Secret API v2 (#56)

* feat(secretv2): add secret v2 implementation

* feat(secrets): add venom test

* chore: add test on preprod

* feat(secrets): add test config secrets v2

* feat(secret): factorize code for secrets version

* feat(secret): add test list

* fix(secret): add info in venom test

* fix(secret): add Metadata Version

* fix(test): read restriction on token

* fix(secret): allow update without new data

* fix: secret version parameter

* chore: add use examples for secrets commands (#111)

* feat: update OKMS 2.5 (#130)

* feat(sdk): sdk v0.5.1

* fix: tests

---------

Co-authored-by: Gabriel Bahezre <[email protected]>
Co-authored-by: inessebz <[email protected]>
Co-authored-by: gbahezre <[email protected]>

Author: 3 people

.github/workflows/test.yaml

@@ -59,3 +59,57 @@ jobs:
             ./tests/out/coverage.txt
             ./tests/out/coverage.html
           retention-days: 5
+
+  test-preprod:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-build-env
+      - name: Build CLI
+        run: go build -cover ./cmd/okms
+      - name: Setup Venom
+        run: |
+          wget https://github.com/ovh/venom/releases/download/v1.2.0/venom.linux-amd64
+          mv venom.linux-amd64 venom
+          chmod +x venom
+      - name: Setup okms config file
+        run: |
+          echo "${{secrets.KMS_PREPROD_CERTIFICATE}}" > tls.crt
+          echo "${{secrets.KMS_PREPROD_PRIVATEKEY}}" > tls.key
+          cat > okms.yaml <<-EOF
+          version: 1
+          profile: default
+          profiles:
+            default: # default profile
+              http:
+                endpoint: ${{secrets.KMS_PREPROD_ENDPOINT}}
+                auth:
+                  type: mtls
+                  cert: $(pwd)/tls.crt
+                  key: $(pwd)/tls.key
+              kmip:
+                endpoint: ${{secrets.KMS_PREPROD_KMIP_ENDPOINT}}
+                auth:
+                  type: mtls
+                  cert: $(pwd)/tls.crt
+                  key: $(pwd)/tls.key
+          EOF
+      - name: Test connectivity to KMS dmain
+        run: ./okms keys ls -d -c okms.yaml
+      - name: Execute tests
+        run: make -C tests
+      - uses: actions/upload-artifact@v4
+        with:
+          name: test_results_preprod
+          path: |
+            ./tests/out/test_results.html
+            ./tests/out/venom.log
+          retention-days: 5
+        if: always()
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage-preprod
+          path: |
+            ./tests/out/coverage.txt
+            ./tests/out/coverage.html
+          retention-days: 5

cmd/okms/common/client.go

@@ -3,16 +3,24 @@ package common
 import (
 	"os"
 
+	"github.com/google/uuid"
 	"github.com/ovh/okms-cli/common/config"
 	"github.com/ovh/okms-cli/common/utils/exit"
 	"github.com/ovh/okms-sdk-go"
 	"github.com/spf13/cobra"
 )
 
-var ccmRestClient *okms.Client
+var (
+	okmsId     uuid.UUID
+	restClient *okms.Client
+)
 
 func Client() *okms.Client {
-	return ccmRestClient
+	return restClient
+}
+
+func GetOkmsId() uuid.UUID {
+	return okmsId
 }
 
 type CustomizeFunc func(c *cobra.Command) func(*okms.Client)
@@ -28,6 +36,7 @@ func SetupRestApiFlags(command *cobra.Command, cust CustomizeFunc) {
 	}
 
