LOG-7168: align file secret implementation with upstream

Signed-off-by: Vitalii Parfonov <[email protected]>

Author: vparfonov

src/secrets/file.rs

@@ -1,7 +1,5 @@
 use std::collections::{HashMap, HashSet};
-use std::fs::File;
-use std::io::{ErrorKind, Read};
-use std::path::Path;
+use std::path::PathBuf;
 
 use vector_lib::configurable::{component::GenerateConfig, configurable_component};
 
@@ -11,14 +9,14 @@ use crate::{config::SecretBackend, signal};
 #[configurable_component(secrets("file"))]
 #[derive(Clone, Debug)]
 pub struct FileBackend {
-    /// Base path to use for fetching secrets from files.
-    pub base_path: String,
+    /// File path to read secrets from.
+    pub path: PathBuf,
 }
 
 impl GenerateConfig for FileBackend {
     fn generate_config() -> toml::Value {
         toml::Value::try_from(FileBackend {
-            base_path: String::from("/path/to/secrets"),
+            path: PathBuf::from("/path/to/secret"),
         })
         .unwrap()
     }
@@ -28,99 +26,21 @@ impl SecretBackend for FileBackend {
     async fn retrieve(
         &mut self,
         secret_keys: HashSet<String>,
-        _signal_rx: &mut signal::SignalRx,
+        _: &mut signal::SignalRx,
     ) -> crate::Result<HashMap<String, String>> {
-        retrieve_secrets(&self.base_path, secret_keys)
-    }
-}
-
-fn retrieve_secrets(
-    base: &String,
-    secret_keys: HashSet<String>,
-) -> crate::Result<HashMap<String, String>> {
-    let base_path = Path::new(&base);
-    let mut secrets = HashMap::new();
-    for k in secret_keys.into_iter() {
-        let secret_path = Path::new(&k);
-        if secret_path.is_absolute() {
-            return Err(format!("secret key can not be absolute: {}", k).into());
-        }
-
-        let file_path = base_path.join(secret_path);
-        let file_result = File::open(file_path);
-        match file_result {
-            Ok(mut file) => {
-                let mut contents = String::new();
-                file.read_to_string(&mut contents)?;
-                if contents.is_empty() {
+        let contents = tokio::fs::read_to_string(&self.path).await?;
+        let output = serde_json::from_str::<HashMap<String, String>>(&contents)?;
+        let mut secrets = HashMap::new();
+        for k in secret_keys.into_iter() {
+            if let Some(secret) = output.get(&k) {
+                if secret.is_empty() {
                     return Err(format!("secret for key '{}' was empty", k).into());
                 }
-
-                secrets.insert(k.to_string(), contents);
-            }
-            Err(error) => {
-                if error.kind() == ErrorKind::NotFound {
-                    return Err(format!("secret file for '{}' not found", k).into());
-                }
-                return Err(format!("error reading file for '{}': {}", k, error).into());
+                secrets.insert(k, secret.to_string());
+            } else {
+                return Err(format!("secret for key '{}' was not retrieved", k).into());
             }
         }
-    }
-    Ok(secrets)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn retrieves_secret() {
-        let base_path = String::from("tests/secrets/");
-        let mut secret_keys = HashSet::new();
-        secret_keys.insert(String::from("secret"));
-
-        let result = retrieve_secrets(&base_path, secret_keys);
-        let values = result.expect("error reading secret");
-        assert!(values.contains_key("secret"));
-        assert_eq!(values.get("secret").unwrap(), "value\n");
-    }
-
-    #[test]
-    fn reject_absolute_path() {
-        let base_path = String::from("tests/secrets/");
-        let mut secret_keys = HashSet::new();
-        secret_keys.insert(String::from("/absolute/path"));
-
-        let result = retrieve_secrets(&base_path, secret_keys);
-        let error = result.expect_err("absolute key should produce error");
-        assert_eq!(
-            error.to_string(),
-            "secret key can not be absolute: /absolute/path"
-        );
-    }
-
-    #[test]
-    fn reject_empty_secret() {
-        let base_path = String::from("tests/secrets/");
-        let mut secret_keys = HashSet::new();
-        secret_keys.insert(String::from("empty"));
-
-        let result = retrieve_secrets(&base_path, secret_keys);
-        let error = result.expect_err("empty secret should produce error");
-        assert_eq!(error.to_string(), "secret for key 'empty' was empty");
-    }
-
-    #[test]
-    fn secret_not_found() {
-        let base_path = String::from("tests/secrets/");
-        let mut secret_keys = HashSet::new();
-        secret_keys.insert(String::from("does_not_exist"));
-
-        let result = retrieve_secrets(&base_path, secret_keys);
-        let error = result.expect_err("secret should not be found");
-        assert_eq!(
-            error.to_string(),
-            "secret file for 'does_not_exist' not found"
-        );
+        Ok(secrets)
     }
 }

