Merge pull request #3877 from MaxMcAdam/anax-3714

Issue 3714 - NodeSecret: agbot verifies that the node secret exists b…
open-horizon · Aug 21, 2023 · 964f7a7 · 964f7a7
2 parents c08acda + 638feae
commit 964f7a7
Show file tree

Hide file tree

Showing 7 changed files with 289 additions and 276 deletions.
diff --git a/agreementbot/agreementworker.go b/agreementbot/agreementworker.go
@@ -922,14 +922,27 @@ func (b *BaseAgreementWorker) ValidateAndExtractSecrets(consumerPolicy *policy.P
 				}
 
 				// The secret name might be a user private or org wide secret. Parse the name to determine which it is.
-				secretUser, secretNode, shortSecretName, err := compcheck.ParseVaultSecretName(secretName, msgPrinter)
+				secretUser, _, shortSecretName, err := compcheck.ParseVaultSecretName(secretName, msgPrinter)
 				if err != nil {
 					glog.Errorf(BAWlogstring(workerId, fmt.Sprintf("error parsing secret %v for policy %v, service %v/%v %v, error: %v", secretName, consumerPolicy.Header.Name, binding.ServiceOrgid, binding.ServiceUrl, binding.ServiceVersionRange, err)))
 					return err
 				}
 
 				// Call the secret manager plugin to get the secret details.
-				details, err := b.secretsMgr.GetSecretDetails(b.GetExchangeId(), b.GetExchangeToken(), exchange.GetOrg(deviceId), secretUser, secretNode, shortSecretName)
+				details := secrets.SecretDetails{}
+				if binding.EnableNodeLevelSecrets {
+					details, err = b.secretsMgr.GetSecretDetails(b.GetExchangeId(), b.GetExchangeToken(), exchange.GetOrg(deviceId), secretUser, exchange.GetId(deviceId), shortSecretName)
+					switch err.(type) {
+					case *secrets.NoSecretFound:
+						details, err = b.secretsMgr.GetSecretDetails(b.GetExchangeId(), b.GetExchangeToken(), exchange.GetOrg(deviceId), secretUser, "", shortSecretName)
+					}
+				} else {
+					details, err = b.secretsMgr.GetSecretDetails(b.GetExchangeId(), b.GetExchangeToken(), exchange.GetOrg(deviceId), secretUser, "", shortSecretName)
+				}
+
+				if err != nil {
+					return err
+				}
 
 				if err != nil {
 					glog.Errorf(BAWlogstring(workerId, fmt.Sprintf("error retrieving secret %v for policy %v, service %v/%v %v, error: %v", secretName, consumerPolicy.Header.Name, binding.ServiceOrgid, binding.ServiceUrl, binding.ServiceVersionRange, err)))

diff --git a/agreementbot/secrets/secrets.go b/agreementbot/secrets/secrets.go
@@ -35,9 +35,9 @@ type AgbotSecrets interface {
 	DeleteOrgNodeSecret(user, token, org, path string) error
 
 	ListUserNodeSecret(user, token, org, path string) error
-        ListUserNodeSecrets(user, token, org, node, path string) ([]string, error)
-        CreateUserNodeSecret(user, token, org, path string, data SecretDetails) error
-        DeleteUserNodeSecret(user, token, org, path string) error
+	ListUserNodeSecrets(user, token, org, node, path string) ([]string, error)
+	CreateUserNodeSecret(user, token, org, path string, data SecretDetails) error
+	DeleteUserNodeSecret(user, token, org, path string) error
 
 	// This function assumes that the plugin maintains an authentication to the secret manager that it can use
 	// when it doesnt need to call APIs with user creds. The creds used instead have the ability to READ secrets.

diff --git a/agreementbot/secrets/vault/vault.go b/agreementbot/secrets/vault/vault.go
@@ -53,16 +53,16 @@ func (vs *AgbotVaultSecrets) ListOrgSecret(user, token, org, path string) error
 
 // Available to all users in the org
 func (vs *AgbotVaultSecrets) ListOrgNodeSecret(user, token, org, path string) error {
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("list secret %v in org %v", path, org)))
-        url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        return vs.listSecret(user, token, org, path, url)
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("list secret %v in org %v", path, org)))
+	url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	return vs.listSecret(user, token, org, path, url)
 }
 
 // Available to admins and the user that owns the secret
 func (vs *AgbotVaultSecrets) ListUserNodeSecret(user, token, org, path string) error {
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("list secret %v in org %v as user %v", path, org, user)))
-        url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        return vs.listSecret(user, token, org, path, url)
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("list secret %v in org %v as user %v", path, org, user)))
+	url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	return vs.listSecret(user, token, org, path, url)
 }
 
