internal/secret: add flag support

To avoid hardcoding secret names everywhere, we want to pass them via
flags instead. As a convenience, introduce a new flag type that resolves
values of the form "secret:[project name/]<secret name>" using Secret
Manager.

This is a bit janky in the name of convenience: we need a SM client
before calling flag.Parse, which I decided should be initialized by the
user rather than implicitly. Typical usage will look like:

  var token = secret.Flag("token", "token used to do the thing")

  func main() {
    if err := secret.InitFlagSupport(context.Background()); err != nil {
      log.Fatal(err)
    }
    flag.Parse()
    fmt.Printf("My token is %v\n", *token)
  }

Supporting literal values might be unnecessary but I think it might be
helpful for local testing, and we can extend it with a file: prefix to
read from local files too.

For golang/go#51122.

Change-Id: Ie6102453c2242baf2e91b873e62e035f72a82584
Reviewed-on: https://go-review.googlesource.com/c/build/+/385185
Trust: Heschi Kreinick <[email protected]>
Run-TryBot: Heschi Kreinick <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Heschi Kreinick <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: heschi

internal/secret/flag.go

@@ -0,0 +1,83 @@
+package secret
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"strings"
+
+	"cloud.google.com/go/compute/metadata"
+	secretmanager "cloud.google.com/go/secretmanager/apiv1"
+	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
+)
+
+// FlagResolver contains the dependencies necessary to resolve a Secret flag.
+type FlagResolver struct {
+	Context          context.Context
+	Client           secretClient
+	DefaultProjectID string
+}
+
+// Flag declares a string flag on set that will be resolved using r.
+func (r *FlagResolver) Flag(set *flag.FlagSet, name string, usage string) *string {
+	var value string
+	suffixedUsage := usage + " [ specify `secret:[project name/]<secret name>` to read from Secret Manager ]"
+	set.Func(name, suffixedUsage, func(flagValue string) error {
+		if r.Client == nil || r.Context == nil {
+			return fmt.Errorf("secret resolver was not initialized")
+		}
+		if !strings.HasPrefix(flagValue, "secret:") {
+			value = flagValue
+			return nil
+		}
+
+		secretName := strings.TrimPrefix(flagValue, "secret:")
+		projectID := r.DefaultProjectID
+		if parts := strings.SplitN(secretName, "/", 2); len(parts) == 2 {
+			projectID, secretName = parts[0], parts[1]
+		}
+		if projectID == "" {
+			return fmt.Errorf("missing project ID: none specified in %q, and no default set (not on GCP?)", secretName)
+		}
+		r, err := r.Client.AccessSecretVersion(r.Context, &secretmanagerpb.AccessSecretVersionRequest{
+			Name: buildNamePath(projectID, secretName, "latest"),
+		})
+		if err != nil {
+			return fmt.Errorf("reading secret %q from project %v failed: %v", secretName, projectID, err)
+		}
+		value = string(r.Payload.GetData())
+		return nil
+	})
+	return &value
+}
+
+// DefaultResolver is the FlagResolver used by the convenience functions.
+var DefaultResolver FlagResolver
+
+// Flag declares a string flag on flag.CommandLine that supports Secret Manager
+// resolution for values like "secret:<secret name>". InitFlagSupport must be
+// called before flag.Parse.
+func Flag(name string, usage string) *string {
+	return DefaultResolver.Flag(flag.CommandLine, name, usage)
+}
+
+// InitFlagSupport initializes the dependencies for flags declared with Flag.
+func InitFlagSupport(ctx context.Context) error {
+	client, err := secretmanager.NewClient(ctx)
+	if err != nil {
+		return err
+	}
+	DefaultResolver = FlagResolver{
+		Context: ctx,
+		Client:  client,
+	}
+	if metadata.OnGCE() {
+		projectID, err := metadata.ProjectID()
+		if err != nil {
+			return err
+		}
+		DefaultResolver.DefaultProjectID = projectID
+	}
+
+	return nil
+}

internal/secret/gcp_secret_manager_test.go

@@ -6,6 +6,7 @@ package secret
 
 import (
 	"context"
+	"flag"
 	"fmt"
 	"testing"
 
@@ -138,3 +139,47 @@ func TestBuildNamePath(t *testing.T) {
 		t.Errorf("BuildVersionNumber(%s, %s, %s) = %q; want=%q", "x", "y", "z", got, want)
 	}
 }
+
+func TestFlag(t *testing.T) {
+	r := &FlagResolver{
+		Context: context.Background(),
+		Client: &fakeSecretClient{
+			accessSecretMap: map[string]string{
+				buildNamePath("project1", "secret1", "latest"): "supersecret",
+				buildNamePath("project2", "secret2", "latest"): "tippytopsecret",
+			},
+		},
+		DefaultProjectID: "project1",
+	}
+
+	tests := []struct {
+		flagVal, wantVal string
+		wantErr          bool
+	}{
+		{"hey", "hey", false},
+		{"secret:secret1", "supersecret", false},
+		{"secret:project2/secret2", "tippytopsecret", false},
+		{"secret:foo", "", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.flagVal, func(t *testing.T) {
+			fs := flag.NewFlagSet("", flag.ContinueOnError)
+			fs.Usage = func() {} // Minimize console spam; can't prevent it entirely.
+			flagVal := r.Flag(fs, "testflag", "usage")
+			err := fs.Parse([]string{"--testflag", tt.flagVal})
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("flag parsing succeeded, should have failed")
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("flag parsing failed: %v", err)
+			}
+			if *flagVal != tt.wantVal {
+				t.Errorf("flag value = %q, want %q", *flagVal, "hey")
+			}
+		})
+	}
+}