refactor: Refactor to be proper abstraction of a SecretStore

No longer leak that Vault is the only implementation
Add Type to the configuration and factory method, so it will error if not set
Move SecretStore client from edgex-go in to this abstraction
Now have to interfaces that the vault wrapper implements, which are SecretsClient & SecretStoreClient

closes #87

BREAKING CHANGE: All existing SecretStore configuration must add `Type = 'vault'`

Signed-off-by: lenny <[email protected]>

Author: lenny

internal/pkg/vault/client.go

@@ -0,0 +1,101 @@
+/*******************************************************************************
+ * Copyright 2019 Dell Inc.
+ * Copyright 2021 Intel Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ *******************************************************************************/
+
+package vault
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"github.com/edgexfoundry/go-mod-secrets/v2/pkg"
+	"github.com/edgexfoundry/go-mod-secrets/v2/pkg/types"
+
+	"github.com/edgexfoundry/go-mod-core-contracts/v2/clients/logger"
+)
+
+// *Client defines the behavior for interacting with the Vault REST secret key/value store via HTTP(S).
+type Client struct {
+	Config     types.SecretConfig
+	HttpCaller pkg.Caller
+	lc         logger.LoggingClient
+	context    context.Context
+}
+
+// NewVaultClient constructs a Vault *Client which communicates with Vault via HTTP(S)
+//
+// lc is any logging client that implements the loggingClient interface;
+// today EdgeX's logger.LoggingClient from go-mod-core-contracts satisfies this implementation
+//
+func NewClient(config types.SecretConfig, requester pkg.Caller, forSecrets bool, lc logger.LoggingClient) (*Client, error) {
+	if forSecrets && config.Authentication.AuthToken == "" {
+		return nil, pkg.NewErrSecretStore("AuthToken is required in config")
+	}
+
+	var err error
+	if requester == nil {
+		requester, err = createHTTPClient(config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if config.RetryWaitPeriod != "" {
+		retryTimeDuration, err := time.ParseDuration(config.RetryWaitPeriod)
+		if err != nil {
+			return nil, err
+		}
+		config.RetryWaitPeriodTime = retryTimeDuration
+	}
+
+	vaultClient := Client{
+		Config:     config,
+		HttpCaller: requester,
+		lc:         lc,
+	}
+
+	return &vaultClient, err
+}
+
+func createHTTPClient(config types.SecretConfig) (pkg.Caller, error) {
+
+	if config.RootCaCertPath == "" {
+		return http.DefaultClient, nil
+	}
+
+	// Read and load the CA Root certificate so the client will be able to use TLS without skipping the verification of
+	// the cert received by the server.
+	caCert, err := ioutil.ReadFile(config.RootCaCertPath)
+	if err != nil {
+		return nil, ErrCaRootCert{
+			path:        config.RootCaCertPath,
+			description: err.Error(),
+		}
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs:    caCertPool,
+				ServerName: config.ServerName,
+			},
+		},
+	}, nil
+}

internal/pkg/vault/client_test.go

@@ -0,0 +1,63 @@
+//
+// Copyright (c) 2021 Intel Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+// in compliance with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software distributed under the License
+// is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+// or implied. See the License for the specific language governing permissions and limitations under
+// the License.
+//
+
+package vault
+
+import (
+	"testing"
+
+	"github.com/edgexfoundry/go-mod-core-contracts/v2/clients/logger"
+	"github.com/stretchr/testify/require"
+
+	"github.com/edgexfoundry/go-mod-secrets/v2/pkg/types"
+)
+
+func TestNewClient(t *testing.T) {
+	mockLogger := logger.NewMockClient()
+
+	validConfig := types.SecretConfig{
+		RootCaCertPath: "", // Leave empty so it uses default HTTP Client
+		Authentication: types.AuthenticationInfo{
+			AuthToken: "my-unit-test-token",
+		},
+		RetryWaitPeriod: "1ms",
+	}
+	noToken := validConfig
+	noToken.Authentication.AuthToken = ""
+	badWaitPeriod := validConfig
+	badWaitPeriod.RetryWaitPeriod = "n/a"
+
+	tests := []struct {
+		Name        string
+		Config      types.SecretConfig
+		ExpectError bool
+	}{
+		{"Valid", validConfig, false},
+		{"Invalid - no token", noToken, true},
+		{"Invalid - bad wait period", badWaitPeriod, true},
+	}
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			client, err := NewClient(test.Config, nil, true, mockLogger)
+			if test.ExpectError {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.NotNil(t, client)
+		})
+	}
+}

internal/pkg/vault/constants.go

@@ -0,0 +1,39 @@
+/*******************************************************************************
+ * Copyright 2019 Dell Inc.
+ * Copyright 2021 Intel Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ *******************************************************************************/
+
+package vault
+
+const (
+	// NamespaceHeader specifies the header name to use when including Namespace information in a request.
+	NamespaceHeader = "X-Vault-Namespace"
+	AuthTypeHeader  = "X-Vault-Token"
+
+	HealthAPI             = "/v1/sys/health"
+	InitAPI               = "/v1/sys/init"
+	UnsealAPI             = "/v1/sys/unseal"
+	CreatePolicyPath      = "/v1/sys/policies/acl/%s"
+	CreateTokenAPI        = "/v1/auth/token/create"
+	ListAccessorsAPI      = "/v1/auth/token/accessors"
+	RevokeAccessorAPI     = "/v1/auth/token/revoke-accessor"
+	LookupAccessorAPI     = "/v1/auth/token/lookup-accessor"
+	LookupSelfAPI         = "/v1/auth/token/lookup-self"
+	RevokeSelfAPI         = "/v1/auth/token/revoke-self"
+	RootTokenControlAPI   = "/v1/sys/generate-root/attempt"
+	RootTokenRetrievalAPI = "/v1/sys/generate-root/update"
+	MountsAPI             = "/v1/sys/mounts"
+
+	lookupSelfVaultAPI = "/v1/auth/token/lookup-self"
+	renewSelfVaultAPI  = "/v1/auth/token/renew-self"
+)

pkg/providers/vault/errors.go internal/pkg/vault/errors.go

@@ -1,6 +1,6 @@
 /*******************************************************************************
  * Copyright 2019 Dell Inc.
- * Copyright 2020 Intel Corp.
+ * Copyright 2021 Intel Corp.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License. You may obtain a copy of the License at