-
Notifications
You must be signed in to change notification settings - Fork 74
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
203 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
66 changes: 66 additions & 0 deletions
66
hoplite-vault/src/main/kotlin/com/sksamuel/hoplite/vault/VaultContextResolver.kt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
package com.sksamuel.hoplite.vault | ||
|
||
import com.sksamuel.hoplite.ConfigFailure | ||
import com.sksamuel.hoplite.ConfigResult | ||
import com.sksamuel.hoplite.DecoderContext | ||
import com.sksamuel.hoplite.Node | ||
import com.sksamuel.hoplite.Reporter | ||
import com.sksamuel.hoplite.StringNode | ||
import com.sksamuel.hoplite.fp.invalid | ||
import com.sksamuel.hoplite.fp.valid | ||
import com.sksamuel.hoplite.resolver.ContextResolver | ||
import org.springframework.vault.core.VaultKeyValueOperationsSupport | ||
import org.springframework.vault.core.VaultTemplate | ||
|
||
class VaultContextResolver( | ||
private val createClient: () -> VaultTemplate, | ||
private val report: Boolean = false, | ||
private val apiVersion: VaultKeyValueOperationsSupport.KeyValueBackend = VaultKeyValueOperationsSupport.KeyValueBackend.KV_2 | ||
) : ContextResolver() { | ||
|
||
private val client by lazy { createClient() } | ||
|
||
override val contextKey: String = "vault" | ||
override val default: Boolean = false | ||
|
||
private val tokenRegex = "(.+)\\s+(.+)".toRegex() | ||
|
||
override fun lookup(path: String, node: StringNode, root: Node, context: DecoderContext): ConfigResult<String?> { | ||
return when (val match = tokenRegex.matchEntire(path)) { | ||
null -> ConfigFailure.ResolverFailure("Must specify vault key at '${path}'").invalid() | ||
else -> fetchSecret(match.groupValues[1], match.groupValues[2], context.reporter) | ||
} | ||
} | ||
|
||
private fun fetchSecret( | ||
path: String, | ||
key: String, | ||
reporter: Reporter, | ||
): ConfigResult<String> = runCatching { | ||
|
||
val paths = path.split("/") | ||
if (paths.size < 2) return ConfigFailure.ResolverFailure("Invalid vault path '$path'").invalid() | ||
|
||
val ops = client.opsForKeyValue(paths[0], apiVersion) | ||
val pathSecret = ops.get(paths.drop(1).joinToString("/")) | ||
?: return ConfigFailure.ResolverFailure("Vault path '$path' not found").invalid() | ||
|
||
if (report) { | ||
reporter.report( | ||
"Vault Lookups", | ||
mapOf("Path" to path, "Key" to key, "Lease Id" to pathSecret.leaseId) | ||
) | ||
} | ||
|
||
val data = pathSecret.data | ||
if (data == null) { | ||
ConfigFailure.ResolverFailure("No data at path '$path' in Vault").invalid() | ||
} else { | ||
val value = data[key] | ||
value?.toString()?.valid() | ||
?: ConfigFailure.ResolverFailure("Vault key '$key' not found in path '$path'").invalid() | ||
} | ||
}.getOrElse { | ||
ConfigFailure.ResolverException("Failed loading secret '$path $key' from Vault", it).invalid() | ||
} | ||
} |
121 changes: 121 additions & 0 deletions
121
hoplite-vault/src/test/kotlin/com/sksamuel/hoplite/vault/VaultContextResolverTest.kt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,121 @@ | ||
package com.sksamuel.hoplite.vault | ||
|
||
import com.sksamuel.hoplite.ConfigException | ||
import com.sksamuel.hoplite.ConfigLoaderBuilder | ||
import com.sksamuel.hoplite.parsers.PropsPropertySource | ||
import io.kotest.assertions.throwables.shouldThrow | ||
import io.kotest.core.extensions.install | ||
import io.kotest.core.spec.style.FunSpec | ||
import io.kotest.extensions.testcontainers.TestContainerExtension | ||
import io.kotest.matchers.shouldBe | ||
import io.kotest.matchers.string.shouldContain | ||
import org.springframework.vault.authentication.TokenAuthentication | ||
import org.springframework.vault.client.VaultEndpoint | ||
import org.springframework.vault.core.VaultTemplate | ||
