wip

Author: vm-001

config.yml

@@ -153,3 +153,13 @@ tracing:
   opentelemetry:
     protocol: http/protobuf                     # Supported value: http/protobuf, grpc.
     endpoint: http://localhost:4318/v1/traces   # http/protobuf(http://localhost:4318/v1/traces), grpc(localhost:4317)
+
+
+#------------------------------------------------------------------------------
+# Secret
+#------------------------------------------------------------------------------
+#secret:
+#  provider: aws
+#  aws:
+#    region: us-west-1
+#    url: http://localhost:4566

config/config.go

@@ -98,12 +98,25 @@ func Init() (*Config, error) {
 		return nil, err
 	}
 
-	err := envconfig.Process("WEBHOOKX", &cfg)
-	if err != nil {
+	if err := envconfig.Process("WEBHOOKX_SECRET", &cfg.Secret); err != nil {
 		return nil, err
 	}
+	if cfg.Secret.Provider != "" {
+		var providerConfig map[string]interface{}
+		switch cfg.Secret.Provider {
+		case ProviderAWS:
+			providerConfig = utils.Must(utils.StructToMap(cfg.Secret.Aws))
+		}
+		manager := secret.NewManager(secret.ProviderType(cfg.Secret.Provider), providerConfig)
+		err := envconfig.ProcessWithReader("WEBHOOKX", &cfg,
+			envconfig.ReaderFunc(func(key string) (string, bool, error) {
+				return manager.Get(key)
+			}))
+		return &cfg, err
+	}
 
-	return &cfg, nil
+	err := envconfig.Process("WEBHOOKX", &cfg)
+	return &cfg, err
 }
 
 func InitWithFile(filename string) (*Config, error) {

config/secret.go

@@ -0,0 +1,21 @@
+package config
+
+type Provider string
+
+const (
+	ProviderAWS Provider = "aws"
+)
+
+type SecretConfig struct {
+	Provider Provider          `json:"provider" yaml:"provider"`
+	Aws      AwsProviderConfig `json:"aws" yaml:"aws"`
+}
+
+func (cfg *SecretConfig) Validate() error {
+	return nil
+}
+
+type AwsProviderConfig struct {
+	Region string `json:"region" yaml:"region"`
+	URL    string `json:"url" yaml:"url"`
+}

pkg/envconfig/envconfig.go

@@ -180,30 +180,46 @@ func CheckDisallowed(prefix string, spec interface{}) error {
 	return nil
 }
 
+type Reader interface {
+	Read(string) (string, bool, error)
+}
+
+type ReaderFunc func(string) (string, bool, error)
+
+func (f ReaderFunc) Read(key string) (string, bool, error) {
+	return f(key)
+}
+
+var (
+	EnvironmentReader = ReaderFunc(func(key string) (string, bool, error) {
+		v, ok := os.LookupEnv(key)
+		return v, ok, nil
+	})
+)
+
 // Process populates the specified struct based on environment variables
 func Process(prefix string, spec interface{}) error {
+	return ProcessWithReader(prefix, spec, EnvironmentReader)
+}
+
+func ProcessWithReader(prefix string, spec interface{}, reader Reader) error {
 	infos, err := gatherInfo(prefix, spec)
 
 	for _, info := range infos {
-
-		// `os.Getenv` cannot differentiate between an explicitly set empty value
-		// and an unset value. `os.LookupEnv` is preferred to `syscall.Getenv`,
-		// but it is only available in go1.5 or newer. We're using Go build tags
-		// here to use os.LookupEnv for >=go1.5
-		value, ok := lookupEnv(info.Key)
-		if !ok && info.Alt != "" {
-			value, ok = lookupEnv(info.Alt)
+		value, ok, err := reader.Read(info.Key)
+		if err != nil {
+			return err // todo warp error?
 		}
 
