You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
207 lines
9.0 KiB
207 lines
9.0 KiB
"use strict";
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.ensureServiceAgentRole = exports.setIamPolicy = exports.getIamPolicy = exports.addVersion = exports.deleteSecret = exports.patchSecret = exports.createSecret = exports.toSecretVersionResourceName = exports.parseSecretVersionResourceName = exports.parseSecretResourceName = exports.secretExists = exports.destroySecretVersion = exports.accessSecretVersion = exports.getSecretVersion = exports.listSecretVersions = exports.getSecretMetadata = exports.listSecrets = exports.getSecret = exports.secretManagerConsoleUri = void 0;
|
|
const utils_1 = require("../utils");
|
|
const error_1 = require("../error");
|
|
const apiv2_1 = require("../apiv2");
|
|
const api_1 = require("../api");
|
|
const SECRET_NAME_REGEX = new RegExp("projects\\/" +
|
|
"(?<project>(?:\\d+)|(?:[A-Za-z]+[A-Za-z\\d-]*[A-Za-z\\d]?))\\/" +
|
|
"secrets\\/" +
|
|
"(?<secret>[A-Za-z\\d\\-_]+)");
|
|
const SECRET_VERSION_NAME_REGEX = new RegExp(SECRET_NAME_REGEX.source + "\\/versions\\/" + "(?<version>latest|[0-9]+)");
|
|
const secretManagerConsoleUri = (projectId) => `https://console.cloud.google.com/security/secret-manager?project=${projectId}`;
|
|
exports.secretManagerConsoleUri = secretManagerConsoleUri;
|
|
const API_VERSION = "v1";
|
|
const client = new apiv2_1.Client({ urlPrefix: api_1.secretManagerOrigin, apiVersion: API_VERSION });
|
|
async function getSecret(projectId, name) {
|
|
var _a;
|
|
const getRes = await client.get(`projects/${projectId}/secrets/${name}`);
|
|
const secret = parseSecretResourceName(getRes.body.name);
|
|
secret.labels = (_a = getRes.body.labels) !== null && _a !== void 0 ? _a : {};
|
|
return secret;
|
|
}
|
|
exports.getSecret = getSecret;
|
|
async function listSecrets(projectId, filter) {
|
|
var _a;
|
|
const secrets = [];
|
|
const path = `projects/${projectId}/secrets`;
|
|
const baseOpts = filter ? { queryParams: { filter } } : {};
|
|
let pageToken = "";
|
|
while (true) {
|
|
const opts = pageToken === ""
|
|
? baseOpts
|
|
: Object.assign(Object.assign({}, baseOpts), { queryParams: Object.assign(Object.assign({}, baseOpts === null || baseOpts === void 0 ? void 0 : baseOpts.queryParams), { pageToken }) });
|
|
const res = await client.get(path, opts);
|
|
for (const s of res.body.secrets || []) {
|
|
secrets.push(Object.assign(Object.assign({}, parseSecretResourceName(s.name)), { labels: (_a = s.labels) !== null && _a !== void 0 ? _a : {} }));
|
|
}
|
|
if (!res.body.nextPageToken) {
|
|
break;
|
|
}
|
|
pageToken = res.body.nextPageToken;
|
|
}
|
|
return secrets;
|
|
}
|
|
exports.listSecrets = listSecrets;
|
|
async function getSecretMetadata(projectId, secretName, version) {
|
|
const secretInfo = {};
|
|
try {
|
|
secretInfo.secret = await getSecret(projectId, secretName);
|
|
secretInfo.secretVersion = getSecretVersion(projectId, secretName, version);
|
|
}
|
|
catch (err) {
|
|
if (err.status !== 404) {
|
|
throw err;
|
|
}
|
|
}
|
|
return secretInfo;
|
|
}
|
|
exports.getSecretMetadata = getSecretMetadata;
|
|
async function listSecretVersions(projectId, name, filter) {
|
|
const secrets = [];
|
|
const path = `projects/${projectId}/secrets/${name}/versions`;
|
|
const baseOpts = filter ? { queryParams: { filter } } : {};
|
|
let pageToken = "";
|
|
while (true) {
|
|
const opts = pageToken === ""
|
|
? baseOpts
|
|
: Object.assign(Object.assign({}, baseOpts), { queryParams: Object.assign(Object.assign({}, baseOpts === null || baseOpts === void 0 ? void 0 : baseOpts.queryParams), { pageToken }) });
|
|
const res = await client.get(path, opts);
|
|
for (const s of res.body.versions || []) {
|
|
secrets.push(Object.assign(Object.assign({}, parseSecretVersionResourceName(s.name)), { state: s.state }));
|
|
}
|
|
if (!res.body.nextPageToken) {
|
|
break;
|
|
}
|
|
pageToken = res.body.nextPageToken;
|
|
}
|
|
return secrets;
|
|
}
|
|
exports.listSecretVersions = listSecretVersions;
|
|
async function getSecretVersion(projectId, name, version) {
|
|
const getRes = await client.get(`projects/${projectId}/secrets/${name}/versions/${version}`);
|
|
return Object.assign(Object.assign({}, parseSecretVersionResourceName(getRes.body.name)), { state: getRes.body.state });
|
|
}
|
|
exports.getSecretVersion = getSecretVersion;
|
|
async function accessSecretVersion(projectId, name, version) {
|
|
const res = await client.get(`projects/${projectId}/secrets/${name}/versions/${version}:access`);
|
|
return Buffer.from(res.body.payload.data, "base64").toString();
|
|
}
|
|
