem)
if u == "" {
u = string(env.VSecMSystem)
}
return u
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"strconv"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// MaxPollIntervalForSidecar returns the maximum interval for polling by the
// sidecar process. The value is read from the environment variable
// `VSECM_SIDECAR_MAX_POLL_INTERVAL` or returns 300000 milliseconds as default.
func MaxPollIntervalForSidecar() time.Duration {
p := env.Value(env.VSecMSidecarMaxPollInterval)
d, _ := strconv.Atoi(string(env.VSecMSidecarMaxPollIntervalDefault))
if p == "" {
p = string(env.VSecMSidecarMaxPollIntervalDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return time.Duration(i) * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
// ExponentialBackoffMultiplierForSidecar returns the multiplier for exponential
// backoff by the sidecar process.
// The value is read from the environment variable
// `VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER` or returns 2 as default.
func ExponentialBackoffMultiplierForSidecar() int64 {
p := env.Value(env.VSecMSidecarExponentialBackoffMultiplier)
d, _ := strconv.Atoi(string(
env.VSecMSidecarExponentialBackoffMultiplierDefault))
if p == "" {
p = string(env.VSecMSidecarExponentialBackoffMultiplierDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return i
}
return i
}
// SuccessThresholdForSidecar returns the number of consecutive successful
// polls before reducing the interval. The value is read from the environment
// variable `VSECM_SIDECAR_SUCCESS_THRESHOLD` or returns 3 as default.
func SuccessThresholdForSidecar() int64 {
p := env.Value(env.VSecMSidecarSuccessThreshold)
d, _ := strconv.Atoi(string(env.VSecMSidecarSuccessThresholdDefault))
if p == "" {
p = string(env.VSecMSidecarSuccessThresholdDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return i
}
return i
}
// ErrorThresholdForSidecar returns the number of consecutive failed polls
// before increasing the interval. The value is read from the environment
// variable `VSECM_SIDECAR_ERROR_THRESHOLD` or returns 2 as default.
func ErrorThresholdForSidecar() int64 {
p := env.Value(env.VSecMSidecarErrorThreshold)
d, _ := strconv.Atoi(string(env.VSecMSidecarErrorThresholdDefault))
if p == "" {
p = string(env.VSecMSidecarErrorThresholdDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return i
}
return i
}
// PollIntervalForSidecar returns the polling interval for sentry in time.Duration
// The interval is determined by the VSECM_SIDECAR_POLL_INTERVAL environment
// variable, with a default value of 20000 milliseconds if the variable is not
// set or if there is an error in parsing the value.
func PollIntervalForSidecar() time.Duration {
p := env.Value(env.VSecMSidecarPollInterval)
d, _ := strconv.Atoi(string(env.VSecMSidecarPollIntervalDefault))
if p == "" {
p = string(env.VSecMSidecarPollIntervalDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return time.Duration(i) * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// ProbeLivenessPort returns the port for liveness probe.
// It first checks the environment variable VSECM_PROBE_LIVENESS_PORT.
// If the variable is not set, it returns the default value ":8081".
func ProbeLivenessPort() string {
u := env.Value(env.VSecMProbeLivenessPort)
if u == "" {
u = string(env.VSecMProbeLivenessPortDefault)
}
return u
}
// ProbeReadinessPort returns the port for readiness probe.
// It first checks the environment variable VSECM_PROBE_READINESS_PORT.
// If the variable is not set, it returns the default value ":8082".
func ProbeReadinessPort() string {
u := env.Value(env.VSecMProbeReadinessPort)
if u == "" {
u = string(env.VSecMProbeReadinessPortDefault)
}
return u
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"strconv"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
// IvInitializationIntervalForSafe fetches the Initialization Vector (IV)
// interval from an environment variable. IV is used in AES encryption.
//
// The environment variable used is VSECM_SAFE_IV_INITIALIZATION_INTERVAL.
// If the environment variable is not set or contains an invalid integer, the
// function returns a default value of 50.
// The returned value is intended to be used for rate-limiting or throttling the
// initialization of IVs.
//
// Returns:
// int: The IV initialization interval in milliseconds.
func IvInitializationIntervalForSafe() int {
envInterval := env.Value(env.VSecMSafeIvInitializationInterval)
d, _ := strconv.Atoi(string(env.VSecMSafeIvInitializationIntervalDefault))
if envInterval == "" {
return d
}
parsedInterval, err := strconv.Atoi(envInterval)
if err != nil {
return d
}
return parsedInterval
}
// SecretBufferSizeForSafe returns the buffer size for the VSecM Safe secret
// queue.
//
// The buffer size is determined by the environment variable
// VSECM_SAFE_SECRET_BUFFER_SIZE.
//
// If the environment variable is not set, the default buffer size is 10.
// If the environment variable is set and can be parsed as an integer,
// it will be used as the buffer size.
// If the environment variable is set but cannot be parsed as an integer,
// the default buffer size is used.
func SecretBufferSizeForSafe() int {
p := env.Value(env.VSecMSafeSecretBufferSize)
d, _ := strconv.Atoi(string(env.VSecMSafeSecretBufferSizeDefault))
if p == "" {
return d
}
l, err := strconv.Atoi(p)
if err != nil {
return d
}
return l
}
// K8sSecretBufferSizeForSafe returns the buffer size for the VSecM Safe
// Kubernetes secret queue.
//
// The buffer size is determined by the environment variable
// VSECM_SAFE_K8S_SECRET_BUFFER_SIZE.
//
// If the environment variable is not set, the default buffer size is 10.
// If the environment variable is set and can be parsed as an integer,
// it will be used as the buffer size.
// If the environment variable is set but cannot be parsed as an integer,
// the default buffer size is used.
func K8sSecretBufferSizeForSafe() int {
p := env.Value(env.VSecMSafeK8sSecretBufferSize)
d, _ := strconv.Atoi(string(env.VSecMSafeK8sSecretBufferSizeDefault))
if p == "" {
return d
}
l, err := strconv.Atoi(p)
if err != nil {
return d
}
return l
}
// SecretDeleteBufferSizeForSafe returns the buffer size for the VSecM Safe
// secret deletion queue.
//
// The buffer size is determined by the environment variable
// VSECM_SAFE_SECRET_DELETE_BUFFER_SIZE.
//
// If the environment variable is not set, the default buffer size is 10.
// If the environment variable is set and can be parsed as an integer,
// it will be used as the buffer size.
// If the environment variable is set but cannot be parsed as an integer,
// the default buffer size is used.
func SecretDeleteBufferSizeForSafe() int {
p := env.Value(env.VSecMSafeSecretDeleteBufferSize)
d, _ := strconv.Atoi(string(env.VSecMSafeSecretDeleteBufferSizeDefault))
if p == "" {
return d
}
l, err := strconv.Atoi(p)
if err != nil {
return d
}
return l
}
// FipsCompliantModeForSafe returns a boolean indicating whether VSecM Safe
// should run in FIPS compliant mode. Note that this is not a guarantee that
// VSecM Safe will run in FIPS compliant mode, as it depends on the underlying
// base image. If you are using one of the official FIPS-complaint
// VMware Secrets Manager Docker images, then it will be FIPS-compliant.
// Check https://vsecm.com/configuration/ for more details.
func FipsCompliantModeForSafe() bool {
p := env.Value(env.VSecMSafeFipsCompliant)
return val.True(p)
}
// SecretBackupCountForSafe retrieves the number of backups to keep for VSecM
// Safe secrets. If the environment variable VSECM_SAFE_SECRET_BACKUP_COUNT
// is not set or is not a valid integer, the default value of 3 will be returned.
//
// Note: there are plans to deprecate this feature in the future in favor of
// a more robust database-driven changelog solution for secrets.
func SecretBackupCountForSafe() int {
p := env.Value(env.VSecMSafeSecretBackupCount)
d, _ := strconv.Atoi(string(env.VSecMSafeSecretBackupCountDefault))
if p == "" {
return d
}
l, err := strconv.Atoi(p)
if err != nil {
return d
}
return l
}
// RootKeyInputModeManual returns a boolean indicating whether to use manual
// cryptographic key input for VSecM Safe, instead of letting it bootstrap
// automatically. If the environment variable is not set or its value is
// not "true", the function returns false. Otherwise, the function returns true.
func RootKeyInputModeManual() bool {
p := env.Value(env.VSecMRootKeyInputModeManual)
return val.True(p)
}
// DataPathForSafe returns the path to the safe data directory.
// The path is determined by the VSECM_SAFE_DATA_PATH environment variable.
// If the environment variable is not set, the default path "/var/local/vsecm/data"
// is returned.
func DataPathForSafe() string {
p := env.Value(env.VSecMSafeDataPath)
if p == "" {
p = string(env.VSecMSafeDataPathDefault)
}
return p
}
// RootKeyPathForSafe returns the path to the safe age key directory.
// The path is determined by the VSECM_ROOT_KEY_PATH environment variable.
// If the environment variable is not set, the default path "/key/key.txt"
// is returned.
func RootKeyPathForSafe() string {
p := env.Value(env.VSecMRootKeyPath)
if p == "" {
p = string(env.VSecMRootKeyPathDefault)
}
return p
}
// SourceAcquisitionTimeoutForSafe returns the timeout duration for acquiring
// a SPIFFE source bundle.
// It reads an environment variable `VSECM_SAFE_SOURCE_ACQUISITION_TIMEOUT`
// to determine the timeout.
// If the environment variable is not set, or cannot be parsed, it defaults to
// 10000 milliseconds.
//
// The returned duration is in milliseconds.
//
// Returns:
//
// time.Duration: The time duration in milliseconds for acquiring the source.
func SourceAcquisitionTimeoutForSafe() time.Duration {
p := env.Value(env.VSecMSafeSourceAcquisitionTimeout)
d, _ := strconv.Atoi(string(env.VSecMSafeSourceAcquisitionTimeoutDefault))
if p == "" {
p = string(env.VSecMSafeSourceAcquisitionTimeoutDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return time.Duration(i) * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
// BootstrapTimeoutForSafe returns the allowed time for VSecM Safe to wait
// before killing the pod to retrieve an SVID, in time.Duration.
// The interval is determined by the VSECM_SAFE_BOOTSTRAP_TIMEOUT environment
// variable, with a default value of 300000 milliseconds if the variable is not
// set or if there is an error in parsing the value.
func BootstrapTimeoutForSafe() time.Duration {
p := env.Value(env.VSecMSafeBootstrapTimeout)
d, _ := strconv.Atoi(string(env.VSecMSafeBootstrapTimeoutDefault))
if p == "" {
p = string(env.VSecMSafeBootstrapTimeoutDefault)
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
i = int64(d)
return time.Duration(i) * time.Millisecond
}
return time.Duration(i) * time.Millisecond
}
// RootKeySecretNameForSafe returns the name of the environment variable that
// holds the VSecM Safe age key. The value is retrieved using the
// "VSECM_ROOT_KEY_NAME" environment variable. If this variable is
// not set or is empty, the default value "vsecm-root-key" is returned.
func RootKeySecretNameForSafe() string {
p := env.Value(env.VSecMRootKeyName)
if p == "" {
p = string(env.VSecMRootKeyNameDefault)
}
return p
}
package env
func ScoutEnableTls() bool {
return false
}
type AuthenticationMode string
var AuthenticationModeNone AuthenticationMode = "none"
var AuthenticationModeJwt AuthenticationMode = "jwt"
var AuthenticationModeBasic AuthenticationMode = "basic"
func ScoutAuthenticationMode() AuthenticationMode {
return AuthenticationModeNone
}
func ScoutTlsEnabled() bool {
return false
}
func ScoutHttpPort() string {
return ":8080"
}
func ScoutHttpsPort() string {
return ":8443"
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// SecretGenerationPrefix returns a prefix that's used by VSecM Sentinel to
// generate random pattern-based secrets. If a secret is prefixed with this value,
// then VSecM Sentinel will consider it as a "template" rather than a literal value.
//
// It retrieves this prefix from the environment variable
// "VSECM_SENTINEL_SECRET_GENERATION_PREFIX".
// If the environment variable is not set or is empty, it defaults to "gen:".
func SecretGenerationPrefix() string {
p := env.Value(env.VSecMSentinelSecretGenerationPrefix)
if p == "" {
return string(env.VSecMSentinelSecretGenerationPrefixDefault)
}
return p
}
// RawSecretPrefix returns the prefix that's used by VSecM Safe to store
// raw secrets. Raw secrets are not associated with any workload and no
// workload can access them. They are meant to be harvested by external
// operators.
func RawSecretPrefix() string {
p := env.Value(env.VSecMSafeRawSecretPrefix)
if p == "" {
return string(env.VSecMSafeRawSecretPrefixDefault)
}
return p
}
// StoreWorkloadAsK8sSecretPrefix retrieves the prefix for storing workload data
// as a Kubernetes secret.