-		//patch: does not handle 'default' tag
-		def := ""
+		//patch: do not handle 'default' tag
+		//def := ""
 		//def := info.Tags.Get("default")
 		//if def != "" && !ok {
 		//	value = def
 		//}
 
 		req := info.Tags.Get("required")
-		if !ok && def == "" {
+		if !ok {
 			if isTrue(req) {
 				key := info.Key
 				if info.Alt != "" {

pkg/secret/aws.go

@@ -0,0 +1,58 @@
+package secret
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+	"github.com/aws/smithy-go/logging"
+	"log"
+)
+
+type AwsProvider struct {
+	cfg    interface{}
+	client *secretsmanager.Client
+}
+
+func NewAwsProvider(cfg map[string]interface{}) *AwsProvider {
+	opts := []func(*config.LoadOptions) error{
+		config.WithClientLogMode(aws.LogRequestWithBody | aws.LogResponseWithBody),
+		config.WithLogger(logging.LoggerFunc(func(classification logging.Classification, format string, v ...interface{}) {
+			log.Printf("[AWS %s] %s", classification, fmt.Sprintf(format, v...))
+		})),
+	}
+	url := cfg["url"].(string)
+	if url != "" {
+		opts = append(opts, config.WithBaseEndpoint(url))
+	}
+	region := cfg["region"].(string)
+	if region != "" {
+		opts = append(opts, config.WithRegion(region))
+	}
+
+	config, err := config.LoadDefaultConfig(context.TODO(), opts...)
+	if err != nil {
+		panic(err) // todo
+	}
+
+	provider := &AwsProvider{}
+	provider.cfg = cfg
+	provider.client = secretsmanager.NewFromConfig(config, func(options *secretsmanager.Options) {})
+
+	return provider
+}
+
+func (p *AwsProvider) GetValue(ctx context.Context, key string, properties map[string]string) (string, error) {
+	result, err := p.client.GetSecretValue(ctx, &secretsmanager.GetSecretValueInput{SecretId: aws.String(key)})
+	if err != nil {
+		var awsErr *types.ResourceNotFoundException
+		if errors.As(err, &awsErr) {
+			return "", fmt.Errorf("%w: %s", ErrSecretNotFound, key)
+		}
+		return "", err
+	}
+	return *result.SecretString, nil
+}

pkg/secret/manager.go

@@ -0,0 +1,53 @@
+package secret
+
+import (
+	"context"
+	"errors"
+	"os"
+	"strings"
+)
+
+var (
+	ErrSecretNotFound = errors.New("secret not found")
+)
+
+type ProviderType string
+
+const (
+	AwsPrivider ProviderType = "aws"
+)
+
+type Provider interface {
+	GetValue(ctx context.Context, key string, properties map[string]string) (string, error)
+}
+
+type Manager struct {
+	provider Provider
+}
+
+func NewManager(typ ProviderType, cfg map[string]interface{}) *Manager {
+	var p Provider
+	switch typ {
+	case AwsPrivider:
+		p = NewAwsProvider(cfg)
+	}
+	return &Manager{
+		provider: p,
+	}
+}
+
+func (p *Manager) Get(key string) (string, bool, error) {
+	value, ok := os.LookupEnv(key)
+	if ok && strings.HasPrefix(value, "{secret://") && strings.HasSuffix(value, "}") {
+		ref, err := Parse(value)
+		if err != nil {
+			return "", false, err
+		}
+		value, err = p.provider.GetValue(context.TODO(), ref.Name, ref.Properties)
+		if err != nil {
+			return "", false, err
+		}
+		return value, true, nil
+	}
+	return value, ok, nil
+}

pkg/secret/reference.go

@@ -42,7 +42,7 @@ func Parse(s string) (*Reference, error) {
 
 	ref := &Reference{
 		Type:       u.Host,
-		Name:       u.Path,
+		Name:       u.Path[1:],
 		Properties: make(map[string]string),
 	}
 	for k := range values {

test/anonymous/anonymous_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/webhookx-io/webhookx/test/helper"
 	"github.com/webhookx-io/webhookx/utils"
 	"testing"
+	"time"
 )
 
 var _ = Describe("anonymous reports", Ordered, func() {
@@ -18,7 +19,7 @@ var _ = Describe("anonymous reports", Ordered, func() {
 		BeforeAll(func() {
 			helper.InitDB(true, nil)
 			app = utils.Must(helper.Start(map[string]string{
-				"ANONYMOUS_REPORTS": "false",
+				"WEBHOOKX_ANONYMOUS_REPORTS": "false",
 			}))
 		})
 