 	config.SetupEndpointFlags(command, "http", func(command *cobra.Command, cfg config.EndpointConfig) {
+		okmsId = cfg.Auth.GetOkmsId()
 		clientCfg := okms.ClientConfig{
 			Timeout: timeout,
 			TlsCfg:  cfg.TlsConfig(""),
@@ -38,7 +47,12 @@ func SetupRestApiFlags(command *cobra.Command, cust CustomizeFunc) {
 		if *debug {
 			clientCfg.Middleware = okms.DebugTransport(os.Stderr)
 		}
-		ccmRestClient = exit.OnErr2(okms.NewRestAPIClient(cfg.Endpoint, clientCfg))
-		f(ccmRestClient)
+		restClient = exit.OnErr2(okms.NewRestAPIClient(cfg.Endpoint, clientCfg))
+
+		if cfg.Auth.GetToken() != nil {
+			restClient.SetCustomHeader("Authorization", "Bearer "+*cfg.Auth.GetToken())
+		}
+
+		f(restClient)
 	})
 }

cmd/okms/configure/root.go

@@ -45,10 +45,19 @@ func Run(profile string) {
 	choice := exit.OnErr2(pterm.DefaultInteractiveSelect.WithOptions([]string{"HTTP", "KMIP"}).Show("Select a protocol to configure"))
 	switch choice {
 	case "HTTP":
-		config.ReadUserInput("CA file", "http.ca", profile, config.ValidateFileExists.AllowEmpty())
-		config.ReadUserInput("Certificate file", "http.auth.cert", profile, config.ValidateFileExists)
-		config.ReadUserInput("Private key file", "http.auth.key", profile, config.ValidateFileExists)
 		config.ReadUserInput("Endpoint", "http.endpoint", profile, config.ValidateURL)
+		config.ReadUserInput("CA file", "http.ca", profile, config.ValidateFileExists.AllowEmpty())
+		authChoice := exit.OnErr2(pterm.DefaultInteractiveSelect.WithOptions([]string{"mtls", "token"}).Show("Select authentication to configure"))
+		switch authChoice {
+		case "mtls":
+			config.SetConfigKey(profile, "http.auth.type", "mtls")
+			config.ReadUserInput("Certificate file", "http.auth.cert", profile, config.ValidateFileExists)
+			config.ReadUserInput("Private key file", "http.auth.key", profile, config.ValidateFileExists)
+		case "token":
+			config.SetConfigKey(profile, "http.auth.type", "token")
+			config.ReadUserInput("Token", "http.auth.token", profile, config.ValidateNotEmpty)
+			config.ReadUserInput("okmsId", "http.auth.okmsId", profile, config.ValidateUUID)
+		}
 	case "KMIP":
 		config.ReadUserInput("CA file", "kmip.ca", profile, config.ValidateFileExists.AllowEmpty())
 		config.ReadUserInput("Certificate file", "kmip.auth.cert", profile, config.ValidateFileExists)

cmd/okms/keys/datakeys.go

@@ -39,7 +39,7 @@ func newGenerateDataKeyFromServiceKeyCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			plaintext, encrypted := exit.OnErr3(common.Client().GenerateDataKey(cmd.Context(), keyId, name, keySize))
+			plaintext, encrypted := exit.OnErr3(common.Client().GenerateDataKey(cmd.Context(), common.GetOkmsId(), keyId, name, keySize))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(map[string]any{
 					"plain":     plaintext,
@@ -66,7 +66,7 @@ DATA-KEY can be either plain text, a '-' to read from stdin, or a filename prefi
 		Args: cobra.ExactArgs(2),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			plaintext := exit.OnErr2(common.Client().DecryptDataKey(cmd.Context(), keyId, flagsmgmt.StringFromArg(args[1], 8192)))
+			plaintext := exit.OnErr2(common.Client().DecryptDataKey(cmd.Context(), common.GetOkmsId(), keyId, flagsmgmt.StringFromArg(args[1], 8192)))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(plaintext)
 			} else {

cmd/okms/keys/decrypt.go

@@ -49,7 +49,7 @@ OUTPUT can be either a filepath, or a "-" for stdout. If not set, output is stdo
 			}
 
 			text := flagsmgmt.BytesFromArg(args[1], 8192)
-			resp := exit.OnErr2(common.Client().Decrypt(cmd.Context(), keyId, context, string(text)))
+			resp := exit.OnErr2(common.Client().Decrypt(cmd.Context(), common.GetOkmsId(), keyId, context, string(text)))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -84,7 +84,7 @@ func wrapDecrypt(ctx context.Context, input, output string, keyId uuid.UUID, key
 	out := flagsmgmt.WriterFromArg(output)
 	defer out.Close()
 
