Support cloudflare worker secrets

Author: kaplanelad

.teller.example.yml

@@ -121,4 +121,21 @@ providers:
   #     FOO_BAR:
   #       path: # LastPass item ID
   #       #field: by default taking password property. in case you want other property un-mark this line and set the LastPass property name
-  
+  
+
+
+#  # Configure via environment variables for integration:
+#  # CLOUDFLARE_API_KEY: Your Cloudflare api key.
+#  # CLOUDFLARE_API_EMAIL: Your email associated with the api key.
+#  # CLOUDFLARE_ACCOUNT_ID: Your account ID.
+#
+#  cloudflare_workers_secrets:
+#   env_sync:
+#       source: script-id
+#   env:
+#     foo-secret:
+#       path: foo-secret
+#       source: script-id
+#     foo-secret2:
+#       path: foo-secret
+#       source: script-id

Makefile

@@ -5,6 +5,7 @@ mocks:
 	mockgen -source pkg/providers/aws_secretsmanager.go -destination pkg/providers/mock_providers/aws_secretsmanager_mock.go
 	mockgen -source pkg/providers/aws_ssm.go -destination pkg/providers/mock_providers/aws_ssm_mock.go
 	mockgen -source pkg/providers/cloudflare_workers_kv.go -destination pkg/providers/mock_providers/cloudflare_workers_kv_mock.go
+	mockgen -source pkg/providers/cloudflare_workers_secrets.go -destination pkg/providers/mock_providers/cloudflare_workers_secrets_mock.go
 	mockgen -source pkg/providers/consul.go -destination pkg/providers/mock_providers/consul_mock.go
 	mockgen -source pkg/providers/dotenv.go -destination pkg/providers/mock_providers/dotenv_mock.go
 	mockgen -source pkg/providers/doppler.go -destination pkg/providers/mock_providers/doppler_mock.go

