secret management

Author: piotrek-janus

go.mod

@@ -6,7 +6,7 @@ toolchain go1.22.0
 
 require (
 	github.com/Masterminds/sprig/v3 v3.2.3
-	github.com/cloudentity/acp-client-go v0.0.0-20240618142147-15447bea0396
+	github.com/cloudentity/acp-client-go v0.0.0-20241209151610-14608290c460
 	github.com/corvus-ch/zbase32 v1.0.0
 	github.com/go-json-experiment/json v0.0.0-20240524174822-2d9f40f7385b
 	github.com/go-openapi/strfmt v0.22.0

go.sum

@@ -7,8 +7,8 @@ github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/cloudentity/acp-client-go v0.0.0-20240618142147-15447bea0396 h1:nWtlxPLa9os1mp4ASp3R9a+hcQo6hJWv15kYqNXXGyA=
-github.com/cloudentity/acp-client-go v0.0.0-20240618142147-15447bea0396/go.mod h1:dTHIsfs5YtDOH2CgeoHFlhfnnU1X+ohn+TIU30WlWQQ=
+github.com/cloudentity/acp-client-go v0.0.0-20241209151610-14608290c460 h1:ViagTxoPaC+H0R1QrjnTlXGuqR9PT4VZAI7o8v3c2KU=
+github.com/cloudentity/acp-client-go v0.0.0-20241209151610-14608290c460/go.mod h1:dTHIsfs5YtDOH2CgeoHFlhfnnU1X+ohn+TIU30WlWQQ=
 github.com/corvus-ch/zbase32 v1.0.0 h1:pDV0qZ1g+HYA8P0PbULsgUg/tZue1FIjsZ7r7h4nZeU=
 github.com/corvus-ch/zbase32 v1.0.0/go.mod h1:A7KLRecF1tysURyoqiJBvMJFmt/ccqkRdDTLjlQeVsU=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -55,8 +55,6 @@ github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD87
 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
 github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE=
 github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
-github.com/goccy/go-yaml v1.11.2 h1:joq77SxuyIs9zzxEjgyLBugMQ9NEgTWxXfz2wVqwAaQ=
-github.com/goccy/go-yaml v1.11.2/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
 github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM=
 github.com/goccy/go-yaml v1.12.0/go.mod h1:wKnAMd44+9JAAnGQpWVEgBzGt3YuTaQ4uXoHvE4m7WU=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=

internal/cac/storage/server_storage.go

@@ -150,6 +150,12 @@ func (s *ServerStorage) Write(ctx context.Context, input models.Rfc7396PatchOper
 		return err
 	}
 
+	if err = writeFiles(data.Secrets,
+		filepath.Join(workspacePath, "secrets"),
+		func(id string, it models.TreeSecret) string { return id }); err != nil {
+		return err
+	}
+
 	slog.Info("Workspace configuration successfully stored", "workspace", workspace, "path", workspacePath)
 
 	return nil
@@ -257,6 +263,10 @@ func (s *ServerStorage) Read(ctx context.Context, opts ...api.SourceOpt) (models
 		return nil, err
 	}
 
+	if err = readFilesToMap(server, "secrets", filepath.Join(path, "secrets")); err != nil {
+		return nil, err
+	}
+
 	if server, err = utils.FilterPatch(server, options.Filters); err != nil {
 		return nil, err
 	}

internal/cac/storage/server_storage_test.go

@@ -41,7 +41,9 @@ func TestStorage(t *testing.T) {
             },
             assert: func(t *testing.T, path string, bts []byte) {
                 require.YAMLEq(t, `access_token_ttl: 10m0s
+authentication_mechanisms: []
 authorization_code_ttl: 0s
+scope_claim_formats: []
 backchannel_token_delivery_modes_supported: []
 backchannel_user_code_parameter_supported: false
 cookie_max_age: 0s
@@ -93,6 +95,7 @@ client_id_issued_at: 0
 client_name: Demo Portal
 client_secret_expires_at: 0
 created_at: 0001-01-01T00:00:00.000Z
+default_acr_values: []
 dpop_bound_access_tokens: false
 dynamically_registered: false
 grant_types: []
@@ -232,6 +235,7 @@ identifier_case_insensitive: false
 mfa_session_ttl: 0s
 name: Some Pool
 public_registration_allowed: false
+second_factor_threshold: 0
 system: false`, string(bts))
             },
         },
@@ -587,10 +591,30 @@ identifier_case_insensitive: false
 mfa_session_ttl: 0s
 name: Some Pool
 public_registration_allowed: false
+second_factor_threshold: 0
 system: false`, string(bts))
                 }
             },
         },
+        {
+            desc: "secrets",
+            data: &models.TreeServer{
+                Secrets: models.TreeSecrets{
+                    "Some_secret": models.TreeSecret{
+                        CreatedAt: dateTime,
+                        Secret: "test",
+                    },
+                },
+            },
+            files: []string{
+                "workspaces/demo/secrets/Some_secret.yaml",
+            },
+            assert: func(t *testing.T, path string, bts []byte) {
+                    require.YAMLEq(t, `created_at: 2024-01-23T23:19:30.004+01:00
+id: Some_secret
+secret: test`, string(bts))
+            },
+        },
     }
 
     for _, tc := range tcs {

internal/cac/storage/tenant_storage_test.go

@@ -60,7 +60,9 @@ id: sms
 mechanism: sms`, string(bts))
                 case "workspaces/demo/server.yaml":
                     require.YAMLEq(t, `access_token_ttl: 10m0s
+authentication_mechanisms: []
 authorization_code_ttl: 0s
+scope_claim_formats: []
 backchannel_token_delivery_modes_supported: []
 backchannel_user_code_parameter_supported: false
 cookie_max_age: 0s