Merge pull request #219 from secrethub/release/v0.31.0

Release v0.31.0

Author: SimonBarendse

README.md

@@ -7,7 +7,7 @@
   <i>Go Client</i>
 </h1>
 
-[![GoDoc](http://img.shields.io/badge/godoc-reference-blue.svg)][godoc]
+[![GoDoc](https://img.shields.io/badge/godoc-reference-blue.svg)][godoc]
 [![CircleCI](https://circleci.com/gh/secrethub/secrethub-go.svg?style=shield)][circle-ci]
 [![Go Report Card](https://goreportcard.com/badge/github.com/secrethub/secrethub-go)][goreportcard]
 [![Version]( https://img.shields.io/github/release/secrethub/secrethub-go.svg)][latest-version]
@@ -148,7 +148,7 @@ If you get stuck or just want advice, come chat with the engineers on [Discord][
 [latest-version]: https://github.com/secrethub/secrethub-go/releases/latest
 [issues]: https://github.com/secrethub/secrethub-go/issues/new
 [pulls]: https://github.com/secrethub/secrethub-go/pulls
-[godoc]: http://godoc.org/github.com/secrethub/secrethub-go
+[godoc]: https://pkg.go.dev/github.com/secrethub/secrethub-go?tab=overview
 [goreportcard]: https://goreportcard.com/report/github.com/secrethub/secrethub-go
 [circle-ci]: https://circleci.com/gh/secrethub/secrethub-go
 [discord]: https://discord.gg/EQcE87s

go.mod

@@ -17,6 +17,7 @@ require (
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 	google.golang.org/api v0.26.0
 	google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940
+	google.golang.org/grpc v1.28.0
 )
 
 go 1.13

internals/api/patterns.go

@@ -39,6 +39,7 @@ var (
 	whitelistOrgName            = regexp.MustCompile(fmt.Sprintf(`(?i)^(%s{%d,%d})$`, patternUniformNameCharacters, uniformNameMinimumLength, uniformNameMaximumLength))
 	whitelistFullName           = regexp.MustCompile(fmt.Sprintf(`(?i)^(%s{1,128})$`, patternFullName))
 	whitelistDescription        = regexp.MustCompile(fmt.Sprintf(`(?i)^(%s)$`, patternDescription))
+	whitelistSetupCode          = regexp.MustCompile("^su-[a-zA-Z0-9-]{8,64}")
 
 	whitelistAtLeastOneAlphanumeric = regexp.MustCompile(fmt.Sprintf("%s{1,}", patternAlphanumeric))
 
@@ -89,6 +90,7 @@ var (
 	ErrInvalidGCPServiceAccountEmail        = errAPI.Code("invalid_service_account_email").StatusError("not a valid GCP service account email", http.StatusBadRequest)
 	ErrNotUserManagerGCPServiceAccountEmail = errAPI.Code("require_user_managed_service_account").StatusError("provided GCP service account email is not for a user-manager service account", http.StatusBadRequest)
 	ErrInvalidGCPKMSResourceID              = errAPI.Code("invalid_key_resource_id").StatusError("not a valid resource ID, expected: projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY", http.StatusBadRequest)
+	ErrInvalidSetupCode                     = errAPI.Code("invalid_setup_code").StatusError("setup code starts with su- and is followed by groups of letters and numbers separated by dashes", http.StatusBadRequest)
 )
 
 // ValidateNamespace validates a username.
@@ -353,3 +355,11 @@ func ValidateGCPKMSKeyResourceID(v string) error {
 
 	return nil
 }
+
+// ValidateSetupCode checks whether the given string has the format of a valid setup code.
+func ValidateSetupCode(code string) error {
+	if !whitelistSetupCode.MatchString(code) {
+		return ErrInvalidSetupCode
+	}
+	return nil
+}

pkg/secrethub/account.go

@@ -14,6 +14,8 @@ var (
 
 // AccountService handles operations on SecretHub accounts.
 type AccountService interface {
+	// Me retrieves the authenticated account of the client.
+	Me() (*api.Account, error)
 	// Get retrieves an account by name.
 	Get(name string) (*api.Account, error)
 	// Keys returns an account key service.
@@ -30,6 +32,11 @@ type accountService struct {
 	client *Client
 }
 