//
// It fetches the value of the environment variable
// VSECM_SAFE_STORE_WORKLOAD_SECRET_AS_K8S_SECRET_PREFIX.
// If this environment variable is not set or is empty, it defaults to "k8s:".
//
// This way, you can use VSecM to generate Kubernetes Secrets instead of
// associating secrets to workloads. This approach is especially useful in
// legacy use case where you cannot use VSecM SDK, or VSecM Sidecar
// to associate secrets to workloads, or doing so is not feasible because it
// would introduce deviation from the upstream dependencies.
//
// Returns:
// - A string representing the prefix for Kubernetes secrets.
// The default value is "k8s:" if the environment variable is not set or empty.
func StoreWorkloadAsK8sSecretPrefix() string {
p := env.Value(env.VSecMSafeStoreWorkloadSecretAsK8sSecretPrefix)
if p == "" {
return string(env.VSecMSafeStoreWorkloadSecretAsK8sSecretPrefixDefault)
}
return p
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"strconv"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
// InitCommandPathForSentinel returns the path to the initialization commands file
// for VSecM Sentinel.
//
// It checks for an environment variable "VSECM_SENTINEL_INIT_COMMAND_PATH" and
// uses its value as the path. If the environment variable is not set, it
// defaults to "/opt/vsecm-sentinel/init/data".
//
// Returns:
//
// string: The path to the Sentinel initialization commands file.
func InitCommandPathForSentinel() string {
p := env.Value(env.VSecMSentinelInitCommandPath)
if p == "" {
p = string(env.VSecMSentinelInitCommandPathDefault)
}
return p
}
// InitCommandRunnerWaitBeforeExecIntervalForSentinel retrieves the interval
// to wait before executing an init command stanza of Sentinel. The interval is
// determined by the environment variable
// "VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC", which is expected to contain
// an integer value representing the wait time in milliseconds.
// If the environment variable is not set or cannot be parsed, it defaults to
// zero milliseconds.
//
// Returns:
//
// time.Duration: The wait interval in milliseconds before executing an init command.
func InitCommandRunnerWaitBeforeExecIntervalForSentinel() time.Duration {
p := env.Value(env.VSecMSentinelInitCommandWaitBeforeExec)
if p == "" {
p = string(env.VSecMSentinelInitCommandWaitBeforeExecDefault)
}
i, _ := strconv.ParseInt(p, 10, 32)
return time.Duration(i) * time.Millisecond
}
// InitCommandRunnerWaitIntervalBeforeInitComplete retrieves the interval
// to wait after the init command stanza of Sentinel has been completed. The
// interval is determined by the environment variable
// "VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE",
// which is expected to contain an integer value representing the wait time
// in milliseconds. If the environment variable is not set or cannot be parsed,
// it defaults to zero milliseconds.
//
// Returns:
//
// time.Duration: The wait interval in milliseconds after initialization is
// complete.
func InitCommandRunnerWaitIntervalBeforeInitComplete() time.Duration {
p := env.Value(env.VSecMSentinelInitCommandWaitAfterInitComplete)
if p == "" {
p = string(env.VSecMSentinelInitCommandWaitAfterInitCompleteDefault)
}
i, _ := strconv.ParseInt(p, 10, 32)
return time.Duration(i) * time.Millisecond
}
// OIDCProviderBaseUrlForSentinel returns the url to be used for the
// OIDC provider base URL for VSecM Sentinel. This url is used when
// VSECM_SENTINEL_OIDC_ENABLE_RESOURCE_SERVER is set to "true".
func OIDCProviderBaseUrlForSentinel() string {
p := env.Value(env.VSecMSentinelOidcProviderBaseUrl)
return p
}
// SentinelEnableOIDCResourceServer is a flag that enables the OIDC resource
// server functionality in VSecM Sentinel.
func SentinelEnableOIDCResourceServer() bool {
p := env.Value(env.VSecMSentinelOidcEnableResourceServer)
return val.True(p)
}
// SentinelOIDCResourceServerPort returns the port on which the OIDC resource
// server should listen for requests.
func SentinelOIDCResourceServerPort() string {
p := env.Value(env.VSecMSentinelOidcResourceServerPort)
if p == "" {
p = string(env.VSecMSentinelOidcResourceServerPortDefault)
}
return p
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// SecretsPathForSidecar returns the path to the secrets file used by the sidecar.
// The path is determined by the VSECM_SIDECAR_SECRETS_PATH environment variable,
// with a default value of "/opt/vsecm/secrets.json" if the variable is not set.
func SecretsPathForSidecar() string {
p := env.Value(env.VSecMSidecarSecretsPath)
if p == "" {
p = string(env.VSecMSidecarSecretsPathDefault)
}
return p
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// SpiffeSocketUrl returns the URL for the SPIFFE endpoint socket used in the
// VMware Secrets Manager system. The URL is obtained from the environment variable
// SPIFFE_ENDPOINT_SOCKET. If the variable is not set, the default URL is used.
func SpiffeSocketUrl() string {
p := env.Value(env.SpiffeEndpointSocket)
if p == "" {
p = string(env.SpiffeEndpointSocketDefault)
}
return p
}
// SpiffeTrustDomain retrieves the SPIFFE trust domain from environment
// variables.
//
// This function looks for the trust domain using the environment variable
// defined by `constants.SpiffeTrustDomain`. If the environment variable is not
// set or is an empty string, it defaults to the value specified by
// `constants.SpiffeTrustDomainDefault`.
//
// Returns:
// - A string representing the SPIFFE trust domain.
func SpiffeTrustDomain() string {
p := env.Value(env.SpiffeTrustDomain)
if p == "" {
p = string(env.SpiffeTrustDomainDefault)
}
return p
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// SpiffeIdPrefixForSentinel returns the prefix for the Safe SPIFFE ID.
// The prefix is obtained from the environment variable
// VSECM_SPIFFEID_PREFIX_SENTINEL. If the variable is not set, the default
// prefix is used.
func SpiffeIdPrefixForSentinel() string {
p := env.Value(env.VSecMSpiffeIdPrefixSentinel)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixSentinelDefault)
}
return p
}
func SpiffeIdPrefixForScout() string {
p := env.Value(env.VSecMSpiffeIdPrefixScout)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixScoutDefault)
}
return p
}
func SpiffeIdPrefixForClerk() string {
p := env.Value(env.VSecMSpiffeIdPrefixClerk)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixClerkDefault)
}
return p
}
// SpiffeIdPrefixForSafe returns the prefix for the Safe SPIFFE ID.
// The prefix is obtained from the environment variable
// VSECM_SPIFFEID_PREFIX_SAFE. If the variable is not set, the default prefix is
// used.
func SpiffeIdPrefixForSafe() string {
p := env.Value(env.VSecMSpiffeIdPrefixSafe)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixSafeDefault)
}
return p
}
func SpiffeIdPrefixForRelayServer() string {
p := env.Value(env.VSecMSpiffeIdPrefixRelayServer)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixRelayServerDefault)
}
return p
}
func SpiffeIdPrefixForRelayClient() string {
p := env.Value(env.VSecMSpiffeIdPrefixRelayClient)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixRelayClientDefault)
}
return p
}
// SpiffeIdPrefixForWorkload returns the prefix for the Workload's SPIFFE ID.
// The prefix is obtained from the environment variable
// VSECM_SPIFFEID_PREFIX_WORKLOAD.
// If the variable is not set, the default prefix is used.
func SpiffeIdPrefixForWorkload() string {
p := env.Value(env.VSecMSpiffeIdPrefixWorkload)
if p == "" {
p = string(env.VSecMSpiffeIdPrefixWorkloadDefault)
}
return p
}
// NameRegExpForWorkload returns the regular expression pattern for extracting
// the workload name from the SPIFFE ID.
// The prefix is obtained from the environment variable
// VSECM_NAME_REGEXP_FOR_WORKLOAD.
// If the variable is not set, the default pattern is used.
func NameRegExpForWorkload() string {
p := env.Value(env.VSecMWorkloadNameRegExp)
if p == "" {
p = string(env.VSecMNameRegExpForWorkloadDefault)
}
return p
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"os"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/entity/v1/data"
)
// RootKeyStoreTypeForSafe determines the root key store type for
// VSecM Safe.
//
// The function retrieves this configuration from an environment variable.
// If the variable is not set or is explicitly set to "k8s", which is the
// default.
//
// Returns:
// - The configured root key store as a data.BackingStore.
// - Panics if the environment variable is set to anything other than "k8s",
// as it is currently the only supported root key store type.
//
// Usage:
//
// storeType := config.RootKeyStoreTypeForSafe()
func RootKeyStoreTypeForSafe() data.BackingStore {
s := env.Value(env.VSecMSafeRootKeyStore)
if s == "" {
return data.Kubernetes
}
if s != string(data.Kubernetes) {
panic("Only Kubernetes is supported as a root key store")
}
return data.Kubernetes
}
// BackingStoreForSafe determines the backing store type for the VSecM Safe.
// This configuration is retrieved from an environment variable. If the variable
// is not set or explicitly set to "file", and "file" is used as the default and
// only supported backing store.
//
// Returns:
// - The configured backing store as a data.BackingStore.
// - Panics if the environment variable is set to anything other than "file",
// as it is currently the only supported backing store type.
//
// Usage:
//
// backingStore := config.BackingStoreForSafe()
func BackingStoreForSafe() data.BackingStore {
s := os.Getenv(string(env.VSecMSafeBackingStore))
if s == "" {
return data.File
}
switch s {
case string(data.File):
return data.File
case string(data.Postgres):
return data.Postgres
default:
panic("Only File and Postgres are supported as a backing store")
}
return data.File
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"math"
"strconv"
"time"
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
// infiniteDuration is used to indicate that no synchronization should occur.
const infiniteDuration = time.Duration(math.MaxInt64)
// RootKeySyncIntervalForSafe retrieves the synchronization interval for root
// keys from an environment variable.
// If the variable is unset or set to "never", it returns an infinite duration,
// effectively disabling the synchronization.
//
// Returns:
// - A time.Duration representing the interval at which root keys should be
// synchronized.
// - Returns an infinite duration if the interval is set to "never" or if
// there is an error in parsing the interval.
func RootKeySyncIntervalForSafe() time.Duration {
p := env.Value(env.VSecMSafeSyncRootKeyInterval)
if p == "" || val.Never(p) {
return infiniteDuration
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
return infiniteDuration
}
return time.Duration(i) * time.Millisecond
}
// SecretsSyncIntervalForSafe retrieves the synchronization interval for secrets
// from an environment variable.
// Similar to RootKeySyncIntervalForSafe, it returns an infinite duration if
// the interval is set to "never" or on error.
//
// Returns:
// - A time.Duration representing the interval at which secrets should be
// synchronized.
func SecretsSyncIntervalForSafe() time.Duration {
p := env.Value(env.VSecMSafeSyncSecretsInterval)
if p == "" || val.Never(p) {
return infiniteDuration
}
i, err := strconv.ParseInt(p, 10, 32)
if err != nil {
return infiniteDuration
}
return time.Duration(i) * time.Millisecond
}
// SyncDeletedSecretsForSafe checks if deleted secrets should be synchronized.
// It reads from an environment variable and returns true if synchronization
// is enabled.
//
// Returns:
// - A bool indicating whether deleted secrets should be synchronized.
func SyncDeletedSecretsForSafe() bool {
p := env.Value(env.VSecMSafeSyncDeletedSecrets)
if p == "" {
return false
}
return val.True(p)
}
// SyncInterpolatedKubernetesSecretsForSafe checks if interpolated Kubernetes
// secrets should be synchronized. It returns true if the respective environment
// variable is set to "true".
//
// Returns:
// - A bool indicating whether interpolated Kubernetes secrets should be
// synchronized.
func SyncInterpolatedKubernetesSecretsForSafe() bool {
p := env.Value(env.VSecMSafeSyncInterpolatedK8sSecrets)
if p == "" {
return false
}
return val.True(p)
}
// SyncExpiredSecretsSecretsForSafe checks if expired secrets should be
// synchronized. It returns true if the respective environment variable is
// set to "true".
//
// Returns:
// - A bool indicating whether expired secrets should be synchronized.
func SyncExpiredSecretsSecretsForSafe() bool {
p := env.Value(env.VSecMSafeSyncExpiredSecrets)
if p == "" {
return false
}
return val.True(p)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package env
import (
"github.com/vmware-tanzu/secrets-manager/core/constants/env"
)
// TlsPort returns the secure port for VSecM Safe to listen on.
