Implement nosecret provider & refactor

README.md

@@ -8,30 +8,30 @@ Go package to hydrate runtime secrets from Cloud providers
 cloudsecrets.Hydrate(ctx, "gcp", &Config{})
 ```
 
-`Hydrate()` recursively walks given struct (pointer) and for any field matching `$SECRET:`
-string prefix, it will fetch secret from secret provider and replace the original value:
-- `"$SECRET:{secretName}"` => `provider.fetchSecret("secretName", "latest")`
+`Hydrate()` recursively walks a given config (struct pointer) and hydrates all string
+values matching `"$SECRET:"` prefix using a given Cloud secrets provider.
 
+The secret values to be replaced must have a format of `"$SECRET:{name|path}"`.
 
 ## Usage
 ```go
 import "github.com/0xsequence/go-cloudsecrets/cloudsecrets"
 
 func main() {
-    var cfg := &config.Config{
-    	DB: &config.DB{
-    		Database: "postgres",
-    		Host:     "localhost:5432",
-    		Username: "sequence",
-    		Password: "$SECRET:dbPassword", // to be hydrated
-        },
-    }
+	var cfg := &config.Config{
+		DB: &config.DB{
+			Database: "postgres",
+			Host:     "localhost:5432",
+			Username: "sequence",
+			DPassword: "$SECRET:dbPassword", // to be hydrated
+		},
+	}
 
 	err := cloudsecrets.Hydrate(context.Background(), "gcp", cfg)
 	if err != nil {
-		log.Fatal("failed to hydrate secrets: ", err)
+		log.Fatalf("failed to hydrate config secrets: %v", err)
 	}
 
