// SPDX-License-Identifier: Apache-2.0
package secret
import (
"fmt"
"net/http"
"strings"
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/go-vela/server/constants"
"github.com/go-vela/server/router/middleware/claims"
"github.com/go-vela/server/secret"
"github.com/go-vela/server/util"
)
// swagger:operation GET /api/v1/secrets/{engine}/{type}/{org}/{name}/{secret} secrets GetSecret
//
// Get a secret
//
// ---
// produces:
// - application/json
// parameters:
// - in: path
// name: engine
// description: Secret engine to get the secret from, e.g. "native"
// required: true
// type: string
// - in: path
// name: type
// description: Secret type to get
// enum:
// - org
// - repo
// - shared
// required: true
// type: string
// - in: path
// name: org
// description: Name of the organization
// required: true
// type: string
// - in: path
// name: name
// description: Name of the repository if a repository secret, team name if a shared secret, or '*' if an organization secret
// required: true
// type: string
// - in: path
// name: secret
// description: Name of the secret
// required: true
// type: string
// security:
// - ApiKeyAuth: []
// responses:
// '200':
// description: Successfully retrieved the secret
// schema:
// "$ref": "#/definitions/Secret"
// '401':
// description: Unauthorized
// schema:
// "$ref": "#/definitions/Error"
// '500':
// description: Unexpected server error
// schema:
// "$ref": "#/definitions/Error"
// GetSecret gets a secret from the provided secrets service.
//
// The engine, type, org, name and secret path parameters select the secret.
// What is returned depends on the caller's token type: a token whose type
// matches constants.WorkerBuildTokenType (compared case-insensitively) receives
// the secret exactly as the engine returned it; every other caller receives the
// result of Sanitize(). Any error from the engine is reported as a 500.
//
// NOTE(review): this handler performs no permission check of its own on the
// requested org/repo/team; presumably that is enforced by router middleware
// before this point — confirm against the route registration.
func GetSecret(c *gin.Context) {
	// values placed on the gin context by earlier middleware; MustGet panics
	// if the "logger" key is absent
	baseLog := c.MustGet("logger").(*logrus.Entry)
	tokenClaims := claims.Retrieve(c)

	// caller-supplied path parameters identifying the secret
	engine := util.PathParameter(c, "engine")
	secretType := util.PathParameter(c, "type")
	org := util.PathParameter(c, "org")
	name := util.PathParameter(c, "name")
	secretName := strings.TrimPrefix(util.PathParameter(c, "secret"), "/")
	ctx := c.Request.Context()

	// human-readable identifier used in log and error messages
	entry := strings.Join([]string{secretType, org, name, secretName}, "/")

	// create log fields from API metadata; the "name" segment is a team for
	// shared secrets and a repository otherwise
	fields := logrus.Fields{
		"secret_engine": engine,
		"secret_org":    org,
		"secret_name":   secretName,
		"secret_type":   secretType,
	}
	if strings.EqualFold(secretType, constants.SecretShared) {
		fields["secret_team"] = name
	} else {
		fields["secret_repo"] = name
	}

	// update engine logger with API metadata
	//
	// https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Entry.WithFields
	logger := baseLog.WithFields(fields)

	// NOTE(review): entry is assembled from request path parameters and is
	// written to the log with %s; confirm the configured formatter escapes
	// control characters.
	logger.Debugf("reading secret %s from %s service", entry, engine)

	// send API call to capture the secret
	found, err := secret.FromContext(c, engine).Get(ctx, secretType, org, name, secretName)
	if err != nil {
		// NOTE(review): the engine's error is wrapped and handed to
		// util.HandleError; verify that the response body does not expose
		// backend detail the caller should not see.
		util.HandleError(c, http.StatusInternalServerError,
			fmt.Errorf("unable to get secret %s from %s service: %w", entry, engine, err))

		return
	}

	// only workers may receive the full secret with the value; everyone else
	// gets the sanitized form
	isWorker := strings.EqualFold(tokenClaims.TokenType, constants.WorkerBuildTokenType)
	if !isWorker {
		logger.Infof("retrieved secret %s from %s service", entry, engine)

		c.JSON(http.StatusOK, found.Sanitize())

		return
	}

	// NOTE(review): the worker path returns the unsanitized secret without an
	// info-level log entry; only the debug line above records the read.
	// Consider whether this access should be auditable.
	c.JSON(http.StatusOK, found)
}