feat: added secret referencing support
nimish-ks committed Jul 22, 2024
1 parent 53b66ce commit 47a08db
Showing 2 changed files with 22 additions and 12 deletions.
9 changes: 9 additions & 0 deletions src/phase/phase.py
@@ -17,6 +17,7 @@
from .utils.crypto import CryptoUtils
from .utils.const import __ph_version__, pss_user_pattern, pss_service_pattern
from .utils.misc import phase_get_context, normalize_tag, tag_matches
from .utils.secret_referencing import resolve_all_secrets


@dataclass
@@ -176,6 +177,7 @@ def get(self, env_name: str, keys: List[str] = None, app_name: str = None, tag:
secrets_data = secrets_response.json()

results = []
all_secrets = [] # List to store all secrets for resolving references
for secret in secrets_data:
# Check if a tag filter is applied and if the secret has the correct tags.
if tag and not tag_matches(secret.get("tags", []), tag):
@@ -209,6 +211,13 @@ def get(self, env_name: str, keys: List[str] = None, app_name: str = None, tag:

if not keys or decrypted_key in keys:
results.append(secret_obj)

all_secrets.append(secret_obj)

# Resolve secret references
for secret in results:
resolved_value = resolve_all_secrets(secret.value, all_secrets, self, app_name, env_name)
secret.value = resolved_value

return results

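Review bot: The resolution loop added at the end of `get()` has no guard against reference cycles. `resolve_all_secrets` is handed `self`, and the cross-environment fallback in `src/phase/utils/secret_referencing.py` (hunk at -90,15) calls `phase.get(...)` again, which now runs this same loop on the fetched secrets; two secrets in different environments that reference each other would, as far as these hunks show, recurse with one network request per level until Python's recursion limit is hit. A set of already-visited `(env, path, key)` references threaded through the resolver, or a depth cap, would bound this, and until then the limitation deserves a comment such as `# NOTE: cross-environment references re-enter get(); cyclic references are not detected`. The loop also writes `secret.value` back onto objects that `all_secrets` shares, so what a reference resolves to depends on list order: an earlier secret is seen already resolved, a later one still carries its raw `${...}` text. The body of `get()` starts and ends outside the hunks shown.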
25 changes: 13 additions & 12 deletions src/phase/utils/secret_referencing.py
@@ -66,11 +66,11 @@ def resolve_secret_reference(ref: str, secrets_dict: Dict[str, Dict[str, Dict[st
"""

env_name = current_env_name
path = "/" # Default root path
path = "/" # Default root path
key_name = ref

# Parse the reference to identify environment, path, and secret key.
if "." in ref: # Cross-environment references, split by the first dot to get environment and the rest.
if "." in ref: # Cross-environment references
parts = ref.split(".", 1)
env_name, rest = parts[0], parts[1]
last_slash_index = rest.rfind("/")
@@ -90,15 +90,17 @@ def resolve_secret_reference(ref: str, secrets_dict: Dict[str, Dict[str, Dict[st

try:
# Lookup with environment, path, and key
if env_name in secrets_dict and path in secrets_dict[env_name] and key_name in secrets_dict[env_name][path]:
return secrets_dict[env_name][path][key_name]
if env_name in secrets_dict and path in secrets_dict[env_name]:
for secret in secrets_dict[env_name][path]:
if secret.key == key_name:
return secret.value
else:
# Handle fallback for cross-environment or missing secrets
if env_name != current_env_name:
fetched_secrets = phase.get(env_name=env_name, app_name=current_application_name, keys=[key_name], path=path)
for secret in fetched_secrets:
if secret["key"] == key_name:
return secret["value"]
if secret.key == key_name:
return secret.value
except EnvironmentNotFoundException:
pass

@@ -128,14 +130,13 @@ def resolve_all_secrets(value: str, all_secrets: List[Dict[str, str]], phase: 'P

secrets_dict = {}
for secret in all_secrets:
env_name = secret['environment']
path = secret['path']
key = secret['key']
env_name = current_env_name # Assume current environment if not specified
path = secret.path
if env_name not in secrets_dict:
secrets_dict[env_name] = {}
if path not in secrets_dict[env_name]:
secrets_dict[env_name][path] = {}
secrets_dict[env_name][path][key] = secret['value']
secrets_dict[env_name][path] = []
secrets_dict[env_name][path].append(secret)

refs = SECRET_REF_REGEX.findall(value)
resolved_value = value
@@ -144,4 +145,4 @@ def resolve_all_secrets(value: str, all_secrets: List[Dict[str, str]], phase: 'P
resolved_secret_value = resolve_secret_reference(ref, secrets_dict, phase, current_application_name, current_env_name)
resolved_value = resolved_value.replace(f"${{{ref}}}", resolved_secret_value)

return resolved_value
return resolved_value
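Review bot: The signatures of both resolvers still describe dictionaries although the new bodies work on objects. The hunk headers show `all_secrets: List[Dict[str, str]]` and a nested-`Dict` `secrets_dict`, none of the four hunks touches those lines, and the code now reads `secret.path`, `secret.key` and `secret.value` and stores a list per path. A caller that follows the annotation and passes dicts would fail with `AttributeError` instead of resolving anything, so the annotations and docstrings should be updated to the object type that `get()` actually builds. Separately, the lookup hunk (-90,15) now finds a key by scanning the per-path list, and `resolve_all_secrets` rebuilds `secrets_dict` on every call, which `get()` makes once per returned secret; building the index once and keeping it keyed by `secret.key` would avoid the repeated work. Both function bodies start and end outside the hunks shown.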