 // Get the secret at a specified path within the vault
@@ -151,39 +151,39 @@ func (vs *AgbotVaultSecrets) ListOrgUserSecrets(user, token, org, path string) (
 // List all org-level node secrets at a specified path in vault.
 func (vs *AgbotVaultSecrets) ListOrgNodeSecrets(user, token, org, node, path string) ([]string, error) {
 
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("listing secrets for node %v in %v", node, org)))
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("listing secrets for node %v in %v", node, org)))
 
-        url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        secrets, err := vs.listSecrets(user, token, org, url, path)
-        if err != nil {
-                return nil, err
-        }
+	url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	secrets, err := vs.listSecrets(user, token, org, url, path)
+	if err != nil {
+		return nil, err
+	}
 
-        // trim the node/<node> prefix from the names
-        secretList := make([]string, 0)
-        for _, secret := range secrets {
-                secretList = append(secretList, strings.TrimPrefix(secret, path+"/"))
-        }
-        return secretList, nil
+	// trim the node/<node> prefix from the names
+	secretList := make([]string, 0)
+	for _, secret := range secrets {
+		secretList = append(secretList, strings.TrimPrefix(secret, path+"/"))
+	}
+	return secretList, nil
 }
 
 // List all user-level node secrets at a specified path in vault.
 func (vs *AgbotVaultSecrets) ListUserNodeSecrets(user, token, org, node, path string) ([]string, error) {
 
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("listing secrets for node %v in %v as user %v", node, org, user)))
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("listing secrets for node %v in %v as user %v", node, org, user)))
 
-        url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        secrets, err := vs.listSecrets(user, token, org, url, path)
-        if err != nil {
-                return nil, err
-        }
+	url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	secrets, err := vs.listSecrets(user, token, org, url, path)
+	if err != nil {
+		return nil, err
+	}
 
-        // trim the user/<user>/node/<node> prefix from the names
-        secretList := make([]string, 0)
-        for _, secret := range secrets {
-                secretList = append(secretList, strings.TrimPrefix(secret, path+"/"))
-        }
-        return secretList, nil
+	// trim the user/<user>/node/<node> prefix from the names
+	secretList := make([]string, 0)
+	for _, secret := range secrets {
+		secretList = append(secretList, strings.TrimPrefix(secret, path+"/"))
+	}
+	return secretList, nil
 }
 
 // the input queue is a list of secret names and directories. this function gathers the secret names provided
@@ -308,18 +308,18 @@ func (vs *AgbotVaultSecrets) CreateOrgSecret(user, token, org, path string, data
 
 // Available only to org admins
 func (vs *AgbotVaultSecrets) CreateOrgNodeSecret(user, token, org, path string, data secrets.SecretDetails) error {
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("creating secret %s in org %s", path, org)))
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("creating secret %s in org %s", path, org)))
 
-        url := fmt.Sprintf("%s/v1/openhorizon/data/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        return vs.createSecret(user, token, org, path, url, data)
+	url := fmt.Sprintf("%s/v1/openhorizon/data/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	return vs.createSecret(user, token, org, path, url, data)
 }
 
 // Available only to all users in an org
 func (vs *AgbotVaultSecrets) CreateUserNodeSecret(user, token, org, path string, data secrets.SecretDetails) error {
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("creating secret %s in org %s", path, org)))
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("creating secret %s in org %s", path, org)))
 
-        url := fmt.Sprintf("%s/v1/openhorizon/data/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        return vs.createSecret(user, token, org, path, url, data)
+	url := fmt.Sprintf("%s/v1/openhorizon/data/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	return vs.createSecret(user, token, org, path, url, data)
 }
 
 // This utility will be used to create secrets.
@@ -396,18 +396,18 @@ func (vs *AgbotVaultSecrets) DeleteOrgSecret(user, token, org, path string) erro
 
 // Available to only org admin users
 func (vs *AgbotVaultSecrets) DeleteOrgNodeSecret(user, token, org, path string) error {
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("delete secret %s in org %s", path, org)))
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("delete secret %s in org %s", path, org)))
 
-        url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        return vs.deleteSecret(user, token, org, path, url)
+	url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	return vs.deleteSecret(user, token, org, path, url)
 }
 
 // Available to all users in the org
 func (vs *AgbotVaultSecrets) DeleteUserNodeSecret(user, token, org, path string) error {
-        glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("delete secret %s in org %s", path, org)))
+	glog.V(3).Infof(vaultPluginLogString(fmt.Sprintf("delete secret %s in org %s", path, org)))
 
-        url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
-        return vs.deleteSecret(user, token, org, path, url)
+	url := fmt.Sprintf("%s/v1/openhorizon/metadata/%s"+cliutils.AddSlash(path), vs.cfg.GetAgbotVaultURL(), org)
+	return vs.deleteSecret(user, token, org, path, url)
 }
 
 // This utility will be used to delete secrets.