Implement sql parameter store and credential store

Signed-off-by: robinbraemer <[email protected]>

Author: robinbraemer

pkg/cnab/provider/helpers.go

@@ -4,14 +4,14 @@ import (
 	"context"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"get.porter.sh/porter/pkg/cnab"
 	"get.porter.sh/porter/pkg/config"
 	"get.porter.sh/porter/pkg/portercontext"
 	"get.porter.sh/porter/pkg/secrets"
 	"get.porter.sh/porter/pkg/storage"
 	"get.porter.sh/porter/pkg/test"
-	"github.com/hashicorp/go-multierror"
-	"github.com/stretchr/testify/require"
 )
 
 const debugDriver = "debug"
@@ -31,6 +31,11 @@ func NewTestRuntime(t *testing.T) *TestRuntime {
 	tc := config.NewTestConfig(t)
 	testStorage := storage.NewTestStore(tc)
 	testSecrets := secrets.NewTestSecretsProvider()
+	t.Cleanup(func() {
+		_ = testStorage.Close()
+		_ = testSecrets.Close()
+	})
+
 	testInstallations := storage.NewTestInstallationProviderFor(tc.TestContext.T, testStorage)
 	testCredentials := storage.NewTestCredentialProviderFor(tc.TestContext.T, testStorage, testSecrets)
 	testParameters := storage.NewTestParameterProviderFor(tc.TestContext.T, testStorage, testSecrets)
@@ -49,16 +54,6 @@ func NewTestRuntimeFor(tc *config.TestConfig, testInstallations *storage.TestIns
 	}
 }
 
-func (t *TestRuntime) Close() error {
-	var bigErr *multierror.Error
-
-	bigErr = multierror.Append(bigErr, t.TestInstallations.Close())
-	bigErr = multierror.Append(bigErr, t.TestCredentials.Close())
-	bigErr = multierror.Append(bigErr, t.TestParameters.Close())
-
-	return bigErr.ErrorOrNil()
-}
-
 func (t *TestRuntime) LoadBundle(bundleFile string) (cnab.ExtendedBundle, error) {
 	return t.Runtime.LoadBundle(bundleFile)
 }

pkg/porter/lifecycle.go

@@ -9,6 +9,8 @@ import (
 	"strings"
 	"unicode"
 
+	"github.com/opencontainers/go-digest"
+
 	"get.porter.sh/porter/pkg/cache"
 	"get.porter.sh/porter/pkg/cnab"
 	"get.porter.sh/porter/pkg/cnab/drivers"
@@ -18,8 +20,6 @@ import (
 	"get.porter.sh/porter/pkg/secrets"
 	"get.porter.sh/porter/pkg/storage"
 	"get.porter.sh/porter/pkg/tracing"
-	"github.com/opencontainers/go-digest"
-	"go.mongodb.org/mongo-driver/bson"
 )
 
 // BundleAction is an interface that defines a method for supplying
@@ -456,18 +456,7 @@ func (p *Porter) createRun(ctx context.Context, bundleRef cnab.BundleReference,
 	for _, csName := range currentRun.CredentialSets {
 		var cs storage.CredentialSet
 		// Try to get the creds in the local namespace first, fallback to the global creds
-		query := storage.FindOptions{
-			Sort: []string{"-namespace"},
-			Filter: bson.M{
-				"name": csName,
-				"$or": []bson.M{
-					{"namespace": ""},
-					{"namespace": currentRun.Namespace},
-				},
-			},
-		}
-		store := p.Credentials.GetDataStore()
-		err := store.FindOne(ctx, storage.CollectionCredentials, query, &cs)
+		cs, err := p.Credentials.FindCredentialSet(ctx, currentRun.Namespace, csName)
 		if err != nil {
 			return storage.Run{}, span.Errorf("could not find credential set named %s in the %s namespace or global namespace: %w", csName, inst.Namespace, err)
 		}

pkg/porter/parameters.go

@@ -11,6 +11,11 @@ import (
 	"strings"
 	"time"
 
+	dtprinter "github.com/carolynvs/datetime-printer"
+	"github.com/cnabio/cnab-go/bundle"
+	"github.com/cnabio/cnab-go/bundle/definition"
+	"github.com/olekukonko/tablewriter"
+
 	"get.porter.sh/porter/pkg/cnab"
 	"get.porter.sh/porter/pkg/editor"
 	"get.porter.sh/porter/pkg/encoding"
@@ -19,11 +24,6 @@ import (
 	"get.porter.sh/porter/pkg/secrets"
 	"get.porter.sh/porter/pkg/storage"
 	"get.porter.sh/porter/pkg/tracing"
-	dtprinter "github.com/carolynvs/datetime-printer"
-	"github.com/cnabio/cnab-go/bundle"
-	"github.com/cnabio/cnab-go/bundle/definition"
-	"github.com/olekukonko/tablewriter"
-	"go.mongodb.org/mongo-driver/bson"
 )
 
