def _get_github_token():
"""Return the github token from secret manager."""
_, project = google.auth.default()
client = secretmanager_v1.SecretManagerServiceClient()
name = client.secret_version_path(project, 'github-token', 'latest')
response = client.access_secret_version(name)
return response.payload.data.decode('utf8')
def test_get_iam_policy(self):
# Setup Expected Response
version = 351608024
etag = b"21"
expected_response = {"version": version, "etag": etag}
expected_response = policy_pb2.Policy(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
resource = "resource-341064690"
response = client.get_iam_policy(resource)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = iam_policy_pb2.GetIamPolicyRequest(
resource=resource)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def cert():
client = secretmanager_v1.SecretManagerServiceClient()
with tempfile.NamedTemporaryFile("w",
prefix="certificate",
suffix=".crt",
delete=False) as cert_file:
response = client.access_secret_version(request={
"name":
"projects/911343863113/secrets/cert-cert-crt/versions/1"
})
payload = response.payload.data.decode("UTF-8")
cert_file.write(payload)
with tempfile.NamedTemporaryFile("w",
prefix="private",
suffix=".key",
delete=False) as private_key_file:
response = client.access_secret_version(request={
"name":
"projects/911343863113/secrets/cert-private-key/versions/3"
})
payload = response.payload.data.decode("UTF-8")
private_key_file.write(payload)
cert_file = Path(cert_file.name)
private_key_file = Path(private_key_file.name)
yield (
str(cert_file.absolute()),
str(private_key_file.absolute()),
)
cert_file.unlink()
private_key_file.unlink()
def test_add_secret_version(self):
# Setup Expected Response
name = "name3373707"
expected_response = {"name": name}
expected_response = resources_pb2.SecretVersion(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
parent = client.secret_path("[PROJECT]", "[SECRET]")
payload = {}
response = client.add_secret_version(parent, payload)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.AddSecretVersionRequest(parent=parent,
payload=payload)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def get_client(cls, expected_response):
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
return secretmanager_v1.SecretManagerServiceClient()
def test_create_secret(self):
# Setup Expected Response
name = "name3373707"
expected_response = {"name": name}
expected_response = resources_pb2.Secret(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
parent = client.project_path("[PROJECT]")
secret_id = "secretId-739547894"
secret = {}
response = client.create_secret(parent, secret_id, secret)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.CreateSecretRequest(parent=parent,
secret_id=secret_id,
secret=secret)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_test_iam_permissions(self):
# Setup Expected Response
expected_response = {}
expected_response = iam_policy_pb2.TestIamPermissionsResponse(
**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
resource = "resource-341064690"
permissions = []
response = client.test_iam_permissions(resource, permissions)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = iam_policy_pb2.TestIamPermissionsRequest(
resource=resource, permissions=permissions)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_list_secrets(self):
# Setup Expected Response
next_page_token = ""
total_size = 705419236
secrets_element = {}
secrets = [secrets_element]
expected_response = {
"next_page_token": next_page_token,
"total_size": total_size,
"secrets": secrets,
}
expected_response = service_pb2.ListSecretsResponse(
**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
parent = client.project_path("[PROJECT]")
paged_list_response = client.list_secrets(parent)
resources = list(paged_list_response)
assert len(resources) == 1
assert expected_response.secrets[0] == resources[0]
assert len(channel.requests) == 1
expected_request = service_pb2.ListSecretsRequest(parent=parent)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_update_secret(self):
# Setup Expected Response
name = "name3373707"
expected_response = {"name": name}
expected_response = resources_pb2.Secret(**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
secret = {}
update_mask = {}
response = client.update_secret(secret, update_mask)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.UpdateSecretRequest(
secret=secret, update_mask=update_mask)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def test_access_secret_version(self):
# Setup Expected Response
name_2 = "name2-1052831874"
expected_response = {"name": name_2}
expected_response = service_pb2.AccessSecretVersionResponse(
**expected_response)
# Mock the API response
channel = ChannelStub(responses=[expected_response])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup Request
name = client.secret_version_path("[PROJECT]", "[SECRET]",
"[SECRET_VERSION]")
response = client.access_secret_version(name)
assert expected_response == response
assert len(channel.requests) == 1
expected_request = service_pb2.AccessSecretVersionRequest(name=name)
actual_request = channel.requests[0][1]
assert expected_request == actual_request
def _client(self):
if self.client:
return self.client
from google.cloud import secretmanager_v1
self.client = secretmanager_v1.SecretManagerServiceClient()
return self.client
def get_secret():
secret_manager_client = secretmanager_v1.SecretManagerServiceClient()
secret_name = secret_manager_client.secret_version_path(
os.environ['PROJECT_ID'], os.environ['SECRET_NAME'], 'latest')
response = secret_manager_client.access_secret_version(secret_name)
payload = response.payload.data.decode('UTF-8')
return payload
def access_secret_version(project_id, secret_id, version_id):
"""
Accesses the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
client = secretmanager.SecretManagerServiceClient()
name = client.secret_version_path(project_id, secret_id, version_id)
response = client.access_secret_version(name)
payload = response.payload.data.decode('UTF-8')
return payload
def get_secret(self, secret_id, version="latest"):
"""
Access the payload for the given secret version if one exists. The version
can be a version number as a string (e.g. "5") or an alias (e.g. "latest").