README.md

@@ -876,6 +876,50 @@ providers:
         # Accesses the field `SOME_KEY` in the KV namespace and maps it to REMAPPED_KEY.
         field: SOME_KEY
 ```
+
+## Cloudflare Workers Secrets
+
+### Usage:
+```sh
+$ teller put foo-secret=000000  --providers cloudflare_workers_secrets  
+$ telelr put foo-secret=123 foo-secret2=456 --providers cloudflare_workers_secrets --sync # take from env_sync for using the same source for multiple secrets
+$ telelr delete foo-secret foo-secret2 --providers cloudflare_workers_secrets
+```
+
+### Authentication
+
+requires the following environment variables to be set:
+
+`CLOUDFLARE_API_KEY`: Your Cloudflare api key.
+`CLOUDFLARE_API_EMAIL`: Your email associated with the api key.
+`CLOUDFLARE_ACCOUNT_ID`: Your account ID.
+
+### Features
+
+* Sync - `yes`
+* Mapping - `yes`
+* Modes - `write`
+* Key format
+  * `source` - The script name
+  * `path` - Name of the secret, when using `--sync` the path will overridden by the given parameters
+
+### Example Config
+
+```yaml
+
+providers:
+  cloudflare_workers_secrets:
+    env_sync:
+        source: script-id
+    env:
+      foo-secret:
+        path: foo-secret
+        source: script-id
+      foo-secret2:
+        path: foo-secret
+        source: script-id
+```
+
 ## 1Password
 
 ### Authentication

pkg/providers.go

@@ -17,22 +17,23 @@ type BuiltinProviders struct {
 
 func (p *BuiltinProviders) ProviderHumanToMachine() map[string]string {
 	return map[string]string{
-		"Heroku":                   "heroku",
-		"Vault by Hashicorp":       "hashicorp_vault",
-		"AWS SSM (aka paramstore)": "aws_ssm",
-		"AWS Secrets Manager":      "aws_secretsmanager",
-		"Google Secret Manager":    "google_secretmanager",
-		"Etcd":                     "etcd",
-		"Consul":                   "consul",
-		".env":                     "dotenv",
-		"Vercel":                   "vercel",
-		"Azure Key Vault":          "azure_keyvault",
-		"Doppler":                  "doppler",
-		"CyberArk Conjur":          "cyberark_conjur",
-		"Cloudlflare Workers KV":   "cloudflare_workers_kv",
-		"1Password":                "1password",
-		"Gopass":                   "gopass",
-		"LastPass":                 "lastpass",
+		"Heroku":                      "heroku",
+		"Vault by Hashicorp":          "hashicorp_vault",
+		"AWS SSM (aka paramstore)":    "aws_ssm",
+		"AWS Secrets Manager":         "aws_secretsmanager",
+		"Google Secret Manager":       "google_secretmanager",
+		"Etcd":                        "etcd",
+		"Consul":                      "consul",
+		".env":                        "dotenv",
+		"Vercel":                      "vercel",
+		"Azure Key Vault":             "azure_keyvault",
+		"Doppler":                     "doppler",
+		"CyberArk Conjur":             "cyberark_conjur",
+		"Cloudlflare Workers KV":      "cloudflare_workers_kv",
+		"Cloudlflare Workers Secrets": "cloudflare_workers_secrets",
+		"1Password":                   "1password",
+		"Gopass":                      "gopass",
+		"LastPass":                    "lastpass",
 	}
 }
 
@@ -64,6 +65,8 @@ func (p *BuiltinProviders) GetProvider(name string) (core.Provider, error) {
 		return providers.NewConjurClient()
 	case "cloudflare_workers_kv":
 		return providers.NewCloudflareClient()
+	case "cloudflare_workers_secrets":
+		return providers.NewCloudflareSecretsClient()
 	case "1password":
 		return providers.NewOnePassword()
 	case "gopass":

pkg/providers/cloudflare_workers_secrets.go

@@ -0,0 +1,120 @@
+package providers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+
+	cloudflare "github.com/cloudflare/cloudflare-go"
+	"github.com/spectralops/teller/pkg/core"
+)
+
+var (
+	ErrCloudFlareSourceFieldIsMissing = errors.New("`source` filed is missing")
+)
+
+type CloudflareSecretsClient interface {
+	SetWorkersSecret(ctx context.Context, script string, req *cloudflare.WorkersPutSecretRequest) (cloudflare.WorkersPutSecretResponse, error)
+	DeleteWorkersSecret(ctx context.Context, script, secretName string) (cloudflare.Response, error)
+}
+
+type CloudflareSecrets struct {
+	client CloudflareSecretsClient
+}
+
+func NewCloudflareSecretsClient() (core.Provider, error) {
+	api, err := cloudflare.New(
+		os.Getenv("CLOUDFLARE_API_KEY"),
+		os.Getenv("CLOUDFLARE_API_EMAIL"),
+	)
+
+	if err != nil {
+		return nil, err
+	}
+
+	cloudflare.UsingAccount(os.Getenv("CLOUDFLARE_ACCOUNT_ID"))(api) //nolint
+	return &CloudflareSecrets{client: api}, nil