// It checks the VSECM_SAFE_TLS_PORT environment variable. If the variable
// is not set, it defaults to ":8443".
func TlsPort() string {
p := env.Value(env.VSecMSafeTlsPort)
if p == "" {
p = string(env.VSecMSafeTlsPortDefault)
}
return p
}
func RelayServerUrl() string {
u := env.Value(env.VSecMRelayServerUrl)
if u == "" {
u = string(env.VSecMRelayServerUrlDefault)
}
return u
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package level
import (
"sync"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// Level represents log levels.
type Level int
// Define log levels as constants.
const (
Off Level = iota
Fatal
Error
Warn
Info
Audit
Debug
Trace
)
var mux sync.RWMutex // Protects access to currentLevel.
// Initialize currentLevel with the value from the environment.
var currentLevel = Level(env.LogLevel())
// Set updates the global log level to the provided level if it is valid.
func Set(level Level) {
mux.Lock()
defer mux.Unlock()
if level >= Off && level <= Trace {
currentLevel = level
}
}
// Get retrieves the current global log level.
func Get() Level {
mux.RLock()
defer mux.RUnlock()
return currentLevel
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package rpc
import (
"fmt"
"strings"
"time"
)
func currentTime() string {
return time.Now().Local().Format(time.DateTime)
}
func build(logHeader string, correlationId *string, a ...any) string {
logPrefix := fmt.Sprintf("%s[%s]", logHeader, currentTime())
var messageParts []string
if correlationId != nil {
messageParts = append(messageParts, *correlationId)
}
for _, element := range a {
messageParts = append(messageParts, fmt.Sprintf("%v", element))
}
message := strings.Join(messageParts, " ")
finalLog := fmt.Sprintf("%s %s\n", logPrefix, message)
return finalLog
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package rpc
import (
"context"
stdlib "log"
"time"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
"github.com/vmware-tanzu/secrets-manager/core/log/rpc/generated"
)
func log(message string) {
conn, err := grpc.Dial(
SentinelLoggerUrl(),
grpc.WithTransportCredentials(insecure.NewCredentials()),
grpc.WithBlock(),
)
if err != nil {
stdlib.Printf("Logger.log could not connect to server: %v\n", err)
return
}
defer func(conn *grpc.ClientConn) {
err := conn.Close()
if err != nil {
stdlib.Printf("Logger.log could not close connection: %v\n", err)
}
}(conn)
c := generated.NewLogServiceClient(conn)
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
defer cancel()
_, err = c.SendLog(ctx, &generated.LogRequest{Message: message})
if err != nil {
stdlib.Printf("Logger.log could not send message: %v\n", err)
return
}
}
//
//| Protect your secrets, protect your sensitive data.
//: Explore VMware Secrets Manager docs at https://vsecm.com/
//</
//<>/ keep your secrets... secret
//>/
//<>/' Copyright 2023-present VMware Secrets Manager contributors.
//>/' SPDX-License-Identifier: BSD-2-Clause
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.33.0
// protoc v3.21.12
// source: log.proto
package generated
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
type LogRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
}
func (x *LogRequest) Reset() {
*x = LogRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_log_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *LogRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*LogRequest) ProtoMessage() {}
func (x *LogRequest) ProtoReflect() protoreflect.Message {
mi := &file_log_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use LogRequest.ProtoReflect.Descriptor instead.
func (*LogRequest) Descriptor() ([]byte, []int) {
return file_log_proto_rawDescGZIP(), []int{0}
}
func (x *LogRequest) GetMessage() string {
if x != nil {
return x.Message
}
return ""
}
type LogResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"`
}
func (x *LogResponse) Reset() {
*x = LogResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_log_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *LogResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*LogResponse) ProtoMessage() {}
func (x *LogResponse) ProtoReflect() protoreflect.Message {
mi := &file_log_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use LogResponse.ProtoReflect.Descriptor instead.
func (*LogResponse) Descriptor() ([]byte, []int) {
return file_log_proto_rawDescGZIP(), []int{1}
}
func (x *LogResponse) GetMessage() string {
if x != nil {
return x.Message
}
return ""
}
var File_log_proto protoreflect.FileDescriptor
var file_log_proto_rawDesc = []byte{
0x0a, 0x09, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6c, 0x6f, 0x67,
0x22, 0x26, 0x0a, 0x0a, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18,
0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x27, 0x0a, 0x0b, 0x4c, 0x6f, 0x67, 0x52,
0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61,
0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
0x65, 0x32, 0x3c, 0x0a, 0x0a, 0x4c, 0x6f, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
0x2e, 0x0a, 0x07, 0x53, 0x65, 0x6e, 0x64, 0x4c, 0x6f, 0x67, 0x12, 0x0f, 0x2e, 0x6c, 0x6f, 0x67,
0x2e, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x6c, 0x6f,
0x67, 0x2e, 0x4c, 0x6f, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42,
0x0c, 0x5a, 0x0a, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x62, 0x06, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
file_log_proto_rawDescOnce sync.Once
file_log_proto_rawDescData = file_log_proto_rawDesc
)
func file_log_proto_rawDescGZIP() []byte {
file_log_proto_rawDescOnce.Do(func() {
file_log_proto_rawDescData = protoimpl.X.CompressGZIP(file_log_proto_rawDescData)
})
return file_log_proto_rawDescData
}
var file_log_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_log_proto_goTypes = []interface{}{
(*LogRequest)(nil), // 0: log.LogRequest
(*LogResponse)(nil), // 1: log.LogResponse
}
var file_log_proto_depIdxs = []int32{
0, // 0: log.LogService.SendLog:input_type -> log.LogRequest
1, // 1: log.LogService.SendLog:output_type -> log.LogResponse
1, // [1:2] is the sub-list for method output_type
0, // [0:1] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
}
func init() { file_log_proto_init() }
func file_log_proto_init() {
if File_log_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_log_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*LogRequest); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_log_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*LogResponse); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_log_proto_rawDesc,
NumEnums: 0,
NumMessages: 2,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_log_proto_goTypes,
DependencyIndexes: file_log_proto_depIdxs,
MessageInfos: file_log_proto_msgTypes,
}.Build()
File_log_proto = out.File
file_log_proto_rawDesc = nil
file_log_proto_goTypes = nil
file_log_proto_depIdxs = nil
}
//
//| Protect your secrets, protect your sensitive data.
//: Explore VMware Secrets Manager docs at https://vsecm.com/
//</
//<>/ keep your secrets... secret
//>/
//<>/' Copyright 2023-present VMware Secrets Manager contributors.
//>/' SPDX-License-Identifier: BSD-2-Clause
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.5.1
// - protoc v3.21.12
// source: log.proto
package generated
import (
context "context"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
)
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
// Requires gRPC-Go v1.64.0 or later.
const _ = grpc.SupportPackageIsVersion9
const (
LogService_SendLog_FullMethodName = "/log.LogService/SendLog"
)
// LogServiceClient is the client API for LogService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type LogServiceClient interface {
SendLog(ctx context.Context, in *LogRequest, opts ...grpc.CallOption) (*LogResponse, error)
}
type logServiceClient struct {
cc grpc.ClientConnInterface
}
func NewLogServiceClient(cc grpc.ClientConnInterface) LogServiceClient {
return &logServiceClient{cc}
}
func (c *logServiceClient) SendLog(ctx context.Context, in *LogRequest, opts ...grpc.CallOption) (*LogResponse, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(LogResponse)
err := c.cc.Invoke(ctx, LogService_SendLog_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
// LogServiceServer is the server API for LogService service.
// All implementations must embed UnimplementedLogServiceServer
// for forward compatibility.
type LogServiceServer interface {
SendLog(context.Context, *LogRequest) (*LogResponse, error)
mustEmbedUnimplementedLogServiceServer()
}
// UnimplementedLogServiceServer must be embedded to have
// forward compatible implementations.
//
// NOTE: this should be embedded by value instead of pointer to avoid a nil
// pointer dereference when methods are called.
type UnimplementedLogServiceServer struct{}
func (UnimplementedLogServiceServer) SendLog(context.Context, *LogRequest) (*LogResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method SendLog not implemented")
}
func (UnimplementedLogServiceServer) mustEmbedUnimplementedLogServiceServer() {}
func (UnimplementedLogServiceServer) testEmbeddedByValue() {}
// UnsafeLogServiceServer may be embedded to opt out of forward compatibility for this service.
// Use of this interface is not recommended, as added methods to LogServiceServer will
// result in compilation errors.
type UnsafeLogServiceServer interface {
mustEmbedUnimplementedLogServiceServer()
}
func RegisterLogServiceServer(s grpc.ServiceRegistrar, srv LogServiceServer) {
// If the following call pancis, it indicates UnimplementedLogServiceServer was
// embedded by pointer and is nil. This will cause panics if an
// unimplemented method is ever invoked, so we test this at initialization
// time to prevent it from happening at runtime later due to I/O.
if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
t.testEmbeddedByValue()
}
s.RegisterService(&LogService_ServiceDesc, srv)
}
func _LogService_SendLog_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(LogRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(LogServiceServer).SendLog(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: LogService_SendLog_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(LogServiceServer).SendLog(ctx, req.(*LogRequest))
}
return interceptor(ctx, in, info, handler)
}
// LogService_ServiceDesc is the grpc.ServiceDesc for LogService service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
var LogService_ServiceDesc = grpc.ServiceDesc{
ServiceName: "log.LogService",
HandlerType: (*LogServiceServer)(nil),
Methods: []grpc.MethodDesc{
{
MethodName: "SendLog",
Handler: _LogService_SendLog_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "log.proto",
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package rpc
import (
"github.com/vmware-tanzu/secrets-manager/core/log/level"
)
// FatalLn logs a fatal message with the provided correlationId and message
// arguments. The application will exit after the message is logged.
func FatalLn(correlationId *string, v ...any) {
message := build("[FATAL]", correlationId, v)
log(message)
}
// ErrorLn logs an error message with the provided correlationId and message
// arguments if the current log level is Error or lower.
func ErrorLn(correlationId *string, v ...any) {
l := level.Get()
if l < level.Error {
return
}
message := build("[ERROR]", correlationId, v)
log(message)
}
// WarnLn logs a warning message with the provided correlationId and message
// arguments if the current log level is Warn or lower.
func WarnLn(correlationId *string, v ...any) {
l := level.Get()
if l < level.Warn {
return
}
message := build("[WARN]", correlationId, v)
log(message)
}
// InfoLn logs an informational message with the provided correlationId and
// message arguments if the current log level is Info or lower.
func InfoLn(correlationId *string, v ...any) {
l := level.Get()
if l < level.Info {
return
}
message := build("[INFO]", correlationId, v)
log(message)
}
// AuditLn logs an audit message with the provided correlationId and message
// arguments. Audit messages are always logged, regardless of the current log
// level.
func AuditLn(correlationId *string, v ...any) {
message := build("[AUDIT]", correlationId, v)
log(message)
}
// DebugLn logs a debug message with the provided correlationId and message
// arguments if the current log level is Debug or lower.
func DebugLn(correlationId *string, v ...any) {
l := level.Get()
if l < level.Debug {
return
}
message := build("[DEBUG]", correlationId, v)
log(message)
}
// TraceLn logs a trace message with the provided correlationId and message
// arguments if the current log level is Trace or lower.
func TraceLn(correlationId *string, v ...any) {
l := level.Get()
if l < level.Trace {
return
}
message := build("[TRACE]", correlationId, v)
log(message)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package rpc
import (
"context"
"fmt"
stdlib "log"
"net"
"google.golang.org/grpc"
"github.com/vmware-tanzu/secrets-manager/core/log/rpc/generated"
)
// server struct implements the UnimplementedLogServiceServer interface generated
// by gRPC. It provides the functionality to handle log messages sent over gRPC
// by implementing the SendLog method.
type server struct {
generated.UnimplementedLogServiceServer
}
// SendLog prints the log message contained in the request to the standard output.
// This method demonstrates a simple logging service over gRPC, where log messages
// from clients are received and printed on the server side.
//
// Parameters:
// - ctx (context.Context): The context for the request, which allows for
// cancellation and request scoping.
// - in (*generated.LogRequest): The log request containing the message to
// be logged.
//
// Returns:
// - (*generated.LogResponse, error): Returns an empty LogResponse and nil
// error as the operation is expected to succeed without any conditional
// logic.
func (s *server) SendLog(ctx context.Context, in *generated.LogRequest,
) (*generated.LogResponse, error) {
fmt.Printf("%s", in.Message)
return &generated.LogResponse{}, nil
}
// CreateLogServer initializes and starts a gRPC server for logging services.
