Merge pull request #145 from rowi1de/main

Validation functionality (#132) fixes #127
bakito · May 13, 2023 · 796709f · 796709f
2 parents 50eaa61 + 29cf555
commit 796709f
Show file tree

Hide file tree

Showing 16 changed files with 284 additions and 58 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -68,7 +68,7 @@ jobs:
         # continue on error to show logs
         continue-on-error: true
         working-directory: testdata/e2e
-        run: ./runTests.sh
+        run: ./runTests.sh "skip-validate"
 
       - name: 🔐 Print logs Cert-URL
         run: |

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -8,6 +8,9 @@ on:
     types:
       - published
 
+permissions:
+  packages: write
+
 jobs:
   build-images:
     runs-on: ubuntu-latest

diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@
 - **Decode:** Base64 decodes each key in the `data` field in a secret.
 - **Secrets:** Returns a list of all Sealed Secrets in all namespaces. With a click on the Sealed Secret the decrypted Kubernetes secret is loaded.
 - **Seal:** Encrypt a Kubernetes secret and creates the Sealed Secret.
+- **Validate:** Validate a Sealed Secret.
 
 ## Installation
 
@@ -89,42 +90,20 @@ curl -request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/raw' \
      --data '{ "name": "mysecretname", "namespace": "mysecretnamespace", "value": "value to seal" }'
 ```
 
+### Validate sealed secret
+> **_NOTE:_**  Validate is only available when using cluster internal api (e.g. certURL not set) see [bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets/issues/1208)
+```bash
+curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/validate' \
+  --header 'Accept: application/x-yaml' \
+  --data-binary '@stringData.yaml'
+```
+
 ## Development
 
 For development, we are using a local Kubernetes cluster using kind. When the cluster is created we install **Sealed Secrets** using Helm:
 
