fix: add dataFrom support to vault backend (refactor kv-backend) (#206)

* refactor: make kv backend more generic
* refactor: vault to make use of kv backend, and support dataFrom

Author: Flydiverny

lib/backends/kv-backend.js

@@ -20,62 +20,65 @@ class KVBackend extends AbstractBackend {
    * @param {string} data[].name - Kubernetes Secret property name.
    * @param {string} data[].property - If the backend secret is an
    *   object, this is the property name of the value to use.
-   * @param {string} roleArn - If the client should assume a role before fetching the secret
+   * @param {Object} specOptions - Options set on spec level.
    * @returns {Promise} Promise object representing secret property values.
    */
-  _fetchDataValues ({ data, roleArn }) {
-    return Promise.all(data.map(async secretProperty => {
-      this._logger.info(`fetching secret property ${secretProperty.name} with role: ${roleArn || 'no role set'}`)
-      const plainOrObjValue = await this._get({ secretKey: secretProperty.key, roleArn })
-      const shouldParseValue = 'property' in secretProperty
+  _fetchDataValues ({ data, specOptions }) {
+    return Promise.all(data.map(async dataItem => {
+      const { name, property = null, key, ...keyOptions } = dataItem
+      const plainOrObjValue = await this._get({ key, keyOptions, specOptions })
+      const shouldParseValue = 'property' in dataItem
 
       let value = plainOrObjValue
       if (shouldParseValue) {
         let parsedValue
         try {
           parsedValue = JSON.parse(value)
         } catch (err) {
-          this._logger.warn(`Failed to JSON.parse value for '${secretProperty.key}',` +
+          this._logger.warn(`Failed to JSON.parse value for '${key}',` +
            ` please verify that your secret value is correctly formatted as JSON.` +
-           ` To use plain text secret remove the 'property: ${secretProperty.property}'`)
+           ` To use plain text secret remove the 'property: ${property}'`)
           return
         }
 
-        if (!(secretProperty.property in parsedValue)) {
-          throw new Error(`Could not find property ${secretProperty.property} in ${secretProperty.key}`)
+        if (!(property in parsedValue)) {
+          throw new Error(`Could not find property ${property} in ${key}`)
         }
 
-        value = parsedValue[secretProperty.property]
+        value = parsedValue[property]
       }
 
-      return { [secretProperty.name]: value }
+      return { [name]: value }
     }))
   }
 
   /**
    * Fetch Kubernetes secret property values.
    * @param {string[]} dataFrom - Array of secret keys in the backend
-   * @param {string} roleArn - If the client should assume a role before fetching the secret
+   * @param {string} specOptions - Options set on spec level that might be interesting for the backend
    * @returns {Promise} Promise object representing secret property values.
    */
-  _fetchDataFromValues ({ dataFrom, roleArn }) {
-    return Promise.all(dataFrom.map(async secretKey => {
-      this._logger.info(`fetching secret ${secretKey} with role: ${roleArn || 'no role set'}`)
-      const value = await this._get({ secretKey, roleArn })
+  _fetchDataFromValues ({ dataFrom, specOptions }) {
+    return Promise.all(dataFrom.map(async key => {
+      const value = await this._get({ key, specOptions })
 
       try {
         return JSON.parse(value)
       } catch (err) {
-        this._logger.warn(`Failed to JSON.parse value for '${secretKey}',` +
+        this._logger.warn(`Failed to JSON.parse value for '${key}',` +
            ` please verify that your secret value is correctly formatted as JSON.`)
       }
     }))
   }
 
   /**
    * Get a secret property value from Key Value backend.
+   * @param {string} key - Secret key in the backend.
+   * @param {string} keyOptions - Options for this specific key, eg version etc.
+   * @param {string} specOptions - Options for this external secret, eg role
+   * @returns {Promise} Promise object representing secret property values.
    */
-  _get () {
+  _get ({ key, keyOptions, specOptions }) {
     throw new Error('_get not implemented')
   }
 
@@ -90,12 +93,12 @@ class KVBackend extends AbstractBackend {
       properties = [],
       data = properties,
       dataFrom = [],
-      roleArn
+      ...specOptions
     }
   }) {
     const [dataFromValues, dataValues] = await Promise.all([
-      this._fetchDataFromValues({ dataFrom, roleArn }),
-      this._fetchDataValues({ data, roleArn })
+      this._fetchDataFromValues({ dataFrom, specOptions }),
+      this._fetchDataValues({ data, specOptions })
     ])
 
     const plainValues = dataFromValues.concat(dataValues)

