Merge pull request #209 from joe0BAB/fix/secret-patch-policies

rumpl · web-flow · commit 5b543cbf5daa · 2025-04-25T16:09:46.000+02:00
Add "derive" command
diff --git a/src/extension/host-binary/api/schemas/secrets.yaml b/src/extension/host-binary/api/schemas/secrets.yaml
@@ -56,7 +56,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/StoredSecret'
+                $ref: '#/components/schemas/Secret'
         '404':
           description: secret not found
     delete:
diff --git a/src/extension/host-binary/cmd/main.go b/src/extension/host-binary/cmd/main.go
@@ -10,6 +10,7 @@ import (
 	"github.com/spf13/cobra"
 	"os"
 	"os/signal"
+	"slices"
 	"syscall"
 )
 
@@ -23,6 +24,7 @@ func main() {
 	cmd.AddCommand(AuthorizeApp(ctx))
 	cmd.AddCommand(UnauthorizeApp(ctx))
 	cmd.AddCommand(ListOAuthApps(ctx))
+	cmd.AddCommand(DeriveSecret(ctx))
 	if err := cmd.Execute(); err != nil {
 		fmt.Println(err)
 		os.Exit(1)
@@ -238,3 +240,44 @@ func runDeleteSecret(ctx context.Context, opts deleteOptions) error {
 func assertMcpPolicyExists(ctx context.Context, apiClient client.ApiClient) error {
 	return apiClient.SetPolicy(ctx, secretsapi.Policy{Name: mcpPolicyName, Images: []string{"*"}})
 }
+
+type deriveOptions struct {
+	Src string
+	Dst string
+}
+
+func DeriveSecret(ctx context.Context) *cobra.Command {
+	opts := &deriveOptions{}
+	cmd := &cobra.Command{
+		Use:   "derive",
+		Short: "Derive a secret from another secret",
+		Args:  cobra.NoArgs,
+		RunE: func(*cobra.Command, []string) error {
+			return runDeriveSecret(ctx, *opts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.Src, "src", "s", "", "Name of the source secret")
+	_ = cmd.MarkFlagRequired("src")
+	flags.StringVarP(&opts.Dst, "dst", "d", "", "Name of the destination secret")
+	_ = cmd.MarkFlagRequired("dst")
+	return cmd
+}
+
+func runDeriveSecret(ctx context.Context, opts deriveOptions) error {
+	c, err := newApiClient()
+	if err != nil {
+		return err
+	}
+	if err := assertMcpPolicyExists(ctx, c); err != nil {
+		return err
+	}
+	s, err := c.GetSecret(ctx, opts.Src)
+	if err != nil {
+		return err
+	}
+	if !slices.Contains(s.Policies, mcpPolicyName) {
+		s.Policies = append(s.Policies, mcpPolicyName)
+	}
+	return c.SetSecret(ctx, secretsapi.Secret{Name: opts.Dst, Value: s.Value, Policies: []string{mcpPolicyName}})
+}
diff --git a/src/extension/host-binary/pkg/client/client.go b/src/extension/host-binary/pkg/client/client.go
@@ -13,7 +13,7 @@ type ApiClient interface {
 	// GetPolicy retrieves a policy
 	GetPolicy(ctx context.Context, policy string) (secretsapi.Policy, error)
 	// GetSecret checks if a secret exists
-	GetSecret(ctx context.Context, secret string) (secretsapi.StoredSecret, error)
+	GetSecret(ctx context.Context, secret string) (secretsapi.Secret, error)
 	// ListPolicies lists all policies
 	ListPolicies(ctx context.Context) ([]secretsapi.Policy, error)
 	// ListSecrets lists all secrets
@@ -38,7 +38,8 @@ func NewApiClient(socketPath string) ApiClient {
 
 func (d apiClientImpl) SetSecret(ctx context.Context, s secretsapi.Secret) error {
 	apiReq := d.SecretsApi.SetJfsSecret(ctx)
-	req := secretsapi.NewSecret(s.Name, s.Value, s.Policies)
+	req := secretsapi.NewSecret(s.Name, s.Value)
+	req.SetPolicies(s.Policies)
 	_, err := apiReq.Secret(*req).Execute()
 	return err
 }
@@ -55,11 +56,11 @@ func (d apiClientImpl) ListSecrets(ctx context.Context) ([]secretsapi.StoredSecr
 	return res, err
 }
 
