add secret engine to ID

open-component-model · Nov 2, 2023 · a94128e · a94128e
1 parent 8e54109
commit a94128e
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 15 deletions.
diff --git a/docs/reference/ocm_credential-handling.md b/docs/reference/ocm_credential-handling.md
@@ -128,6 +128,7 @@ The following credential consumer types are used/supported:
       - <code>scheme</code>: (optional) URL scheme
       - <code>port</code>: (optional) server port
       - <code>namespace</code>: vault namespace
+      - <code>secretEngine</code>: secret engine
       - <code>pathprefix</code>: path prefix for secret
 
 
@@ -259,6 +260,7 @@ behaviours are described in the following list:
     - <code>scheme</code>: (optional) URL scheme
     - <code>port</code>: (optional) server port
     - <code>namespace</code>: vault namespace
+    - <code>secretEngine</code>: secret engine
     - <code>pathprefix</code>: path prefix for secret
 
 

diff --git a/docs/reference/ocm_get_credentials.md b/docs/reference/ocm_get_credentials.md
@@ -53,6 +53,7 @@ Matchers exist for the following usage contexts or consumer types:
       - <code>scheme</code>: (optional) URL scheme
       - <code>port</code>: (optional) server port
       - <code>namespace</code>: vault namespace
+      - <code>secretEngine</code>: secret engine
       - <code>pathprefix</code>: path prefix for secret
 
 

diff --git a/pkg/contexts/credentials/repositories/vault/identity/identity.go b/pkg/contexts/credentials/repositories/vault/identity/identity.go
@@ -7,7 +7,6 @@ package identity
 import (
 	"net"
 	"net/url"
-	"path"
 	"strings"
 
 	"github.com/open-component-model/ocm/pkg/contexts/credentials/cpi"
@@ -20,11 +19,12 @@ const CONSUMER_TYPE = "HashiCorpVault"
 
 // identity properties.
 const (
-	ID_HOSTNAME   = hostpath.ID_HOSTNAME
-	ID_SCHEMA     = hostpath.ID_SCHEME
-	ID_PORT       = hostpath.ID_PORT
-	ID_PATHPREFIX = hostpath.ID_PATHPREFIX
-	ID_NAMESPACE  = "namespace"
+	ID_HOSTNAME     = hostpath.ID_HOSTNAME
+	ID_SCHEMA       = hostpath.ID_SCHEME
+	ID_PORT         = hostpath.ID_PORT
+	ID_PATHPREFIX   = hostpath.ID_PATHPREFIX
+	ID_SECRETENGINE = "secretEngine"
+	ID_NAMESPACE    = "namespace"
 )
 
 // credential properties.
@@ -46,6 +46,9 @@ func IdentityMatcher(request, cur, id cpi.ConsumerIdentity) bool {
 	if id[ID_NAMESPACE] != request[ID_NAMESPACE] {
 		return false
 	}
+	if id[ID_SECRETENGINE] != "" && id[ID_SECRETENGINE] != request[ID_SECRETENGINE] {
+		return false
+	}
 	return identityMatcher(request, cur, id)
 }
 
@@ -62,6 +65,7 @@ func init() {
 		ID_SCHEMA, "(optional) URL scheme",
 		ID_PORT, "(optional) server port",
 		ID_NAMESPACE, "vault namespace",
+		ID_SECRETENGINE, "secret engine",
 		ID_PATHPREFIX, "path prefix for secret",
 	})
 	cpi.RegisterStandardIdentity(CONSUMER_TYPE, identityMatcher,
@@ -75,7 +79,7 @@ The only supported auth methods, so far, are <code>token</code> and <code>approl
 `)
 }
 
-func GetConsumerId(serverurl string, namespace string, secretpath ...string) (cpi.ConsumerIdentity, error) {
+func GetConsumerId(serverurl string, namespace string, secretengine string, secretpath string) (cpi.ConsumerIdentity, error) {
 	if serverurl == "" {
 		return nil, errors.Newf("server address must be given")
 	}
@@ -105,16 +109,18 @@ func GetConsumerId(serverurl string, namespace string, secretpath ...string) (cp
 	if namespace != "" {
 		id[ID_NAMESPACE] = namespace
 	}
+	if secretengine != "" {
+		id[ID_SECRETENGINE] = secretengine
+	}
 
-	p := path.Join(secretpath...)
-	if p != "" {
-		id[ID_PATHPREFIX] = p
+	if secretpath != "" {
+		id[ID_PATHPREFIX] = secretpath
 	}
 	return id, nil
 }
 
-func GetCredentials(ctx cpi.ContextProvider, serverurl, namespace string, secretpath ...string) (cpi.Credentials, error) {
-	id, err := GetConsumerId(serverurl, namespace, secretpath...)
+func GetCredentials(ctx cpi.ContextProvider, serverurl, namespace string, secretengine, secretpath string) (cpi.Credentials, error) {
+	id, err := GetConsumerId(serverurl, namespace, secretengine, secretpath)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/contexts/credentials/repositories/vault/provider.go b/pkg/contexts/credentials/repositories/vault/provider.go
@@ -100,11 +100,14 @@ func (p *ConsumerProvider) update() error {
 	if err := client.SetToken(token); err != nil {
 		return err
 	}
+	if err := client.SetNamespace(p.repository.spec.Namespace); err != nil {
+		return err
+	}
 
+	// TODO: support for pure path based access for other secret engine types
 	secrets := slices.Clone(p.repository.spec.Secrets)
 	if len(secrets) == 0 {
 		s, err := client.Secrets.KvV2List(ctx, p.repository.spec.Path,
-			vault.WithNamespace(p.repository.spec.Namespace),
 			vault.WithMountPath(p.repository.spec.SecretsEngine))
 		if err != nil {
 			return err
@@ -175,7 +178,6 @@ func (p *ConsumerProvider) read(ctx context.Context, client *vault.Client, secre
 
 	secret = path.Join(p.repository.spec.Path, secret)
 	s, err := client.Secrets.KvV2Read(ctx, secret,
-		vault.WithNamespace(p.repository.spec.Namespace),
 		vault.WithMountPath(p.repository.spec.SecretsEngine))
 	if err != nil {
 		return nil, nil, nil, err

diff --git a/pkg/contexts/credentials/repositories/vault/repository.go b/pkg/contexts/credentials/repositories/vault/repository.go
@@ -24,7 +24,7 @@ var (
 )
 
 func NewRepository(ctx cpi.Context, spec *RepositorySpec) (*Repository, error) {
-	id, err := identity.GetConsumerId(spec.ServerURL, spec.Namespace, spec.Path)
+	id, err := identity.GetConsumerId(spec.ServerURL, spec.Namespace, spec.SecretsEngine, spec.Path)
 	if err != nil {
 		return nil, err
 	}