lib/backends/kv-backend.test.js

@@ -34,12 +34,19 @@ describe('kv-backend', () => {
             key: 'mocked-key',
             name: 'mocked-name',
             property: 'oops'
-          }]
+          }],
+          specOptions: {}
         })
         expect.fail('Should not reach')
       } catch (err) {
         expect(err).to.be.an('error')
       }
+      expect(kvBackend._get.calledOnce).to.equal(true)
+      expect(kvBackend._get.getCall(0).args[0]).to.deep.equal({
+        key: 'mocked-key',
+        keyOptions: {},
+        specOptions: {}
+      })
     })
 
     it('handles secrets values that are objects', async () => {
@@ -77,19 +84,22 @@ describe('kv-backend', () => {
         }, {
           key: 'fakePropertyKey2',
           name: 'fakePropertyName2'
-        }]
+        }],
+        specOptions: {
+          passMeAlong: true
+        }
       })
 
-      expect(loggerMock.info.calledWith('fetching secret property fakePropertyName1 with role: no role set')).to.equal(true)
-      expect(loggerMock.info.calledWith('fetching secret property fakePropertyName2 with role: no role set')).to.equal(true)
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey1',
-        roleArn: undefined
-      })).to.equal(true)
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey2',
-        roleArn: undefined
-      })).to.equal(true)
+      expect(kvBackend._get.getCall(0).args[0]).to.deep.equal({
+        key: 'fakePropertyKey1',
+        keyOptions: {},
+        specOptions: { passMeAlong: true }
+      })
+      expect(kvBackend._get.getCall(1).args[0]).to.deep.equal({
+        key: 'fakePropertyKey2',
+        keyOptions: {},
+        specOptions: { passMeAlong: true }
+      })
       expect(secretPropertyValues).deep.equals([{ fakePropertyName1: 'fakePropertyValue1' }, { fakePropertyName2: 'fakePropertyValue2' }])
     })
 
@@ -105,19 +115,19 @@ describe('kv-backend', () => {
           key: 'fakePropertyKey2',
           name: 'fakePropertyName2'
         }],
-        roleArn: 'secretDescriptiorRole'
+        specOptions: { roleArn: 'secretDescriptiorRole' }
       })
 
-      expect(loggerMock.info.calledWith('fetching secret property fakePropertyName1 with role: secretDescriptiorRole')).to.equal(true)
-      expect(loggerMock.info.calledWith('fetching secret property fakePropertyName2 with role: secretDescriptiorRole')).to.equal(true)
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey1',
-        roleArn: 'secretDescriptiorRole'
-      })).to.equal(true)
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey2',
-        roleArn: 'secretDescriptiorRole'
-      })).to.equal(true)
+      expect(kvBackend._get.getCall(0).args[0]).to.deep.equal({
+        key: 'fakePropertyKey1',
+        keyOptions: {},
+        specOptions: { roleArn: 'secretDescriptiorRole' }
+      })
+      expect(kvBackend._get.getCall(1).args[0]).to.deep.equal({
+        key: 'fakePropertyKey2',
+        keyOptions: {},
+        specOptions: { roleArn: 'secretDescriptiorRole' }
+      })
       expect(secretPropertyValues).deep.equals([{ fakePropertyName1: 'fakePropertyValue1' }, { fakePropertyName2: 'fakePropertyValue2' }])
     })
   })
@@ -147,33 +157,34 @@ describe('kv-backend', () => {
       kvBackend._get.onFirstCall().resolves('fakePropertyValue1')
 
       const dataFromValues = await kvBackend._fetchDataFromValues({
-        dataFrom: ['fakePropertyKey1']
+        dataFrom: ['fakePropertyKey1'],
+        specOptions: { passMeAlong: true }
       })
 
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey1',
-        roleArn: undefined
-      })).to.equal(true)
+      expect(kvBackend._get.getCall(0).args[0]).to.deep.equal({
+        key: 'fakePropertyKey1',
+        specOptions: { passMeAlong: true }
+      })
       expect(dataFromValues).deep.equals([undefined])
     })
 
-    it('fetches secret property values using the specified role', async () => {
+    it('fetches secret property values using the specified options', async () => {
       kvBackend._get.onFirstCall().resolves('{"fakePropertyName1":"fakePropertyValue1"}')
       kvBackend._get.onSecondCall().resolves('{"fakePropertyName2":"fakePropertyValue2"}')
 
       const dataFromValues = await kvBackend._fetchDataFromValues({
         dataFrom: ['fakePropertyKey1', 'fakePropertyKey2'],
-        roleArn: 'secretDescriptiorRole'
+        specOptions: { roleArn: 'secretDescriptiorRole' }
       })
 