 ```sh
-# install registry
-docker run -d --restart=always -p "127.0.0.1:5001:5000" --name kind-registry registry:2
-
-# startup kind
-curl -L https://raw.githubusercontent.com/bakito/kind-with-registry-action/main/kind-config.yaml -o testdata/e2e/kind-config.yaml
-kind create cluster --config=testdata/e2e/kind-config.yaml
-
-# setup registry
-docker network connect kind kind-registry
-kubectl apply -f https://raw.githubusercontent.com/bakito/kind-with-registry-action/main/configmap-registry.yaml
-
-# setup ingress
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-kubectl wait --namespace ingress-nginx \
-  --for=condition=ready pod \
-  --selector=app.kubernetes.io/component=controller \
-  --timeout=90s
-
-# build image
-./testdata/e2e/buildImage.sh
-
-# install sealed secrets
-helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
-helm install sealed-secrets sealed-secrets/sealed-secrets \
-  --namespace sealed-secrets \
-  --create-namespace \
-  --atomic
-
-# install sealed secrets web
-./testdata/e2e/installSealedSecretsWebChart.sh yaml
-
+./run_local.sh
 ```
 
 Access the interface via http://localhost/ssw
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
@@ -28,6 +28,13 @@ sealedSecrets:
   # -- Name of the sealed secrets service
   serviceName: sealed-secrets
   # -- URL sealed secrets certificate (required if sealed secrets is not reachable with in cluster service)
-  certURL: ""
+  certURL: "" # this will disable validate api
 ---------------------------------------------
 {{- end }}
+
+{{- if ne .Values.sealedSecrets.certURL "" }}
+*************************************
+**          ATTENTION!!            **
+*************************************
+- Using sealedSecrets.certURL will disable the validate functionality, as it is only available via cluster internal api
+{{- end }}
diff --git a/main.go b/main.go
@@ -95,6 +95,7 @@ func setupRouter(coreClient corev1.CoreV1Interface, ssClient ssClient.BitnamiV1a
 	api.GET("/certificate", h.Certificate)
 	api.POST("/kubeseal", h.KubeSeal)
 	api.POST("/dencode", h.Dencode)
+	api.POST("/validate", h.Validate)
 
 	api.GET("/secret/:namespace/:name", sHandler.Secret)
 	api.GET("/secrets", sHandler.AllSecrets)
@@ -111,10 +112,11 @@ func renderIndexHTML(cfg *config.Config) (string, error) {
 	}
 
 	data := map[string]interface{}{
-		"DisableLoadSecrets": cfg.DisableLoadSecrets,
-		"WebContext":         cfg.Web.Context,
-		"InitialSecret":      initialSecret,
-		"Version":            version.Version,
+		"DisableLoadSecrets":     cfg.DisableLoadSecrets,
+		"DisableValidateSecrets": cfg.SealedSecrets.CertURL != "",
+		"WebContext":             cfg.Web.Context,
+		"InitialSecret":          initialSecret,
+		"Version":                version.Version,
 	}
 
 	var tpl bytes.Buffer

diff --git a/pkg/config/types.go b/pkg/config/types.go
@@ -36,14 +36,14 @@ func parse(f *flags) (*Config, error) {
 
 	if *f.sealedSecretsCertURL != "" {
 		cfg.SealedSecrets.CertURL = *f.sealedSecretsCertURL
-	} else {
-		if *f.sealedSecretsServiceName != "" {
-			cfg.SealedSecrets.Service = *f.sealedSecretsServiceName
-		}
-		if *f.sealedSecretsServiceNamespace != "" {
-			cfg.SealedSecrets.Namespace = *f.sealedSecretsServiceNamespace
-		}
 	}
+	if *f.sealedSecretsServiceName != "" {
+		cfg.SealedSecrets.Service = *f.sealedSecretsServiceName
+	}
+	if *f.sealedSecretsServiceNamespace != "" {
+		cfg.SealedSecrets.Namespace = *f.sealedSecretsServiceNamespace
+	}
+
 	if *f.includeNamespaces != "" {
 		cfg.IncludeNamespaces = strings.Split(*f.includeNamespaces, " ")
 	}

diff --git a/pkg/config/types_test.go b/pkg/config/types_test.go
@@ -60,8 +60,8 @@ var _ = Describe("Types", func() {
 			f.sealedSecretsCertURL = ptr("cert.url")
 			cfg, err = parse(f)
 			Ω(cfg.SealedSecrets.CertURL).Should(Equal("cert.url"))
-			Ω(cfg.SealedSecrets.Namespace).Should(BeEmpty())
-			Ω(cfg.SealedSecrets.Service).Should(BeEmpty())
+			Ω(cfg.SealedSecrets.Namespace).Should(Equal("sealed-secrets"))
+			Ω(cfg.SealedSecrets.Service).Should(Equal("sealed-secrets"))
 		})
 		It("should set the service namespace and name", func() {
 			f.sealedSecretsServiceName = ptr("name")

diff --git a/pkg/handler/index.go b/pkg/handler/index.go
@@ -13,12 +13,14 @@ type Handler struct {
 	sealer    seal.Sealer
 	indexHTML string
 	filter    *config.FieldFilter
+	cfg       *config.Config
 }
 
 func New(indexHTML string, sealer seal.Sealer, cfg *config.Config) *Handler {
 	return &Handler{
 		sealer:    sealer,
 		indexHTML: indexHTML,
+		cfg:       cfg,
 		filter:    cfg.FieldFilter,
 	}
 }

diff --git a/pkg/handler/validate.go b/pkg/handler/validate.go
@@ -0,0 +1,25 @@
+package handler
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+func (h *Handler) Validate(c *gin.Context) {
+	if h.cfg.SealedSecrets.CertURL != "" {
+		configError := fmt.Errorf("validate can't be used with CertURL (%s)", h.cfg.SealedSecrets.CertURL)
