Adds GCP SecretManager as Secrets source (#32)

.git-secrets.json

@@ -1,17 +1,31 @@
 {
-  "$schema": "https://raw.githubusercontent.com/benammann/git-secrets/dev-beta/schema/def/v1.json",
+  "$schema": "schema/def/v1.json",
   "version": 1,
   "context": {
     "default": {
       "decryptSecret": {
         "fromName": "gitsecretspublicnew"
       },
       "secrets": {
-        "crToken": "sybpBnwiGQ+TmsIL00ordYwVMS44FLcN7gEsQ0uSNQNhH1WFE/qW/7CuMyYrHGo/AL+fJs/WAcayW5qHaq6cAw=="
+        "crToken": {
+          "gcp": {
+            "resourceId": "projects/806001934377/secrets/git-secrets-dockerhub-ci-token/versions/1"
+          }
+        }
       },
       "configs": {
         "crUser": "benammann"
       }
     }
+  },
+  "renderFiles": {
+    "env": {
+      "files": [
+        {
+          "fileIn": ".env.dist",
+          "fileOut": ".env"
+        }
+      ]
+    }
   }
 }

.github/workflows/goreleaser-dev.yml

@@ -0,0 +1,31 @@
+name: Release brew package
+
+on:
+  push:
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Fetch all tags
+        run: git fetch --force --tags
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.19
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}

.gitignore

@@ -8,3 +8,4 @@ dist/
 node_modules
 .temp
 .cache
+bin

Makefile

@@ -1,2 +1,5 @@
 watch:
-	CompileDaemon
+	CompileDaemon --build "go build -o bin/git-secrets ."
+
+tests:
+	go test ./...

cmd/auth.go

@@ -0,0 +1,57 @@
+/*
+Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+
+*/
+package cmd
+
+import (
+	"fmt"
+	gcp_auth "github.com/benammann/git-secrets/pkg/gcp/auth"
+	"github.com/spf13/cobra"
+)
+
+
+var authCmd = &cobra.Command{
+	Use:   "auth",
+	Short: "Authentication commands for remote secret managers",
+	Run: func(cmd *cobra.Command, args []string) {
+		cmd.Help()
+	},
+}
+
+var authGcpCmd = &cobra.Command{
+	Use: "gcp",
+	Short: "Authenticate against GoogleCloud using gcloud-cli",
+	RunE: func(cmd *cobra.Command, args []string) error {
+
+		force, _ := cmd.Flags().GetBool(FlagForce)
+
+		isAuthenticated, errAuth := gcp_auth.IsAuthenticated()
+		cobra.CheckErr(errAuth)
+
+		if isAuthenticated && force == false {
+			fmt.Println("you are already authenticated. Use --force if you still want to continue")
+			return nil
+		}
+
+		cobra.CheckErr(gcp_auth.Authenticate())
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(authCmd)
+
+	authCmd.AddCommand(authGcpCmd)
+	authGcpCmd.Flags().Bool(FlagForce, false, "Use --force to ignore existing gcp authentication")
+
+	// Here you will define your flags and configuration settings.
+
+	// Cobra supports Persistent Flags which will work for this command
+	// and all subcommands, e.g.:
+	// authCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+	// Cobra supports local flags which will only run when this command
+	// is called directly, e.g.:
+	// authCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}