// It sets up a TCP listener on the address specified by SentinelLoggerUrl,
// registers the LogServiceServer, and starts serving incoming connections.
//
// Returns:
// - A pointer to the initialized grpc.Server if the server starts successfully.
// - Nil if there is an error in creating the listener or starting the server.
//
// Errors:
// - If it fails to create the TCP listener, it logs the error and returns nil.
// - If the server fails to start serving, it logs the error but still returns
// the server instance, which might not be in a fully operational state.
//
// Usage:
//
// server := logger.CreateLogServer()
// if server == nil {
// fmt.Println("Failed to start log server")
// } else {
// fmt.Println("Log server started successfully")
// }
func CreateLogServer() *grpc.Server {
lis, err := net.Listen("tcp", SentinelLoggerUrl())
if err != nil {
stdlib.Printf(
"Logger.CreateLogServer error creating log server: %v\n", err)
return nil
}
s := grpc.NewServer()
generated.RegisterLogServiceServer(s, &server{})
stdlib.Printf("Logger.CreateLogServer listening at %v", lis.Addr())
if err := s.Serve(lis); err != nil {
stdlib.Printf(
"Logger.CreateLogServer failed to serve log server: %v\n", err)
return s
}
return s
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package rpc
import "os"
// SentinelLoggerUrl retrieves the URL for the VSecM Sentinel Logger from the
// environment variable VSECM_SENTINEL_LOGGER_URL. If this environment variable
// is not set, it defaults to "localhost:50051".
//
// This url is used to configure gRPC logging service, which enables
// VSecM Sentinel's `safe` CLI command to send audit logs to the container's
// standard output.
func SentinelLoggerUrl() string {
u := os.Getenv("VSECM_SENTINEL_LOGGER_URL")
if u == "" {
return "localhost:50051"
}
return u
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package std
import (
"os"
)
func updateInfoWithExpectedEnvVars(
envVarsToPrint []string, info map[string]string) []string {
var nf []string
for _, envVar := range envVarsToPrint {
if value, exists := os.LookupEnv(envVar); exists {
info[envVar] = value
continue
}
nf = append(nf, envVar)
}
return nf
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package std
import (
"os"
"sort"
"strings"
)
// sortKeys returns a sorted list of keys from a map.
func sortKeys(m map[string]string) []string {
var keys []string
for key := range m {
keys = append(keys, key)
}
sort.Strings(keys)
return keys
}
func envVars() []string {
var envVarKeys []string
for _, v := range os.Environ() {
splitEnvVars := strings.Split(v, "=")
envVarKeys = append(envVarKeys, splitEnvVars[0])
}
sort.Strings(envVarKeys)
return envVarKeys
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package std
// PrintEnvironmentInfo prints information about specific environment variables,
// enabled features, and app's version.
func PrintEnvironmentInfo(id *string, envVarsToExpect []string) {
info := make(map[string]string)
notFound := updateInfoWithExpectedEnvVars(envVarsToExpect, info)
for _, v := range notFound {
WarnLn(id, "Environment variable '"+v+"' not found")
}
printFormattedInfo(id, info)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
// Package std provides a simple and flexible logging library with various
// log levels.
package std
import "github.com/vmware-tanzu/secrets-manager/core/log/level"
// FatalLn logs a fatal level message and exits.
func FatalLn(correlationID *string, v ...any) {
logMessage(level.Fatal, "[FATAL]", correlationID, v...)
}
// ErrorLn logs an error level message.
func ErrorLn(correlationID *string, v ...any) {
logMessage(level.Error, "[ERROR]", correlationID, v...)
}
// WarnLn logs a warning level message.
func WarnLn(correlationID *string, v ...any) {
logMessage(level.Warn, "[WARN]", correlationID, v...)
}
// InfoLn logs an info level message.
func InfoLn(correlationID *string, v ...any) {
logMessage(level.Info, "[INFO]", correlationID, v...)
}
// AuditLn logs an audit level message.
func AuditLn(correlationID *string, v ...any) {
logMessage(level.Audit, "[AUDIT]", correlationID, v...)
}
// DebugLn logs a debug level message.
func DebugLn(correlationID *string, v ...any) {
logMessage(level.Debug, "[DEBUG]", correlationID, v...)
}
// TraceLn logs a trace level message.
func TraceLn(correlationID *string, v ...any) {
logMessage(level.Trace, "[TRACE]", correlationID, v...)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package std
import (
"fmt"
"log"
"strings"
"github.com/vmware-tanzu/secrets-manager/core/log/level"
)
// getMaxEnvVarLength finds the maximum length of environment
// variable names dynamically.
func maxLen(envVars []string) int {
maxLength := 0
for _, envVar := range envVars {
if len(envVar) > maxLength {
maxLength = len(envVar)
}
}
return maxLength
}
// printFormattedInfo prints the collected information in a formatted way,
// ensuring proper alignment.
func printFormattedInfo(id *string, info map[string]string) {
infoKeys := sortKeys(info)
maxLength := maxLen(infoKeys)
idp := ""
if id == nil {
idp = "<nil>"
} else {
idp = *id
}
for _, key := range infoKeys {
padding := strings.Repeat(" ", maxLength-len(key))
fmt.Printf("%s %s%s: %s\n", idp, padding, toCustomCase(key), info[key])
}
}
// logMessage logs a message with the specified level, correlation ID, and
// message arguments. It checks the current log level to decide if the message
// should be logged.
func logMessage(l level.Level, prefix string, correlationID *string, v ...any) {
if l != level.Audit && level.Get() < l {
return
}
args := make([]any, 0, len(v)+2)
args = append(args, prefix)
if correlationID != nil {
args = append(args, *correlationID)
}
args = append(args, v...)
if l == level.Fatal {
log.Fatalln(args...)
return
}
log.Println(args...)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package std
import (
"strings"
"golang.org/x/text/cases"
"golang.org/x/text/language"
"github.com/vmware-tanzu/secrets-manager/core/constants/symbol"
)
// toCustomCase formats a string to a custom case, replacing underscores
// with spaces and capitalizing words.
func toCustomCase(input string) string {
caser := cases.Title(language.English)
return strings.ReplaceAll(caser.String(strings.ToLower(input)),
symbol.CustomCaseChangeDelimiter, " ")
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package probe
import (
"fmt"
"log"
"net/http"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
func ok(w http.ResponseWriter, _ *http.Request) {
_, err := fmt.Fprintf(w, val.Ok)
if err != nil {
log.Printf("probe response failure: %s", err.Error())
return
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package probe
import (
"fmt"
"log"
"net/http"
"time"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// CreateLiveness sets up and starts an HTTP server on the port specified by
// env.ProbeLivenessPort() to serve as a liveness probe for the application.
// The server listens for requests at the root path ("/") and responds with an
// "ok" message. If there is an error starting the server, the function logs
// a fatal message and returns.
func CreateLiveness() chan bool {
ready := make(chan bool)
go func() {
mux := http.NewServeMux()
mux.HandleFunc("/", ok)
err := http.ListenAndServe(env.ProbeLivenessPort(), mux)
if err != nil {
log.Fatalf("error creating liveness probe: %s", err.Error())
return
}
}()
go func() {
for {
resp, err := http.Get(fmt.Sprintf(
"http://localhost%s/", env.ProbeLivenessPort()))
if err == nil && resp.StatusCode == http.StatusOK {
ready <- true
return
}
time.Sleep(100 * time.Millisecond) // Wait before retrying
}
}()
return ready
}
// CreateReadiness sets up and starts an HTTP server on the port specified by
// env.ProbeReadinessPort() to serve as a readiness probe for the application.
// The server listens for requests at the root path ("/") and responds with an
// "ok" message. If there is an error starting the server, the function logs
// a fatal message and returns.
func CreateReadiness() chan bool {
ready := make(chan bool)
go func() {
mux := http.NewServeMux()
mux.HandleFunc("/", ok)
err := http.ListenAndServe(env.ProbeReadinessPort(), mux)
if err != nil {
log.Fatalf("error creating readiness probe: %s", err.Error())
return
}
}()
go func() {
for {
resp, err := http.Get(fmt.Sprintf(
"http://localhost%s/", env.ProbeReadinessPort()))
if err == nil && resp.StatusCode == http.StatusOK {
ready <- true
return
}
time.Sleep(100 * time.Millisecond) // Wait before retrying
}
}()
return ready
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package spiffe
import (
"context"
"errors"
"github.com/spiffe/go-spiffe/v2/workloadapi"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
// AcquireSourceForSentinel initiates an asynchronous operation to obtain an
// X509Source from the SPIFFE workload API, using the context for cancellation
// and a correlation ID for logging purposes.
//
// It attempts to create a new X509Source configured with the SPIRE server
// address from the environment, fetches the X509SVID from the source, and
// validates the SVID against a known VSecM Sentinel value to ensure the caller
// is operating within a trusted environment.
//
// Parameters:
// - ctx: A context.Context object used for cancellation and to carry metadata
// across API boundaries, including a correlation ID for tracking the
// operation in logs.
//
// Returns:
// - A pointer to a workloadapi.X509Source object if the source is
// successfully acquired and validated. This object can be used to obtain
// X.509 SVIDs for secure communication.
// - A boolean flag indicating whether the source was successfully acquired
// (true) or not (false). If false, the source pointer will be nil.
func AcquireSourceForSentinel(
ctx context.Context,
) (*workloadapi.X509Source, bool) {
resultChan := make(chan *workloadapi.X509Source)
errorChan := make(chan error)
cid := ctx.Value(key.CorrelationId).(*string)
go func() {
source, err := workloadapi.NewX509Source(
ctx, workloadapi.WithClientOptions(
workloadapi.WithAddr(env.SpiffeSocketUrl()),
),
)
if err != nil {
errorChan <- err
return
}
svid, err := source.GetX509SVID()
if err != nil {
errorChan <- err
return
}
// Make sure that the binary is enclosed in a Pod that we trust.
if !validation.IsSentinel(svid.ID.String()) {
errorChan <- errors.New(
"acquireSource: I don't know you, and it's crazy: '" +
svid.ID.String() + "'")
return
}
resultChan <- source
}()
select {
case source := <-resultChan:
log.InfoLn(cid, "acquireSource: Source acquired.")
return source, true
case err := <-errorChan:
log.ErrorLn(cid, "acquireSource: "+
"I cannot execute command because I cannot talk to SPIRE.",
err.Error())
return nil, false
case <-ctx.Done():
log.ErrorLn(cid, "acquireSource: Operation was cancelled.")
return nil, false
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package template
import (
"strings"
"github.com/vmware-tanzu/secrets-manager/core/constants/symbol"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
)
// removeKeyValueWithNoValue takes an input string containing key-value pairs
// and filters out pairs where the value is "<no value>". It splits the input
// string into key-value pairs, iterates through them, and retains only the
// pairs with values that are not equal to "<no value>".
// The function then joins the filtered pairs back into a string and returns the
// resulting string. This function effectively removes key-value pairs with
// "<no value>" from the input string. Helpful for data cleaning and filtering
// when you want to omit certain key/value pairs from a template.
func removeKeyValueWithNoValue(input string) string {
// Split the input string into key-value pairs
pairs := strings.Split(input, symbol.ItemSeparator)
// Initialize a slice to store the filtered pairs
var filteredPairs []string
for _, pair := range pairs {
keyValue := strings.SplitN(pair, symbol.Separator, 2)
if len(keyValue) == 2 && keyValue[1] != val.JsonEmpty {
// Add the pair to the filtered pairs if the value is not
// "<no value>"
filteredPairs = append(filteredPairs, pair)
}
}
// Join the filtered pairs back into a string
result := strings.Join(filteredPairs, ",")
return result
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package template
import (
"bytes"
"encoding/json"
"text/template"
"gopkg.in/yaml.v3"
)
// ValidJSON checks if the provided string is a valid JSON object.
//
// The function takes a string as input and attempts to unmarshal it
// into a map[string]any using the JSON package. If the unmarshalling
// is successful, it returns true, indicating that the string is a valid JSON
// object. Otherwise, it returns false.
func ValidJSON(s string) bool {
var js map[string]any
return json.Unmarshal([]byte(s), &js) == nil
}
// JsonToYaml converts a JSON string into a YAML string.
//
// The function takes a JSON string as input and attempts to unmarshal it
// into an empty interface. If the unmarshalling is successful, it marshals
// the data back into a YAML string using the YAML package.
//
// On success, the function returns the YAML string and a nil error.