"""
if self.secretmanager_client is None:
self.secretmanager_client = secretmanager.SecretManagerServiceClient()
secret_path = f"projects/{self.project_id}/secrets/{secret_id}/versions/{version}"
response = self.secretmanager_client.access_secret_version(name=secret_path)
return response.payload.data.decode("UTF-8")
def add_secret(self, secret_id, data):
"""
Add a new secret version to the given secret with the provided data.
"""
if self.secretmanager_client is None:
self.secretmanager_client = secretmanager.SecretManagerServiceClient()
parent = f"projects/{self.project_id}/secrets/{secret_id}"
payload = secretmanager.types.SecretPayload(data=data.encode("UTF-8"))
response = self.secretmanager_client.add_secret_version(parent=parent, payload=payload)
print("Added secret version: {}".format(response.name))
def __init__(self, project_id=None):
scraped_id = environ.get('GCP_PROJECT', project_id)
self.project_id = scraped_id
if running_in_gcf():
self.client = sm.SecretManagerServiceClient()
else:
import logging
logging.warning(
'SecretManager -> Running local; using ./account.json')
self.client = sm.SecretManagerServiceClient.from_service_account_json(
'account.json')
def sample_delete_secret():
# Create a client
client = secretmanager_v1.SecretManagerServiceClient()
# Initialize request argument(s)
request = secretmanager_v1.DeleteSecretRequest(
name="name_value",
)
# Make the request
client.delete_secret(request=request)
def get_secret(self, project_id, secret_id):
client = secretmanager_v1.SecretManagerServiceClient()
secret_name = client.secret_version_path(project_id, secret_id,
'latest')
response = client.access_secret_version(secret_name)
payload = response.payload.data.decode('UTF-8')
return payload
def sample_access_secret_version():
# Create a client
client = secretmanager_v1.SecretManagerServiceClient()
# Initialize request argument(s)
request = secretmanager_v1.AccessSecretVersionRequest(name="name_value", )
# Make the request
response = client.access_secret_version(request=request)
# Handle the response
print(response)
def sample_get_secret():
# Create a client
client = secretmanager_v1.SecretManagerServiceClient()
# Initialize request argument(s)
request = secretmanager_v1.GetSecretRequest(name="name_value", )
# Make the request
response = client.get_secret(request=request)
# Handle the response
print(response)
def get_secret():
client = secretmanager_v1.SecretManagerServiceClient()
secret_name = client.secret_version_path(
os.environ['GOOGLE_CLOUD_PROJECT'],
'{}-api-key'.format(os.environ['GOOGLE_CLOUD_PROJECT']), 'latest')
response = client.access_secret_version(request={"name": secret_name})
payload = response.payload.data.decode('utf-8').replace('\n', '')
return payload
def init_vars():
client = secretmanager_v1.SecretManagerServiceClient()
secrets = ["APCA_API_KEY_ID", "APCA_API_SECRET_KEY", "NEWS_API_KEY"]
result = {"APCA_API_BASE_URL": "https://paper-api.alpaca.markets"}
for s in secrets:
name = f"projects/{PRJID}/secrets/{s}/versions/latest"
response = client.access_secret_version(request={'name': name})
print(response)
os.environ[s] = response.payload.data.decode('UTF-8')
result[s] = response.payload.data.decode('UTF-8')
print(result)
return result
def sample_set_iam_policy():
# Create a client
client = secretmanager_v1.SecretManagerServiceClient()
# Initialize request argument(s)
request = iam_policy_pb2.SetIamPolicyRequest(resource="resource_value", )
# Make the request
response = client.set_iam_policy(request=request)
# Handle the response
print(response)
def get_secret(project_id, secret_id):
"""
Returns a Secret Manager secret.