+}
+
+func (c *CloudflareSecrets) Name() string {
+	return "cloudflare_workers_secret"
+}
+
+func (c *CloudflareSecrets) Put(p core.KeyPath, val string) error {
+
+	if p.Source == "" {
+		return ErrCloudFlareSourceFieldIsMissing
+	}
+
+	secretName, err := c.getSecretName(p)
+	if err != nil {
+		return err
+	}
+
+	secretRequest := cloudflare.WorkersPutSecretRequest{
+		Name: secretName,
+		Text: val,
+		Type: cloudflare.WorkerSecretTextBindingType,
+	}
+
+	_, err = c.client.SetWorkersSecret(context.TODO(), p.Source, &secretRequest)
+
+	return err
+}
+
+func (c *CloudflareSecrets) PutMapping(p core.KeyPath, m map[string]string) error {
+	if p.Source == "" {
+		return ErrCloudFlareSourceFieldIsMissing
+	}
+
+	for k, v := range m {
+		ap := p.WithEnv(fmt.Sprintf("%v/%v", p.Path, k))
+
+		err := c.Put(ap, v)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *CloudflareSecrets) Delete(p core.KeyPath) error {
+
+	if p.Source == "" {
+		return ErrCloudFlareSourceFieldIsMissing
+	}
+
+	secretName, err := c.getSecretName(p)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.client.DeleteWorkersSecret(context.TODO(), p.Source, secretName)
+	return err
+}
+
+func (c *CloudflareSecrets) GetMapping(p core.KeyPath) ([]core.EnvEntry, error) {
+	return nil, fmt.Errorf("%s does not support read functionality", c.Name())
+}
+
+func (c *CloudflareSecrets) Get(p core.KeyPath) (*core.EnvEntry, error) {
+	return nil, fmt.Errorf("%s does not support read functionality", c.Name())
+}
+
+func (c *CloudflareSecrets) DeleteMapping(kp core.KeyPath) error {
+	return fmt.Errorf("%s does not implement deleteMapping yet", c.Name())
+}
+
+func (c *CloudflareSecrets) getSecretName(p core.KeyPath) (string, error) {
+
+	k := p.Field
+	if k == "" {
+		k = p.Env
+	}
+	if k == "" {
+		return "", fmt.Errorf("key required for fetching secrets. Received \"\"")
+	}
+	return k, nil
+
+}

pkg/providers/cloudflare_workers_secrets_test.go

@@ -0,0 +1,50 @@
+package providers
+
+import (
+	"testing"
+
+	"github.com/alecthomas/assert"
+	cloudflare "github.com/cloudflare/cloudflare-go"
+	"github.com/golang/mock/gomock"
+
+	"github.com/spectralops/teller/pkg/core"
+	"github.com/spectralops/teller/pkg/providers/mock_providers"
+)
+
+func TestCloudflareWorkersSecretsPut(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	client := mock_providers.NewMockCloudflareSecretsClient(ctrl)
+
+	expectedWorkerPutRequest := cloudflare.WorkersPutSecretRequest{
+		Name: "MG_KEY",
+		Text: "put-secret",
+		Type: "secret_text",
+	}
+	client.EXPECT().SetWorkersSecret(gomock.Any(), "script-key", &expectedWorkerPutRequest).Return(cloudflare.WorkersPutSecretResponse{}, nil).AnyTimes()
+
+	c := CloudflareSecrets{
+		client: client,
+	}
+	assert.Nil(t, c.Put(core.KeyPath{Field: "MG_KEY", Source: "script-key"}, "put-secret"))
+	assert.Nil(t, c.Put(core.KeyPath{Env: "MG_KEY", Source: "script-key"}, "put-secret"))
+	assert.NotNil(t, c.Put(core.KeyPath{Path: "script-key"}, "put-secret"))
+	assert.EqualError(t, c.Delete(core.KeyPath{Field: "MG_KEY"}), ErrCloudFlareSourceFieldIsMissing.Error())
+}
+
+func TestCloudflareWorkersSecretsDelete(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	client := mock_providers.NewMockCloudflareSecretsClient(ctrl)
+
+	client.EXPECT().DeleteWorkersSecret(gomock.Any(), "script-key", "MG_KEY").Return(cloudflare.Response{}, nil).AnyTimes()
+
+	c := CloudflareSecrets{
+		client: client,
+	}
+
+	assert.Nil(t, c.Delete(core.KeyPath{Field: "MG_KEY", Source: "script-key"}))
+	assert.EqualError(t, c.Delete(core.KeyPath{Field: "MG_KEY"}), ErrCloudFlareSourceFieldIsMissing.Error())
+	assert.NotNil(t, c.Delete(core.KeyPath{Path: "script-key"}))
+
+}

pkg/providers/mock_providers/cloudflare_workers_secrets_mock.go

@@ -199,4 +199,21 @@ providers:
         path: # Lastpass item ID
         # field: by default taking password property. in case you want other property un-mark this line and set the lastpass property name.
 {{end}}
+
+{{- if index .ProviderKeys "cloudflare_workers_secrets" }}
+
+  # Configure via environment variables for integration:
+  # CLOUDFLARE_API_KEY: Your Cloudflare api key.
+  # CLOUDFLARE_API_EMAIL: Your email associated with the api key.
+  # CLOUDFLARE_ACCOUNT_ID: Your account ID.
+
+  cloudflare_workers_secrets:
+    env_sync:
+      source: # Mandatory: script field
+    env:
+      script-value:
+        path: foo-secret
+        source: # Mandatory: script field
+{{end}}
+
 `