// If there is any error during the conversion, it returns an empty string
// and the corresponding error.
func JsonToYaml(js string) (string, error) {
var jsonObj any
err := json.Unmarshal([]byte(js), &jsonObj)
if err != nil {
return "", err
}
yamlBytes, err := yaml.Marshal(jsonObj)
if err != nil {
return "", err
}
return string(yamlBytes), nil
}
// TryParse attempts to parse and execute a template with the given JSON string.
//
// The function takes two string inputs - a template string (tmpStr) and a JSON
// string. It attempts to parse the template string using the "text/template"
// package. If there is any error during parsing, the function returns the
// original JSON string.
//
// If the template is parsed successfully, the function attempts to execute the
// template using the provided JSON string as input data. If there is any error
// during execution, the function returns the original JSON string.
//
// On successful execution, the function returns the resulting string from the
// executed template.
func TryParse(tmpStr, jason string) string {
tmpl, err := template.New("secret").Parse(tmpStr)
if err != nil {
return jason
}
var result map[string]any
err = json.Unmarshal([]byte(jason), &result)
if err != nil {
return jason
}
var tpl bytes.Buffer
err = tmpl.Execute(&tpl, result)
if err != nil {
return jason
}
return removeKeyValueWithNoValue(tpl.String())
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package validation
import (
"fmt"
"regexp"
"strings"
"github.com/spiffe/go-spiffe/v2/workloadapi"
e "github.com/vmware-tanzu/secrets-manager/core/constants/env"
"github.com/vmware-tanzu/secrets-manager/core/env"
)
// Any SPIFFE ID regular expression matcher shall start with the
// `^spiffe://$trustDomain` prefix for extra security.
//
// This variable shall be treated as constant and should not be modified.
var spiffeRegexPrefixStart = "^spiffe://" + env.SpiffeTrustDomain() + "/"
var spiffeIdPrefixStart = "spiffe://" + env.SpiffeTrustDomain() + "/"
// IsWorkload checks if a given SPIFFE ID belongs to a workload.
//
// A SPIFFE ID (SPIFFE IDentifier) is a URI that uniquely identifies a workload
// in a secure, interoperable way. This function verifies if the provided
// SPIFFE ID meets the criteria to be classified as a workload ID based on
// certain environmental settings.
//
// The function performs the following checks:
// 1. If the `spiffeid` starts with a "^", it assumed that it is a regular
// expression pattern, it compiles the expression and checks if the SPIFFE
// ID matches it.
// 2. Otherwise, it checks if the SPIFFE ID starts with the proper prefix.
//
// Parameters:
//
// spiffeid (string): The SPIFFE ID to be checked.
//
// Returns:
//
// bool: `true` if the SPIFFE ID belongs to a workload, `false` otherwise.
func IsWorkload(spiffeid string) bool {
prefix := env.SpiffeIdPrefixForWorkload()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixWorkload) +
" environment variable. " +
" val: " + env.SpiffeIdPrefixForWorkload() +
" trust: " + env.SpiffeTrustDomain(),
)
}
nrw := env.NameRegExpForWorkload()
wre, err := regexp.Compile(nrw)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for SPIFFE ID." +
" Check the " + string(e.VSecMWorkloadNameRegExp) +
" environment variable." +
" val: " + env.NameRegExpForWorkload() +
" trust: " + env.SpiffeTrustDomain(),
)
}
match := wre.FindStringSubmatch(spiffeid)
if len(match) == 0 {
return false
}
return re.MatchString(spiffeid)
}
if !strings.HasPrefix(spiffeid, spiffeIdPrefixStart) {
return false
}
nrw := env.NameRegExpForWorkload()
if !strings.HasPrefix(nrw, spiffeRegexPrefixStart) {
// Insecure configuration detected.
// Panic to prevent further issues:
panic(
"Invalid regular expression pattern for SPIFFE ID." +
" Expected: ^spiffe://<trust_domain>/..." +
" Check the " + string(e.VSecMWorkloadNameRegExp) +
" environment variable." +
" val: " + env.NameRegExpForWorkload() +
" trust: " + env.SpiffeTrustDomain(),
)
}
wre, err := regexp.Compile(nrw)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for SPIFFE ID." +
" Check the " + string(e.VSecMWorkloadNameRegExp) +
" environment variable." +
" val: " + env.NameRegExpForWorkload() +
" trust: " + env.SpiffeTrustDomain(),
)
}
match := wre.FindStringSubmatch(spiffeid)
if len(match) == 0 {
return false
}
return strings.HasPrefix(spiffeid, prefix)
}
// IsSentinel checks if a given SPIFFE ID belongs to VSecM Sentinel.
//
// A SPIFFE ID (SPIFFE IDentifier) is a URI that uniquely identifies a workload
// in a secure, interoperable way. This function verifies if the provided
// SPIFFE ID meets the criteria to be classified as a workload ID based on
// certain environmental settings.
//
// The function performs the following checks:
// 1. If the `spiffeid` starts with a "^", it assumed that it is a regular
// expression pattern, it compiles the expression and checks if the SPIFFE
// ID matches it.
// 2. Otherwise, it checks if the SPIFFE ID starts with the proper prefix.
//
// Parameters:
//
// spiffeid (string): The SPIFFE ID to be checked.
//
// Returns:
//
// bool: `true` if the SPIFFE ID belongs to VSecM Sentinel, `false` otherwise.
func IsSentinel(spiffeid string) bool {
if !IsWorkload(spiffeid) {
return false
}
prefix := env.SpiffeIdPrefixForSentinel()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for VSecM Sentinel SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixSentinel) +
" environment variable." +
" val: " + env.SpiffeIdPrefixForSentinel() +
" trust: " + env.SpiffeTrustDomain(),
)
}
return re.MatchString(spiffeid)
}
return strings.HasPrefix(spiffeid, prefix)
}
func IsScout(spiffeid string) bool {
if !IsWorkload(spiffeid) {
return false
}
prefix := env.SpiffeIdPrefixForScout()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for VSecM Scout SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixScout) +
" environment variable." +
" val: " + env.SpiffeIdPrefixForScout() +
" trust: " + env.SpiffeTrustDomain(),
)
}
return re.MatchString(spiffeid)
}
return strings.HasPrefix(spiffeid, prefix)
}
func IsClerk(spiffeid string) bool {
if !IsWorkload(spiffeid) {
return false
}
prefix := env.SpiffeIdPrefixForClerk()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for VSecM Clerk SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixClerk) +
" environment variable." +
" val: " + env.SpiffeIdPrefixForClerk() +
" trust: " + env.SpiffeTrustDomain(),
)
}
return re.MatchString(spiffeid)
}
return strings.HasPrefix(spiffeid, prefix)
}
// IsSafe checks if a given SPIFFE ID belongs to VSecM Safe.
//
// A SPIFFE ID (SPIFFE IDentifier) is a URI that uniquely identifies a workload
// in a secure, interoperable way. This function verifies if the provided
// SPIFFE ID meets the criteria to be classified as a workload ID based on
// certain environmental settings.
//
// The function performs the following checks:
// 1. If the `spiffeid` starts with a "^", it assumed that it is a regular
// expression pattern, it compiles the expression and checks if the SPIFFE
// ID matches it.
// 2. Otherwise, it checks if the SPIFFE ID starts with the proper prefix.
//
// Parameters:
//
// spiffeid (string): The SPIFFE ID to be checked.
//
// Returns:
//
// bool: `true` if the SPIFFE ID belongs to VSecM Safe, `false` otherwise.
func IsSafe(spiffeid string) bool {
if !IsWorkload(spiffeid) {
return false
}
prefix := env.SpiffeIdPrefixForSafe()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for Sentinel SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixSafe) +
" environment variable." +
" val: " + env.SpiffeIdPrefixForSafe() +
" trust: " + env.SpiffeTrustDomain(),
)
}
return re.MatchString(spiffeid)
}
return strings.HasPrefix(spiffeid, prefix)
}
func IsRelayServer(spiffeid string) bool {
if !IsWorkload(spiffeid) {
return false
}
prefix := env.SpiffeIdPrefixForRelayServer()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for Relay Server SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixRelayServer) +
" environment variable." +
" val: " + env.SpiffeIdPrefixForRelayServer() +
" trust: " + env.SpiffeTrustDomain(),
)
}
return re.MatchString(spiffeid)
}
return strings.HasPrefix(spiffeid, prefix)
}
func IsRelayClient(spiffeid string) bool {
if !IsWorkload(spiffeid) {
return false
}
prefix := env.SpiffeIdPrefixForRelayClient()
if strings.HasPrefix(prefix, spiffeRegexPrefixStart) {
re, err := regexp.Compile(prefix)
if err != nil {
panic(
"Failed to compile the regular expression pattern " +
"for Relay Client SPIFFE ID." +
" Check the " + string(e.VSecMSpiffeIdPrefixRelayClient) +
" environment variable." +
" val: " + env.SpiffeIdPrefixForRelayClient() +
" trust: " + env.SpiffeTrustDomain(),
)
}
return re.MatchString(spiffeid)
}
return strings.HasPrefix(spiffeid, prefix)
}
// EnsureSafe checks the safety of the SPIFFE ID from the provided X509Source.
// It retrieves an X.509 SVID (SPIFFE Verifiable Identity Document) from the
// source, and validates the SPIFFE ID against a predefined safety check.
//
// If the X509Source fails to provide an SVID, the function will panic with an
// error message specifying the inability to retrieve the SVID.
//
// Similarly, if the SPIFFE ID from the retrieved SVID does not pass the safety
// check, the function will panic with an error message indicating that the
// SPIFFE ID is not recognized.
//
// Panicking in this function indicates severe issues with identity verification
// that require immediate attention and resolution.
//
// Usage:
//
// var source *workloadapi.X509Source // Assume source is properly initialized
// EnsureSafe(source)
func EnsureSafe(source *workloadapi.X509Source) {
svid, err := source.GetX509SVID()
if err != nil {
panic(
fmt.Sprintf(
"Unable to get X.509 SVID from source bundle: %s",
err.Error(),
),
)
}
svidId := svid.ID
if !IsSafe(svidId.String()) {
panic(
fmt.Sprintf(
"SpiffeId check: I don't know you, and it's crazy: %s",
svidId.String(),
),
)
}
}
func EnsureRelayServer(source *workloadapi.X509Source) {
svid, err := source.GetX509SVID()
if err != nil {
panic(
fmt.Sprintf(
"Unable to get X.509 SVID from source bundle: %s",
err.Error(),
),
)
}
svidId := svid.ID
if !IsRelayServer(svidId.String()) {
panic(
fmt.Sprintf(
"SpiffeId check: I don't know you, and it's crazy: %s",
svidId.String(),
),
)
}
}
func EnsureRelayClient(source *workloadapi.X509Source) {
svid, err := source.GetX509SVID()
if err != nil {
panic(
fmt.Sprintf(
"Unable to get X.509 SVID from source bundle: %s",
err.Error(),
),
)
}
svidId := svid.ID
if !IsRelayClient(svidId.String()) {
panic(
fmt.Sprintf(
"SpiffeId check: I don't know you, and it's crazy: %s",
svidId.String(),
),
)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"github.com/vmware-tanzu/secrets-manager/lib/system"
)
func main() {
// Run on the main thread to wait forever.
system.KeepAlive()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"encoding/base64"
"encoding/json"
"fmt"
"os"
"os/signal"
"syscall"
"github.com/spiffe/vsecm-sdk-go/sentry"
)
func main() {
go func() {
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
s := make(chan os.Signal, 1)
signal.Notify(s, syscall.SIGINT, syscall.SIGTERM)
select {
case e := <-s:
fmt.Println(e)
panic("bye cruel world!")
}
}()
// Fetch the secret from the VSecM Safe.
d, err := sentry.Fetch()
if err != nil {
fmt.Println("Failed to fetch the secrets. Try again later.")
fmt.Println(err.Error())
return
}
if d.Data == "" {
fmt.Println("No secret yet... Try again later.")
return
}
// Check if d.Data is a JSON array
if string(d.Data[0]) == "[" {
// Convert the array into a slice of strings
var dataSlice []string
err = json.Unmarshal([]byte(d.Data), &dataSlice)
if err != nil {
fmt.Println("Failed to unmarshal the data into a slice of strings. Check the data format.")
fmt.Println(err.Error())
return
}
// Concatenate all members of the slice into one large string
concatString := ""
for _, s := range dataSlice {
concatString += s
}
// Base64 decode the string
decodedString, err := base64.StdEncoding.DecodeString(concatString)
if err != nil {
fmt.Println("Failed to decode the base64 string.")
fmt.Println(err.Error())
fmt.Println("Raw data:")
fmt.Println(d.Data)
return
}
// Print the result
fmt.Println(string(decodedString))
} else {
// d.Data is a collection of Secrets.
fmt.Println(d.Data)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"os"
"os/signal"
"syscall"
"time"
)
func main() {
go func() {
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
s := make(chan os.Signal, 1)
signal.Notify(s, syscall.SIGINT, syscall.SIGTERM)
select {
case e := <-s:
fmt.Println(e)
panic("bye cruel world!")
