feat(secrets): Improve error handling of user secrets

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/SecretEngineRegistry.java

@@ -17,6 +17,8 @@
 package com.netflix.spinnaker.kork.secrets;
 
 import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 import javax.annotation.Nullable;
 import lombok.RequiredArgsConstructor;
@@ -28,6 +30,13 @@
 public class SecretEngineRegistry {
   private final ObjectProvider<SecretEngine> secretEngines;
 
+  // This is used by the Armory kubesvc plugin
+  public Map<String, SecretEngine> getRegisteredEngines() {
+    return secretEngines
+        .orderedStream()
+        .collect(Collectors.toMap(SecretEngine::identifier, Function.identity()));
+  }
+
   public List<SecretEngine> getSecretEngineList() {
     return secretEngines.orderedStream().collect(Collectors.toList());
   }

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/SecretError.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets;
+
+import com.netflix.spinnaker.kork.exceptions.HasAdditionalAttributes;
+
+/** Common interface for exceptions that have a corresponding {@link SecretErrorCode}. */
+public interface SecretError extends HasAdditionalAttributes {
+  /** Returns the error code constant for this error. */
+  String getErrorCode();
+
+  /** Returns the exception message provided by this error. */
+  String getMessage();
+}

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/SecretErrorCode.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets;
+
+import lombok.Getter;
+
+/** Standard error codes and messages for various secret errors. */
+public enum SecretErrorCode implements SecretError {
+  /** @see com.netflix.spinnaker.kork.secrets.user.InvalidUserSecretReferenceException */
+  INVALID_USER_SECRET_URI("user.format.invalid", "Invalid user secret URI format"),
+  /** @see com.netflix.spinnaker.kork.secrets.user.MissingUserSecretMetadataException */
+  MISSING_USER_SECRET_METADATA("user.metadata.missing", "Missing user secret metadata"),
+  /** @see com.netflix.spinnaker.kork.secrets.user.InvalidUserSecretMetadataException */
+  INVALID_USER_SECRET_METADATA("user.metadata.invalid", "Invalid user secret metadata"),
+  /** @see com.netflix.spinnaker.kork.secrets.user.UnsupportedUserSecretEngineException */
+  UNSUPPORTED_USER_SECRET_ENGINE(
+      "user.engine.unsupported", "SecretEngine does not support user secrets"),
+  /** @see com.netflix.spinnaker.kork.secrets.user.UnsupportedUserSecretEncodingException */
+  UNSUPPORTED_USER_SECRET_ENCODING(
+      "user.encoding.unsupported", "Unsupported user secret 'encoding'"),
+  /** @see com.netflix.spinnaker.kork.secrets.user.UnsupportedUserSecretTypeException */
+  UNSUPPORTED_USER_SECRET_TYPE("user.type.unsupported", "Unsupported user secret 'type'"),
+  /** @see com.netflix.spinnaker.kork.secrets.user.InvalidUserSecretDataException */
+  INVALID_USER_SECRET_DATA("user.data.invalid", "Invalid user secret data"),
+  /** @see SecretDecryptionException */
+  USER_SECRET_DECRYPTION_FAILURE("user.decrypt.failure", "Unable to decrypt user secret"),
+  DENIED_ACCESS_TO_USER_SECRET("user.access.deny", "Denied access to user secret"),
+  MISSING_USER_SECRET_DATA_KEY("user.data.missing", "Missing user secret data for requested key"),
+  INVALID_EXTERNAL_SECRET_URI("external.format.invalid", "Invalid external secret URI format"),
+  /** @see SecretDecryptionException */
+  EXTERNAL_SECRET_DECRYPTION_FAILURE(
+      "external.decrypt.failure", "Unable to decrypt external secret"),
+  DENIED_ACCESS_TO_EXTERNAL_SECRET("external.access.deny", "Denied access to external secret"),
+  /** @see UnsupportedSecretEngineException */
+  UNSUPPORTED_SECRET_ENGINE("engine.unsupported", "Unsupported secret engine identifier"),
+  ;
+
+  @Getter private final String errorCode;
+  @Getter private final String message;
+
+  SecretErrorCode(String errorCode, String message) {
+    this.errorCode = "secrets." + errorCode;
+    this.message = message;
+  }
+}