cmd/gcp_credentials.go

@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+	"path/filepath"
+)
+
+// setGcpCredentialsCmd represents the globalSecrets command
+var setGcpCredentialsCmd = &cobra.Command{
+	Use:   "gcp-credentials",
+	Short: "Write a secret to the global configuration",
+	Example: `
+git secrets set global-secret <secretKey>: sets the global secret from terminal input
+git secrets set global-secret <secretKey> --value $MY_SECRET_VALUE_STORED_IN_ENV: sets the global secret value from --value parameter (insecure)
+`,
+	Aliases: []string{"global-secrets", "gs"},
+	Args:    cobra.ExactArgs(2),
+	Run: func(cmd *cobra.Command, args []string) {
+
+		isForce, _ := cmd.Flags().GetBool(FlagForce)
+		secretKey := args[0]
+		pathToFile := args[1]
+
+		absFilePath, errAbs := filepath.Abs(pathToFile)
+		cobra.CheckErr(errAbs)
+
+		errWrite := globalCfg.SetGcpCredentials(secretKey, absFilePath, isForce)
+		if errWrite != nil {
+			cobra.CheckErr(fmt.Errorf("could not write config: %s", errWrite.Error()))
+		}
+
+		fmt.Printf("%s written.\n", secretKey)
+
+	},
+}
+
+func init() {
+	setCmd.AddCommand(setGcpCredentialsCmd)
+
+	setGcpCredentialsCmd.Flags().Bool(FlagForce, false, "Force overwrite existing secret: You may loose your master password!")
+
+	// Here you will define your flags and configuration settings.
+
+	// Cobra supports Persistent Flags which will work for this command
+	// and all subcommands, e.g.:
+	// getGlobalSecretsCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+	// Cobra supports local flags which will only run when this command
+	// is called directly, e.g.:
+	// getGlobalSecretsCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}
+

cmd/get.go

@@ -54,7 +54,7 @@ git secrets get secret <secretName> -c prod
 		if secretEntry == nil {
 			cobra.CheckErr(fmt.Errorf("the secret %s does not exist on context %s", secretKey, selectedContext.Name))
 		}
-		decodedValue, errDecode := secretEntry.Decode()
+		decodedValue, errDecode := secretEntry.GetPlainValue(cmd.Context())
 		if errDecode != nil {
 			cobra.CheckErr(fmt.Errorf("could not decode secret %s: %s", secretKey, errDecode.Error()))
 		}

cmd/info.go

@@ -61,7 +61,7 @@ git secrets info -d -c prod: Decodes all secrets from the prod context
 
 		shouldDecode, _ := cmd.Flags().GetBool(InfoCmdFlagDecode)
 
-		tableHeader := []string{"Secret Name", "Origin Context"}
+		tableHeader := []string{"Secret Name", "Origin Context", "Type"}
 		if shouldDecode {
 			tableHeader = append(tableHeader, "Decoded Value")
 		}
@@ -70,11 +70,11 @@ git secrets info -d -c prod: Decodes all secrets from the prod context
 
 		for _, secret := range projectCfg.GetCurrentSecrets() {
 
-			tableRow := []string{secret.Name, secret.OriginContext.Name}
+			tableRow := []string{secret.GetName(), secret.GetOriginContext().Name, secret.GetType()}
 			if shouldDecode {
-				decodedValue, errDecode := secret.Decode()
+				decodedValue, errDecode := secret.GetPlainValue(cmd.Context())
 				if errDecode != nil {
-					fmt.Printf("Could not decode %s: %s\n", secret.Name, errDecode.Error())
+					fmt.Printf("Could not decode %s: %s\n", secret.GetName(), errDecode.Error())
 					continue
 				}
 				tableRow = append(tableRow, decodedValue)

cmd/render.go

@@ -81,7 +81,7 @@ git secrets render <targetName> --debug: Render and write the rendering target
 		for _, fileToRender := range filesToRender {
 
 			if isDryRun {
-				usedContext, fileContents, errRender := renderingEngine.RenderFile(fileToRender)
+				usedContext, fileContents, errRender := renderingEngine.RenderFile(cmd.Context(), fileToRender)
 				if isDebug {
 					fmt.Println(fileToRender.FileIn)
 					if usedContext != nil {
@@ -95,7 +95,7 @@ git secrets render <targetName> --debug: Render and write the rendering target
 				}
 				fmt.Println(fileContents)
 			} else {
-				usedContext, errWrite := renderingEngine.WriteFile(fileToRender)
+				usedContext, errWrite := renderingEngine.WriteFile(cmd.Context(), fileToRender)
 				if isDebug && usedContext != nil {
 					fmt.Println(fileToRender.FileIn)
 					renderContextJson, _ := json.MarshalIndent(usedContext, "", "  ")