-    // cfg.DB.Password now contains value of "dbPassword" GCP secret (latest version)
+	// cfg.DB.Password now contains value of "dbPassword" GCP secret (latest version)
 }
 ```

_examples/cmd/main.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"log"
 
+	"github.com/0xsequence/go-cloudsecrets"
 	"github.com/0xsequence/go-cloudsecrets/_examples/config"
-	"github.com/0xsequence/go-cloudsecrets/cloudsecrets"
 	"github.com/kr/pretty"
 )
 
@@ -22,7 +22,7 @@ func main() {
 
 	err := cloudsecrets.Hydrate(context.Background(), "gcp", cfg)
 	if err != nil {
-		log.Fatal("failed to hydrate secrets: ", err)
+		log.Fatalf("failed to hydrate config secrets: %v", err)
 	}
 
 	fmt.Printf("%# v", pretty.Formatter(cfg))

cloudsecrets/gcp.go → gcp/gcp.go

@@ -1,4 +1,4 @@
-package cloudsecrets
+package gcp
 
 import (
 	"context"
@@ -13,17 +13,16 @@ import (
 	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 )
 
-type GCPSecretStorage struct {
+type SecretsProvider struct {
 	projectNumber string
 	client        *secretmanager.Client
 }
 
-func NewGCPSecretStorage() (*GCPSecretStorage, error) {
+func NewSecretsProvider() (*SecretsProvider, error) {
 	gcpClient, err := secretmanager.NewClient(context.Background())
 	if err != nil {
 		return nil, fmt.Errorf("initializing GCP secret manager: %w", err)
 	}
-	// TODO: gcpClient.Close()
 
 	var projectNumber string
 	if metadata.OnGCE() {
@@ -41,35 +40,35 @@ func NewGCPSecretStorage() (*GCPSecretStorage, error) {
 		}
 	}
 
-	return &GCPSecretStorage{
+	return &SecretsProvider{
 		projectNumber: projectNumber,
 		client:        gcpClient,
 	}, nil
 }
 
-func (storage GCPSecretStorage) FetchSecret(ctx context.Context, secretId string) (string, error) {
+func (p SecretsProvider) FetchSecret(ctx context.Context, secretId string) (string, error) {
 	versionId := "latest"
 
 	req := &secretmanagerpb.AccessSecretVersionRequest{
-		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", storage.projectNumber, secretId, versionId),
+		Name: fmt.Sprintf("projects/%s/secrets/%s/versions/%s", p.projectNumber, secretId, versionId),
 	}
 
 	reqCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
 	defer cancel()
 
 	// Access the secret version
-	result, err := storage.client.AccessSecretVersion(reqCtx, req)
+	result, err := p.client.AccessSecretVersion(reqCtx, req)
 	if err != nil {
-		return "", fmt.Errorf("failed to access secret %s: %w", secretId, err)
+		return "", fmt.Errorf("fetching GCP secret %q: %w", secretId, err)
 	}
 
 	// Return the secret value
 	return string(result.Payload.Data), nil
 }
 
 func getProjectNumberFromGcloud(ctx context.Context) (string, error) {
-	// Inferring ProjectId using
-	// creds, err := google.FindDefaultCredentials(ctx, "")
+	// NOTE: Inferring projectId using
+	//   creds, err := google.FindDefaultCredentials(ctx, "")
 	// doesn't work. See https://github.com/golang/oauth2/issues/241.
 
 	projectId := os.Getenv("GOOGLE_CLOUD_PROJECT")
@@ -84,7 +83,7 @@ func getProjectNumberFromGcloud(ctx context.Context) (string, error) {
 	// We need projectNumber (not projectName!) for GCP Secret Manager APIs.
 	out, err := exec.CommandContext(ctx, "gcloud", "projects", "describe", projectId, "--format=value(projectNumber)").Output()
 	if err != nil {
-		return "", fmt.Errorf("getting projectNumber from projectId %q: %w", projectId, err)
+		return "", fmt.Errorf("getting gcloud projectNumber from projectId %q: %w", projectId, err)
 	}
 	return strings.TrimSpace(string(out)), nil
 }

cloudsecrets/hydrate.go → hydrate.go

@@ -6,30 +6,39 @@ import (
 	"reflect"
 	"strings"
 	"sync"
+
+	"github.com/0xsequence/go-cloudsecrets/gcp"
+	"github.com/0xsequence/go-cloudsecrets/nosecrets"
 )
 
-// Hydrate hydrates "obj" secrets from a given Cloud secrets provider.
-// Values are hydrated if they start with "$SECRET:" prefix following the name/path of the secret.
+// Hydrate recursively walks a given config (struct pointer) and hydrates all
+// string values matching "$SECRET:" prefix using a given Cloud secrets provider.
+//
+// The secret values to be replaced must have a format of "$SECRET:{name|path}".
 //
-// Currently, only a pointer to struct is supported as an obj.
-func Hydrate(ctx context.Context, cloudProvider string, obj interface{}) error {
-	var (
-		err      error
-		provider secretsProvider
-	)
-
-	switch cloudProvider {
+// Supported providers:
+// - "gcp": Google Cloud Secret Manager
+// - "":    If no provider is given, walk the config and fail on any "$SECRET:".
+func Hydrate(ctx context.Context, providerName string, config interface{}) error {
+	var err error
+	var provider secretsProvider
+
+	switch providerName {
+	case "":
+		// No provider configured. If we see a $SECRET: value, we fail.
+		provider = nosecrets.NewSecretsProvider()
+
 	case "gcp":
-		provider, err = NewGCPSecretStorage()
+		provider, err = gcp.NewSecretsProvider()
 		if err != nil {
-			return fmt.Errorf("failed to init gcp secret store: %w", err)
+			return fmt.Errorf("creating gcp secret provider: %w", err)
 		}
 
 	default:
-		return fmt.Errorf("unsupported provider %q", cloudProvider)
+		return fmt.Errorf("unsupported provider %q", providerName)
 	}
 
-	v := reflect.ValueOf(obj)
+	v := reflect.ValueOf(config)
 	return hydrateStruct(ctx, provider, v)
 }
 
@@ -60,7 +69,7 @@ func hydrateStruct(ctx context.Context, provider secretsProvider, v reflect.Valu
 			return nil
 		}
 		if err != nil {
-			return fmt.Errorf("failed to process config: %w", err)
+			return fmt.Errorf("walking struct fields: %w", err)
 		}
 	}
 
@@ -88,15 +97,15 @@ func hydrateStructFields(ctx context.Context, provider secretsProvider, config r
 			secretName, found := strings.CutPrefix(field.String(), "$SECRET:")
 			if found {
 				wg.Add(1)
-				go func(field reflect.Value, secretName string) {
+				go func(fieldName string, field reflect.Value, secretName string) {
 					defer wg.Done()
 					secretValue, err := provider.FetchSecret(ctx, secretName)
 					if err != nil {
-						errCh <- fmt.Errorf("fetch secret failed for field %s: %w", secretName, err)
+						errCh <- fmt.Errorf("%v=%q: %w", fieldName, field.String(), err)
 						return
 					}
 					field.SetString(secretValue)
-				}(field, secretName)
+				}(config.Type().Field(i).Name, field, secretName)
 			}
 		}
 	}

cloudsecrets/hydrate_test.go → hydrate_test.go

@@ -5,6 +5,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/0xsequence/go-cloudsecrets/mock"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -30,7 +31,7 @@ func TestFailWhenPassedValueIsNotStruct(t *testing.T) {
 	input := "hello"
 
 	v := reflect.ValueOf(input)
-	provider := NewMockSecretProvider(map[string]string{
+	provider := mock.NewSecretsProvider(map[string]string{
 		"dbPassword":        "changethissecret",
 		"analyticsPassword": "AuthTokenSecret",
 	})
@@ -108,7 +109,7 @@ func TestReplacePlaceholdersWithSecrets(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			v := reflect.ValueOf(tt.conf)
-			err := hydrateStruct(ctx, NewMockSecretProvider(tt.storage), v)
+			err := hydrateStruct(ctx, mock.NewSecretsProvider(tt.storage), v)
 			if err != nil {
 				if tt.wantErr {
 					assert.Equal(t, tt.wantConf, tt.conf)

mock/mock.go

@@ -0,0 +1,23 @@
+package mock
+
+import (
+	"context"
+	"fmt"
+)
+
+type SecretsProvider struct {
+	secrets map[string]string
+}
+
+func NewSecretsProvider(secrets map[string]string) *SecretsProvider {
+	return &SecretsProvider{secrets: secrets}
+}
+
+func (p SecretsProvider) FetchSecret(ctx context.Context, secretId string) (string, error) {
+	secret, ok := p.secrets[secretId]
+	if !ok {
+		return "", fmt.Errorf("find secret %q", secretId)
+	}
+
+	return secret, nil
+}

nosecrets/nosecrets.go

@@ -0,0 +1,19 @@
+package nosecrets
+
+import (
+	"context"
+	"errors"
+	"fmt"
+)
+
+var ErrNoSecretsProvider = errors.New("secret found but no secrets provider was configured")
+
+type SecretsProvider struct{}
+
+func NewSecretsProvider() *SecretsProvider {
+	return &SecretsProvider{}
+}
+
+func (p SecretsProvider) FetchSecret(ctx context.Context, secretId string) (string, error) {
+	return "", fmt.Errorf("fetch secret %q: %w", secretId, ErrNoSecretsProvider)
+}