import org.testcontainers.utility.DockerImageName | ||
import org.testcontainers.vault.VaultContainer | ||
import java.util.Properties | ||
import kotlin.collections.set | ||
|
||
class VaultContextResolverTest : FunSpec({ | ||
|
||
val image = DockerImageName.parse("vault:1.9.7") | ||
val container = VaultContainer(image) | ||
.withVaultToken("my-token") | ||
.withSecretInVault("secret/testing", "secret1=topsecret!") | ||
.withSecretInVault("secret/testing/nested", "secret2=bottomsecret!") | ||
|
||
val ext = TestContainerExtension(container) | ||
install(ext) | ||
|
||
test("placeholder should be detected and used") { | ||
|
||
val props = Properties() | ||
props["foo"] = "vault://secret/testing secret1" | ||
props["bar"] = "vault://secret/testing/nested secret2" | ||
|
||
val endpoint = VaultEndpoint.create(container.host, container.firstMappedPort) | ||
endpoint.scheme = "http" // test container doesn't use https | ||
|
||
val template = VaultTemplate(endpoint, TokenAuthentication("my-token")) | ||
|
||
val config = ConfigLoaderBuilder.default() | ||
.removePreprocessors() | ||
.addResolver(VaultContextResolver({ template })) | ||
.addPropertySource(PropsPropertySource(props)) | ||
.build() | ||
.loadConfigOrThrow<ConfigHolder>() | ||
|
||
config.foo.shouldBe("topsecret!") | ||
config.bar.shouldBe("bottomsecret!") | ||
} | ||
|
||
test("invalid vault placeholder error") { | ||
|
||
val props = Properties() | ||
props["foo"] = "vault://secret qwerty" | ||
props["bar"] = "vault://secret/testing/nested" | ||
|
||
val endpoint = VaultEndpoint.create(container.host, container.firstMappedPort) | ||
endpoint.scheme = "http" // test container doesn't use https | ||
|
||
val template = VaultTemplate(endpoint, TokenAuthentication("my-token")) | ||
|
||
shouldThrow<ConfigException> { | ||
ConfigLoaderBuilder.default() | ||
.removePreprocessors() | ||
.addResolver(VaultContextResolver({ template })) | ||
.addPropertySource(PropsPropertySource(props)) | ||
.build() | ||
.loadConfigOrThrow<ConfigHolder>() | ||
}.message | ||
.shouldContain("Invalid vault path 'secret'") | ||
.shouldContain("Must specify vault key at 'secret/testing/nested'") | ||
} | ||
|
||
test("missing keys error message") { | ||
|
||
val props = Properties() | ||
props["foo"] = "vault://secret/testing a" | ||
props["bar"] = "vault://secret/testing b" | ||
|
||
val endpoint = VaultEndpoint.create(container.host, container.firstMappedPort) | ||
endpoint.scheme = "http" // test container doesn't use https | ||
|
||
val template = VaultTemplate(endpoint, TokenAuthentication("my-token")) | ||
|
||
shouldThrow<ConfigException> { | ||
ConfigLoaderBuilder.default() | ||
.removePreprocessors() | ||
.addResolver(VaultContextResolver({ template })) | ||
.addPropertySource(PropsPropertySource(props)) | ||
.build() | ||
.loadConfigOrThrow<ConfigHolder>() | ||
}.message | ||
.shouldContain("Vault key 'a' not found in path 'secret/testing'") | ||
.shouldContain("Vault key 'b' not found in path 'secret/testing'") | ||
} | ||
|
||
test("missing path error message") { | ||
|
||
val props = Properties() | ||
props["foo"] = "vault://secret/foo secret1" | ||
props["bar"] = "vault://secret/bar secret2" | ||
|
||
val endpoint = VaultEndpoint.create(container.host, container.firstMappedPort) | ||
endpoint.scheme = "http" // test container doesn't use https | ||
|
||
val template = VaultTemplate(endpoint, TokenAuthentication("my-token")) | ||
|
||
shouldThrow<ConfigException> { | ||
ConfigLoaderBuilder.default() | ||
.removePreprocessors() | ||
.addResolver(VaultContextResolver({ template })) | ||
.addPropertySource(PropsPropertySource(props)) | ||
.build() | ||
.loadConfigOrThrow<ConfigHolder>() | ||
}.message | ||
.shouldContain("Vault path 'secret/foo' not found") | ||
.shouldContain("Vault path 'secret/bar' not found") | ||
} | ||
}) |