}
}()
for {
fmt.Printf("My secret: '%s'.\n", os.Getenv("SECRET"))
fmt.Printf("My creds: username:'%s' password:'%s'.\n",
os.Getenv("USERNAME"), os.Getenv("PASSWORD"),
)
fmt.Println("")
// Print the contents of the mounted file, if you
// can read it.
path := "/opt/vsecm/secrets.json"
data, err := os.ReadFile(path)
if err == nil {
fmt.Println("File content: ", string(data))
}
fmt.Println("")
time.Sleep(5 * time.Second)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"github.com/spiffe/vsecm-sdk-go/sentry"
"strings"
)
func main() {
d, err := sentry.Fetch()
if err != nil {
msg := err.Error()
if strings.Contains(strings.ToLower(msg),
"secret does not exist",
) {
fmt.Print("NO_SECRET")
return
}
fmt.Print("ERR_SENTRY_FETCH_FAILED")
fmt.Print(" ", err.Error())
return
}
if strings.TrimSpace(d.Data) == "" {
fmt.Print("NO_SECRET")
}
fmt.Print(d.Data)
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"log"
"os"
"os/signal"
"syscall"
"time"
"github.com/spiffe/vsecm-sdk-go/sentry" // <- SDK
)
func main() {
go func() {
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
s := make(chan os.Signal, 1)
signal.Notify(s, syscall.SIGINT, syscall.SIGTERM)
select {
case e := <-s:
fmt.Println(e)
panic("bye cruel world!")
}
}()
for {
log.Println("fetch")
d, err := sentry.Fetch()
if err != nil {
fmt.Println("Failed to read the secrets file. Will retry in 5 seconds...")
fmt.Println(err.Error())
time.Sleep(5 * time.Second)
continue
}
if d.Data == "" {
fmt.Println("no secret yet... will check again later.")
time.Sleep(5 * time.Second)
continue
}
fmt.Printf(
"secret: updated: %s, created: %s, value: %s\n",
d.Updated, d.Created, d.Data,
)
time.Sleep(5 * time.Second)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"fmt"
"os"
)
func sidecarSecretsPath() string {
p := os.Getenv("VSECM_SIDECAR_SECRETS_PATH")
if p == "" {
p = "/opt/vsecm/secrets.json"
}
return p
}
func main() {
dat, err := os.ReadFile(sidecarSecretsPath())
if err != nil {
fmt.Print("ERR_READ_SECRET")
} else {
fmt.Print(string(dat))
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
// Note that there is no VSecM-specific dependency in the app's code:
// That's the benefit of using "VSecM Sidecar": The application
// has zero idea that `VSecM Safe` exists. From its perspective, it just knows
// that there are secrets in a predefined location that it can read and parse.
// And, that's a good way to separate cross-cutting concerns.
import (
"fmt"
"os"
"os/signal"
"syscall"
"time"
)
func sidecarSecretsPath() string {
p := os.Getenv("VSECM_SIDECAR_SECRETS_PATH")
if p == "" {
p = "/opt/vsecm/secrets.json"
}
return p
}
func main() {
go func() {
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
s := make(chan os.Signal, 1)
signal.Notify(s, syscall.SIGINT, syscall.SIGTERM)
select {
case e := <-s:
fmt.Println(e)
panic("bye cruel world!")
}
}()
for {
dat, err := os.ReadFile(sidecarSecretsPath())
if err != nil {
fmt.Println("Failed to read the secrets file. Will retry in 5 seconds...")
fmt.Println(err.Error())
} else {
fmt.Println("secret: '", string(dat), "'")
}
time.Sleep(5 * time.Second)
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"os/exec"
"strings"
"text/template"
)
type TrustDomainInfo struct {
Name string `json:"name"`
BundleEndpointURL string `json:"bundleEndpointUrl"`
TrustDomain string `json:"trustDomain"`
EndpointSPIFFEID string `json:"endpointSPIFFEID"`
}
type Config struct {
Diablo TrustDomainInfo `json:"diablo"`
Mephisto TrustDomainInfo `json:"mephisto"`
Baal TrustDomainInfo `json:"baal"`
Azmodan TrustDomainInfo `json:"azmodan"`
FederateWith []string `json:"federateWith"`
}
const crTemplate = `apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterFederatedTrustDomain
metadata:
name: {{ .Name }}
spec:
trustDomain: {{ .TrustDomain }}
bundleEndpointURL: {{ .BundleEndpointURL }}
bundleEndpointProfile:
type: https_spiffe
endpointSPIFFEID: {{ .EndpointSPIFFEID }}
trustDomainBundle: |-
{{ .TrustDomainBundle | indent 4 }}
`
func main() {
// Read and parse the JSON configuration file
configFile, err := os.Open("endpoints.json")
if err != nil {
fmt.Println("Error opening config file:", err)
return
}
defer configFile.Close()
var config Config
decoder := json.NewDecoder(configFile)
if err := decoder.Decode(&config); err != nil {
fmt.Println("Error parsing config file:", err)
return
}
// Create ClusterFederatedTrustDomain CRs for each federation target
for _, target := range config.FederateWith {
var info TrustDomainInfo
switch target {
case "diablo":
info = config.Diablo
case "mephisto":
info = config.Mephisto
case "baal":
info = config.Baal
case "azmodan":
info = config.Azmodan
default:
fmt.Printf("Unknown federation target: %s\n", target)
continue
}
// Fetch trust domain bundle
bundle, err := fetchTrustDomainBundle(info.BundleEndpointURL)
if err != nil {
fmt.Printf("Error fetching trust domain bundle for %s: %v\n", target, err)
continue
}
// Create CR
cr, err := createCR(target, info, bundle)
if err != nil {
fmt.Printf("Error creating CR for %s: %v\n", target, err)
continue
}
// Apply CR
err = applyCR(cr)
if err != nil {
fmt.Printf("Error applying CR for %s: %v\n", target, err)
continue
}
fmt.Printf("Successfully created and applied CR for %s\n", target)
}
}
func fetchTrustDomainBundle(url string) (string, error) {
// Create a new HTTP client with InsecureSkipVerify set to true
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
// Make the GET request
resp, err := client.Get(url)
if err != nil {
return "", err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", err
}
return string(body), nil
}
func createCR(name string, info TrustDomainInfo, bundle string) (string, error) {
tmpl, err := template.New("cr").Funcs(template.FuncMap{
"indent": func(spaces int, v string) string {
pad := strings.Repeat(" ", spaces)
return pad + strings.Replace(v, "\n", "\n"+pad, -1)
},
}).Parse(crTemplate)
if err != nil {
return "", err
}
// Pretty print the JSON bundle
var prettyJSON bytes.Buffer
err = json.Indent(&prettyJSON, []byte(bundle), "", " ")
if err != nil {
return "", fmt.Errorf("error formatting JSON: %v", err)
}
data := struct {
Name string
TrustDomain string
BundleEndpointURL string
EndpointSPIFFEID string
TrustDomainBundle string
}{
Name: name,
TrustDomain: info.TrustDomain,
BundleEndpointURL: info.BundleEndpointURL,
EndpointSPIFFEID: info.EndpointSPIFFEID,
TrustDomainBundle: prettyJSON.String(),
}
var buf bytes.Buffer
if err := tmpl.Execute(&buf, data); err != nil {
return "", err
}
return buf.String(), nil
}
func applyCR(cr string) error {
// Create a temporary file to store the CR
tmpfile, err := ioutil.TempFile("", "cr-*.yaml")
if err != nil {
return fmt.Errorf("error creating temporary file: %v", err)
}
// defer os.Remove(tmpfile.Name())
// Write the CR to the temporary file
if _, err := tmpfile.Write([]byte(cr)); err != nil {
return fmt.Errorf("error writing to temporary file: %v", err)
}
if err := tmpfile.Close(); err != nil {
return fmt.Errorf("error closing temporary file: %v", err)
}
// Apply the CR using microk8s kubectl
cmd := exec.Command("microk8s", "kubectl", "apply", "-f", tmpfile.Name())
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("error applying CR: %v, output: %s", err, string(output))
}
fmt.Printf("Successfully applied CR. Output: %s\n", string(output))
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"os/exec"
"strings"
"text/template"
)
type TrustDomainInfo struct {
Name string `json:"name"`
BundleEndpointURL string `json:"bundleEndpointUrl"`
TrustDomain string `json:"trustDomain"`
EndpointSPIFFEID string `json:"endpointSPIFFEID"`
}
type Config struct {
Diablo TrustDomainInfo `json:"diablo"`
Mephisto TrustDomainInfo `json:"mephisto"`
Baal TrustDomainInfo `json:"baal"`
Azmodan TrustDomainInfo `json:"azmodan"`
FederateWith []string `json:"federateWith"`
}
const crTemplate = `apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterFederatedTrustDomain
metadata:
name: {{ .Name }}
spec:
trustDomain: {{ .TrustDomain }}
bundleEndpointURL: {{ .BundleEndpointURL }}
bundleEndpointProfile:
type: https_spiffe
endpointSPIFFEID: {{ .EndpointSPIFFEID }}
trustDomainBundle: |-
{{ .TrustDomainBundle | indent 4 }}
`
func main() {
// Read and parse the JSON configuration file
configFile, err := os.Open("endpoints.json")
if err != nil {
fmt.Println("Error opening config file:", err)
return
}
defer configFile.Close()
var config Config
decoder := json.NewDecoder(configFile)
if err := decoder.Decode(&config); err != nil {
fmt.Println("Error parsing config file:", err)
return
}
// Create ClusterFederatedTrustDomain CRs for each federation target
for _, target := range config.FederateWith {
var info TrustDomainInfo
switch target {
case "diablo":
info = config.Diablo
case "mephisto":
info = config.Mephisto
case "baal":
info = config.Baal
case "azmodan":
info = config.Azmodan
default:
fmt.Printf("Unknown federation target: %s\n", target)
continue
}
// Fetch trust domain bundle
bundle, err := fetchTrustDomainBundle(info.BundleEndpointURL)
if err != nil {
fmt.Printf("Error fetching trust domain bundle for %s: %v\n", target, err)
continue
}
// Create CR
cr, err := createCR(target, info, bundle)
if err != nil {
fmt.Printf("Error creating CR for %s: %v\n", target, err)
continue
}
// Apply CR
err = applyCR(cr)
if err != nil {
fmt.Printf("Error applying CR for %s: %v\n", target, err)
continue
}
fmt.Printf("Successfully created and applied CR for %s\n", target)
}
}
func fetchTrustDomainBundle(url string) (string, error) {
// Create a new HTTP client with InsecureSkipVerify set to true
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
// Make the GET request
resp, err := client.Get(url)
if err != nil {
return "", err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", err
}
return string(body), nil
}
func createCR(name string, info TrustDomainInfo, bundle string) (string, error) {
tmpl, err := template.New("cr").Funcs(template.FuncMap{
"indent": func(spaces int, v string) string {
pad := strings.Repeat(" ", spaces)
return pad + strings.Replace(v, "\n", "\n"+pad, -1)
},
}).Parse(crTemplate)
if err != nil {
return "", err
}
// Pretty print the JSON bundle
var prettyJSON bytes.Buffer
err = json.Indent(&prettyJSON, []byte(bundle), "", " ")
if err != nil {
return "", fmt.Errorf("error formatting JSON: %v", err)
}
data := struct {
Name string
TrustDomain string
BundleEndpointURL string
EndpointSPIFFEID string
TrustDomainBundle string
}{
Name: name,
TrustDomain: info.TrustDomain,
BundleEndpointURL: info.BundleEndpointURL,
EndpointSPIFFEID: info.EndpointSPIFFEID,
TrustDomainBundle: prettyJSON.String(),
}
var buf bytes.Buffer
if err := tmpl.Execute(&buf, data); err != nil {
return "", err
}
return buf.String(), nil
}
func applyCR(cr string) error {
// Create a temporary file to store the CR
tmpfile, err := ioutil.TempFile("", "cr-*.yaml")
if err != nil {
return fmt.Errorf("error creating temporary file: %v", err)
}
