feat: SecretProvider for storing/retrieving secrets

example/cmd/device-simple/Attribution.txt

@@ -42,6 +42,9 @@ https://github.com/globalsign/mgo/blob/master/LICENSE
 gopkg.in/yaml v2 (Apache 2.0) https://github.com/go-yaml/yaml/tree/v2
 https://github.com/go-yaml/yaml/blob/v2/LICENSE
 
+gopkg.in/yaml.v3 (MIT) https://github.com/go-yaml/yaml/tree/v3
+https://github.com/go-yaml/yaml/blob/v3/LICENSE
+
 google/uuid (BSD-3) https://github.com/google/uuid
 https://github.com/google/uuid/blob/master/LICENSE
 

example/cmd/device-simple/res/configuration.toml

@@ -1,5 +1,12 @@
 [Writable]
 LogLevel = 'INFO'
+  # Example InsecureSecrets configuration that simulates SecretStore for when EDGEX_SECURITY_SECRET_STORE=false
+  [Writable.InsecureSecrets]
+    [Writable.InsecureSecrets.Sample]
+    path = "sample"
+      [Writable.InsecureSecrets.Sample.Secrets]
+      username = ""
+      password = ""
 
 [Service]
 BootTimeout = 30000
@@ -30,6 +37,23 @@ Type = 'consul'
   Host = 'localhost'
   Port = 48081
 
+# Example SecretStore configuration.
+# Only used when EDGEX_SECURITY_SECRET_STORE=true
+# Must also add `ADD_SECRETSTORE_TOKENS: "device-simple"` to vault-worker environment so it generates
+# the token and secret store in vault for 'device-simple'
+[SecretStore]
+Host = 'localhost'
+Port = 8200
+Path = '/v1/secret/edgex/device-simple/'
+Protocol = 'http'
+RootCaCertPath = ''
+ServerName = ''
+TokenFile = '/tmp/edgex/secrets/device-simple/secrets-token.json'
+AdditionalRetryAttempts = 10
+RetryWaitPeriod = "1s"
+  [SecretStore.Authentication]
+  AuthType = 'X-Vault-Token'
+
 [Device]
   DataTransform = true
   InitCmd = ''

go.mod

@@ -3,13 +3,13 @@ module github.com/edgexfoundry/device-sdk-go
 require (
 	bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-0eeff89b0690
 	github.com/OneOfOne/xxhash v1.2.8
-	github.com/edgexfoundry/go-mod-bootstrap v0.0.60
-	github.com/edgexfoundry/go-mod-core-contracts v0.1.115
-	github.com/edgexfoundry/go-mod-registry v0.1.26
+	github.com/edgexfoundry/go-mod-bootstrap v0.0.68
+	github.com/edgexfoundry/go-mod-core-contracts v0.1.135
+	github.com/edgexfoundry/go-mod-registry v0.1.27
 	github.com/fxamacker/cbor/v2 v2.2.0
 	github.com/google/uuid v1.1.2
 	github.com/gorilla/mux v1.8.0
-	github.com/stretchr/testify v1.5.1
+	github.com/stretchr/testify v1.6.1
 	gopkg.in/yaml.v2 v2.4.0
 )
 

internal/autoevent/executor_test.go

@@ -20,7 +20,7 @@ func TestCompareReadings(t *testing.T) {
 	readings[2] = contract.Reading{Name: "Pressure", Value: "3"}
 	readings[3] = contract.Reading{Name: "Image", BinaryValue: []byte("This is a image")}
 
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	autoEvent := contract.AutoEvent{Frequency: "500ms"}
 	e, err := NewExecutor("hasBinaryTrue", autoEvent)
 	if err != nil {

internal/cache/init_test.go

@@ -21,7 +21,7 @@ import (
 
 func TestInitCache(t *testing.T) {
 	serviceName := "init-cache-test"
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	vdc := &mock.ValueDescriptorMock{}
 	dc := &mock.DeviceClientMock{}
 	pwc := &mock.ProvisionWatcherClientMock{}

internal/clients/init_test.go

@@ -24,7 +24,7 @@ func TestCheckServiceAvailableByPingWithTimeoutError(test *testing.T) {
 		},
 	}
 	config := &common.ConfigurationStruct{Clients: clientConfig}
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 
 	err := checkServiceAvailableByPing(common.ClientData, config, lc)
 	if err, ok := err.(net.Error); ok && !err.Timeout() {

internal/common/config.go

@@ -26,6 +26,8 @@ type ConfigurationStruct struct {
 	DeviceList []DeviceConfig `consul:"-"`
 	// Driver is a string map contains customized configuration for the protocol driver implemented based on Device SDK
 	Driver map[string]string
+	// SecretStore contains information for connecting to the secure SecretStore (Vault) to retrieve or store secrets
+	SecretStore bootstrapConfig.SecretStoreInfo
 }
 
 // UpdateFromRaw converts configuration received from the registry to a service-specific configuration struct which is
@@ -64,9 +66,10 @@ func (c *ConfigurationStruct) UpdateWritableFromRaw(rawWritable interface{}) boo
 // into an bootstrapConfig.BootstrapConfiguration struct contained within ConfigurationStruct).
 func (c *ConfigurationStruct) GetBootstrap() bootstrapConfig.BootstrapConfiguration {
 	return bootstrapConfig.BootstrapConfiguration{
-		Clients:  c.Clients,
-		Service:  c.Service.GetBootstrapServiceInfo(),
-		Registry: c.Registry,
+		Clients:     c.Clients,
+		Service:     c.Service.GetBootstrapServiceInfo(),
+		Registry:    c.Registry,
+		SecretStore: c.SecretStore,
 	}
 }
 