@@ -27,9 +28,11 @@ var _ = Describe("anonymous reports", Ordered, func() {
 		})
 
 		It("should display log when anonymous_reports is disabled", func() {
-			matched, err := helper.FileHasLine("webhookx.log", "^.*anonymous reports is disabled$")
-			assert.Nil(GinkgoT(), err)
-			assert.Equal(GinkgoT(), true, matched)
+			assert.Eventually(GinkgoT(), func() bool {
+				matched, err := helper.FileHasLine("webhookx.log", "^.*anonymous reports is disabled$")
+				assert.Nil(GinkgoT(), err)
+				return matched
+			}, time.Second, time.Millisecond*100)
 		})
 	})
 

test/docker-compose.yml

@@ -43,3 +43,14 @@ services:
     ports:
       - 4317:4317
       - 4318:4318
+
+  localstack:
+    container_name: "localstack"
+    image: localstack/localstack
+    ports:
+      - "4566:4566"
+    environment:
+      DEBUG: "1"
+#      DOCKER_HOST: unix:///var/run/docker.sock
+#    volumes:
+#      - "/var/run/docker.sock:/var/run/docker.sock"

test/secret-reference/secret-reference_test.go

@@ -0,0 +1,71 @@
+package secret_reference
+
+import (
+	"context"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	. "github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	"github.com/stretchr/testify/assert"
+	"github.com/webhookx-io/webhookx/app"
+	"github.com/webhookx-io/webhookx/test/helper"
+	"testing"
+)
+
+var _ = Describe("SecretReference", Ordered, func() {
+
+	Context("test", func() {
+		var app *app.Application
+
+		AfterEach(func() {
+			app.Stop()
+		})
+
+		BeforeAll(func() {
+			helper.InitDB(true, nil)
+			// mock aws config
+			config, err := config.LoadDefaultConfig(context.TODO(),
+				config.WithBaseEndpoint("http://localhost:4566"),
+				config.WithRegion("us-east-1"),
+				config.WithCredentialsProvider(aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider(
+					"test",
+					"test",
+					"",
+				))),
+			)
+			assert.NoError(GinkgoT(), err)
+			client := secretsmanager.NewFromConfig(config, func(options *secretsmanager.Options) {})
+			_, err = client.CreateSecret(context.TODO(), &secretsmanager.CreateSecretInput{
+				Name:         aws.String("path/to/value"),
+				SecretString: aws.String("this is value"),
+			})
+			assert.NoError(GinkgoT(), err)
+		})
+
+		AfterAll(func() {
+			app.Stop()
+		})
+
+		It("reference should be de-reference", func() {
+			var err error
+			app, err = helper.Start(map[string]string{
+				"AWS_ACCESS_KEY_ID":          "test",
+				"AWS_SECRET_ACCESS_KEY":      "test",
+				"WEBHOOKX_SECRET_AWS_REGION": "us-east-1",
+				"WEBHOOKX_SECRET_AWS_URL":    "http://localhost:4566",
+				"WEBHOOKX_SECRET_PROVIDER":   "aws",
+				"WEBHOOKX_REDIS_PASSWORD":    "{secret://aws/path/to/value}",
+			})
+			assert.Nil(GinkgoT(), err)
+			assert.Equal(GinkgoT(), "this is value", string(app.Config().Redis.Password))
+		})
+	})
+
+})
+
+func TestAdmin(t *testing.T) {
+	gomega.RegisterFailHandler(Fail)
+	RunSpecs(t, "SecretReference Suite")
+}