Improve azure provider (tellerops#99)

Improve azure provider

Author: kaplanelad

Makefile

@@ -17,6 +17,7 @@ mocks:
 	mockgen -source pkg/providers/onepassword.go -destination pkg/providers/mock_providers/onepassword_mock.go
 	mockgen -source pkg/providers/gopass.go -destination pkg/providers/mock_providers/gopass_mock.go
 	mockgen -source pkg/providers/github.go -destination pkg/providers/mock_providers/github_mock.go
+	mockgen -source pkg/providers/azure_keyvault.go -destination pkg/providers/mock_providers/azure_keyvault_mock.go
 readme:
 	yarn readme
 lint:

README.md

@@ -1125,6 +1125,35 @@ providers:
         path: /folder/bar
 ```
 
+## Azure
+
+### Authentication
+
+Two options for getting Azure authentication are available:
+1. Standard Azure [environment variable](https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authorization). (Enable by default)
+2. For get credentials via [az client](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) add `AZURE_CLI=1` to your environment variable
+
+Then set your vault-name by specific as environment variable: `KVAULT_NAME`
+
+### Features
+
+* Sync - `yes`
+* Mapping - `yes`
+* Modes - `read+write+delete`
+
+### Example Config
+
+```yaml
+providers:
+  azure_keyvault:
+    env_sync:
+      path: azure
+    env:
+      FOO:
+        path: bar
+```
+
+
 # Semantics
 
 ## Addressing

pkg/providers/azure_keyvault.go

@@ -8,16 +8,25 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
 	kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
+	"github.com/Azure/go-autorest/autorest"
 	"github.com/spectralops/teller/pkg/core"
 	"github.com/spectralops/teller/pkg/logging"
 )
 
 const AzureVaultDomain = "vault.azure.net"
 
+type AzureKeyVaultClient interface {
+	SetSecret(ctx context.Context, vaultBaseURL string, secretName string, parameters keyvault.SecretSetParameters) (result keyvault.SecretBundle, err error)
+	GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result keyvault.SecretBundle, err error)
+	GetSecrets(ctx context.Context, vaultBaseURL string, maxresults *int32) (result keyvault.SecretListResultPage, err error)
+	DeleteSecret(ctx context.Context, vaultBaseURL string, secretName string) (result keyvault.DeletedSecretBundle, err error)
+}
+
 type AzureKeyVault struct {
-	client    *keyvault.BaseClient
-	logger    logging.Logger
-	vaultName string
+	client       AzureKeyVaultClient
+	logger       logging.Logger
+	vaultName    string
+	vaultBaseURL string
 }
 
 func NewAzureKeyVault(logger logging.Logger) (core.Provider, error) {
@@ -26,31 +35,56 @@ func NewAzureKeyVault(logger logging.Logger) (core.Provider, error) {
 		return nil, fmt.Errorf("cannot find KVAULT_NAME for azure key vault")
 	}
 
-	authorizer, err := kvauth.NewAuthorizerFromEnvironment()
+	var authorizer autorest.Authorizer
+	var err error
+
+	if _, ok := os.LookupEnv("AZURE_CLI"); ok {
+		authorizer, err = kvauth.NewAuthorizerFromCLI()
+	} else {
+		authorizer, err = kvauth.NewAuthorizerFromEnvironment()
+	}
+
 	if err != nil {
 		return nil, err
 	}
 
 	basicClient := keyvault.New()
 	basicClient.Authorizer = authorizer
-	return &AzureKeyVault{client: &basicClient, vaultName: vaultName, logger: logger}, nil
+	return &AzureKeyVault{client: &basicClient,
+		vaultName:    vaultName,
+		logger:       logger,
+		vaultBaseURL: "https://" + vaultName + "." + AzureVaultDomain,
+	}, nil
 }
 
 func (a *AzureKeyVault) Name() string {
 	return "azure_keyvault"
 }
+
 func (a *AzureKeyVault) Put(p core.KeyPath, val string) error {
-	return fmt.Errorf("provider %q does not implement write yet", a.Name())
+	a.logger.WithField("path", p.Path).Debug("set secret")
+	_, err := a.client.SetSecret(context.TODO(), a.vaultBaseURL, p.Path, keyvault.SecretSetParameters{
+		Value: &val,
+	})
+	return err
 }
+
 func (a *AzureKeyVault) PutMapping(p core.KeyPath, m map[string]string) error {
