fix: 🚑 gitlab secret

cloud-pi-native · Apr 16, 2024 · 0c03a95 · 0c03a95
1 parent f969b9b
commit 0c03a95
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 8 deletions.
diff --git a/plugins/gitlab/package.json b/plugins/gitlab/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@cpn-console/gitlab-plugin",
   "description": "",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "private": false,
   "type": "module",
   "main": "dist/index.js",

diff --git a/plugins/gitlab/src/class.ts b/plugins/gitlab/src/class.ts
@@ -109,7 +109,8 @@ export class GitlabProjectApi extends PluginApi {
 
     const tokenVaultSecret = await vaultApi.read('GITLAB', { throwIfNoEntry: false })
 
-    if (currentTriggerToken && !tokenVaultSecret?.GIT_MIRROR_TOKEN) {
+    if (currentTriggerToken && !tokenVaultSecret?.data?.GIT_MIRROR_TOKEN) {
+      console.debug('GITLAB: recreating PipelineTriggerToken')
       await this.api.PipelineTriggerTokens.remove(mirrorRepo.id, currentTriggerToken.id)
     }
     const triggerToken = await this.api.PipelineTriggerTokens.create(mirrorRepo.id, tokenDescription)

diff --git a/plugins/gitlab/src/repositories.ts b/plugins/gitlab/src/repositories.ts
@@ -51,23 +51,35 @@ const ensureRepositoryExists = async (
   let gitlabRepository: CondensedProjectSchema | ProjectSchema | void = gitlabRepositories.find(gitlabRepository => gitlabRepository.name === repository.internalRepoName)
   const externalRepoUrn = repository.externalRepoUrl.split(/:\/\/(.*)/s)[1]
   const vaultCredsPath = `${repository.internalRepoName}-mirror`
-  const currentVaultCreds = await vaultApi.read(vaultCredsPath, { throwIfNoEntry: false })
+  const currentVaultSecret = await vaultApi.read(vaultCredsPath, { throwIfNoEntry: false })
+  let gitInputUser: string | undefined
+  let gitInputPassword: string | undefined
+  if (currentVaultSecret?.data) {
+    gitInputUser = currentVaultSecret.data.GIT_INPUT_USER
+    gitInputPassword = currentVaultSecret.data.GIT_INPUT_PASSWORD
+  }
 
   if (!gitlabRepository) {
     gitlabRepository = await gitlabApi.createCloneRepository(repository.internalRepoName, externalRepoUrn, repository.newCreds) // TODO
   }
 
   const internalRepoUrl = await gitlabApi.getRepoUrl(repository.internalRepoName)
 
-  const gitlabSecret = await vaultApi.read('tech/GITLAB_MIRROR', { throwIfNoEntry: false })
+  const { data: gitlabSecret } = await vaultApi.read('tech/GITLAB_MIRROR', { throwIfNoEntry: false })
   const mirrorSecretData = {
     GIT_INPUT_URL: externalRepoUrn,
-    GIT_INPUT_USER: repository.newCreds?.username || currentVaultCreds?.GIT_INPUT_USER,
-    GIT_INPUT_PASSWORD: repository.newCreds?.token || currentVaultCreds?.GIT_INPUT_PASSWORD,
+    GIT_INPUT_USER: repository.isPrivate
+      ? (repository.newCreds?.username || gitInputUser)
+      : undefined,
+    GIT_INPUT_PASSWORD: repository.isPrivate
+      ? (repository.newCreds?.token || gitInputPassword)
+      : undefined,
     GIT_OUTPUT_URL: internalRepoUrl.split(/:\/\/(.*)/s)[1],
     GIT_OUTPUT_USER: projectMirrorCreds.botAccount,
     GIT_OUTPUT_PASSWORD: projectMirrorCreds.token,
   }
 
-  if (!shallowEqual(mirrorSecretData, gitlabSecret)) await vaultApi.write(mirrorSecretData, vaultCredsPath)
+  if (!shallowEqual(mirrorSecretData, gitlabSecret)) {
+    await vaultApi.write(mirrorSecretData, vaultCredsPath)
+  }
 }
diff --git a/plugins/vault/package.json b/plugins/vault/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@cpn-console/vault-plugin",
   "description": "",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "private": false,
   "type": "module",
   "main": "dist/index.js",

diff --git a/plugins/vault/src/class.ts b/plugins/vault/src/class.ts
@@ -32,6 +32,7 @@ export class VaultProjectApi extends PluginApi {
 
   public async list (path: string = '/'): Promise<string[]> {
     if (!path.startsWith('/')) path = '/' + path
+    console.debug(`VAULT: list secret from ${path}`)
 
     const listSecretPath: string[] = []
     const response = await this.axios({
@@ -59,6 +60,7 @@ export class VaultProjectApi extends PluginApi {
 
   public async read (path: string = '/', options: readOptions = { throwIfNoEntry: true }) {
     if (path.startsWith('/')) path = path.slice(1)
+    console.debug(`VAULT: reda secret ${path}`)
     const response = await this.axios.get(
       `/v1/forge-dso/data/${this.projectRootDir}/${this.basePath}/${path}`,
       {
@@ -71,6 +73,7 @@ export class VaultProjectApi extends PluginApi {
 
   public async write (body: object, path: string = '/') {
     if (path.startsWith('/')) path = path.slice(1)
+    console.debug(`VAULT: write secret from ${path}`)
     const response = await this.axios.post(
       `/v1/forge-dso/data/${this.projectRootDir}/${this.basePath}/${path}`,
       {
@@ -82,6 +85,7 @@ export class VaultProjectApi extends PluginApi {
 
   public async destroy (path: string = '/') {
     if (path.startsWith('/')) path = path.slice(1)
+    console.debug(`VAULT: destroy secret from ${path}`)
     return this.axios.delete(
       `/v1/forge-dso/metadata/${this.projectRootDir}/${this.basePath}/${path}`,
       {