// SPDX-License-Identifier: Apache-2.0
package secret
import (
"fmt"
"strings"
"time"
"github.com/sirupsen/logrus"
"github.com/go-vela/server/constants"
"github.com/go-vela/server/database"
"github.com/go-vela/server/secret/native"
"github.com/go-vela/server/secret/vault"
)
// Setup represents the configuration necessary for
// creating a Vela service capable of integrating
// with a configured secret system.
// Setup represents the configuration necessary for
// creating a Vela service capable of integrating
// with a configured secret system.
//
// Validate checks the fields the selected Driver needs;
// Native and Vault then build the matching client from them.
type Setup struct {
	// Secret Configuration

	// specifies the driver to use for the secret client
	// (constants.DriverNative or constants.DriverVault; Validate
	// applies the vault checks to any other value as well)
	Driver string
	// specifies the database service to use for the secret client;
	// Validate requires it when Driver is constants.DriverNative
	Database database.Interface
	// specifies the address to use for the secret client; Validate
	// requires a "<scheme>://<host>" form with no trailing slash
	Address string
	// specifies the authentication method to use for the secret client;
	// only consulted by Validate when Token is empty, and "aws" is the
	// only value it accepts
	AuthMethod string
	// specifies the AWS role to use for the secret client; Validate
	// requires it when Token is empty and AuthMethod is "aws"
	AwsRole string
	// specifies the prefix to use for the secret client
	Prefix string
	// specifies the token to use for the secret client; when set,
	// Validate skips the AuthMethod and AwsRole checks
	Token string
	// specifies the token duration to use for the secret client
	TokenDuration time.Duration
	// specifies the version to use for the secret client
	Version string
}
// Native creates and returns a Vela service capable of
// integrating with a Native (Database) secret system.
// Native creates and returns a Vela service capable of
// integrating with a Native (Database) secret system.
//
// The only option forwarded is the database handle; any error
// from native.New is returned to the caller unchanged.
func (s *Setup) Native() (Service, error) {
	logrus.Trace("creating native secret client from setup")

	// build the native client against the configured database
	//
	// https://pkg.go.dev/github.com/go-vela/server/secret/native?tab=doc#New
	svc, err := native.New(native.WithDatabase(s.Database))

	return svc, err
}
// Vault creates and returns a Vela service capable of
// integrating with a Hashicorp Vault secret system.
// Vault creates and returns a Vela service capable of
// integrating with a Hashicorp Vault secret system.
//
// Every vault-related field on the Setup (address, auth method,
// AWS role, prefix, token, token duration, version) is forwarded
// as an option; any error from vault.New is returned unchanged.
func (s *Setup) Vault() (Service, error) {
	logrus.Trace("creating vault secret client from setup")

	// build the vault client from the configured fields; the
	// token/auth-method combination is expected to have passed
	// Validate before this is called
	//
	// https://pkg.go.dev/github.com/go-vela/server/secret/vault?tab=doc#New
	svc, err := vault.New(
		vault.WithAddress(s.Address),
		vault.WithAuthMethod(s.AuthMethod),
		vault.WithAWSRole(s.AwsRole),
		vault.WithPrefix(s.Prefix),
		vault.WithToken(s.Token),
		vault.WithTokenDuration(s.TokenDuration),
		vault.WithVersion(s.Version),
	)

	return svc, err
}
// Validate verifies the necessary fields for the
// provided configuration are populated correctly.
// Validate verifies the necessary fields for the
// provided configuration are populated correctly.
//
// The native driver only needs a database handle. The vault driver,
// and any driver value that is not recognized, must carry a fully
// qualified address plus either a static token or a supported
// authentication method. The first failing check is returned.
func (s *Setup) Validate() error {
	logrus.Trace("validating secret setup for client")

	if s.Driver == "" {
		return fmt.Errorf("no secret driver provided")
	}

	// native is the only driver with its own rule set; every other
	// value (vault included) goes through the vault-style checks
	if s.Driver == constants.DriverNative {
		if s.Database == nil {
			return fmt.Errorf("no secret database service provided")
		}

		return nil
	}

	return s.validateVaultFields()
}

// validateVaultFields applies the address and credential checks used
// for the vault driver (and, by default, for any unrecognized driver).
func (s *Setup) validateVaultFields() error {
	switch {
	case s.Address == "":
		return fmt.Errorf("no secret address provided")
	case !strings.Contains(s.Address, "://"):
		return fmt.Errorf("secret address must be fully qualified (<scheme>://<host>)")
	case strings.HasSuffix(s.Address, "/"):
		return fmt.Errorf("secret address must not have trailing slash")
	case s.Token == "" && s.AuthMethod == "":
		return fmt.Errorf("no secret token or authentication method provided")
	}

	// a static token is sufficient on its own; the authentication
	// method is only inspected when no token was supplied
	if s.Token != "" {
		return nil
	}

	if s.AuthMethod != "aws" {
		return fmt.Errorf("invalid secret authentication method provided: %s", s.AuthMethod)
	}

	// aws auth needs a role to assume
	if s.AwsRole == "" {
		return fmt.Errorf("no secret AWS role provided")
	}

	return nil
}