-	in, err := common.Client().DataKeys(keyId).DecryptStream(ctx, in, keyCtx)
+	in, err := common.Client().DataKeys(common.GetOkmsId(), keyId).DecryptStream(ctx, in, keyCtx)
 	if err != nil {
 		return err
 	}

cmd/okms/keys/encrypt.go

@@ -50,7 +50,7 @@ OUTPUT can be either a filepath, or a "-" for stdout. If not set, output is stdo
 				return
 			}
 			data := flagsmgmt.BytesFromArg(args[1], 8192)
-			resp := exit.OnErr2(common.Client().Encrypt(cmd.Context(), keyId, context, data))
+			resp := exit.OnErr2(common.Client().Encrypt(cmd.Context(), common.GetOkmsId(), keyId, context, data))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -83,7 +83,7 @@ func wrapEncrypt(ctx context.Context, input, output string, keyId uuid.UUID, key
 		defer out.Close()
 	}
 
-	out, err := common.Client().DataKeys(keyId).EncryptStream(ctx, out, keyCtx, okms.BlockSize4MB)
+	out, err := common.Client().DataKeys(common.GetOkmsId(), keyId).EncryptStream(ctx, out, keyCtx, okms.BlockSize4MB)
 	if err != nil {
 		return err
 	}

cmd/okms/keys/keys.go

@@ -28,8 +28,8 @@ import (
 
 func newListServiceKeysCmd() *cobra.Command {
 	var (
-		keysPageSize uint32
-		listAll      bool
+		pageSize uint32
+		listAll  bool
 	)
 
 	cmd := &cobra.Command{
@@ -47,7 +47,7 @@ func newListServiceKeysCmd() *cobra.Command {
 			if listAll {
 				stateFilter = types.KeyStatesAll
 			}
-			for key, err := range common.Client().ListAllServiceKeys(&keysPageSize, &stateFilter).Iter(cmd.Context()) {
+			for key, err := range common.Client().ListAllServiceKeys(common.GetOkmsId(), &pageSize, &stateFilter).Iter(cmd.Context()) {
 				exit.OnErr(err)
 				keys.ObjectsList = append(keys.ObjectsList, *key)
 			}
@@ -75,7 +75,7 @@ func newListServiceKeysCmd() *cobra.Command {
 		},
 	}
 
-	cmd.Flags().Uint32Var(&keysPageSize, "page-size", 100, "Number of keys to fetch per page (between 10 and 500)")
+	cmd.Flags().Uint32Var(&pageSize, "page-size", 100, "Number of keys to fetch per page (between 10 and 500)")
 	cmd.Flags().BoolVarP(&listAll, "all", "A", false, "List all keys (including deactivated and deleted ones)")
 	return cmd
 }
@@ -115,7 +115,7 @@ func newAddServiceKeyCmd() *cobra.Command {
 				body.Size = &keySizeEnum
 			}
 