src/secrets/mod.rs

@@ -2,8 +2,9 @@
 use std::collections::{HashMap, HashSet};
 
 use enum_dispatch::enum_dispatch;
-use vector_lib::configurable::{configurable_component, NamedComponent};
+use vector_lib::configurable::configurable_component;
 
+use crate::config::GenerateConfig;
 use crate::{config::SecretBackend, signal};
 
 #[cfg(feature = "secrets-aws-secrets-manager")]
@@ -13,12 +14,50 @@ mod exec;
 mod file;
 mod test;
 
-/// Configurable secret backends in Vector.
+///	Configuration options to retrieve secrets from external backend in order to avoid storing secrets in plaintext
+/// in Vector config. Multiple backends can be configured. Use `SECRET[<backend_name>.<secret_key>]` to tell Vector to retrieve the secret. This placeholder is replaced by the secret
+/// retrieved from the relevant backend.
+///
+/// When `type` is `exec`, the provided command will be run and provided a list of
+/// secrets to fetch, determined from the configuration file, on stdin as JSON in the format:
+///
+/// ```json
+/// {"version": "1.0", "secrets": ["secret1", "secret2"]}
+/// ```
+///
+/// The executable is expected to respond with the values of these secrets on stdout, also as JSON, in the format:
+///
+/// ```json
+/// {
+///     "secret1": {"value": "secret_value", "error": null},
+///     "secret2": {"value": null, "error": "could not fetch the secret"}
+/// }
+/// ```
+/// If an `error` is returned for any secrets, or if the command exits with a non-zero status code,
+/// Vector will log the errors and exit.
+///
+/// Otherwise, the secret must be a JSON text string with key/value pairs. For example:
+/// ```json
+/// {
+///     "username": "test",
+///     "password": "example-password"
+/// }
+/// ```
+///
+/// If an error occurred while reading the file or retrieving the secrets, Vector logs the error and exits.
+///
+/// Secrets are loaded when Vector starts or if Vector receives a `SIGHUP` signal triggering its
+/// configuration reload process.
 #[allow(clippy::large_enum_variant)]
-#[configurable_component]
+#[configurable_component(global_option("secret"))]
 #[derive(Clone, Debug)]
 #[enum_dispatch(SecretBackend)]
 #[serde(tag = "type", rename_all = "snake_case")]
+#[configurable(metadata(
+    docs::enum_tag_description = "secret type",
+    docs::common = false,
+    docs::required = false,
+))]
 pub enum SecretBackends {
     /// File.
     File(file::FileBackend),
@@ -38,16 +77,11 @@ pub enum SecretBackends {
     Test(test::TestBackend),
 }
 
-// TODO: Use `enum_dispatch` here.
-impl NamedComponent for SecretBackends {
-    fn get_component_name(&self) -> &'static str {
-        match self {
-            Self::File(config) => config.get_component_name(),
-            Self::Directory(config) => config.get_component_name(),
-            Self::Exec(config) => config.get_component_name(),
-            #[cfg(feature = "secrets-aws-secrets-manager")]
-            Self::AwsSecretsManager(config) => config.get_component_name(),
-            Self::Test(config) => config.get_component_name(),
-        }
+impl GenerateConfig for SecretBackends {
+    fn generate_config() -> toml::Value {
+        toml::Value::try_from(Self::File(file::FileBackend {
+            path: "path/to/file".into(),
+        }))
+        .unwrap()
     }
 }