@@ -79,3 +82,8 @@ func (c *ConfigurationStruct) GetLogLevel() string {
 func (c *ConfigurationStruct) GetRegistryInfo() bootstrapConfig.RegistryInfo {
 	return c.Registry
 }
+
+// GetInsecureSecrets returns the service's InsecureSecrets.
+func (c *ConfigurationStruct) GetInsecureSecrets() bootstrapConfig.InsecureSecrets {
+	return c.Writable.InsecureSecrets
+}

internal/common/types.go

@@ -16,7 +16,8 @@ import (
 // WritableInfo is a struct which contains configuration settings that can be changed in the Registry .
 type WritableInfo struct {
 	// Level is the logging level of writing log message
-	LogLevel string
+	LogLevel        string
+	InsecureSecrets bootstrapConfig.InsecureSecrets
 }
 
 // ServiceInfo is a struct which contains service related configuration
@@ -57,7 +58,7 @@ type ServiceInfo struct {
 // DeviceInfo is a struct which contains device specific configuration settings.
 type DeviceInfo struct {
 	// DataTransform specifies whether or not the DS perform transformations
-	// specified by valuedescriptor on a actuation or query command.
+	// specified by value descriptor on a actuation or query command.
 	DataTransform bool
 	// InitCmd specifies a device resource command which is automatically
 	// generated whenever a new device is added to the DS.
@@ -68,15 +69,15 @@ type DeviceInfo struct {
 	// can be sent to a Driver in a single command.
 	MaxCmdOps int
 	// MaxCmdValueLen is the maximum string length of a command parameter or
-	// result (including the valuedescriptor name) that can be returned
+	// result (including the value descriptor name) that can be returned
 	// by a Driver.
 	MaxCmdValueLen int
 	// InitCmd specifies a device resource command which is automatically
 	// generated whenever a new device is removed from the DS.
 	RemoveCmd string
 	// RemoveCmdArgs specify arguments to be used when building the RemoveCmd.
 	RemoveCmdArgs string
-	// ProfilesDir specifies a directory which contains deviceprofile
+	// ProfilesDir specifies a directory which contains device profiles
 	// files which should be imported on startup.
 	ProfilesDir string
 	// UpdateLastConnected specifies whether to update device's LastConnected

internal/common/utils_test.go

@@ -107,7 +107,7 @@ func TestFilterQueryParams(t *testing.T) {
 			fmt.Sprintf("%sname", SDKReservedPrefix), false},
 	}
 
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	for _, tt := range tests {
 		actual := FilterQueryParams(tt.query, lc)
 		if _, ok := actual[tt.key]; ok != tt.expected {

internal/controller/restfuncs_test.go

@@ -47,7 +47,7 @@ func TestCallback(t *testing.T) {
 		{"Invalid id", http.MethodPut, `{"id":"","type":"DEVICE"}`, http.StatusBadRequest},
 	}
 
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	deviceClient := &mock.DeviceClientMock{}
 	ds := contract.DeviceService{}
 	dic := di.NewContainer(di.ServiceConstructorMap{
@@ -85,7 +85,7 @@ func TestCallback(t *testing.T) {
 
 // Test Command REST call when service is locked.
 func TestCommandServiceLocked(t *testing.T) {
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	ds := contract.DeviceService{
 		AdminState: contract.Locked,
 	}
@@ -122,7 +122,7 @@ func TestCommandServiceLocked(t *testing.T) {
 // TestCommandNoDevice tests the command REST call when the given deviceId doesn't
 // specify an existing device.
 func TestCommandNoDevice(t *testing.T) {
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	ds := contract.DeviceService{}
 	dc := &mock.DeviceClientMock{}
 	vdc := &mock.ValueDescriptorMock{}

internal/controller/restrouter_test.go

@@ -42,7 +42,7 @@ func TestAddRoute(t *testing.T) {
 		{"Reserved Route", common.APIVersionRoute, true},
 	}
 
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	dic := di.NewContainer(di.ServiceConstructorMap{
 		bootstrapContainer.LoggingClientInterfaceName: func(get di.Get) interface{} {
 			return lc
@@ -89,7 +89,7 @@ func TestAddRoute(t *testing.T) {
 }
 
 func TestInitRestRoutes(t *testing.T) {
-	lc := logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc := logger.NewMockClient()
 	dic := di.NewContainer(di.ServiceConstructorMap{
 		bootstrapContainer.LoggingClientInterfaceName: func(get di.Get) interface{} {
 			return lc

internal/handler/command_test.go

@@ -69,7 +69,7 @@ func init() {
 	pwc = &mock.ProvisionWatcherClientMock{}
 	dc = &mock.DeviceClientMock{}
 	ec = &mock.EventClientMock{}
-	lc = logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc = logger.NewMockClient()
 	driver = &mock.DriverMock{}
 	deviceInfo := common.DeviceInfo{DataTransform: true, MaxCmdOps: 128}
 	configuration = &common.ConfigurationStruct{Device: deviceInfo}

internal/transformer/transformresult_test.go

@@ -20,7 +20,7 @@ import (
 var lc logger.LoggingClient
 
 func init() {
-	lc = logger.NewClientStdOut("device-sdk-test", false, "DEBUG")
+	lc = logger.NewMockClient()
 }
 
 func TestTransformReadResult_base_unt8(t *testing.T) {