 // ParameterShowOptions represent options for Porter's parameter show command
@@ -361,21 +361,8 @@ func (p *Porter) loadParameterSets(ctx context.Context, bun cnab.ExtendedBundle,
 	resolvedParameters := secrets.Set{}
 
 	for _, name := range params {
-		// Try to get the params in the local namespace first, fallback to the global creds
-		query := storage.FindOptions{
-			Sort: []string{"-namespace"},
-			Filter: bson.M{
-				"name": name,
-				"$or": []bson.M{
-					{"namespace": ""},
-					{"namespace": namespace},
-				},
-			},
-		}
-		store := p.Parameters.GetDataStore()
-
-		var pset storage.ParameterSet
-		err := store.FindOne(ctx, storage.CollectionParameters, query, &pset)
+		// Try to get the params in the local namespace first, fallback to the global params
+		pset, err := p.Parameters.FindParameterSet(ctx, name, namespace)
 		if err != nil {
 			return nil, err
 		}

pkg/secrets/strategy.go

@@ -1,6 +1,7 @@
 package secrets
 
 import (
+	"database/sql/driver"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -128,3 +129,17 @@ func (l StrategyList) Swap(i, j int) {
 func (l StrategyList) Len() int {
 	return len(l)
 }
+
+// Scan implements the sql.Scanner interface for StrategyList.
+func (l *StrategyList) Scan(value interface{}) error {
+	bytes, ok := value.([]byte)
+	if !ok {
+		return fmt.Errorf("unsupported Scan, storing driver.Value type %T into type *secrets.StrategyList", value)
+	}
+	return json.Unmarshal(bytes, l)
+}
+
+// Value implements the driver.Valuer interface for StrategyList.
+func (l StrategyList) Value() (driver.Value, error) {
+	return json.Marshal(l)
+}

pkg/storage/credential_store.go

@@ -2,14 +2,12 @@ package storage
 
 import (
 	"context"
-	"fmt"
-	"strings"
+
+	"go.mongodb.org/mongo-driver/bson"
 
 	"get.porter.sh/porter/pkg/secrets"
 	hostSecrets "get.porter.sh/porter/pkg/secrets/plugins/host"
 	"get.porter.sh/porter/pkg/tracing"
-	"github.com/cnabio/cnab-go/secrets/host"
-	"github.com/hashicorp/go-multierror"
 )
 
 var _ CredentialSetProvider = &CredentialStore{}
@@ -52,58 +50,33 @@ func EnsureCredentialIndices(ctx context.Context, store Store) error {
 	return span.Error(err)
 }
 
-func (s CredentialStore) GetDataStore() Store {
-	return s.Documents
+func (s CredentialStore) FindCredentialSet(ctx context.Context, namespace string, name string) (CredentialSet, error) {
+	var out CredentialSet
+	// Try to get the creds in the local namespace first, fallback to the global creds
+	query := FindOptions{
+		Sort: []string{"-namespace"},
+		Filter: bson.M{
+			"name": name,
+			"$or": []bson.M{
+				{"namespace": ""},
+				{"namespace": namespace},
+			},
+		},
+	}
+	err := s.Documents.FindOne(ctx, CollectionCredentials, query, &out)
+	return out, err
 }
 
 /*
 	Secrets
 */
 
 func (s CredentialStore) ResolveAll(ctx context.Context, creds CredentialSet) (secrets.Set, error) {
-	resolvedCreds := make(secrets.Set)
-	var resolveErrors error
-
-	for _, cred := range creds.Credentials {
-		var value string
-		var err error
-		if isHandledByHostPlugin(cred.Source.Strategy) {
-			value, err = s.HostSecrets.Resolve(ctx, cred.Source.Strategy, cred.Source.Hint)
-		} else {
-			value, err = s.Secrets.Resolve(ctx, cred.Source.Strategy, cred.Source.Hint)
-		}
-		if err != nil {
-			resolveErrors = multierror.Append(resolveErrors, fmt.Errorf("unable to resolve credential %s.%s from %s %s: %w", creds.Name, cred.Name, cred.Source.Strategy, cred.Source.Hint, err))
-		}
-
-		resolvedCreds[cred.Name] = value
-	}
-
-	return resolvedCreds, resolveErrors
+	return resolveAll(ctx, creds.Credentials, s.HostSecrets, s.Secrets, creds.Name, "credential")
 }
 
 func (s CredentialStore) Validate(ctx context.Context, creds CredentialSet) error {
-	validSources := []string{secrets.SourceSecret, host.SourceValue, host.SourceEnv, host.SourcePath, host.SourceCommand}
-	var errors error
-
-	for _, cs := range creds.Credentials {
-		valid := false
-		for _, validSource := range validSources {
-			if cs.Source.Strategy == validSource {
-				valid = true
-				break
-			}
-		}
-		if !valid {
-			errors = multierror.Append(errors, fmt.Errorf(
-				"%s is not a valid source. Valid sources are: %s",
-				cs.Source.Strategy,
-				strings.Join(validSources, ", "),
-			))
-		}
-	}
-
-	return errors
+	return validate(creds.Credentials)
 }
 