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/SecretReferenceValidator.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets;
+
+import com.netflix.spinnaker.kork.annotations.NonnullByDefault;
+import com.netflix.spinnaker.kork.secrets.user.UserSecret;
+import com.netflix.spinnaker.kork.secrets.user.UserSecretReference;
+import java.util.Optional;
+
+/**
+ * Validation strategy for checking strings for possible secret references and validating that the
+ * current authenticated user (if available) is allowed to use it.
+ */
+@NonnullByDefault
+public interface SecretReferenceValidator {
+  /**
+   * Checks the given string to see if it is a valid {@link UserSecretReference} or {@link
+   * EncryptedSecret} URI and performs validation on the referenced secret. If the given string does
+   * not match {@link UserSecretReference#isUserSecret(String)} or {@link
+   * EncryptedSecret#isEncryptedSecret(String)}, then this will not validate the string any further.
+   *
+   * @param secretReference string possibly containing a secret reference URI
+   * @return an optional containing the {@link SecretError} if invalid or an empty optional
+   *     otherwise
+   */
+  default Optional<SecretError> validate(String secretReference) {
+    if (UserSecretReference.isUserSecret(secretReference)) {
+      return validateUserSecretReference(secretReference);
+    }
+    if (EncryptedSecret.isEncryptedSecret(secretReference)) {
+      return validateExternalSecretReference(secretReference);
+    }
+    return Optional.empty();
+  }
+
+  /**
+   * Checks the given string to see if it is a valid {@link UserSecretReference} and that its
+   * referenced {@link UserSecret} is valid.
+   *
+   * @param uri secret URI to validate
+   * @return a specific error code for a validation error or empty
+   */
+  Optional<SecretError> validateUserSecretReference(String uri);
+
+  /**
+   * Checks the given string to see if it is a valid {@link EncryptedSecret} and that its referenced
+   * secret data can be fetched.
+   *
+   * @param uri external secret URI to validate
+   * @return a specific error code for a validation error or empty
+   */
+  Optional<SecretError> validateExternalSecretReference(String uri);
+}

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/UnsupportedSecretEngineException.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets;
+
+/** Exception thrown when an unsupported secret engine is called upon for decrypting a secret. */
+public class UnsupportedSecretEngineException extends SecretDecryptionException
+    implements SecretError {
+  public UnsupportedSecretEngineException(String engine) {
+    super(String.format("Unsupported secret engine identifier '%s'", engine));
+  }
+
+  @Override
+  public String getErrorCode() {
+    return SecretErrorCode.UNSUPPORTED_SECRET_ENGINE.getErrorCode();
+  }
+}

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/user/DefaultUserSecretSerde.java

@@ -20,12 +20,9 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.netflix.spinnaker.kork.annotations.NonnullByDefault;
-import com.netflix.spinnaker.kork.secrets.SecretDecryptionException;
-import com.netflix.spinnaker.kork.secrets.SecretException;
 import java.io.IOException;
 import java.util.Collection;
 import java.util.Map;
-import java.util.Objects;
 import java.util.TreeMap;
 
 /**
@@ -62,22 +59,33 @@ public boolean supports(UserSecretMetadata metadata) {
 
   @Override
   public UserSecret deserialize(byte[] encoded, UserSecretMetadata metadata) {
-    var type = Objects.requireNonNull(userSecretTypes.get(metadata.getType()));
-    var mapper = Objects.requireNonNull(mappersByEncodingFormat.get(metadata.getEncoding()));
+    var type = userSecretTypes.get(metadata.getType());
+    if (type == null) {
+      throw new UnsupportedUserSecretTypeException(metadata.getType());
+    }
+    var mapper = mappersByEncodingFormat.get(metadata.getEncoding());
+    if (mapper == null) {
+      throw new UnsupportedUserSecretEncodingException(metadata.getEncoding());
+    }
+    UserSecretData data;
     try {
-      return UserSecret.builder().metadata(metadata).data(mapper.readValue(encoded, type)).build();
+      data = mapper.readValue(encoded, type);
     } catch (IOException e) {
-      throw new SecretDecryptionException(e);
+      throw new InvalidUserSecretDataException("cannot parse user secret data", e);
     }
+    return UserSecret.builder().metadata(metadata).data(data).build();
   }
 