-func (d apiClientImpl) GetSecret(ctx context.Context, secret string) (secretsapi.StoredSecret, error) {
+func (d apiClientImpl) GetSecret(ctx context.Context, secret string) (secretsapi.Secret, error) {
 	apiReq := d.SecretsApi.GetJfsSecret(ctx, secret)
 	res, _, err := apiReq.Execute()
 	if err != nil {
-		return secretsapi.StoredSecret{}, err
+		return secretsapi.Secret{}, err
 	}
 	return *res, nil
 }
diff --git a/src/extension/host-binary/pkg/generated/go/client/secrets/api/openapi.yaml b/src/extension/host-binary/pkg/generated/go/client/secrets/api/openapi.yaml
@@ -77,7 +77,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/StoredSecret'
+                $ref: '#/components/schemas/Secret'
           description: success
         "404":
           description: secret not found
diff --git a/src/extension/host-binary/pkg/generated/go/client/secrets/api_secrets.go b/src/extension/host-binary/pkg/generated/go/client/secrets/api_secrets.go
diff --git a/src/extension/host-binary/pkg/generated/go/client/secrets/docs/SecretsApi.md b/src/extension/host-binary/pkg/generated/go/client/secrets/docs/SecretsApi.md
@@ -217,7 +217,7 @@ No authorization required
 
 ## GetJfsSecret
 
-> StoredSecret GetJfsSecret(ctx, secret).Execute()
+> Secret GetJfsSecret(ctx, secret).Execute()
 
 checks if a secret exists
 
@@ -243,7 +243,7 @@ func main() {
         fmt.Fprintf(os.Stderr, "Error when calling `SecretsApi.GetJfsSecret``: %v\n", err)
         fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
     }
-    // response from `GetJfsSecret`: StoredSecret
+    // response from `GetJfsSecret`: Secret
     fmt.Fprintf(os.Stdout, "Response from `SecretsApi.GetJfsSecret`: %v\n", resp)
 }
 ```
@@ -267,7 +267,7 @@ Name | Type | Description  | Notes
 
 ### Return type
 
-[**StoredSecret**](StoredSecret.md)
+[**Secret**](Secret.md)
 
 ### Authorization
 
diff --git a/src/extension/host-binary/pkg/generated/go/client/secrets/html/index.html b/src/extension/host-binary/pkg/generated/go/client/secrets/html/index.html
@@ -1998,7 +1998,7 @@ <h3>Usage and SDK Samples</h3>
         String secret = secret_example; // String | 
 
         try {
-            StoredSecret result = apiInstance.getJfsSecret(secret);
+            Secret result = apiInstance.getJfsSecret(secret);
             System.out.println(result);
         } catch (ApiException e) {
             System.err.println("Exception when calling SecretsApi#getJfsSecret");
@@ -2018,7 +2018,7 @@ <h3>Usage and SDK Samples</h3>
         String secret = secret_example; // String | 
 
         try {
-            StoredSecret result = apiInstance.getJfsSecret(secret);
+            Secret result = apiInstance.getJfsSecret(secret);
             System.out.println(result);
         } catch (ApiException e) {
             System.err.println("Exception when calling SecretsApi#getJfsSecret");
@@ -2040,7 +2040,7 @@ <h3>Usage and SDK Samples</h3>
 
 // checks if a secret exists
 [apiInstance getJfsSecretWith:secret
-              completionHandler: ^(StoredSecret output, NSError* error) {
+              completionHandler: ^(Secret output, NSError* error) {
     if (output) {
         NSLog(@"%@", output);
     }
@@ -2092,7 +2092,7 @@ <h3>Usage and SDK Samples</h3>
 
             try {
                 // checks if a secret exists
-                StoredSecret result = apiInstance.getJfsSecret(secret);
+                Secret result = apiInstance.getJfsSecret(secret);
                 Debug.WriteLine(result);
             } catch (Exception e) {
                 Debug.Print("Exception when calling SecretsApi.getJfsSecret: " + e.Message );
@@ -2247,7 +2247,7 @@ <h3 id="examples-Secrets-getJfsSecret-title-200"></h3>
   "content" : {
     "application/json" : {
       "schema" : {
-        "$ref" : "#/components/schemas/StoredSecret"
+        "$ref" : "#/components/schemas/Secret"
       }
     }
   }
diff --git a/src/extension/host-binary/pkg/generated/go/client/secrets/model_secret.go b/src/extension/host-binary/pkg/generated/go/client/secrets/model_secret.go