cmd/root.go

@@ -1,16 +1,19 @@
 package cmd
 
 import (
+	"context"
 	config_const "github.com/benammann/git-secrets/pkg/config/const"
 	config_generic "github.com/benammann/git-secrets/pkg/config/generic"
 	global_config "github.com/benammann/git-secrets/pkg/config/global"
 	"github.com/benammann/git-secrets/pkg/render"
+	"github.com/benammann/git-secrets/pkg/utility"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"os"
 	"strings"
-
-	"github.com/spf13/viper"
+	"sync"
+	"time"
 )
 
 var fs = afero.NewOsFs()
@@ -31,7 +34,10 @@ var contextName string
 
 var overwrittenSecrets []string
 
+var waitGroupSize = 0
+
 const FlagValue = "value"
+const FlagResourceId = "resourceId"
 const FlagForce = "force"
 const FlagDebug = "debug"
 const FlagDryRun = "dry-run"
@@ -64,7 +70,37 @@ func Execute(buildVersion string, buildCommit string, buildDate string) {
 	version = buildVersion
 	commit = buildCommit
 	date = buildDate
-	cobra.CheckErr(rootCmd.Execute())
+
+	ctx := utility.NewChannelContext()
+	addChannel, doneChannel := utility.GetContextChannels(ctx)
+	ctx, cancel := context.WithCancel(ctx)
+
+	var waitGroup sync.WaitGroup
+	timeout, _ := context.WithTimeout(context.Background(), time.Second * 5)
+
+	go func() {
+		for {
+			select {
+			case val := <-addChannel:
+				waitGroupSize = waitGroupSize + val
+				waitGroup.Add(val)
+			case <-doneChannel:
+				waitGroup.Done()
+				waitGroupSize--
+			case <-timeout.Done():
+				for waitGroupSize > 0 {
+					waitGroup.Done()
+					waitGroupSize--
+				}
+			}
+		}
+	}()
+
+	cobra.CheckErr(rootCmd.ExecuteContext(ctx))
+	cancel()
+
+	waitGroup.Wait()
+
 }
 
 func init() {

cmd/scan.go

@@ -15,7 +15,7 @@ import (
 )
 
 type DecodedSecret struct {
-	secret       *config_generic.Secret
+	secret       config_generic.Secret
 	decodedValue string
 }
 
@@ -48,9 +48,9 @@ var scanCmd = &cobra.Command{
 		for _, context := range projectCfg.GetContexts() {
 			contextSecrets := projectCfg.GetSecretsByContext(context.Name)
 			for _, secret := range contextSecrets {
-				decodedValue, errDecode := secret.Decode()
+				decodedValue, errDecode := secret.GetPlainValue(cmd.Context())
 				if errDecode != nil {
-					color.Yellow("Warning: could not decode secret %s from context %s, skipping this secret\n", secret.Name, secret.OriginContext.Name)
+					color.Yellow("Warning: could not decode secret %s from context %s, skipping this secret\n", secret.GetName(), secret.GetOriginContext().Name)
 					continue
 				}
 				decodedSecrets = append(decodedSecrets, &DecodedSecret{secret: secret, decodedValue: decodedValue})
@@ -149,7 +149,7 @@ var scanCmd = &cobra.Command{
 			}
 
 			for _, leakedSecret := range leakedSecrets {
-				fmt.Printf("%s:%s - secret %s from context %s is present\n", red(leakedSecret.fileName), yellow(leakedSecret.line), yellow(leakedSecret.secret.secret.Name), yellow(leakedSecret.secret.secret.OriginContext.Name))
+				fmt.Printf("%s:%s - secret %s from context %s is present\n", red(leakedSecret.fileName), yellow(leakedSecret.line), yellow(leakedSecret.secret.secret.GetName()), yellow(leakedSecret.secret.secret.GetOriginContext().Name))
 				fmt.Printf("%s%d | %s\n\n", yellow("> "), leakedSecret.line, leakedSecret.lineContent)
 			}