// defer os.Remove(tmpfile.Name())
// Write the CR to the temporary file
if _, err := tmpfile.Write([]byte(cr)); err != nil {
return fmt.Errorf("error writing to temporary file: %v", err)
}
if err := tmpfile.Close(); err != nil {
return fmt.Errorf("error closing temporary file: %v", err)
}
// Apply the CR using microk8s kubectl
cmd := exec.Command("microk8s", "kubectl", "apply", "-f", tmpfile.Name())
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("error applying CR: %v, output: %s", err, string(output))
}
fmt.Printf("Successfully applied CR. Output: %s\n", string(output))
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"os/exec"
"strings"
"text/template"
)
type TrustDomainInfo struct {
Name string `json:"name"`
BundleEndpointURL string `json:"bundleEndpointUrl"`
TrustDomain string `json:"trustDomain"`
EndpointSPIFFEID string `json:"endpointSPIFFEID"`
}
type Config struct {
Diablo TrustDomainInfo `json:"diablo"`
Mephisto TrustDomainInfo `json:"mephisto"`
Baal TrustDomainInfo `json:"baal"`
Azmodan TrustDomainInfo `json:"azmodan"`
FederateWith []string `json:"federateWith"`
}
const crTemplate = `apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterFederatedTrustDomain
metadata:
name: {{ .Name }}
spec:
trustDomain: {{ .TrustDomain }}
bundleEndpointURL: {{ .BundleEndpointURL }}
bundleEndpointProfile:
type: https_spiffe
endpointSPIFFEID: {{ .EndpointSPIFFEID }}
trustDomainBundle: |-
{{ .TrustDomainBundle | indent 4 }}
`
func main() {
// Read and parse the JSON configuration file
configFile, err := os.Open("endpoints.json")
if err != nil {
fmt.Println("Error opening config file:", err)
return
}
defer configFile.Close()
var config Config
decoder := json.NewDecoder(configFile)
if err := decoder.Decode(&config); err != nil {
fmt.Println("Error parsing config file:", err)
return
}
// Create ClusterFederatedTrustDomain CRs for each federation target
for _, target := range config.FederateWith {
var info TrustDomainInfo
switch target {
case "diablo":
info = config.Diablo
case "mephisto":
info = config.Mephisto
case "baal":
info = config.Baal
case "azmodan":
info = config.Azmodan
default:
fmt.Printf("Unknown federation target: %s\n", target)
continue
}
// Fetch trust domain bundle
bundle, err := fetchTrustDomainBundle(info.BundleEndpointURL)
if err != nil {
fmt.Printf("Error fetching trust domain bundle for %s: %v\n", target, err)
continue
}
// Create CR
cr, err := createCR(target, info, bundle)
if err != nil {
fmt.Printf("Error creating CR for %s: %v\n", target, err)
continue
}
// Apply CR
err = applyCR(cr)
if err != nil {
fmt.Printf("Error applying CR for %s: %v\n", target, err)
continue
}
fmt.Printf("Successfully created and applied CR for %s\n", target)
}
}
func fetchTrustDomainBundle(url string) (string, error) {
// Create a new HTTP client with InsecureSkipVerify set to true
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
// Make the GET request
resp, err := client.Get(url)
if err != nil {
return "", err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", err
}
return string(body), nil
}
func createCR(name string, info TrustDomainInfo, bundle string) (string, error) {
tmpl, err := template.New("cr").Funcs(template.FuncMap{
"indent": func(spaces int, v string) string {
pad := strings.Repeat(" ", spaces)
return pad + strings.Replace(v, "\n", "\n"+pad, -1)
},
}).Parse(crTemplate)
if err != nil {
return "", err
}
// Pretty print the JSON bundle
var prettyJSON bytes.Buffer
err = json.Indent(&prettyJSON, []byte(bundle), "", " ")
if err != nil {
return "", fmt.Errorf("error formatting JSON: %v", err)
}
data := struct {
Name string
TrustDomain string
BundleEndpointURL string
EndpointSPIFFEID string
TrustDomainBundle string
}{
Name: name,
TrustDomain: info.TrustDomain,
BundleEndpointURL: info.BundleEndpointURL,
EndpointSPIFFEID: info.EndpointSPIFFEID,
TrustDomainBundle: prettyJSON.String(),
}
var buf bytes.Buffer
if err := tmpl.Execute(&buf, data); err != nil {
return "", err
}
return buf.String(), nil
}
func applyCR(cr string) error {
// Create a temporary file to store the CR
tmpfile, err := ioutil.TempFile("", "cr-*.yaml")
if err != nil {
return fmt.Errorf("error creating temporary file: %v", err)
}
// defer os.Remove(tmpfile.Name())
// Write the CR to the temporary file
if _, err := tmpfile.Write([]byte(cr)); err != nil {
return fmt.Errorf("error writing to temporary file: %v", err)
}
if err := tmpfile.Close(); err != nil {
return fmt.Errorf("error closing temporary file: %v", err)
}
// Apply the CR using microk8s kubectl
cmd := exec.Command("microk8s", "kubectl", "apply", "-f", tmpfile.Name())
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("error applying CR: %v, output: %s", err, string(output))
}
fmt.Printf("Successfully applied CR. Output: %s\n", string(output))
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"os/exec"
"strings"
"text/template"
)
type TrustDomainInfo struct {
Name string `json:"name"`
BundleEndpointURL string `json:"bundleEndpointUrl"`
TrustDomain string `json:"trustDomain"`
EndpointSPIFFEID string `json:"endpointSPIFFEID"`
}
type Config struct {
Diablo TrustDomainInfo `json:"diablo"`
Mephisto TrustDomainInfo `json:"mephisto"`
Baal TrustDomainInfo `json:"baal"`
Azmodan TrustDomainInfo `json:"azmodan"`
FederateWith []string `json:"federateWith"`
}
const crTemplate = `apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterFederatedTrustDomain
metadata:
name: {{ .Name }}
spec:
trustDomain: {{ .TrustDomain }}
bundleEndpointURL: {{ .BundleEndpointURL }}
bundleEndpointProfile:
type: https_spiffe
endpointSPIFFEID: {{ .EndpointSPIFFEID }}
trustDomainBundle: |-
{{ .TrustDomainBundle | indent 4 }}
`
func main() {
// Read and parse the JSON configuration file
configFile, err := os.Open("endpoints.json")
if err != nil {
fmt.Println("Error opening config file:", err)
return
}
defer configFile.Close()
var config Config
decoder := json.NewDecoder(configFile)
if err := decoder.Decode(&config); err != nil {
fmt.Println("Error parsing config file:", err)
return
}
// Create ClusterFederatedTrustDomain CRs for each federation target
for _, target := range config.FederateWith {
var info TrustDomainInfo
switch target {
case "diablo":
info = config.Diablo
case "mephisto":
info = config.Mephisto
case "baal":
info = config.Baal
case "azmodan":
info = config.Azmodan
default:
fmt.Printf("Unknown federation target: %s\n", target)
continue
}
// Fetch trust domain bundle
bundle, err := fetchTrustDomainBundle(info.BundleEndpointURL)
if err != nil {
fmt.Printf("Error fetching trust domain bundle for %s: %v\n", target, err)
continue
}
// Create CR
cr, err := createCR(target, info, bundle)
if err != nil {
fmt.Printf("Error creating CR for %s: %v\n", target, err)
continue
}
// Apply CR
err = applyCR(cr)
if err != nil {
fmt.Printf("Error applying CR for %s: %v\n", target, err)
continue
}
fmt.Printf("Successfully created and applied CR for %s\n", target)
}
}
func fetchTrustDomainBundle(url string) (string, error) {
// Create a new HTTP client with InsecureSkipVerify set to true
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
// Make the GET request
resp, err := client.Get(url)
if err != nil {
return "", err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", err
}
return string(body), nil
}
func createCR(name string, info TrustDomainInfo, bundle string) (string, error) {
tmpl, err := template.New("cr").Funcs(template.FuncMap{
"indent": func(spaces int, v string) string {
pad := strings.Repeat(" ", spaces)
return pad + strings.Replace(v, "\n", "\n"+pad, -1)
},
}).Parse(crTemplate)
if err != nil {
return "", err
}
// Pretty print the JSON bundle
var prettyJSON bytes.Buffer
err = json.Indent(&prettyJSON, []byte(bundle), "", " ")
if err != nil {
return "", fmt.Errorf("error formatting JSON: %v", err)
}
data := struct {
Name string
TrustDomain string
BundleEndpointURL string
EndpointSPIFFEID string
TrustDomainBundle string
}{
Name: name,
TrustDomain: info.TrustDomain,
BundleEndpointURL: info.BundleEndpointURL,
EndpointSPIFFEID: info.EndpointSPIFFEID,
TrustDomainBundle: prettyJSON.String(),
}
var buf bytes.Buffer
if err := tmpl.Execute(&buf, data); err != nil {
return "", err
}
return buf.String(), nil
}
func applyCR(cr string) error {
// Create a temporary file to store the CR
tmpfile, err := ioutil.TempFile("", "cr-*.yaml")
if err != nil {
return fmt.Errorf("error creating temporary file: %v", err)
}
// defer os.Remove(tmpfile.Name())
// Write the CR to the temporary file
if _, err := tmpfile.Write([]byte(cr)); err != nil {
return fmt.Errorf("error writing to temporary file: %v", err)
}
if err := tmpfile.Close(); err != nil {
return fmt.Errorf("error closing temporary file: %v", err)
}
// Apply the CR using microk8s kubectl
cmd := exec.Command("microk8s", "kubectl", "apply", "-f", tmpfile.Name())
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("error applying CR: %v, output: %s", err, string(output))
}
fmt.Printf("Successfully applied CR. Output: %s\n", string(output))
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package backoff
import (
"math"
"math/rand"
"time"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
// Strategy is a configuration for the backoff strategy to use when retrying
// operations.
type Strategy struct {
// Maximum number of retries before giving up (inclusive)
// Default is 10
MaxRetries int64 // Maximum number of retries before giving up (inclusive)
// Initial delay between retries (in milliseconds).
Delay time.Duration
// Whether to use exponential backoff or not (if false, constant delay
// (plus a random jitter) is used)
// Default is false
Exponential bool
// Maximum duration to wait between retries (in milliseconds)
// Default is 10 seconds
MaxWait time.Duration
}
// Retry implements a retry mechanism for a function that can fail
// (return an error).
// It accepts a scope for logging or identification purposes, a function that
// it will attempt to execute, and a strategy defining the behavior of the retry
// logic.
//
// The retry strategy allows for setting maximum retries, initial delay, whether
// to use exponential backoff, and a maximum duration for the delay. If
// exponential backoff is enabled, the delay between retries increases
// exponentially with each attempt, combined with a small randomization to
// prevent synchronization issues (thundering herd problem).
// If the function succeeds (returns nil), Retry will terminate early.
// If all retries are exhausted, the last error is returned.
//
// Params:
//
// scope string - A descriptive name or identifier for the context of the retry
// operation.
// f func() error - The function to execute and retry if it fails.
// s Strategy - Struct defining the retry parameters including maximum retries,
// delay strategy, and max delay.
//
// Returns:
//
// error - The last error returned by the function after all retries, or nil
// if the function eventually succeeds.