-	return fmt.Errorf("provider %q does not implement write yet", a.Name())
+	for k, v := range m {
+		ap := p.SwitchPath(k)
+		err := a.Put(ap, v)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
+
 func (a *AzureKeyVault) GetMapping(kp core.KeyPath) ([]core.EnvEntry, error) {
 	r := []core.EnvEntry{}
 	ctx := context.Background()
-	vaultBaseURL := "https://" + a.vaultName + "." + AzureVaultDomain
-	a.logger.WithField("vault_base_url", vaultBaseURL).Debug("get secrets")
-	secretList, err := a.client.GetSecrets(ctx, vaultBaseURL, nil)
+	a.logger.WithField("vault_base_url", a.vaultBaseURL).Debug("get secrets")
+	secretList, err := a.client.GetSecrets(ctx, a.vaultBaseURL, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -91,18 +125,18 @@ func (a *AzureKeyVault) Get(p core.KeyPath) (*core.EnvEntry, error) {
 }
 
 func (a *AzureKeyVault) Delete(kp core.KeyPath) error {
-	return fmt.Errorf("%s does not implement delete yet", a.Name())
+	_, err := a.client.DeleteSecret(context.TODO(), a.vaultBaseURL, kp.Path)
+	return err
 }
 
 func (a *AzureKeyVault) DeleteMapping(kp core.KeyPath) error {
 	return fmt.Errorf("%s does not implement delete yet", a.Name())
 }
 
 func (a *AzureKeyVault) getSecret(kp core.KeyPath) (keyvault.SecretBundle, error) {
-	vaultBaseURL := "https://" + a.vaultName + "." + AzureVaultDomain
 	a.logger.WithFields(map[string]interface{}{
-		"vault_base_url": vaultBaseURL,
+		"vault_base_url": a.vaultBaseURL,
 		"secret_name":    kp.Path,
 	}).Debug("get secret")
-	return a.client.GetSecret(context.Background(), vaultBaseURL, kp.Path, "")
+	return a.client.GetSecret(context.Background(), a.vaultBaseURL, kp.Path, "")
 }

pkg/providers/azure_keyvault_test.go

@@ -0,0 +1,69 @@
+package providers
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
+	"github.com/alecthomas/assert"
+	"github.com/golang/mock/gomock"
+
+	"github.com/spectralops/teller/pkg/core"
+	"github.com/spectralops/teller/pkg/providers/mock_providers"
+)
+
+func String(v string) *string { return &v }
+
+func TestAzureKeyVault(t *testing.T) {
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	client := mock_providers.NewMockAzureKeyVaultClient(ctrl)
+
+	a := AzureKeyVault{
+		client:       client,
+		logger:       GetTestLogger(),
+		vaultName:    "test",
+		vaultBaseURL: "https://test/",
+	}
+
+	path := "settings/prod/billing-svc"
+	shazam := "shazam"
+
+	secretList := keyvault.SecretListResult{
+		Value: &[]keyvault.SecretItem{
+			{ID: String("all")},
+			{ID: String("all-1")},
+		},
+	}
+
+	stopNext := func(context.Context, keyvault.SecretListResult) (keyvault.SecretListResult, error) {
+		return keyvault.SecretListResult{}, nil
+	}
+	returnSecrets := keyvault.NewSecretListResultPage(secretList, stopNext)
+	client.EXPECT().GetSecret(gomock.Any(), a.vaultBaseURL, path, "").Return(keyvault.SecretBundle{Value: &shazam}, nil).AnyTimes()
+	client.EXPECT().GetSecret(gomock.Any(), a.vaultBaseURL, "all", "").Return(keyvault.SecretBundle{Value: String("mailman")}, nil).AnyTimes()
+	client.EXPECT().GetSecret(gomock.Any(), a.vaultBaseURL, "all-1", "").Return(keyvault.SecretBundle{Value: String("shazam")}, nil).AnyTimes()
+	client.EXPECT().GetSecrets(gomock.Any(), a.vaultBaseURL, nil).Return(returnSecrets, nil).AnyTimes()
+
+	AssertProvider(t, &a, true)
+
+}
+
+func TestAzureKeyVaultFailures(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	client := mock_providers.NewMockAzureKeyVaultClient(ctrl)
+	a := AzureKeyVault{
+		client:       client,
+		logger:       GetTestLogger(),
+		vaultName:    "test",
+		vaultBaseURL: "https://test/",
+	}
+
+	client.EXPECT().GetSecret(gomock.Any(), a.vaultBaseURL, "settings/{{stage}}/billing-svc", "").Return(keyvault.SecretBundle{}, errors.New("error")).AnyTimes()
+
+	_, err := a.Get(core.KeyPath{Env: "MG_KEY", Path: "settings/{{stage}}/billing-svc"})
+	assert.NotNil(t, err)
+}