

mod: helper func isSecretDisabledError
Signed-off-by: Joshua Duffney <[email protected]>
duffney committed Oct 31, 2024
1 parent b1d8bc1 commit d60fc81
Showing 2 changed files with 52 additions and 19 deletions.
53 changes: 34 additions & 19 deletions pkg/keymanagementprovider/azurekeyvault/provider.go
Expand Up @@ -81,9 +81,13 @@ type akvKMProvider struct {
}
type akvKMProviderFactory struct{}

// kvClient is an interface to interact with the keyvault client used for mocking purposes
type kvClient interface {
// GetCertificate retrieves a certificate from the keyvault
GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (kv.CertificateBundle, error)
// GetKey retrieves a key from the keyvault
GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (kv.KeyBundle, error)
// GetSecret retrieves a secret from the keyvault
GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (kv.SecretBundle, error)
}
type kvClientImpl struct {
Expand All @@ -93,9 +97,11 @@ type kvClientImpl struct {
func (c *kvClientImpl) GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (kv.CertificateBundle, error) {
return c.BaseClient.GetCertificate(ctx, vaultBaseURL, certificateName, certificateVersion)
}

func (c *kvClientImpl) GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (kv.KeyBundle, error) {
return c.BaseClient.GetKey(ctx, vaultBaseURL, keyName, keyVersion)
}

func (c *kvClientImpl) GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (kv.SecretBundle, error) {
return c.BaseClient.GetSecret(ctx, vaultBaseURL, secretName, secretVersion)
}
Expand Down Expand Up @@ -170,26 +176,22 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp
// GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/ratify-project/ratify/issues/695 for details
secretBundle, err := s.kvClient.GetSecret(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
if err != nil {
// remove the certificate from the map if disabled
var de autorest.DetailedError
if errors.As(err, &de) {
var re *azure.RequestError
if errors.As(de.Original, &re) {
if re.ServiceError.Code == "SecretDisabled" {
certBundle, err := s.kvClient.GetCertificate(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
if err != nil {
return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
}
keyVaultCert.Version = getObjectVersion(*certBundle.Kid)
isEnabled := *certBundle.Attributes.Enabled
lastRefreshed := startTime.Format(time.RFC3339)
certProperty := getStatusProperty(keyVaultCert.Name, keyVaultCert.Version, lastRefreshed, isEnabled)
certsStatus = append(certsStatus, certProperty)
mapKey := keymanagementprovider.KMPMapKey{Name: keyVaultCert.Name, Version: keyVaultCert.Version, Enabled: isEnabled}
keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey)
continue
}
secretDisabled := isSecretDisabledError(err)

if secretDisabled {
// if secret is disabled, get the version of the certificate for status
certBundle, err := s.kvClient.GetCertificate(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
if err != nil {
return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
}
keyVaultCert.Version = getObjectVersion(*certBundle.Kid)
isEnabled := *certBundle.Attributes.Enabled
lastRefreshed := startTime.Format(time.RFC3339)
certProperty := getStatusProperty(keyVaultCert.Name, keyVaultCert.Version, lastRefreshed, isEnabled)
certsStatus = append(certsStatus, certProperty)
mapKey := keymanagementprovider.KMPMapKey{Name: keyVaultCert.Name, Version: keyVaultCert.Version, Enabled: isEnabled}
keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey)
continue
}

return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
Expand Down Expand Up @@ -411,6 +413,19 @@ func getObjectVersion(id string) string {
return splitID[len(splitID)-1]
}

func isSecretDisabledError(err error) bool {
var de autorest.DetailedError
if errors.As(err, &de) {
var re *azure.RequestError
if errors.As(de.Original, &re) {
if re.ServiceError.Code == "SecretDisabled" {
return true
}
}
}
return false
}

// validate checks vaultURI, tenantID, clientID are set and all certificates/keys have a name
func (s *akvKMProvider) validate() error {
if s.vaultURI == "" {
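Review bot: `isSecretDisabledError` (the helper added in the last hunk of this file) dereferences `re.ServiceError.Code` without checking that `re.ServiceError` is non-nil; the test case added at the bottom of the page builds it as `&azure.ServiceError{...}`, so it is a pointer, and an `azure.RequestError` whose response body could not be parsed into a service error would panic the whole `GetCertificates` refresh instead of surfacing the original Key Vault error through the `failed to get secret` return. Collapse the nested ifs into one guarded condition: `if errors.As(de.Original, &re) && re.ServiceError != nil && re.ServiceError.Code == "SecretDisabled" { return true }`. The helper also has no doc comment; something like `// isSecretDisabledError reports whether err is an Azure Key Vault "SecretDisabled" service error, which the caller treats as "drop this certificate from the map" rather than as a failed refresh.` would explain the special case to a reader of the call site. Hoisting the literal into a named constant such as `const secretDisabledCode = "SecretDisabled"` would keep the helper and the test from drifting apart.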
18 changes: 18 additions & 0 deletions pkg/keymanagementprovider/azurekeyvault/provider_test.go
Expand Up @@ -251,6 +251,24 @@ func TestGetCertificates(t *testing.T) {
return kv.SecretBundle{}, err
},
},
expectedErr: false,
},
{
name: "Certificate disabled error",
mockKvClient: &MockKvClient{
GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) {
return kv.CertificateBundle{}, errors.New("error")
},
GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
err := autorest.DetailedError{
Original: &azure.RequestError{
ServiceError: &azure.ServiceError{Code: "SecretDisabled"},
},
}
return kv.SecretBundle{}, err
},
},
expectedErr: true,
},
{
name: "Certificate enabled",
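Review bot: The new "Certificate disabled error" case only exercises the path where the secret is disabled and the follow-up `GetCertificate` fails, so the classification the commit extracted into `isSecretDisabledError` is never pinned directly: nothing asserts that a `SecretDisabled` code is recognised while another code, a plain `errors.New`, or a `RequestError` with no `ServiceError` is not, and the disabled-secret path where `GetCertificate` succeeds and the certificate is dropped from the map is not covered unless an earlier case outside this hunk does so. A small table test on the helper would pin that behaviour and also exposes the nil-`ServiceError` input, which panics in the helper as written. The case name is also misleading, since it is the secret that is disabled and the certificate lookup that errors; `name: "Secret disabled, certificate lookup fails",` says what is actually asserted.

```go
func TestIsSecretDisabledError(t *testing.T) {
	disabled := autorest.DetailedError{Original: &azure.RequestError{ServiceError: &azure.ServiceError{Code: "SecretDisabled"}}}
	other := autorest.DetailedError{Original: &azure.RequestError{ServiceError: &azure.ServiceError{Code: "Forbidden"}}}
	noService := autorest.DetailedError{Original: &azure.RequestError{}}
	cases := []struct {
		name string
		err  error
		want bool
	}{
		{"secret disabled", disabled, true},
		{"other service error", other, false},
		{"request error without service error", noService, false},
		{"plain error", errors.New("error"), false},
		{"nil error", nil, false},
	}
	for _, tc := range cases {
		if got := isSecretDisabledError(tc.err); got != tc.want {
			t.Errorf("%s: isSecretDisabledError() = %v, want %v", tc.name, got, tc.want)
		}
	}
}
```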
