UNPKG

envilder

Version:

A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth

113 lines 5.84 kB
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; }; var __metadata = (this && this.__metadata) || function (k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); }; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; import { injectable } from 'inversify'; import { EnvironmentVariable } from '../../domain/EnvironmentVariable.js'; import { InvalidArgumentError, SecretOperationError, } from '../../domain/errors/DomainErrors.js'; import { describeError } from '../describeError.js'; let AzureKeyVaultSecretProvider = class AzureKeyVaultSecretProvider { constructor(client) { this.normalizedNameRegistry = new Map(); this.client = client; } getSecret(name) { return __awaiter(this, void 0, void 0, function* () { var _a; const secretName = this.resolveSecretName(name); try { const secret = yield this.client.getSecret(secretName); return (_a = secret === null || secret === void 0 ? void 0 : secret.value) !== null && _a !== void 0 ? _a : undefined; } catch (error) { if (typeof error === 'object' && error !== null && 'statusCode' in error && error.statusCode === 404) { return undefined; } throw new SecretOperationError(`${EnvironmentVariable.maskSecretPath(name)}: ${describeError(error)}`); } }); } setSecret(name, value) { return __awaiter(this, void 0, void 0, function* () { const secretName = this.resolveSecretName(name); yield this.client.setSecret(secretName, value); }); } /** * Validates that the secret name meets Azure Key Vault naming constraints. * @see https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#objects-identifiers-and-versioning */ validateSecretName(name) { if (name.trim().length === 0) { throw new InvalidArgumentError('Invalid secret name: name cannot be empty or whitespace-only.'); } if (/[^a-zA-Z0-9\-_/]/.test(name)) { throw new InvalidArgumentError(`Invalid secret name '${name}': contains characters not allowed` + ' by Azure Key Vault. Only alphanumeric characters,' + ' hyphens, slashes, and underscores are accepted.'); } } resolveSecretName(originalName) { this.validateSecretName(originalName); const normalized = this.normalizeSecretName(originalName); if (normalized.length > 127) { throw new InvalidArgumentError(`Invalid secret name '${originalName}': normalized name '${normalized}' exceeds the 127-character limit for Azure Key Vault.`); } const existing = this.normalizedNameRegistry.get(normalized); if (existing !== undefined && existing !== originalName) { throw new SecretOperationError(`Secret name collision: '${originalName}' and '${existing}' ` + `both normalize to '${normalized}'. Use distinct ` + 'Key Vault-compatible names in your map file ' + 'when targeting Azure.'); } this.normalizedNameRegistry.set(normalized, originalName); return normalized; } // Azure Key Vault secret names: 1-127 chars, alphanumeric + hyphens, start with letter normalizeSecretName(name) { // Remove leading slashes let normalized = name.replace(/^\/+/, ''); // Replace slashes and underscores with hyphens normalized = normalized.replace(/[/_]/g, '-'); // Lowercase to match Azure Key Vault case-insensitivity normalized = normalized.toLowerCase(); // Remove invalid characters normalized = normalized.replace(/[^a-zA-Z0-9-]/g, ''); // Remove consecutive hyphens normalized = normalized.replace(/-+/g, '-'); // Remove leading/trailing hyphens normalized = normalized.replace(/^-+|-+$/g, ''); // Ensure starts with a letter if (normalized.length > 0 && !/^[a-zA-Z]/.test(normalized)) { normalized = `secret-${normalized}`; } // Default name if empty if (normalized.length === 0) { normalized = 'secret'; } return normalized; } }; AzureKeyVaultSecretProvider = __decorate([ injectable(), __metadata("design:paramtypes", [Function]) ], AzureKeyVaultSecretProvider); export { AzureKeyVaultSecretProvider }; //# sourceMappingURL=AzureKeyVaultSecretProvider.js.map