   @Override
   public byte[] serialize(UserSecretData secret, UserSecretMetadata metadata) {
-    var mapper = Objects.requireNonNull(mappersByEncodingFormat.get(metadata.getEncoding()));
+    var mapper = mappersByEncodingFormat.get(metadata.getEncoding());
+    if (mapper == null) {
+      throw new UnsupportedUserSecretEncodingException(metadata.getEncoding());
+    }
     try {
       return mapper.writeValueAsBytes(secret);
     } catch (JsonProcessingException e) {
-      throw new SecretException(e);
+      throw new InvalidUserSecretDataException(e.getMessage(), e);
     }
   }
 }

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/user/InvalidUserSecretDataException.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets.user;
+
+import com.netflix.spinnaker.kork.secrets.SecretDecryptionException;
+import com.netflix.spinnaker.kork.secrets.SecretError;
+import com.netflix.spinnaker.kork.secrets.SecretErrorCode;
+
+/**
+ * Exception thrown when a {@link UserSecretSerde} is unable to deserialize data into {@link
+ * UserSecretData}.
+ */
+public class InvalidUserSecretDataException extends SecretDecryptionException
+    implements SecretError {
+  public InvalidUserSecretDataException(String message, Throwable cause) {
+    super(message, cause);
+  }
+
+  @Override
+  public String getErrorCode() {
+    return SecretErrorCode.INVALID_USER_SECRET_DATA.getErrorCode();
+  }
+}

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/user/InvalidUserSecretMetadataException.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets.user;
+
+import com.netflix.spinnaker.kork.exceptions.HasAdditionalAttributes;
+import com.netflix.spinnaker.kork.secrets.InvalidSecretFormatException;
+import com.netflix.spinnaker.kork.secrets.SecretError;
+import com.netflix.spinnaker.kork.secrets.SecretErrorCode;
+import lombok.Getter;
+
+/**
+ * Exception thrown when a decrypted {@link UserSecret} has invalid {@link UserSecretMetadata}
+ * defined.
+ */
+public class InvalidUserSecretMetadataException extends InvalidSecretFormatException
+    implements HasAdditionalAttributes, SecretError {
+  @Getter private final UserSecretReference userSecretReference;
+
+  public InvalidUserSecretMetadataException(
+      UserSecretReference userSecretReference, Throwable cause) {
+    super(String.format("User secret %s has invalid metadata", userSecretReference), cause);
+    this.userSecretReference = userSecretReference;
+  }
+
+  @Override
+  public String getErrorCode() {
+    return SecretErrorCode.INVALID_USER_SECRET_METADATA.getErrorCode();
+  }
+}

kork-secrets/src/main/java/com/netflix/spinnaker/kork/secrets/user/InvalidUserSecretReferenceException.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2023 Apple Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.netflix.spinnaker.kork.secrets.user;
+
+import com.netflix.spinnaker.kork.exceptions.HasAdditionalAttributes;
+import com.netflix.spinnaker.kork.secrets.InvalidSecretFormatException;
+import com.netflix.spinnaker.kork.secrets.SecretError;
+import com.netflix.spinnaker.kork.secrets.SecretErrorCode;
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
+import lombok.Getter;
+
+/** Exception thrown when an invalid {@link UserSecretReference} is attempted to be parsed. */
+@Getter
+public class InvalidUserSecretReferenceException extends InvalidSecretFormatException
+    implements HasAdditionalAttributes, SecretError {
+  private final Map<String, Object> additionalAttributes = new HashMap<>();
+
+  public InvalidUserSecretReferenceException(String input, Throwable cause) {
+    super("Unable to parse input into a URI", cause);
+    additionalAttributes.put("input", input);
+  }
+
+  public InvalidUserSecretReferenceException(String message, URI uri) {
+    super(message);
+    additionalAttributes.put("input", uri);
+  }
+
+  @Override
+  public String getErrorCode() {
+    return SecretErrorCode.INVALID_USER_SECRET_URI.getErrorCode();
+  }
+}