-			resp := exit.OnErr2(common.Client().CreateImportServiceKey(cmd.Context(), nil, body))
+			resp := exit.OnErr2(common.Client().CreateImportServiceKey(cmd.Context(), common.GetOkmsId(), nil, body))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -141,7 +141,7 @@ func newGetServiceKeyCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), keyId, nil))
+			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), common.GetOkmsId(), keyId, nil))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -159,7 +159,7 @@ func newExportPublicKeyCmd() *cobra.Command {
 		Args:  cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			keyId := exit.OnErr2(uuid.Parse(args[0]))
-			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), keyId, utils.PtrTo(types.Jwk)))
+			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), common.GetOkmsId(), keyId, utils.PtrTo(types.Jwk)))
 			if resp.Keys == nil || len(*resp.Keys) == 0 {
 				exit.OnErr(errors.New("Server returned no key"))
 			}
@@ -228,10 +228,10 @@ func newImportServiceKeyCmd() *cobra.Command {
 			key := flagsmgmt.BytesFromArg(args[1], 8192)
 			var resp *types.GetServiceKeyResponse
 			if !symmetric {
-				resp = exit.OnErr2(common.Client().ImportKeyPairPEM(cmd.Context(), key, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
+				resp = exit.OnErr2(common.Client().ImportKeyPairPEM(cmd.Context(), common.GetOkmsId(), key, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
 			} else {
 				k := exit.OnErr2(base64.StdEncoding.DecodeString(string(key)))
-				resp = exit.OnErr2(common.Client().ImportKey(cmd.Context(), k, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
+				resp = exit.OnErr2(common.Client().ImportKey(cmd.Context(), common.GetOkmsId(), k, args[0], keyContext, keyUsage.ToCryptographicUsage()...))
 			}
 
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
@@ -310,12 +310,12 @@ func newDeleteKeyCmd() *cobra.Command {
 					continue
 				}
 				if force {
-					if err := common.Client().DeactivateServiceKey(cmd.Context(), keyId, types.Unspecified); err != nil {
+					if err := common.Client().DeactivateServiceKey(cmd.Context(), common.GetOkmsId(), keyId, types.Unspecified); err != nil {
 						errs = append(errs, fmt.Errorf("Failed to deactivate key %q: %w", id, err))
 						continue
 					}
 				}
-				if err := common.Client().DeleteServiceKey(cmd.Context(), keyId); err != nil {
+				if err := common.Client().DeleteServiceKey(cmd.Context(), common.GetOkmsId(), keyId); err != nil {
 					errs = append(errs, fmt.Errorf("Failed to delete key %q: %w", id, err))
 				}
 			}
@@ -342,7 +342,7 @@ func newDeactivateKeyCmd() *cobra.Command {
 					errs = append(errs, fmt.Errorf("Invalid Key ID %q: %w", id, err))
 					continue
 				}
-				if err := common.Client().DeactivateServiceKey(cmd.Context(), keyId, revocationReason.RestModel()); err != nil {
+				if err := common.Client().DeactivateServiceKey(cmd.Context(), common.GetOkmsId(), keyId, revocationReason.RestModel()); err != nil {
 					errs = append(errs, fmt.Errorf("Failed to deactivate key %q: %w", id, err))
 				}
 			}
@@ -366,7 +366,7 @@ func newActivateKeyCmd() *cobra.Command {
 					errs = append(errs, fmt.Errorf("Invalid Key ID %q: %w", id, err))
 					continue
 				}
-				if err := common.Client().ActivateServiceKey(cmd.Context(), keyId); err != nil {
+				if err := common.Client().ActivateServiceKey(cmd.Context(), common.GetOkmsId(), keyId); err != nil {
 					errs = append(errs, fmt.Errorf("Failed to activate key %q: %w", id, err))
 				}
 			}
@@ -388,7 +388,7 @@ func newUpdateKeyCmd() *cobra.Command {
 			if name != "" {
 				body.Name = name
 			}
-			resp := exit.OnErr2(common.Client().UpdateServiceKey(cmd.Context(), keyId, body))
+			resp := exit.OnErr2(common.Client().UpdateServiceKey(cmd.Context(), common.GetOkmsId(), keyId, body))
 			printServiceKey(resp)
 		},
 	}