//
// Example of usage:
//
// err := Retry("database_connection", connectToDatabase, Strategy{
// MaxRetries: 5,
// Delay: 100,
// Exponential: true,
// MaxWait: 10 * time.Second,
// })
// if err != nil {
// fmt.Println("Failed to connect to database after retries:", err)
// }
func Retry(scope string, f func() error, s Strategy) error {
cid := crypto.Id()
s = withDefaults(s)
var err error
log.TraceLn(&cid, "Retry: starting retry loop")
for i := 0; i <= int(s.MaxRetries); i++ {
err = f()
log.TraceLn(&cid, "Retry: executed the function")
if err == nil {
log.TraceLn(&cid, "Retry: success")
return nil
}
var multiplier float64 = 1
// if exponential backoff is enabled then delay increases exponentially:
if s.Exponential {
multiplier = math.Pow(2, float64(i))
}
sDelayMs := s.Delay.Milliseconds()
if sDelayMs == 0 {
sDelayMs = 10
}
delayMs := multiplier * float64(sDelayMs)
delay := time.Duration(delayMs) * time.Millisecond
// Some randomness to avoid the thundering herd problem.
jitter := rand.Intn(int(sDelayMs))
delay += time.Duration(jitter) * time.Millisecond
if delay > s.MaxWait {
delay = s.MaxWait
}
log.TraceLn(&cid, "Retry: will sleep:", delay)
time.Sleep(delay)
log.TraceLn(&cid,
"Retrying after", delay, "ms for the scope",
scope, "-- attempt", i+1, "of", s.MaxRetries+1,
)
}
return err
}
type Mode string
var Exponential Mode = "exponential"
var Linear Mode = "linear"
func BaseStrategy() Strategy {
return Strategy{
MaxRetries: env.BackoffMaxRetries(),
Delay: env.BackoffDelay(),
Exponential: env.BackoffMode() == string(Exponential),
MaxWait: env.BackoffMaxWait(),
}
}
// RetryExponential is a helper function to retry an operation with exponential
// backoff.
func RetryExponential(scope string, f func() error) error {
return Retry(scope, f, BaseStrategy())
}
// RetryFixed is a helper function to retry an operation with fixed backoff.
func RetryFixed(scope string, f func() error) error {
s := BaseStrategy()
s.Exponential = false
return Retry(scope, f, s)
}
// withDefaults sets default values for the strategy if they are not set.
func withDefaults(s Strategy) Strategy {
if s.MaxRetries == 0 {
s.MaxRetries = 5
}
if s.Delay == 0 {
s.Delay = 1000
}
if s.Exponential && s.MaxWait == 0 {
s.MaxWait = 10 * time.Second
}
return s
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package crypto
import "crypto/rand"
const letters = "abcdefghijklmnopqrstuvwxyz" +
"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
var reader = rand.Read
// RandomString generates a cryptographically-unique secure random string.
func RandomString(n int) (string, error) {
bytes := make([]byte, n)
if _, err := reader(bytes); err != nil {
return "", err
}
for i, b := range bytes {
bytes[i] = letters[b%byte(len(letters))]
}
return string(bytes), nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package entity
import (
"fmt"
"strings"
"time"
)
// JsonTime wraps the standard time.Time type to provide JSON serialization and
// deserialization in RFC3339 format. This type ensures that the JSON
// representation of dates and times in Go applications follows a standard and
// easily interchangeable format.
type JsonTime time.Time
// MarshalJSON converts the JsonTime value to a JSON-formatted string in
// RFC3339 format. This method ensures JsonTime can be directly marshaled into
// a JSON string.
//
// Returns:
// - A byte slice containing the JSON-formatted date and time string.
// - An error if the formatting fails, though in practice this method should
// not error out since the time formatting used (RFC3339) is a valid and
// supported format.
func (t *JsonTime) MarshalJSON() ([]byte, error) {
stamp := fmt.Sprintf("\"%s\"", time.Time(*t).Format(time.RFC3339))
return []byte(stamp), nil
}
// String returns the JsonTime as a string formatted according to RFC3339.
// This method provides a standard way to convert a JsonTime object to a
// human-readable string.
func (t *JsonTime) String() string {
return time.Time(*t).Format(time.RFC3339)
}
// UnmarshalJSON parses a JSON-formatted string in RFC3339 format and sets
// the JsonTime accordingly. This method enables JsonTime to directly receive
// and parse time information from JSON data.
//
// Parameters:
// - data: a byte slice containing the JSON string to be parsed.
//
// Returns:
// - An error if the string is not in valid RFC3339 format or if the parsing
// fails.
func (t *JsonTime) UnmarshalJSON(data []byte) error {
str := string(data)
str = strings.Trim(str, "\"")
parsedTime, err := time.Parse(time.RFC3339, str)
if err != nil {
return err
}
*t = JsonTime(parsedTime)
return nil
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package spiffe
import (
"errors"
"net/http"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/svid/x509svid"
)
// IdFromRequest extracts the SPIFFE ID from the TLS peer certificate of
// an HTTP request.
// It checks if the incoming request has a valid TLS connection and at least one
// peer certificate.
// The first certificate in the chain is used to extract the SPIFFE ID.
//
// Params:
//
// r *http.Request - The HTTP request from which the SPIFFE ID is to be
// extracted.
//
// Returns:
//
// *spiffeid.ID - The SPIFFE ID extracted from the first peer certificate,
// or nil if extraction fails.
// error - An error object indicating the failure reason. Possible errors
// include the absence of peer certificates or a failure in extracting the
// SPIFFE ID from the certificate.
//
// Note:
//
// This function assumes that the request is already over a secured TLS
// connection and will fail if the TLS connection state is not available or
// the peer certificates are missing.
func IdFromRequest(r *http.Request) (*spiffeid.ID, error) {
tlsConnectionState := r.TLS
if len(tlsConnectionState.PeerCertificates) == 0 {
return nil, errors.New("no peer certs")
}
id, err := x509svid.IDFromCert(tlsConnectionState.PeerCertificates[0])
if err != nil {
return nil, errors.Join(
err,
errors.New("problem extracting svid"),
)
}
return &id, nil
}
// IdAsString retrieves the SPIFFE ID from an HTTP request and returns it as
// a string.
//
// Parameters:
// - cid: A string representing the context identifier.
// - r: A pointer to an http.Request from which the SPIFFE ID will be extracted.
//
// Returns:
// - A string representing the SPIFFE ID if it can be successfully retrieved;
// otherwise, an empty string.
//
// If the SPIFFE ID cannot be retrieved from the request, it logs an
// informational message and returns an empty string.
//
// Example usage:
//
// func handler(w http.ResponseWriter, r *http.Request) {
// cid := "exampleContextID"
// spiffeID := IdAsString(cid, r)
// fmt.Fprintf(w, "SPIFFE ID: %s", spiffeID)
// }
func IdAsString(r *http.Request) string {
sr, err := IdFromRequest(r)
if err != nil {
return ""
}
return sr.String()
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package system
import (
"fmt"
"os"
"os/signal"
"syscall"
)
// KeepAlive keeps the system alive until a `SIGINT` or `SIGTERM` comes to
// the progress. It does that by opening up a channel and keeping it open
// until a termination signal comes.
//
// Make sure you run it on the main thread (NOT in a goroutine) for it to
// take effect.
func KeepAlive() {
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
s := make(chan os.Signal, 1)
signal.Notify(s, syscall.SIGINT, syscall.SIGTERM)
select {
case e := <-s:
fmt.Println(e)
panic("bye cruel world!")
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package template
import (
"fmt"
"math/rand"
"regexp"
"strconv"
"strings"
"time"
)
// Constants for different character sets used in string generation.
const (
chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
numbers = "0123456789"
symbols = "!@#$%^&*()-_+={}[]|<>,.?/"
everything = chars + numbers + symbols
)
// generatorExprRanges represents a range of characters used in string
// generation.
type generatorExprRanges [][]byte
// seedAndReturnRandom returns a random integer based on a newly seeded source.
// The randomness is seeded each time to enhance unpredictability.
//
// Parameters:
// n - The exclusive upper limit for the generated random number.
//
// Returns:
// A random integer within the range [0, n).
func seedAndReturnRandom(n int) int {
return rand.New(rand.NewSource(time.Now().UnixNano())).Intn(n)
}
// everythingSlice returns a substring from the `everything` constant.
// It takes in two bytes representing the start and end of the desired range.
//
// Parameters:
// from - The starting byte of the range.
// to - The ending byte of the range.
//
// Returns:
// A string containing characters from the specified range.
// An error if the specified range is invalid.
func everythingSlice(from, to byte) (string, error) {
l, r := strings.Index(everything, string(from)),
strings.LastIndex(everything, string(to))
if l > r {
return "", fmt.Errorf("invalid range specified: %s-%s", string(from),
string(to))
}
return everything[l:r], nil
}
// replaceWithGenerated replaces a substring in a given string with randomly
// generated characters.
// The generated string adheres to specified character ranges and lengths.
//
// Parameters:
// s - A pointer to the string to be modified.
// expression - The substring to be replaced.
// ranges - A slice of byte slices, each representing a character range.
// length - The length of the generated string.
//
// Returns:
// An error if the character range is empty or invalid.
func replaceWithGenerated(s *string, expression string, ranges [][]byte,
length int) error {
var alphabet string
for _, r := range ranges {
switch string(r[0]) + string(r[1]) {
case `\w`:
alphabet += everything
case `\d`:
alphabet += numbers
case `\x`:
alphabet += symbols
default:
if slice, err := everythingSlice(r[0], r[1]); err != nil {
return err
} else {
alphabet += slice
}
}
}
if len(alphabet) == 0 {
return fmt.Errorf("empty range in expression: %s", expression)
}
result := make([]byte, length)
for i := 0; i <= length-1; i++ {
result[i] = alphabet[seedAndReturnRandom(len(alphabet))]
}
*s = strings.Replace(*s, expression, string(result), 1)
return nil
}
// Matches things like a-z 1-p, \d, \w, etc.
var rangeExp = regexp.MustCompile(`(\\?[a-zA-Z0-9]-?[a-zA-Z0-9]?)`)
// Matches things like [a-z]{8}, [A-Z]{8} \d \w, etc.
var generatorsExp = regexp.MustCompile(`\[([a-zA-Z0-9\-\\]+)](\{([0-9]+)})`)
// findExpressionPos finds the positions of character ranges in a string.
//
// Parameters:
// s - The string containing the character ranges.
//
// Returns:
// A generatorExprRanges representing the found character ranges.
func findExpressionPos(s string) generatorExprRanges {
matches := rangeExp.FindAllStringIndex(s, -1)
result := make(generatorExprRanges, len(matches), len(matches))
for i, r := range matches {
result[i] = []byte{s[r[0]], s[r[1]-1]}
}
return result
}
// rangesAndLength extracts a character range expression and its specified
// length from a string.
//
// Parameters:
// s - The string containing the expression and length specification.
//
// Returns:
// The extracted character range expression.
// The specified length for string generation.
// An error if the length parsing fails.
func rangesAndLength(s string) (string, int, error) {
expr := s[0:strings.LastIndex(s, "{")]
length, err := parseLength(s)
return expr, length, err
}
// parseLength extracts and parses the length part of a generator expression.
//
// Parameters:
// s - The string containing the length specification.
//
// Returns:
// The parsed length as an integer.
// An error if the length parsing fails.
func parseLength(s string) (int, error) {
lengthStr := s[strings.LastIndex(s, "{")+1 : len(s)-1]
if l, err := strconv.Atoi(lengthStr); err != nil {
return 0, fmt.Errorf("unable to parse length from %v", s)
} else {
return l, nil
}
}
/*
| Protect your secrets, protect your sensitive data.
: Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/ keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/' SPDX-License-Identifier: BSD-2-Clause
*/
package template
import (
"errors"
)
// Value creates a string based on a template with embedded generator
// expressions. The generator expressions specify character ranges and lengths
// for random string parts.
//
// Parameters:
// template - The string template containing generator expressions.
//
// Returns:
// The generated string adhering to the template specifications.
// An error if any generator expression is invalid or if the string
// generation fails.
//
// Example Usage:
//
// result, _ := Generate(`football[\w]{8}bartender`)
// log.Printf("result0=%v", result)
// result, _ = Generate(`admin[a-z0-9]{3}`)
// log.Printf("result1=%v", result)
// result, _ = Generate(`admin[a-z0-9]{3}something[\w]{3}`)
// log.Printf("result1=%v", result)
// result, _ = Generate(`pass[a-zA-Z0-9]{12}`)
// log.Printf("result2=%v", result)
// result, _ = Generate(`pass[a-Z]{8}`)
// log.Printf("result3=%v", result)
// result, err := Generate(`pass[z-a]{8}`)
// log.Printf("result4=%v; err=%v", result, err)
// result, _ = Generate(`football[\d]{8}bartender`)
// log.Printf("result5=%v", result)
// result, _ = Generate(`football[\symbol]{4}`)
// log.Printf("result5=%v", result)
//
// Example Output:
//
// 2024/01/04 06:37:30 result0=football{A?1o!u9bartender
// 2024/01/04 06:37:30 result1=admin7sg
// 2024/01/04 06:37:30 result1=adminsw8something^5^
// 2024/01/04 06:37:30 result2=passqWv04txU5sKs
// 2024/01/04 06:37:30 result3=passlRxDTdMz
// 2024/01/04 06:37:30 result4=; err=invalid range specified: z-a
// 2024/01/04 06:37:30 result5=football73579557bartender
func Value(template string) (string, error) {
result := template
matches := generatorsExp.FindAllStringIndex(template, -1)
if matches == nil {
return "", errors.New("no generator expressions found")
}
for _, r := range matches {
ranges, length, err := rangesAndLength(template[r[0]:r[1]])
if err != nil {
return "", err
}
positions := findExpressionPos(ranges)
if err := replaceWithGenerated(&result, template[r[0]:r[1]],
positions, length); err != nil {
return "", err
}
}
return result, nil
}