 /*

pkg/storage/credential_store_sql.go

@@ -0,0 +1,135 @@
+package storage
+
+import (
+	"context"
+	"errors"
+
+	"gorm.io/gorm"
+
+	"get.porter.sh/porter/pkg/secrets"
+	hostSecrets "get.porter.sh/porter/pkg/secrets/plugins/host"
+	"get.porter.sh/porter/pkg/tracing"
+)
+
+var _ CredentialSetProvider = (*CredentialStoreSQL)(nil)
+
+// CredentialStoreSQL is a wrapper around Porter's datastore
+// providing typed access and additional business logic around
+// credential sets, usually referred to as "credentials" as a shorthand.
+type CredentialStoreSQL struct {
+	db          *gorm.DB
+	Secrets     secrets.Store
+	HostSecrets hostSecrets.Store
+}
+
+func NewCredentialStoreSQL(db *gorm.DB, secrets secrets.Store) *CredentialStoreSQL {
+	return &CredentialStoreSQL{
+		db:          db,
+		Secrets:     secrets,
+		HostSecrets: hostSecrets.NewStore(),
+	}
+}
+
+/*
+	Secrets
+*/
+
+func (s CredentialStoreSQL) ResolveAll(ctx context.Context, creds CredentialSet) (secrets.Set, error) {
+	return resolveAll(ctx, creds.Credentials, s.HostSecrets, s.Secrets, creds.Name, "credential")
+}
+
+func (s CredentialStoreSQL) Validate(ctx context.Context, creds CredentialSet) error {
+	return validate(creds.Credentials)
+}
+
+/*
+  Document Storage
+*/
+
+func (s CredentialStoreSQL) InsertCredentialSet(ctx context.Context, creds CredentialSet) error {
+	creds.SchemaVersion = DefaultCredentialSetSchemaVersion
+	return s.db.WithContext(ctx).Create(&creds).Error
+}
+
+func (s CredentialStoreSQL) ListCredentialSets(ctx context.Context, listOptions ListOptions) ([]CredentialSet, error) {
+	_, log := tracing.StartSpan(ctx)
+	defer log.EndSpan()
+
+	var out []CredentialSet
+
+	// If no filters are provided, return an empty list
+	if listOptions.Namespace == "" && listOptions.Name == "" && len(listOptions.Labels) == 0 {
+		return out, nil
+	}
+
+	query := s.db.WithContext(ctx).Order("namespace ASC, name ASC")
+
+	if listOptions.Namespace != "" && listOptions.Namespace != "*" {
+		query = query.Where("namespace = ?", listOptions.Namespace)
+	}
+
+	if listOptions.Name != "" {
+		query = query.Where("name LIKE ?", "%"+listOptions.Name+"%")
+	}
+
+	// Filter by Labels
+	if len(listOptions.Labels) > 0 {
+		for key, value := range listOptions.Labels {
+			query = query.Where("labels->? = ?", key, value)
+		}
+	}
+
+	if listOptions.Skip > 0 {
+		query = query.Offset(int(listOptions.Skip))
+	}
+
+	if listOptions.Limit > 0 {
+		query = query.Limit(int(listOptions.Limit))
+	}
+
+	err := query.Find(&out).Error
+	if err != nil {
+		return nil, log.Error(err)
+	}
+	return out, err
+}
+
+func (s CredentialStoreSQL) GetCredentialSet(ctx context.Context, namespace string, name string) (CredentialSet, error) {
+	var out CredentialSet
+	err := s.db.WithContext(ctx).
+		Where("namespace = ? AND name = ?", namespace, name).
+		First(&out).Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return CredentialSet{}, ErrNotFound{Collection: "credentials"}
+	}
+	return out, err
+}
+func (s CredentialStoreSQL) FindCredentialSet(ctx context.Context, namespace string, name string) (CredentialSet, error) {
+	var out CredentialSet
+
+	query := s.db.WithContext(ctx).
+		Where("name = ?", name).
+		Where("(namespace = ? OR namespace = '' OR namespace IS NULL)", namespace).
+		Order("namespace DESC") // DESC ensures that the namespace is prioritized over the empty or null
+
+	err := query.First(&out).Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return CredentialSet{}, ErrNotFound{Collection: "credentials"}
+	}
+	return out, err
+}
+
+func (s CredentialStoreSQL) UpdateCredentialSet(ctx context.Context, creds CredentialSet) error {
+	creds.SchemaVersion = DefaultCredentialSetSchemaVersion
+	return s.db.WithContext(ctx).
+		Where("namespace = ? AND name = ?", creds.Namespace, creds.Name).
+		Save(&creds).Error
+}
+
+func (s CredentialStoreSQL) UpsertCredentialSet(ctx context.Context, creds CredentialSet) error {
+	creds.SchemaVersion = DefaultCredentialSetSchemaVersion
+	return s.db.WithContext(ctx).Save(&creds).Error
+}
+func (s CredentialStoreSQL) RemoveCredentialSet(ctx context.Context, namespace string, name string) error {
+	return s.db.WithContext(ctx).Where("namespace = ? AND name = ?", namespace, name).Delete(&CredentialSet{}).Error
+}