+// Me retrieves the authenticated account of the client.
+func (s accountService) Me() (*api.Account, error) {
+	return s.client.getMyAccount()
+}
+
 // Get retrieves an account by name.
 func (s accountService) Get(name string) (*api.Account, error) {
 	accountName, err := api.NewAccountName(name)

pkg/secrethub/client.go

@@ -138,7 +138,7 @@ func NewClient(with ...ClientOption) (*Client, error) {
 	}
 
 	// Try to use default key credentials if none provided explicitly
-	if client.decrypter == nil {
+	if !client.httpClient.IsAuthenticated() && client.decrypter == nil {
 		identityProvider := os.Getenv("SECRETHUB_IDENTITY_PROVIDER")
 
 		var provider credentials.Provider
@@ -207,7 +207,7 @@ func (c *Client) Accounts() AccountService {
 
 // Credentials returns a service used to manage credentials.
 func (c *Client) Credentials() CredentialService {
-	return newCredentialService(c)
+	return newCredentialService(c, c.httpClient.IsAuthenticated, c.isKeyed)
 }
 
 // Dirs returns a service used to manage directories.
@@ -272,6 +272,10 @@ func (c *Client) DefaultCredential() credentials.Reader {
 	return c.ConfigDir.Credential()
 }
 
+func (c *Client) isKeyed() bool {
+	return c.decrypter != nil
+}
+
 func (c *Client) userAgent() string {
 	userAgent := userAgentPrefix
 	for _, info := range c.appInfo {

pkg/secrethub/client_version.go

@@ -2,4 +2,4 @@ package secrethub
 
 // ClientVersion is the current version of the client
 // Do not edit this unless you know what you're doing.
-const ClientVersion = "v0.30.0"
+const ClientVersion = "v0.31.0"

pkg/secrethub/credentials.go

@@ -1,6 +1,7 @@
 package secrethub
 
 import (
+	"github.com/secrethub/secrethub-go/internals/crypto"
 	"github.com/secrethub/secrethub-go/pkg/secrethub/iterator"
 
 	"github.com/secrethub/secrethub-go/internals/api"
@@ -17,23 +18,42 @@ type CredentialService interface {
 	List(_ *CredentialListParams) CredentialIterator
 }
 
-func newCredentialService(client *Client) CredentialService {
+func newCredentialService(client *Client, isAuthenticated func() bool, isKeyed func() bool) CredentialService {
 	return credentialService{
-		client: client,
+		client:          client,
+		isAuthenticated: isAuthenticated,
+		isKeyed:         isKeyed,
 	}
 }
 
 type credentialService struct {
-	client *Client
+	client          *Client
+	isAuthenticated func() bool
+	isKeyed         func() bool
 }
 
 // Create a new credential from the credentials.Creator for an existing account.
-// This includes a re-encrypted copy the the account key.
+// If the account is already keyed, the key is re-encrypted for the new credential.
+// If the account is not yet keyed, a new account key is also created.
 // Description is optional and can be left empty.
 func (s credentialService) Create(creator credentials.Creator, description string) (*api.Credential, error) {
-	accountKey, err := s.client.getAccountKey()
-	if err != nil {
-		return nil, err
+	if !s.isAuthenticated() {
+		return nil, ErrNoDecryptionKey
+	}
+
+	var accountKey crypto.RSAPrivateKey
+	var err error
+	if !s.isKeyed() {
+		accountKey, err = generateAccountKey()
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		key, err := s.client.getAccountKey()
+		if err != nil {
+			return nil, err
+		}
+		accountKey = *key
 	}
 
 	err = creator.Create()
@@ -47,7 +67,7 @@ func (s credentialService) Create(creator credentials.Creator, description strin
 		return nil, err
 	}
 
