def can_access_secret(self, secret: ExternalSecret):
    '''
    Evaluate every SecretPolicy in the secret's namespace against the secret's path.

    Returns False as soon as one policy's check_path_allowed() result is
    falsy; when every policy reports truthy (or there are no policies) the
    controller's allow-by-default setting is returned instead.

    NOTE(review): this variant only *returns* the decision, it never raises.
    The handler methods in this file (create_secret, delete_secret,
    update_secret) call it without inspecting the result, so a False from
    here does not stop the operation — confirm which variant the handler
    is wired to.

    :param secret: the ExternalSecret whose namespace and path are checked
    :return: False when a policy denies, else the allow-by-default flag
    '''
    policies = self.__clients.get('k8s').list_crd('secretpolicies', secret.get_namespace())
    every_policy_allows = all(
        SecretPolicy(
            spec.get('name'),
            spec.get('namespace'),
            spec.get('allow'),
            spec.get('reject'),
        ).check_path_allowed(secret.get_path())
        for spec in policies
    )
    if not every_policy_allows:
        return False
    return self.__allow_by_default
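def create_secret(self, secret: ExternalSecret) -> ExternalSecret:
    '''
    Process the creation of an externalsecrets resource.

    Resolves the backend client for the secret's backend, enforces the
    namespace SecretPolicy check, lets the secret validate itself
    (check_can_create) and then creates it in the backend.

    :param secret: the ExternalSecret to create
    :return: the same secret instance
    :raises ESKException: 403 when the controller's policy check reports
        that the path is not allowed (check_can_create may raise on its
        own validation — not visible here)
    '''
    backend_client = self.__controller.get_backend_client(secret.get_backend())
    # Fail closed: the controller's check either raises on denial (and
    # returns None) or hands back a boolean. A returned False used to be
    # silently discarded here, which let the creation proceed.
    if self.__controller.can_access_secret(secret) is False:
        raise ESKException(403, "Path not allowed.")
    secret.check_can_create()
    backend_client.create_secret(secret)
    return secret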
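def create_secret(self, secret: ExternalSecret) -> ExternalSecret:
    '''
    Process the creation of an externalsecrets resource.

    Resolves the backend client for the secret's backend, lets the secret
    validate itself (check_can_create), enforces the namespace SecretPolicy
    check and then creates the secret in the backend.

    NOTE(review): validation runs before the policy check in this variant;
    the other create_secret variant in this file checks the policy first —
    confirm the intended order.

    :param secret: the ExternalSecret to create
    :return: the same secret instance
    :raises ESKException: 403 when the controller's policy check reports
        that the path is not allowed (check_can_create may raise on its
        own validation — not visible here)
    '''
    backend_client = self.__controller.get_backend_client(
        secret.get_backend())
    secret.check_can_create()
    # Fail closed: the controller's check either raises on denial (and
    # returns None) or hands back a boolean. A returned False used to be
    # silently discarded here, which let the creation proceed.
    if self.__controller.can_access_secret(secret) is False:
        raise ESKException(403, "Path not allowed.")
    backend_client.create_secret(secret)
    return secret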
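def check_path_allowed(self, secret: ExternalSecret):
    '''
    Decide whether this policy lets *secret* use its path.

    Reject rules are evaluated first and win: a match raises. Allow rules
    are evaluated second: a match returns True. When neither rule set
    matches, the policy has no opinion and False is returned so the caller
    can fall back to its own default (e.g. allow-by-default).

    :param secret: the ExternalSecret whose path, backend and namespace are checked
    :return: True when an allow rule matches, False when no rule matches
    :raises KSCPException: 403 when a reject rule matches
    '''
    path = secret.get_path()
    # Rules are matched against this policy's backend; the error message
    # reports the secret's backend — the two may differ, so the message
    # names what the user asked for rather than what the rule matched.
    if SecretPolicy.__rule_matches(path, self.get_backend(), self.__reject):
        raise KSCPException(
            403,
            f"path '{path}' for backend '{secret.get_backend()}' is not allowed in namespace '{secret.get_namespace()}'"
        )
    if SecretPolicy.__rule_matches(path, self.get_backend(), self.__allow):
        # Lazy %-args: the path is only rendered when DEBUG is enabled.
        logger.debug("Allowing %s", path)
        return True
    # Explicit False instead of the previous implicit None; still falsy for
    # callers that test the result with `if`/`not`.
    return False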
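def delete_secret(self, secret: ExternalSecret):
    '''
    Process the deletion of an externalsecrets resource.

    Enforces the namespace SecretPolicy check, then asks the backend client
    for the secret's backend to delete it.

    :param secret: the ExternalSecret to delete
    :raises ESKException: 403 when the controller's policy check reports
        that the path is not allowed
    '''
    # Fail closed: the controller's check either raises on denial (and
    # returns None) or hands back a boolean. A returned False used to be
    # silently discarded here, which let the deletion proceed.
    if self.__controller.can_access_secret(secret) is False:
        raise ESKException(403, "Path not allowed.")
    backend_client = self.__controller.get_backend_client(secret.get_backend())
    backend_client.delete_secret(secret)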
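def update_secret(self, old_secret: ExternalSecret, new_secret: ExternalSecret):
    '''
    Process the update of an externalsecrets resource.

    Skips the update when the old resource has no path yet (creation is
    handled elsewhere). Otherwise both the old and the new secret must pass
    the namespace SecretPolicy check. For every key whose raw value did not
    change between old and new spec, the real value is fetched from the
    backend (once, lazily) and substituted into the new values before the
    backend update.

    NOTE(review): the backend client is resolved from *old_secret*'s
    backend; a backend change in the new spec is not honoured here —
    confirm that is intended.

    :param old_secret: the resource as it was before the update
    :param new_secret: the resource as it is after the update
    :return: True when the update is skipped, else the updated new_secret
    :raises ESKException: 403 when a policy check reports the path is not
        allowed; 500 when the backend returns no values for the old path
    '''
    backend_client = self.__controller.get_backend_client(old_secret.get_backend())
    # when creation happens, this handler will skip updating.
    if old_secret.get_path() is None:
        return True
    # Fail closed on both the old and the new resource: the controller's
    # check either raises on denial (and returns None) or hands back a
    # boolean, and a returned False must not be discarded.
    for checked in (old_secret, new_secret):
        if self.__controller.can_access_secret(checked) is False:
            raise ESKException(403, "Path not allowed.")
    # Always False here; passed through to the backend unchanged.
    trigger_value_change = False
    old_values = old_secret.get_raw_values()
    new_values = new_secret.get_raw_values()
    real_values = None
    for key, value in new_values.items():
        if old_values.get(key) != value:
            continue
        # Unchanged raw value: replace it with the backend's real value.
        # The backend is queried at most once per update.
        if real_values is None:
            real_values = backend_client.get_secret(old_secret)
            if real_values is None:
                raise ESKException(500, f"Values retrieved for path { old_secret.get_path() } are None")
        # KeyError if the backend has no entry for this key (unchanged from before).
        new_values[key] = real_values[key]
    new_secret.set_real_values(new_values)
    backend_client.update_secret(trigger_value_change, old_secret, new_secret)
    return new_secret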
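def can_access_secret(self, secret: ExternalSecret):
    '''
    Enforce the namespace's SecretPolicy resources against *secret*.

    Every policy in the secret's namespace is evaluated. A policy whose
    reject rule matches raises from SecretPolicy.check_path_allowed, so all
    policies are visited instead of stopping at the first allow — otherwise
    whether a reject is enforced would depend on the order in which the
    CRDs happen to be listed. Access is granted when any policy allows the
    path, or when no policy allows it and allow-by-default is set. Denial
    is signalled by raising; the method returns None.

    :param secret: the ExternalSecret whose namespace and path are checked
    :raises ESKException: 403 when no policy allows the path and
        allow-by-default is off (a matching reject rule raises from the
        policy itself)
    '''
    policies = self.__clients.get('k8s').list_crd('secretpolicies', secret.get_namespace())
    allowed = False
    for spec in policies:
        policy = SecretPolicy(
            spec.get('name'),
            spec.get('namespace'),
            spec.get('allow'),
            spec.get('reject'))
        # No early `break`: a later policy's reject rule must still run.
        if policy.check_path_allowed(secret):
            allowed = True
    if not self.__allow_by_default and not allowed:
        raise ESKException(403, "Path not allowed.")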