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey1',
-        roleArn: 'secretDescriptiorRole'
-      })).to.equal(true)
-      expect(kvBackend._get.calledWith({
-        secretKey: 'fakePropertyKey2',
-        roleArn: 'secretDescriptiorRole'
-      })).to.equal(true)
+      expect(kvBackend._get.getCall(0).args[0]).to.deep.equal({
+        key: 'fakePropertyKey1',
+        specOptions: { roleArn: 'secretDescriptiorRole' }
+      })
+      expect(kvBackend._get.getCall(1).args[0]).to.deep.equal({
+        key: 'fakePropertyKey2',
+        specOptions: { roleArn: 'secretDescriptiorRole' }
+      })
       expect(dataFromValues).deep.equals([{ fakePropertyName1: 'fakePropertyValue1' }, { fakePropertyName2: 'fakePropertyValue2' }])
     })
   })
@@ -183,7 +194,7 @@ describe('kv-backend', () => {
       let error
 
       try {
-        kvBackend._get()
+        kvBackend._get({})
       } catch (err) {
         error = err
       }
@@ -267,12 +278,12 @@ describe('kv-backend', () => {
           key: 'fakePropertyKey2',
           name: 'fakePropertyName2'
         }],
-        roleArn: 'my-role'
+        specOptions: { roleArn: 'my-role' }
       })).to.equal(true)
 
       expect(kvBackend._fetchDataFromValues.calledWith({
         dataFrom: [],
-        roleArn: 'my-role'
+        specOptions: { roleArn: 'my-role' }
       })).to.equal(true)
     })
 
@@ -290,24 +301,32 @@ describe('kv-backend', () => {
           ],
           dataFrom: [
             'fakeDataFromKey1'
-          ]
+          ],
+          roleArn: 'this-should-be-passed-along',
+          magicSetting: 'this as well'
         }
       })
 
-      expect(kvBackend._fetchDataValues.calledWith({
+      expect(kvBackend._fetchDataValues.getCall(0).args[0]).to.deep.equal({
         data: [{
           key: 'fakePropertyKey1',
           name: 'fakePropertyName1'
         }, {
           key: 'fakePropertyKey2',
           name: 'fakePropertyName2'
         }],
-        roleArn: undefined
-      })).to.equal(true)
+        specOptions: {
+          roleArn: 'this-should-be-passed-along',
+          magicSetting: 'this as well'
+        }
+      })
 
       expect(kvBackend._fetchDataFromValues.calledWith({
         dataFrom: ['fakeDataFromKey1'],
-        roleArn: undefined
+        specOptions: {
+          roleArn: 'this-should-be-passed-along',
+          magicSetting: 'this as well'
+        }
       })).to.equal(true)
     })
 
@@ -321,15 +340,15 @@ describe('kv-backend', () => {
         }
       })
 
-      expect(kvBackend._fetchDataValues.calledWith({
+      expect(kvBackend._fetchDataValues.getCall(0).args[0]).to.deep.equal({
         data: [],
-        roleArn: undefined
-      })).to.equal(true)
+        specOptions: { }
+      })
 
-      expect(kvBackend._fetchDataFromValues.calledWith({
+      expect(kvBackend._fetchDataFromValues.getCall(0).args[0]).to.deep.equal({
         dataFrom: ['fakeDataFromKey1', 'fakeDataFromKey2'],
-        roleArn: undefined
-      })).to.equal(true)
+        specOptions: { }
+      })
     })
   })
 })

lib/backends/secrets-manager-backend.js

@@ -18,10 +18,15 @@ class SecretsManagerBackend extends KVBackend {
 
   /**
    * Get secret property value from Secrets Manager.
-   * @param {string} secretKey - Key used to store secret property value in Secrets Manager.
+   * @param {string} key - Key used to store secret property value in Secrets Manager.
+   * @param {object} keyOptions - Options for this specific key, eg version etc.
+   * @param {object} specOptions - Options for this external secret, eg role
+   * @param {string} specOptions.roleArn - IAM role arn to assume
    * @returns {Promise} Promise object representing secret property value.
    */
-  async _get ({ secretKey, roleArn }) {
+  async _get ({ key, specOptions: { roleArn } }) {
+    this._logger.info(`fetching secret property ${key} with role: ${roleArn || 'pods role'}`)
+
     let client = this._client
     if (roleArn) {
       const res = await this._assumeRole({
@@ -36,7 +41,7 @@ class SecretsManagerBackend extends KVBackend {
     }
 
     const data = await client
-      .getSecretValue({ SecretId: secretKey })
+      .getSecretValue({ SecretId: key })
       .promise()
 
     if ('SecretBinary' in data) {
@@ -45,7 +50,7 @@ class SecretsManagerBackend extends KVBackend {
       return data.SecretString
     }
 
-    this._logger.error(`Unexpected data from Secrets Manager secret ${secretKey}`)
+    this._logger.error(`Unexpected data from Secrets Manager secret ${key}`)
     return null
   }
 }