From 1aa876f0723f213bd098aa0557510f8043e82faa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?=
Date: Mon, 24 Jun 2024 13:51:37 -0700
Subject: [PATCH] minor refactoring (#1010)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Volkan Özçelik
---
app/init_container/cmd/main.go | 3 +-
app/inspector/cmd/main.go | 2 +-
app/safe/internal/bootstrap/bootstrap.go | 36 +---
app/safe/internal/bootstrap/init.go | 26 +++
app/safe/internal/bootstrap/init_test.go | 11 ++
app/safe/internal/server/handle/handle.go | 38 +----
app/safe/internal/server/handle/route.go | 157 +++---------------
.../internal/server/route/delete/delete.go | 2 +-
.../server/route/fallback/fallback.go | 30 ++++
app/safe/internal/server/route/fetch/fetch.go | 2 +-
.../server/route/keystone/keystone.go | 2 +-
app/safe/internal/server/route/list/list.go | 2 +-
.../internal/server/route/receive/receive.go | 2 +-
.../internal/server/route/secret/secret.go | 2 +-
14 files changed, 106 insertions(+), 209 deletions(-)
create mode 100644 app/safe/internal/bootstrap/init.go
create mode 100644 app/safe/internal/bootstrap/init_test.go
create mode 100644 app/safe/internal/server/route/fallback/fallback.go
diff --git a/app/init_container/cmd/main.go b/app/init_container/cmd/main.go
index 928b4780..7669890d 100644
--- a/app/init_container/cmd/main.go
+++ b/app/init_container/cmd/main.go
@@ -34,8 +34,7 @@ func main() {
// Wait for a specified duration before exiting the init container.
// This can be useful when you want things to reconcile before
// starting the main container.
- d := env.WaitBeforeExitForInitContainer()
- go startup.Watch(d)
+ go startup.Watch(env.WaitBeforeExitForInitContainer())
// Block the process from exiting, but also be graceful and honor the
// termination signals that may come from the orchestrator.
diff --git a/app/inspector/cmd/main.go b/app/inspector/cmd/main.go
index 169735d7..af20c0c2 100644
--- a/app/inspector/cmd/main.go
+++ b/app/inspector/cmd/main.go
@@ -33,6 +33,6 @@ func main() {
return
}
- // d.Data is a collection of VSecM secrets.
+ // d.Data is a serialized collection of VSecM secrets.
fmt.Println(d.Data)
}
diff --git a/app/safe/internal/bootstrap/bootstrap.go b/app/safe/internal/bootstrap/bootstrap.go
index 0f7b9e33..f5bde0ee 100644
--- a/app/safe/internal/bootstrap/bootstrap.go
+++ b/app/safe/internal/bootstrap/bootstrap.go
@@ -18,13 +18,11 @@ import (
"github.com/spiffe/go-spiffe/v2/workloadapi"
- "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/queue"
"github.com/vmware-tanzu/secrets-manager/core/constants/key"
"github.com/vmware-tanzu/secrets-manager/core/constants/val"
"github.com/vmware-tanzu/secrets-manager/core/crypto"
"github.com/vmware-tanzu/secrets-manager/core/env"
log "github.com/vmware-tanzu/secrets-manager/core/log/std"
- "github.com/vmware-tanzu/secrets-manager/core/probe"
"github.com/vmware-tanzu/secrets-manager/core/validation"
)
@@ -83,16 +81,7 @@ func Monitor(
correlationId, "remaining operations before ready:", counter)
if counter == 0 {
- queue.Initialize()
- log.DebugLn(
- correlationId,
- "Creating readiness probe.")
-
- <-probe.CreateReadiness()
-
- log.AuditLn(
- correlationId,
- "VSecM Safe is ready to serve.")
+ completeInitialization(correlationId)
}
// Updated the root key:
case <-channels.UpdatedSecret:
@@ -102,16 +91,7 @@ func Monitor(
correlationId, "remaining operations before ready:", counter)
if counter == 0 {
- queue.Initialize()
- log.DebugLn(
- correlationId,
- "Creating readiness probe.")
-
- <-probe.CreateReadiness()
-
- log.AuditLn(
- correlationId,
- "VSecM Safe is ready to serve.")
+ completeInitialization(correlationId)
}
// VSecM Safe REST API is ready to serve:
case <-channels.ServerStarted:
@@ -121,17 +101,7 @@ func Monitor(
correlationId, "remaining operations before ready:", counter)
if counter == 0 {
- // Start all background jobs.
- queue.Initialize()
- log.DebugLn(
- correlationId,
- "Creating readiness probe.")
-
- <-probe.CreateReadiness()
-
- log.AuditLn(
- correlationId,
- "VSecM Safe is ready to serve.")
+ completeInitialization(correlationId)
}
// Things didn't start in a timely manner:
case <-timedOut:
diff --git a/app/safe/internal/bootstrap/init.go b/app/safe/internal/bootstrap/init.go
new file mode 100644
index 00000000..68f04b18
--- /dev/null
+++ b/app/safe/internal/bootstrap/init.go
@@ -0,0 +1,26 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+/ keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package bootstrap
+
+import (
+ "github.com/vmware-tanzu/secrets-manager/app/safe/internal/state/queue"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+ "github.com/vmware-tanzu/secrets-manager/core/probe"
+)
+
+func completeInitialization(correlationId *string) {
+ queue.Initialize()
+ log.DebugLn(correlationId, "Creating readiness probe.")
+
+ <-probe.CreateReadiness()
+
+ log.AuditLn(correlationId, "VSecM Safe is ready to serve.")
+}
diff --git a/app/safe/internal/bootstrap/init_test.go b/app/safe/internal/bootstrap/init_test.go
new file mode 100644
index 00000000..d1202a3a
--- /dev/null
+++ b/app/safe/internal/bootstrap/init_test.go
@@ -0,0 +1,11 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+/ keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package bootstrap
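Review bot: `completeInitialization` has no doc comment, and the refactor drops the `// Start all background jobs.` comment that bootstrap.go carried above `queue.Initialize()`, so the reason the queue is started before `probe.CreateReadiness()` is no longer written down anywhere. I would add `// completeInitialization starts the background job queue, then blocks on probe.CreateReadiness() before writing the audit entry; presumably the queue must be up before Safe reports ready — confirm.` above the function. The new init_test.go only declares the package and contains no test for this function.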
diff --git a/app/safe/internal/server/handle/handle.go b/app/safe/internal/server/handle/handle.go
index 4c22e17e..4cbf7af6 100644
--- a/app/safe/internal/server/handle/handle.go
+++ b/app/safe/internal/server/handle/handle.go
@@ -11,6 +11,7 @@ package handle
import (
+ routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"
"net/http"
"github.com/spiffe/go-spiffe/v2/workloadapi"
@@ -40,9 +41,10 @@ func InitializeRoutes(source *workloadapi.X509Source) {
id, err := s.IdFromRequest(r)
if err != nil {
- log.WarnLn(
- &cid,
- "Handler: blocking insecure svid", id, err)
+ log.WarnLn(&cid, "Handler: blocking insecure svid", id, err)
+
+ routeFallback.Fallback(cid, r, w)
+
return
}
@@ -54,34 +56,6 @@ func InitializeRoutes(source *workloadapi.X509Source) {
&cid,
"Handler: got svid:", sid, "path", p, "method", m)
- switch {
- case routeSentinelGetKeystone(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelGetKeystone")
- return
- case routeSentinelGetSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelGetSecrets")
- return
- case routeSentinelGetSecretsReveal(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelGetSecretsReveal")
- return
- case routeSentinelPostSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelPostSecrets")
- return
- case routeSentinelDeleteSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelDeleteSecrets")
- return
- case routeSentinelPostKeys(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeSentinelPostKeys")
- return
- case routeWorkloadGetSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeWorkloadGetSecrets")
- return
- case routeWorkloadPostSecrets(cid, r, w):
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeWorkloadPostSecrets")
- return
- }
-
- log.TraceLn(&cid, "InitializeRoutes:Handler:routeFallback")
- routeFallback(cid, r, w)
+ route(cid, r, w)
})
}
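Review bot: On the rejected-SVID path, the new `routeFallback.Fallback(cid, r, w)` call logs `Handler: route mismatch:` with the request URI at debug level, which mislabels an identity rejection as a routing error and makes the two refusal reasons indistinguishable in the log stream that follows the warning. Since the only response wanted here appears to be an empty 400, I would write `w.WriteHeader(http.StatusBadRequest)` directly at that spot, or give Fallback a reason string to log, so the audit trail states why the request was refused. As far as the hunk shows, the old code returned without writing anything, so replying with an explicit 400 rather than an implicit 200 is an improvement worth keeping. The handler closure and InitializeRoutes both continue outside the hunk.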
diff --git a/app/safe/internal/server/handle/route.go b/app/safe/internal/server/handle/route.go
index 5bfa623a..af805af0 100644
--- a/app/safe/internal/server/handle/route.go
+++ b/app/safe/internal/server/handle/route.go
@@ -11,7 +11,7 @@ package handle
import (
- "io"
+ routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"
"net/http"
routeDelete "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/delete"
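Review bot: The new `routeFallback` import lands in the first (standard-library) import group above `"net/http"`, while the other `route*` aliases such as `routeDelete` sit in the project group below; moving `routeFallback "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/fallback"` down next to them keeps the file's stdlib/project grouping intact (handle.go's import hunk has the same placement). The import block continues outside the hunk.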
@@ -21,155 +21,42 @@ import (
routeReceive "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/receive"
routeSecret "github.com/vmware-tanzu/secrets-manager/app/safe/internal/server/route/secret"
"github.com/vmware-tanzu/secrets-manager/core/constants/url"
- log "github.com/vmware-tanzu/secrets-manager/core/log/std"
)
-func routeSentinelGetKeystone(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- // Return the current state of the Keystone secret.
- // Either "initialized", or "pending"
- if m == http.MethodGet && p == url.SentinelKeystone {
- log.DebugLn(&cid, "Handler:routeSentinelGetKeystone")
- routeKeystone.Status(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelGetSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- // Route to list secrets.
- // Only VSecM Sentinel is allowed to call this API endpoint.
- // Calling it from anywhere else will error out.
- if m == http.MethodGet && p == url.SentinelSecrets {
- log.DebugLn(&cid, "Handler:routeSentinelGetSecrets")
- routeList.Masked(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelGetSecretsReveal(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- if m == http.MethodGet && p == url.SentinelSecretsWithReveal {
- log.DebugLn(&cid, "Handler:routeSentinelGetSecretsReveal")
- routeList.Encrypted(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelPostSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
- // Route to add secrets to VSecM Safe.
- // Only VSecM Sentinel is allowed to call this API endpoint.
- // Calling it from anywhere else will error out.
- if m == http.MethodPost && p == url.SentinelSecrets {
- log.DebugLn(&cid, "Handler:routeSentinelPostSecrets")
- routeSecret.Secret(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelDeleteSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
+type handler func(string, *http.Request, http.ResponseWriter)
+func factory(p, m string) handler {
+ switch {
+ case m == http.MethodGet && p == url.SentinelKeystone:
+ return routeKeystone.Status
+ case m == http.MethodGet && p == url.SentinelSecretsWithReveal:
+ return routeList.Encrypted
+ case m == http.MethodPost && p == url.SentinelSecrets:
+ return routeSecret.Secret
// Route to delete secrets from VSecM Safe.
// Only VSecM Sentinel is allowed to call this API endpoint.
// Calling it from anywhere else will error out.
- if m == http.MethodDelete && p == url.SentinelSecrets {
- log.DebugLn(&cid, "Handler:routeSentinelDeleteSecrets")
- routeDelete.Delete(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeSentinelPostKeys(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
+ case m == http.MethodDelete && p == url.SentinelSecrets:
+ return routeDelete.Delete
// Route to define the root key.
// Only VSecM Sentinel is allowed to call this API endpoint.
- if m == http.MethodPost && p == url.SentinelKeys {
- log.DebugLn(&cid, "Handler:routeSentinelPostKeys")
- routeReceive.Keys(cid, w, r)
-
- return true
- }
-
- return false
-}
-
-func routeWorkloadGetSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- p := r.URL.Path
- m := r.Method
-
+ case m == http.MethodPost && p == url.SentinelKeys:
+ return routeReceive.Keys
// Route to fetch secrets.
// Only a VSecM-nominated workload is allowed to
// call this API endpoint. Calling it from anywhere else will
// error out.
- if m == http.MethodGet && p == url.WorkloadSecrets {
- log.DebugLn(&cid, "Handler:routeWorkloadGetSecrets")
- routeFetch.Fetch(cid, w, r)
-
- return true
+ case m == http.MethodGet && p == url.WorkloadSecrets:
+ return routeFetch.Fetch
+ case m == http.MethodPost && p == url.WorkloadSecrets:
+ panic("routeWorkloadPostSecrets not implemented")
+ default:
+ return routeFallback.Fallback
}
-
- return false
}
-func routeWorkloadPostSecrets(
- cid string, r *http.Request, w http.ResponseWriter,
-) bool {
- log.DebugLn(&cid,
- "Handler:routeWorkloadPostSecrets: will post", r.Method, r.URL.Path)
-
- panic("routeWorkloadPostSecrets not implemented")
-}
-
-func routeFallback(
+func route(
cid string, r *http.Request, w http.ResponseWriter,
) {
- log.DebugLn(&cid, "Handler: route mismatch:", r.RequestURI)
-
- w.WriteHeader(http.StatusBadRequest)
- _, err := io.WriteString(w, "")
- if err != nil {
- log.WarnLn(&cid, "Problem writing response:", err.Error())
- }
+ factory(r.URL.Path, r.Method)(cid, r, w)
}
diff --git a/app/safe/internal/server/route/delete/delete.go b/app/safe/internal/server/route/delete/delete.go
index c14467e7..70fd8dd1 100644
--- a/app/safe/internal/server/route/delete/delete.go
+++ b/app/safe/internal/server/route/delete/delete.go
@@ -39,7 +39,7 @@ import (
// - spiffeid: A string representing the SPIFFE ID of the client making the
// request.
func Delete(
- cid string, w http.ResponseWriter, r *http.Request,
+ cid string, r *http.Request, w http.ResponseWriter,
) {
spiffeid := s.IdAsString(r)
diff --git a/app/safe/internal/server/route/fallback/fallback.go b/app/safe/internal/server/route/fallback/fallback.go
new file mode 100644
index 00000000..d1089683
--- /dev/null
+++ b/app/safe/internal/server/route/fallback/fallback.go
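Review bot: The new `factory` switch has no case for `GET url.SentinelSecrets`: the removed `routeSentinelGetSecrets` dispatched that pair to `routeList.Masked`, but nothing in the new switch does, so a masked list request now falls to `routeFallback.Fallback` and is answered with 400. I would add `case m == http.MethodGet && p == url.SentinelSecrets:` followed by `return routeList.Masked` next to the reveal case; `Masked` is not among the functions whose parameters this commit reorders, so it presumably still needs the `(cid, r, w)` order to satisfy `handler`. The `POST url.WorkloadSecrets` case should not `panic`: net/http recovers a handler panic but drops the connection and logs a stack trace, and any client whose SVID passed the check in handle.go can trigger it, so `return routeFallback.Fallback` there (or delete the case and let `default` cover it). With the per-route `log.DebugLn("Handler:route…")` lines gone, a doc comment on `factory` listing the method/path pairs it knows and noting that the Sentinel-only/workload-only restrictions the old comments describe are not enforced by this switch (presumably the handlers do it; confirm) would also help.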
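Review bot: The doc comment right above the reordered signature still documents `- spiffeid: A string representing the SPIFFE ID of the client making the request.` as a parameter, but `Delete` takes only `cid`, `r` and `w` and obtains the id itself via `s.IdAsString(r)`. Since the commit rewrites the signature anyway, I would drop that bullet and add `// The caller's SPIFFE ID is derived from r, not passed in.`; the same stale bullet sits above `Fetch`, `Status` and `Secret` in the sibling hunks. The doc comment starts and the function body continues outside the hunk.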
@@ -0,0 +1,30 @@
+/*
+| Protect your secrets, protect your sensitive data.
+: Explore VMware Secrets Manager docs at https://vsecm.com/
+/ keep your secrets... secret
+>/
+<>/' Copyright 2023-present VMware Secrets Manager contributors.
+>/' SPDX-License-Identifier: BSD-2-Clause
+*/
+
+package fallback
+
+import (
+ "io"
+ "net/http"
+
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+)
+
+func Fallback(
+ cid string, r *http.Request, w http.ResponseWriter,
+) {
+ log.DebugLn(&cid, "Handler: route mismatch:", r.RequestURI)
+
+ w.WriteHeader(http.StatusBadRequest)
+ _, err := io.WriteString(w, "")
+ if err != nil {
+ log.WarnLn(&cid, "Problem writing response:", err.Error())
+ }
+}
diff --git a/app/safe/internal/server/route/fetch/fetch.go b/app/safe/internal/server/route/fetch/fetch.go
index 26b38dd9..339468d0 100644
--- a/app/safe/internal/server/route/fetch/fetch.go
+++ b/app/safe/internal/server/route/fetch/fetch.go
@@ -43,7 +43,7 @@ import (
// - spiffeid: A string representing the SPIFFE ID of the client making the
// request.
func Fetch(
- cid string, w http.ResponseWriter, r *http.Request,
+ cid string, r *http.Request, w http.ResponseWriter,
) {
spiffeid := s.IdAsString(r)
diff --git a/app/safe/internal/server/route/keystone/keystone.go b/app/safe/internal/server/route/keystone/keystone.go
index 7c025519..aa8b8aae 100644
--- a/app/safe/internal/server/route/keystone/keystone.go
+++ b/app/safe/internal/server/route/keystone/keystone.go
@@ -43,7 +43,7 @@ import (
// - spiffeid: The SPIFFE ID of the entity making the request, used for
// authentication and logging.
func Status(
- cid string, w http.ResponseWriter, r *http.Request,
+ cid string, r *http.Request, w http.ResponseWriter,
) {
spiffeid := s.IdAsString(r)
diff --git a/app/safe/internal/server/route/list/list.go b/app/safe/internal/server/route/list/list.go
index be134ca0..a0959919 100644
--- a/app/safe/internal/server/route/list/list.go
+++ b/app/safe/internal/server/route/list/list.go
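Review bot: `Fallback` is exported with no doc comment, and `io.WriteString(w, "")` writes zero bytes after `WriteHeader`, so the error branch under it is effectively dead; `w.WriteHeader(http.StatusBadRequest)` on its own yields the same empty 400. I would add `// Fallback answers a request that matched no route, or that the handler refused, with an empty 400; the request URI is only logged at debug level.` and remove the empty write together with its error check. Because handle.go also calls this for requests whose SVID was rejected, the `Handler: route mismatch:` wording is not accurate for every caller, so either the message should be neutral or a reason should be passed in.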
@@ -36,7 +36,7 @@ func Masked(
// - r: A pointer to an http.Request representing the received HTTP request.
// - spiffeid: spiffe id of the caller.
func Encrypted(
- cid string, w http.ResponseWriter, r *http.Request,
+ cid string, r *http.Request, w http.ResponseWriter,
) {
doList(cid, w, r, true)
}
diff --git a/app/safe/internal/server/route/receive/receive.go b/app/safe/internal/server/route/receive/receive.go
index ffb372e0..e6deba3c 100644
--- a/app/safe/internal/server/route/receive/receive.go
+++ b/app/safe/internal/server/route/receive/receive.go
@@ -47,7 +47,7 @@ import (
// - r (*http.Request): The incoming HTTP request containing the payload.
// - spiffeid (string): The SPIFFE ID associated with the requester, used for
// authorization validation.
-func Keys(cid string, w http.ResponseWriter, r *http.Request) {
+func Keys(cid string, r *http.Request, w http.ResponseWriter) {
spiffeid := s.IdAsString(r)
j := journal.CreateDefaultEntry(cid, spiffeid, r)
diff --git a/app/safe/internal/server/route/secret/secret.go b/app/safe/internal/server/route/secret/secret.go
index f49aaa25..9ea83612 100644
--- a/app/safe/internal/server/route/secret/secret.go
+++ b/app/safe/internal/server/route/secret/secret.go
@@ -38,7 +38,7 @@ import (
// - r: An http.Request object containing the details of the client's request.
// - spiffeid: A string representing the SPIFFE ID of the client making the
// request.
-func Secret(cid string, w http.ResponseWriter, r *http.Request) {
+func Secret(cid string, r *http.Request, w http.ResponseWriter) {
spiffeid := s.IdAsString(r)
if spiffeid == "" {
w.WriteHeader(http.StatusBadRequest)