envilder
Version:
A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth
113 lines • 5.84 kB
JavaScript
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
return c > 3 && r && Object.defineProperty(target, key, r), r;
};
var __metadata = (this && this.__metadata) || function (k, v) {
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import { injectable } from 'inversify';
import { EnvironmentVariable } from '../../domain/EnvironmentVariable.js';
import { InvalidArgumentError, SecretOperationError, } from '../../domain/errors/DomainErrors.js';
import { describeError } from '../describeError.js';
let AzureKeyVaultSecretProvider = class AzureKeyVaultSecretProvider {
constructor(client) {
this.normalizedNameRegistry = new Map();
this.client = client;
}
getSecret(name) {
return __awaiter(this, void 0, void 0, function* () {
var _a;
const secretName = this.resolveSecretName(name);
try {
const secret = yield this.client.getSecret(secretName);
return (_a = secret === null || secret === void 0 ? void 0 : secret.value) !== null && _a !== void 0 ? _a : undefined;
}
catch (error) {
if (typeof error === 'object' &&
error !== null &&
'statusCode' in error &&
error.statusCode === 404) {
return undefined;
}
throw new SecretOperationError(`${EnvironmentVariable.maskSecretPath(name)}: ${describeError(error)}`);
}
});
}
setSecret(name, value) {
return __awaiter(this, void 0, void 0, function* () {
const secretName = this.resolveSecretName(name);
yield this.client.setSecret(secretName, value);
});
}
/**
* Validates that the secret name meets Azure Key Vault naming constraints.
* @see https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#objects-identifiers-and-versioning
*/
validateSecretName(name) {
if (name.trim().length === 0) {
throw new InvalidArgumentError('Invalid secret name: name cannot be empty or whitespace-only.');
}
if (/[^a-zA-Z0-9\-_/]/.test(name)) {
throw new InvalidArgumentError(`Invalid secret name '${name}': contains characters not allowed` +
' by Azure Key Vault. Only alphanumeric characters,' +
' hyphens, slashes, and underscores are accepted.');
}
}
resolveSecretName(originalName) {
this.validateSecretName(originalName);
const normalized = this.normalizeSecretName(originalName);
if (normalized.length > 127) {
throw new InvalidArgumentError(`Invalid secret name '${originalName}': normalized name '${normalized}' exceeds the 127-character limit for Azure Key Vault.`);
}
const existing = this.normalizedNameRegistry.get(normalized);
if (existing !== undefined && existing !== originalName) {
throw new SecretOperationError(`Secret name collision: '${originalName}' and '${existing}' ` +
`both normalize to '${normalized}'. Use distinct ` +
'Key Vault-compatible names in your map file ' +
'when targeting Azure.');
}
this.normalizedNameRegistry.set(normalized, originalName);
return normalized;
}
// Azure Key Vault secret names: 1-127 chars, alphanumeric + hyphens, start with letter
normalizeSecretName(name) {
// Remove leading slashes
let normalized = name.replace(/^\/+/, '');
// Replace slashes and underscores with hyphens
normalized = normalized.replace(/[/_]/g, '-');
// Lowercase to match Azure Key Vault case-insensitivity
normalized = normalized.toLowerCase();
// Remove invalid characters
normalized = normalized.replace(/[^a-zA-Z0-9-]/g, '');
// Remove consecutive hyphens
normalized = normalized.replace(/-+/g, '-');
// Remove leading/trailing hyphens
normalized = normalized.replace(/^-+|-+$/g, '');
// Ensure starts with a letter
if (normalized.length > 0 && !/^[a-zA-Z]/.test(normalized)) {
normalized = `secret-${normalized}`;
}
// Default name if empty
if (normalized.length === 0) {
normalized = 'secret';
}
return normalized;
}
};
AzureKeyVaultSecretProvider = __decorate([
injectable(),
__metadata("design:paramtypes", [Function])
], AzureKeyVaultSecretProvider);
export { AzureKeyVaultSecretProvider };
//# sourceMappingURL=AzureKeyVaultSecretProvider.js.map