
Commit b64cdba

committed
Lint, shellcheck
1 parent a97cebb commit b64cdba

6 files changed

Lines changed: 87 additions & 32 deletions


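--- a/src/vscode-secrets/README.md
+++ b/src/vscode-secrets/README.md
@@ -0,0 +1,20 @@
+
+# Vscode with Secrets (vscode-secrets)
+
+A Template to run vscode on workbench with WSM secret support.
+
+This is a sample app demonstrating how to use the secret receiver to inject
+secrets from Workspace Manager into a devcontainer. See `secrets.yml` for the
+secret configuration and `docker-compose.yaml` for how the secret receiver
+binary is built and injected as the container entrypoint.
+
+## Options
+
+| Options Id | Description | Type | Default Value |
+|-----|-----|-----|-----|
+| cloud | VM cloud environment | string | gcp |
+| login | Whether to log in to workbench CLI | string | false |
+
+---
+
+_Note: This file was auto-generated from the [devcontainer-template.json](https://github.com/verily-src/workbench-app-devcontainers/blob/main/src/vscode-secrets/devcontainer-template.json). Add additional notes to a `NOTES.md`._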
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
{
2+
"id": "vscode-secrets",
3+
"version": "0.0.1",
4+
"name": "Vscode with Secrets",
5+
"description": "A Template to run vscode on workbench with WSM secret support",
6+
"documentationURL": "https://github.com/verily-src/workbench-app-devcontainers/tree/master/src/vscode-secrets",
7+
"licenseURL": "https://github.com/verily-src/workbench-app-devcontainers/blob/master/LICENSE",
8+
"options": {
9+
"cloud": {
10+
"type": "string",
11+
"description": "VM cloud environment",
12+
"proposals": ["gcp", "aws"],
13+
"default": "gcp"
14+
},
15+
"login": {
16+
"type": "string",
17+
"description": "Whether to log in to workbench CLI",
18+
"proposals": ["true", "false"],
19+
"default": "false"
20+
}
21+
},
22+
"platforms": ["Any"]
23+
}

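--- a/startupscript/butane/055-provide-secrets.sh
+++ b/startupscript/butane/055-provide-secrets.sh
@@ -92,7 +92,6 @@ WORKSPACE_ID="$(curl_with_auth TOKEN -s -f \
 "${WSM_URL}/api/workspaces/v1/workspaceByUserFacingId/${WORKSPACE_UFID}" \
 | jq -r '.id')"
 readonly WORKSPACE_ID
-
 if [[ -z "${WORKSPACE_ID}" || "${WORKSPACE_ID}" == "null" ]]; then
 >&2 echo "ERROR: Failed to resolve workspace UUID for '${WORKSPACE_UFID}'."
 exit 1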

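--- a/startupscript/butane/docker-auth-secrets.sh
+++ b/startupscript/butane/docker-auth-secrets.sh
@@ -32,7 +32,9 @@ if [[ -z "${DOCKER_REGISTRIES}" ]]; then
 fi
 
 DOCKER_CONFIG_DIR="${HOME:-/root}/.docker"
+readonly DOCKER_CONFIG_DIR
 DOCKER_CONFIG_FILE="${DOCKER_CONFIG_DIR}/config.json"
+readonly DOCKER_CONFIG_FILE
 
 mkdir -p "${DOCKER_CONFIG_DIR}"
 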
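--- a/startupscript/butane/docker-credential-secrets.sh
+++ b/startupscript/butane/docker-credential-secrets.sh
@@ -47,25 +47,29 @@ esac
 
 # --- get: retrieve credentials for the requested registry ---
 
-read -r server_url || true
-registry_hostname="$(echo "${server_url}" | sed -E 's|^https?://([^/]+).*|\1|')"
+read -r SERVER_URL || true
+readonly SERVER_URL
+REGISTRY_HOSTNAME="$(echo "${SERVER_URL}" | sed -E 's|^https?://([^/]+).*|\1|')"
+readonly REGISTRY_HOSTNAME
 
 readonly SECRETS_JSON="/home/core/secrets.json"
 if [[ ! -f "${SECRETS_JSON}" ]]; then
 echo "Error: ${SECRETS_JSON} not found" >&2
 exit 1
 fi
 
-secret_entry="$(jq --arg registry "${registry_hostname}" \
+SECRET_ENTRY="$(jq --arg registry "${REGISTRY_HOSTNAME}" \
 '.[] | select(.dockerRegistry == $registry)' \
 "${SECRETS_JSON}")"
+readonly SECRET_ENTRY
 
-if [[ -z "${secret_entry}" || "${secret_entry}" == "null" ]]; then
-echo "Error: No secret configured for registry ${registry_hostname}" >&2
+if [[ -z "${SECRET_ENTRY}" || "${SECRET_ENTRY}" == "null" ]]; then
+echo "Error: No secret configured for registry ${REGISTRY_HOSTNAME}" >&2
 exit 1
 fi
 
-secret_name="$(echo "${secret_entry}" | jq -r '.name')"
+SECRET_NAME="$(echo "${SECRET_ENTRY}" | jq -r '.name')"
+readonly SECRET_NAME
 
 # shellcheck source=/dev/null
 source /home/core/metadata-utils.sh
@@ -75,56 +79,69 @@ source /home/core/service-utils.sh
 source /home/core/secret-utils.sh
 
 CLI_SERVER="$(get_metadata_value "terra-cli-server" "prod")"
+readonly CLI_SERVER
+
 WSM_URL="$(get_service_url "wsm" "${CLI_SERVER}")"
+readonly WSM_URL
 
 WORKSPACE_UFID="$(get_metadata_value "terra-workspace-id" "")"
+readonly WORKSPACE_UFID
 if [[ -z "${WORKSPACE_UFID}" ]]; then
 echo "Error: No workspace ID found in metadata" >&2
 exit 1
 fi
 
 RESOURCE_ID="$(get_metadata_value "wb-resource-id" "")"
+readonly RESOURCE_ID
 if [[ -z "${RESOURCE_ID}" ]]; then
 echo "Error: No resource ID found in metadata" >&2
 exit 1
 fi
 
 TOKEN="$(/home/core/wb.sh auth print-access-token)"
+# shellcheck disable=SC2034
+readonly TOKEN
 
 WORKSPACE_ID="$(curl_with_auth TOKEN -s -f \
 "${WSM_URL}/api/workspaces/v1/workspaceByUserFacingId/${WORKSPACE_UFID}" \
 | jq -r '.id')"
+readonly WORKSPACE_ID
 if [[ -z "${WORKSPACE_ID}" || "${WORKSPACE_ID}" == "null" ]]; then
 echo "Error: Failed to resolve workspace UUID for '${WORKSPACE_UFID}'" >&2
 exit 1
 fi
 
-readonly KEY_FILE="/home/core/signing-key/signing.key"
+KEY_FILE="/home/core/signing-key/signing.key"
+readonly KEY_FILE
 if [[ ! -f "${KEY_FILE}" ]]; then
 echo "Error: Signing key not found at ${KEY_FILE}" >&2
 exit 1
 fi
 
-app_resource="$(curl_with_auth TOKEN -s -f \
+APP_RESOURCE="$(curl_with_auth TOKEN -s -f \
 "${WSM_URL}/api/workspaces/v1/${WORKSPACE_ID}/${RESOURCE_PATH}/${RESOURCE_ID}")"
+readonly APP_RESOURCE
 
-secret_workspace_id="$(echo "${app_resource}" | jq -r --arg name "${secret_name}" '.attributes.secrets[$name].workspaceId')"
-secret_resource_id="$(echo "${app_resource}" | jq -r --arg name "${secret_name}" '.attributes.secrets[$name].resourceId')"
+SECRET_WORKSPACE_ID="$(echo "${APP_RESOURCE}" | jq -r --arg name "${SECRET_NAME}" '.attributes.secrets[$name].workspaceId')"
+readonly SECRET_WORKSPACE_ID
+SECRET_RESOURCE_ID="$(echo "${APP_RESOURCE}" | jq -r --arg name "${SECRET_NAME}" '.attributes.secrets[$name].resourceId')"
+readonly SECRET_RESOURCE_ID
 
-if [[ -z "${secret_workspace_id}" || "${secret_workspace_id}" == "null" || \
--z "${secret_resource_id}" || "${secret_resource_id}" == "null" ]]; then
-echo "Error: Secret '${secret_name}' not found in app resource's attached secrets" >&2
+if [[ -z "${SECRET_WORKSPACE_ID}" || "${SECRET_WORKSPACE_ID}" == "null" || \
+-z "${SECRET_RESOURCE_ID}" || "${SECRET_RESOURCE_ID}" == "null" ]]; then
+echo "Error: Secret '${SECRET_NAME}' not found in app resource's attached secrets" >&2
 exit 1
 fi
 
-validate_allowed_secret "${secret_entry}" "${secret_workspace_id}" "${secret_resource_id}"
+validate_allowed_secret "${SECRET_ENTRY}" "${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}"
 
-credential="$(retrieve_secret TOKEN "${WSM_URL}" "${RESOURCE_ID}" "${KEY_FILE}" \
-"${secret_workspace_id}" "${secret_resource_id}")"
+CREDENTIAL="$(retrieve_secret TOKEN "${WSM_URL}" "${RESOURCE_ID}" "${KEY_FILE}" \
+"${SECRET_WORKSPACE_ID}" "${SECRET_RESOURCE_ID}")"
+readonly CREDENTIAL
 
-if ! echo "${credential}" | jq -e '.Username and .Secret' >/dev/null 2>&1; then
-echo "Error: Secret '${secret_name}' is not valid docker credential JSON (expected Username and Secret fields)" >&2
+if ! echo "${CREDENTIAL}" | jq -e '.Username and .Secret' >/dev/null 2>&1; then
+echo "Error: Secret '${SECRET_NAME}' is not valid docker credential JSON (expected Username and Secret fields)" >&2
 exit 1
 fi
 
-echo "${credential}" | jq --arg url "${server_url}" '. + {"ServerURL": $url}'
+echo "${CREDENTIAL}" | jq --arg url "${SERVER_URL}" '. + {"ServerURL": $url}'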
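Review bot: The `# shellcheck disable=SC2034` added at new line 102 gives no reason, and the next maintainer will not see from this file why TOKEN counts as "unused"; it is consumed by name, not by value, in `curl_with_auth TOKEN` (new lines 105 and 121) and `retrieve_secret TOKEN` (new line 138), presumably via a nameref inside those helpers. Put that on the directive so it survives the next lint pass: `# shellcheck disable=SC2034  # TOKEN is read by name inside curl_with_auth/retrieve_secret`. Separately, the new `CREDENTIAL` variable (new lines 138-140) holds the decrypted registry credential and is echoed into jq at new line 147, so this script must stay free of `set -x`; the `trap 'set -o xtrace' RETURN` visible in the secret-utils.sh hunk suggests tracing is toggled off only inside retrieve_secret, which would not cover line 147 if tracing is enabled at script level (cannot be confirmed from this hunk).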

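--- a/startupscript/butane/secret-utils.sh
+++ b/startupscript/butane/secret-utils.sh
@@ -46,14 +46,11 @@ function retrieve_secret() {
 challenge_request="$(jq -n --arg appResourceId "${app_resource_id}" \
 '{"identifier": {"appResourceId": $appResourceId}}')"
 
-local challenge_response
-challenge_response="$(curl_with_auth "${token_var}" -s -f -X POST \
+local nonce
+nonce="$(curl_with_auth "${token_var}" -s -f -X POST \
 -H "Content-Type: application/json" \
 "${wsm_url}/api/workspaces/v1/${secret_workspace_id}/secrets/${secret_resource_id}/challenge" \
--d "${challenge_request}")"
-
-local nonce
-nonce="$(echo "${challenge_response}" | jq -r '.nonce')"
+-d "${challenge_request}" | jq -r '.nonce')"
 
 if [[ -z "${nonce}" || "${nonce}" == "null" ]]; then
 >&2 echo "ERROR: Failed to get challenge nonce for secret ${secret_resource_id}."
@@ -79,14 +76,11 @@ function retrieve_secret() {
 trap 'set -o xtrace' RETURN
 fi
 
-local read_response
-read_response="$(curl_with_auth "${token_var}" -s -f -X POST \
+local secret_value_b64
+secret_value_b64="$(curl_with_auth "${token_var}" -s -f -X POST \
 -H "Content-Type: application/json" \
 "${wsm_url}/api/workspaces/v1/${secret_workspace_id}/secrets/${secret_resource_id}/read" \
--d "${read_request}")"
-
-local secret_value_b64
-secret_value_b64="$(echo "${read_response}" | jq -r '.base64EncodedSecretValue')"
+-d "${read_request}" | jq -r '.base64EncodedSecretValue')"
 
 if [[ -z "${secret_value_b64}" || "${secret_value_b64}" == "null" ]]; then
 >&2 echo "ERROR: Failed to read secret ${secret_resource_id}."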
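Review bot: Folding the curl call into `$(curl_with_auth ... | jq -r '.nonce')` at new lines 50-53 (and likewise `| jq -r '.base64EncodedSecretValue'` at new lines 80-83) means the substitution's exit status is jq's, not curl's, unless `set -o pipefail` is in effect; previously a `curl -f` failure on the challenge or read request would have surfaced as a non-zero status on the assignment. jq given empty input prints nothing and exits 0, so an HTTP error now degrades to an empty `nonce`/`secret_value_b64` and is reported only by the generic "Failed to get challenge nonce" / "Failed to read secret" messages, losing the curl diagnostic. If `set -o pipefail` is not already set near the top of this file (not visible in this hunk), set it there, or enable it for this function only with `local -` followed by `set -o pipefail` (bash 4.4+) before the first curl. retrieve_secret starts before the first hunk and ends after the second.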