cmd/okms/keys/sign.go

@@ -41,7 +41,7 @@ In both cases, DATA can be either plain text, a '-' to read from stdin, or a fil
 	signCmd.Run = func(cmd *cobra.Command, args []string) {
 		data := readDigest(params.signatureAlgorithm, args[1], "Signing", noProgress)
 		keyId := exit.OnErr2(uuid.Parse(args[0]))
-		signature := exit.OnErr2(common.Client().Sign(cmd.Context(), keyId, nil, params.signatureAlgorithm.Alg(), true, data))
+		signature := exit.OnErr2(common.Client().Sign(cmd.Context(), common.GetOkmsId(), keyId, nil, params.signatureAlgorithm.Alg(), true, data))
 		if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 			output.JsonPrint(signature)
 		} else {
@@ -81,7 +81,7 @@ SIGNATURE can also be passed from a file or stdin using '-' or '@'. Stdin can ho
 		signature := flagsmgmt.StringFromArg(args[2], 8192)
 		keyId := exit.OnErr2(uuid.Parse(args[0]))
 		if !local {
-			valid := exit.OnErr2(common.Client().Verify(cmd.Context(), keyId, params.signatureAlgorithm.Alg(), true, data, signature))
+			valid := exit.OnErr2(common.Client().Verify(cmd.Context(), common.GetOkmsId(), keyId, params.signatureAlgorithm.Alg(), true, data, signature))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(valid)
 			} else if valid {
@@ -91,7 +91,7 @@ SIGNATURE can also be passed from a file or stdin using '-' or '@'. Stdin can ho
 				exit.OnErr(errors.New("Signature invalid"))
 			}
 		} else {
-			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), keyId, utils.PtrTo(types.Jwk)))
+			resp := exit.OnErr2(common.Client().GetServiceKey(cmd.Context(), common.GetOkmsId(), keyId, utils.PtrTo(types.Jwk)))
 			if len(*resp.Keys) == 0 {
 				exit.OnErr(errors.New("The server returned no key"))
 			}

cmd/okms/main.go

@@ -8,6 +8,8 @@ import (
 	"github.com/ovh/okms-cli/cmd/okms/configure"
 	"github.com/ovh/okms-cli/cmd/okms/keys"
 	"github.com/ovh/okms-cli/cmd/okms/kmip"
+	"github.com/ovh/okms-cli/cmd/okms/secrets"
+	secretsv2 "github.com/ovh/okms-cli/cmd/okms/secretsV2"
 
 	"github.com/ovh/okms-cli/cmd/okms/x509"
 	"github.com/ovh/okms-cli/common/commands"
@@ -36,7 +38,8 @@ func createRootCommand() *cobra.Command {
 	command.AddCommand(
 		// rnd.CreateCommand(nil),
 		keys.CreateCommand(nil),
-		// secrets.CreateCommand(nil),
+		secrets.CreateCommand(nil),
+		secretsv2.CreateCommand(nil),
 		x509.CreateX509Command(nil),
 		kmip.NewCommand(nil),
 		configure.CreateCommand(),

cmd/okms/secrets/config.go

@@ -33,7 +33,7 @@ func kvReadConfigCommand() *cobra.Command {
 		Short: "Reads secret engine configuration",
 		Args:  cobra.NoArgs,
 		Run: func(cmd *cobra.Command, args []string) {
-			resp := exit.OnErr2(common.Client().GetSecretConfig(cmd.Context()))
+			resp := exit.OnErr2(common.Client().GetSecretConfig(cmd.Context(), common.GetOkmsId()))
 			if cmd.Flag("output").Value.String() == string(flagsmgmt.JSON_OUTPUT_FORMAT) {
 				output.JsonPrint(resp)
 			} else {
@@ -82,7 +82,7 @@ func kvWriteConfigCommand() *cobra.Command {
 				MaxVersions:        m,
 			}
 
-			exit.OnErr(common.Client().PostSecretConfig(cmd.Context(), body))
+			exit.OnErr(common.Client().PostSecretConfig(cmd.Context(), common.GetOkmsId(), body))
 		},
 	}