"""
client = secretmanager_v1.SecretManagerServiceClient()
secret_name = client.secret_version_path(project_id, secret_id, "latest")
response = client.access_secret_version(request={"name": secret_name})
payload = response.payload.data.decode("UTF-8")
return payload
def test_list_secret_versions_exception(self):
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup request
parent = client.secret_path("[PROJECT]", "[SECRET]")
paged_list_response = client.list_secret_versions(parent)
with pytest.raises(CustomException):
list(paged_list_response)
def test_delete_secret_exception(self):
# Mock the API response
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup request
name = client.secret_path("[PROJECT]", "[SECRET]")
with pytest.raises(CustomException):
client.delete_secret(name)
def test_get_iam_policy_exception(self):
# Mock the API response
channel = ChannelStub(responses=[CustomException()])
patch = mock.patch("google.api_core.grpc_helpers.create_channel")
with patch as create_channel:
create_channel.return_value = channel
client = secretmanager_v1.SecretManagerServiceClient()
# Setup request
resource = "resource-341064690"
with pytest.raises(CustomException):
client.get_iam_policy(resource)
def sample_update_secret():
# Create a client
client = secretmanager_v1.SecretManagerServiceClient()
# Initialize request argument(s)
request = secretmanager_v1.UpdateSecretRequest(
)
# Make the request
response = client.update_secret(request=request)
# Handle the response
print(response)
def sample_list_secrets():
# Create a client
client = secretmanager_v1.SecretManagerServiceClient()
# Initialize request argument(s)
request = secretmanager_v1.ListSecretsRequest(parent="parent_value", )
# Make the request
page_result = client.list_secrets(request=request)
# Handle the response
for response in page_result:
print(response)
def refresh_token(event, context):
"""
helper function to refresh defender token and store in secrets manager
runs on a cron job (Cloud Scheduler) which triggers via pub/sub
"""
# build client and vars
secret_client = secretmanager_v1.SecretManagerServiceClient()
project_id = os.environ['GCP_PROJECT']
secret_parent = f'projects/{project_id}'
secret_name = secret_parent + f'/secrets/{secret_id}'
secret_version = secret_name + '/versions/latest'
# fetch secret with current token
secret_data = secret_client.access_secret_version(
request={'name': secret_version})
#print("DEBUG: ", secret_data)
# decode and format
payload = secret_data.payload.data.decode('UTF-8')
current_token = 'Bearer ' + str(payload)
headers = {'authorization': current_token}
# request to refresh the token
refresh_token = requests.get(console_address,
headers=headers,
verify=False)
print("DEBUG: ", refresh_token)
# load new token as json and encode
response_data = json.loads(refresh_token.content)
new_token = response_data['token'].encode('utf-8')
# create new secret version with upadated token value
parent = secret_client.secret_path(project_id, secret_id)
response = secret_client.add_secret_version(request={
"parent": parent,
"payload": {
"data": new_token
}
})
print("DEBUG: ", response)
new_version_name = response.name
# destroy old version(s)
for version in secret_client.list_secret_versions(
request={"parent": parent}):
# skip over newly created version with updated token
if version.name == new_version_name:
continue
# destroy enabled versions
if str(version.state) == "State.ENABLED":
print("DELETING: ", version.name, version.state)
delete_secret = secret_client.destroy_secret_version(
request={'name': version.name})
print("SECRET VERSION DESTROYED: ", delete_secret)