exports.accessSecretVersion = accessSecretVersion;
|
|
async function destroySecretVersion(projectId, name, version) {
|
|
if (version === "latest") {
|
|
const sv = await getSecretVersion(projectId, name, "latest");
|
|
version = sv.versionId;
|
|
}
|
|
await client.post(`projects/${projectId}/secrets/${name}/versions/${version}:destroy`);
|
|
}
|
|
exports.destroySecretVersion = destroySecretVersion;
|
|
async function secretExists(projectId, name) {
|
|
try {
|
|
await getSecret(projectId, name);
|
|
return true;
|
|
}
|
|
catch (err) {
|
|
if (err.status === 404) {
|
|
return false;
|
|
}
|
|
throw err;
|
|
}
|
|
}
|
|
exports.secretExists = secretExists;
|
|
function parseSecretResourceName(resourceName) {
|
|
const match = SECRET_NAME_REGEX.exec(resourceName);
|
|
if (!(match === null || match === void 0 ? void 0 : match.groups)) {
|
|
throw new error_1.FirebaseError(`Invalid secret resource name [${resourceName}].`);
|
|
}
|
|
return {
|
|
projectId: match.groups.project,
|
|
name: match.groups.secret,
|
|
};
|
|
}
|
|
exports.parseSecretResourceName = parseSecretResourceName;
|
|
function parseSecretVersionResourceName(resourceName) {
|
|
const match = resourceName.match(SECRET_VERSION_NAME_REGEX);
|
|
if (!(match === null || match === void 0 ? void 0 : match.groups)) {
|
|
throw new error_1.FirebaseError(`Invalid secret version resource name [${resourceName}].`);
|
|
}
|
|
return {
|
|
secret: {
|
|
projectId: match.groups.project,
|
|
name: match.groups.secret,
|
|
},
|
|
versionId: match.groups.version,
|
|
};
|
|
}
|
|
exports.parseSecretVersionResourceName = parseSecretVersionResourceName;
|
|
function toSecretVersionResourceName(secretVersion) {
|
|
return `projects/${secretVersion.secret.projectId}/secrets/${secretVersion.secret.name}/versions/${secretVersion.versionId}`;
|
|
}
|
|
exports.toSecretVersionResourceName = toSecretVersionResourceName;
|
|
async function createSecret(projectId, name, labels) {
|
|
const createRes = await client.post(`projects/${projectId}/secrets`, {
|
|
name,
|
|
replication: {
|
|
automatic: {},
|
|
},
|
|
labels,
|
|
}, { queryParams: { secretId: name } });
|
|
return Object.assign(Object.assign({}, parseSecretResourceName(createRes.body.name)), { labels });
|
|
}
|
|
exports.createSecret = createSecret;
|
|
async function patchSecret(projectId, name, labels) {
|
|
const fullName = `projects/${projectId}/secrets/${name}`;
|
|
const res = await client.patch(fullName, { name: fullName, labels }, { queryParams: { updateMask: "labels" } });
|
|
return parseSecretResourceName(res.body.name);
|
|
}
|
|
exports.patchSecret = patchSecret;
|
|
async function deleteSecret(projectId, name) {
|
|
const path = `projects/${projectId}/secrets/${name}`;
|
|
await client.delete(path);
|
|
}
|
|
exports.deleteSecret = deleteSecret;
|
|
async function addVersion(projectId, name, payloadData) {
|
|
const res = await client.post(`projects/${projectId}/secrets/${name}:addVersion`, {
|
|
payload: {
|
|
data: Buffer.from(payloadData).toString("base64"),
|
|
},
|
|
});
|
|
return Object.assign(Object.assign({}, parseSecretVersionResourceName(res.body.name)), { state: res.body.state });
|
|
}
|
|
exports.addVersion = addVersion;
|
|
async function getIamPolicy(secret) {
|
|
const res = await client.get(`projects/${secret.projectId}/secrets/${secret.name}:getIamPolicy`);
|
|
return res.body;
|
|
}
|
|
exports.getIamPolicy = getIamPolicy;
|
|
async function setIamPolicy(secret, bindings) {
|
|
await client.post(`projects/${secret.projectId}/secrets/${secret.name}:setIamPolicy`, {
|
|
policy: {
|
|
bindings,
|
|
},
|
|
updateMask: "bindings",
|
|
});
|
|
}
|
|
exports.setIamPolicy = setIamPolicy;
|
|
async function ensureServiceAgentRole(secret, serviceAccountEmails, role) {
|
|
const policy = await module.exports.getIamPolicy(secret);
|
|
const bindings = policy.bindings || [];
|
|
let binding = bindings.find((b) => b.role === role);
|
|
if (!binding) {
|
|
binding = { role, members: [] };
|
|
bindings.push(binding);
|
|
}
|
|
let shouldShortCircuit = true;
|
|
for (const serviceAccount of serviceAccountEmails) {
|
|
if (!binding.members.find((m) => m === `serviceAccount:${serviceAccount}`)) {
|
|
binding.members.push(`serviceAccount:${serviceAccount}`);
|
|
shouldShortCircuit = false;
|
|
}
|
|
}
|
|
if (shouldShortCircuit)
|
|
return;
|
|
await module.exports.setIamPolicy(secret, bindings);
|
|
(0, utils_1.logLabeledSuccess)("secretmanager", `Granted ${role} on projects/${secret.projectId}/secrets/${secret.name} to ${serviceAccountEmails.join(", ")}`);
|
|
}
|
|
exports.ensureServiceAgentRole = ensureServiceAgentRole;
|