-	accountKeyRequest, err := s.client.createAccountKeyRequest(creator.Encrypter(), *accountKey)
+	accountKeyRequest, err := s.client.createAccountKeyRequest(creator.Encrypter(), accountKey)
 	if err != nil {
 		return nil, err
 	}

pkg/secrethub/credentials/setup_code.go

@@ -0,0 +1,33 @@
+package credentials
+
+import (
+	"fmt"
+	"net/http"
+
+	httpclient "github.com/secrethub/secrethub-go/pkg/secrethub/internals/http"
+
+	"github.com/secrethub/secrethub-go/internals/auth"
+)
+
+type SetupCode struct {
+	code string
+}
+
+// Provide implements the Provider interface for the setup code.
+// Note that no decrypter is ever returned as setup codes cannot be used to decrypt secrets.
+func (s *SetupCode) Provide(client *httpclient.Client) (auth.Authenticator, Decrypter, error) {
+	return s, nil, nil
+}
+
+func NewSetupCode(code string) *SetupCode {
+	return &SetupCode{
+		code: code,
+	}
+}
+
+// Authenticate authenticates the given request with a setup code, by providing the "SetupCode" tag and the setup code
+// in the "Authorization" header.
+func (s *SetupCode) Authenticate(r *http.Request) error {
+	r.Header.Set("Authorization", fmt.Sprintf("%s-%s %s", auth.AuthHeaderVersionV1, "SetupCode", s.code))
+	return nil
+}

pkg/secrethub/fakeclient/account.go

@@ -9,6 +9,7 @@ import (
 
 // AccountService is a mock of the AccountService interface.
 type AccountService struct {
+	MeFunc            func() (*api.Account, error)
 	GetFunc           func(name string) (*api.Account, error)
 	AccountKeyService secrethub.AccountKeyService
 }
@@ -21,3 +22,8 @@ func (s *AccountService) Keys() secrethub.AccountKeyService {
 func (s *AccountService) Get(name string) (*api.Account, error) {
 	return s.GetFunc(name)
 }
+
+// Me implements the AccountService interface Me function.
+func (s *AccountService) Me() (*api.Account, error) {
+	return s.MeFunc()
+}

pkg/secrethub/fakeclient/client.go

@@ -6,17 +6,21 @@ package fakeclient
 
 import "github.com/secrethub/secrethub-go/pkg/secrethub"
 
+var _ secrethub.ClientInterface = (*Client)(nil)
+
 // Client implements the secrethub.Client interface.
 type Client struct {
 	AccessRuleService *AccessRuleService
 	AccountService    *AccountService
+	CredentialService *CredentialService
 	DirService        *DirService
+	IDPLinkService    *IDPLinkService
+	MeService         *MeService
 	OrgService        *OrgService
 	RepoService       *RepoService
 	SecretService     *SecretService
 	ServiceService    *ServiceService
 	UserService       *UserService
-	secrethub.ClientInterface
 }
 
 // AccessRules implements the secrethub.Client interface.
@@ -36,7 +40,7 @@ func (c Client) Dirs() secrethub.DirService {
 
 // Me implements the secrethub.Client interface.
 func (c Client) Me() secrethub.MeService {
-	return nil
+	return c.MeService
 }
 
 // Orgs implements the secrethub.Client interface.
@@ -63,3 +67,11 @@ func (c Client) Services() secrethub.ServiceService {
 func (c Client) Users() secrethub.UserService {
 	return c.UserService
 }
+
+func (c Client) IDPLinks() secrethub.IDPLinkService {
+	return c.IDPLinkService
+}
+
+func (c Client) Credentials() secrethub.CredentialService {
+	return c.CredentialService
+}