+		c.Data(http.StatusConflict, "text/plain", []byte(configError.Error()))
+		return
+	}
+	err := h.sealer.Validate(c, c.Request.Body)
+
+	if err != nil {
+		log.Printf("Error in %s: %v\n", Sanitize(c.Request.URL.Path), err)
+		c.Data(http.StatusBadRequest, "text/plain", []byte(err.Error()))
+	} else {
+		c.Data(http.StatusOK, "text/plain", []byte("OK"))
+	}
+}
diff --git a/pkg/handler/validate_test.go b/pkg/handler/validate_test.go
@@ -0,0 +1,78 @@
+package handler
+
+import (
+	"bytes"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+
+	"github.com/bakito/sealed-secrets-web/pkg/config"
+	"github.com/bakito/sealed-secrets-web/pkg/mocks/seal"
+	"github.com/gin-gonic/gin"
+	"github.com/golang/mock/gomock"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Handler ", func() {
+	Context("Validate", func() {
+		var (
+			recorder *httptest.ResponseRecorder
+			c        *gin.Context
+			mock     *gomock.Controller
+			sealer   *seal.MockSealer
+			h        *Handler
+			cfg      *config.Config
+		)
+		BeforeEach(func() {
+			gin.SetMode(gin.ReleaseMode)
+			recorder = httptest.NewRecorder()
+			c, _ = gin.CreateTestContext(recorder)
+			mock = gomock.NewController(GinkgoT())
+			sealer = seal.NewMockSealer(mock)
+			cfg = &config.Config{}
+			h = &Handler{
+				sealer: sealer,
+				cfg:    cfg,
+			}
+		})
+
+		It("should return success if validation succeeds", func() {
+			c.Request, _ = http.NewRequest("POST", "/v1/validate", bytes.NewReader([]byte(stringDataAsYAML)))
+			c.Request.Header.Set("Content-Type", "application/x-yaml")
+
+			sealer.EXPECT().Validate(gomock.Any(), gomock.Any()).Return(nil)
+
+			h.Validate(c)
+
+			Ω(recorder.Code).Should(Equal(http.StatusOK))
+			Ω(recorder.Body.String()).Should(Equal("OK"))
+			Ω(recorder.Header().Get("Content-Type")).Should(Equal("text/plain"))
+		})
+
+		It("should return an error if validation fails", func() {
+			c.Request, _ = http.NewRequest("POST", "/v1/validate", bytes.NewReader([]byte(stringDataAsYAML)))
+			c.Request.Header.Set("Content-Type", "application/x-yaml")
+
+			sealer.EXPECT().Validate(gomock.Any(), gomock.Any()).Return(errors.New("Validation failed"))
+
+			h.Validate(c)
+
+			Ω(recorder.Code).Should(Equal(http.StatusBadRequest))
+			Ω(recorder.Body.String()).Should(Equal("Validation failed"))
+			Ω(recorder.Header().Get("Content-Type")).Should(Equal("text/plain"))
+		})
+
+		It("should return an error if certURL is used", func() {
+			cfg.SealedSecrets.CertURL = "http://sealed-secrets/v1/cert.pem"
+			c.Request, _ = http.NewRequest("POST", "/v1/validate", bytes.NewReader([]byte(stringDataAsYAML)))
+			c.Request.Header.Set("Content-Type", "application/x-yaml")
+
+			h.Validate(c)
+
+			Ω(recorder.Code).Should(Equal(http.StatusConflict))
+			Ω(recorder.Body.String()).Should(Equal("validate can't be used with CertURL (http://sealed-secrets/v1/cert.pem)"))
+			Ω(recorder.Header().Get("Content-Type")).Should(Equal("text/plain"))
+		})
+	})
+})
diff --git a/pkg/mocks/seal/mock.go b/pkg/mocks/seal/mock.go
diff --git a/pkg/seal/seal.go b/pkg/seal/seal.go
@@ -19,6 +19,7 @@ type Sealer interface {
 	Raw(data Raw) ([]byte, error)
 	Certificate(ctx context.Context) ([]byte, error)
 	Seal(outputFormat string, secret io.Reader) ([]byte, error)
+	Validate(ctx context.Context, secret io.Reader) error
 }
 
 var _ Sealer = &apiSealer{}
@@ -100,6 +101,16 @@ func (a *apiSealer) Raw(data Raw) ([]byte, error) {
 	return buf.Bytes(), nil
 }
 
+func (a *apiSealer) Validate(ctx context.Context, secret io.Reader) error {
+	return kubeseal.ValidateSealedSecret(
+		ctx,
+		a.clientConfig,
+		a.ss.Namespace,
+		a.ss.Service,
+		secret,
+	)
+}
+
 type Raw struct {
 	Value     string `json:"value"`
 	Name      string `json:"name"`

diff --git a/run_local.sh b/run_local.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -eo pipefail
+
+# install registry
+docker run -d --restart=always -p "127.0.0.1:5001:5000" --name kind-registry registry:2
+
+# startup kind
+curl -L https://raw.githubusercontent.com/bakito/kind-with-registry-action/main/kind-config.yaml -o testdata/e2e/kind-config.yaml
+kind create cluster --config=testdata/e2e/kind-config.yaml
+
+# setup registry
+docker network connect kind kind-registry
+kubectl apply -f https://raw.githubusercontent.com/bakito/kind-with-registry-action/main/configmap-registry.yaml
+
+# setup ingress
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+kubectl wait --namespace ingress-nginx \
+  --for=condition=ready pod \
+  --selector=app.kubernetes.io/component=controller \
+  --timeout=90s
+
+# build image
+./testdata/e2e/buildImage.sh
+
+# install sealed secrets
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+helm install sealed-secrets sealed-secrets/sealed-secrets \
+  --namespace sealed-secrets \
+  --create-namespace \
+  --atomic
+
+# install sealed secrets web
+./testdata/e2e/installSealedSecretsWebChart.sh yaml