Class: Makit::Secrets::AzureSecrets

Inherits:

Object

• Object
• Makit::Secrets::AzureSecrets

Defined in:

lib/makit/secrets/azure_secrets.rb

Overview

Azure Key Vault adapter that implements the LocalSecrets interface Uses Azure CLI to store and retrieve individual secrets

Instance Method Summary

• #add(key, value) ⇒ Object
• #get(key) ⇒ Object
• #get_secrets_filename ⇒ Object
• #get_secrets_hash ⇒ Object
• #has_key?(key) ⇒ Boolean
• #info ⇒ Object
• #initialize(keyvault_name: nil, secret_prefix: nil) ⇒ AzureSecrets constructor

  A new instance of AzureSecrets.

• #remove(key) ⇒ Object
• #save_secrets_hash(hash) ⇒ Object
• #set(key, value) ⇒ Object

Constructor Details

#initialize(keyvault_name: nil, secret_prefix: nil) ⇒ AzureSecrets

Returns a new instance of AzureSecrets.

# File 'lib/makit/secrets/azure_secrets.rb', line 10

def initialize(keyvault_name: nil, secret_prefix: nil)
  @keyvault_name = keyvault_name || AzureKeyVault.keyvault_name
  @secret_prefix = secret_prefix || AzureKeyVault.secret_prefix
  raise "Azure Key Vault name is required" if @keyvault_name.nil? || @keyvault_name.empty?
end

Instance Method Details

#add(key, value) ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 16

def add(key, value)
  set(key, value)
end

#get(key) ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 50

def get(key)
  secret_name = build_secret_name(key)
  return nil unless secret_exists?(secret_name)

  unless AzureKeyVault.azure_cli_authenticated?
    raise "Azure CLI is not authenticated. Run 'az login' first"
  end

  cmd = [
    "az keyvault secret show",
    "--vault-name '#{@keyvault_name}'",
    "--name '#{secret_name}'",
    "--query value",
    "-o tsv",
    "2>&1"
  ].join(" ")

  output = `#{cmd}`.strip
  exit_code = $?.exitstatus

  if exit_code != 0
    nil
  else
    output
  end
end

#get_secrets_filename ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 82

def get_secrets_filename
  "#{@keyvault_name}/secrets"
end

#get_secrets_hash ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 86

def get_secrets_hash
  # Load all secrets from Azure Key Vault
  # This is a simplified version - in practice, you might want to list all secrets
  # For now, we'll return an empty hash and let individual get() calls retrieve secrets
  {}
end

#has_key?(key) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/makit/secrets/azure_secrets.rb', line 45

def has_key?(key)
  secret_name = build_secret_name(key)
  secret_exists?(secret_name)
end

#info ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 100

def info
  unless AzureKeyVault.azure_cli_authenticated?
    puts "  Azure CLI is not authenticated. Run 'az login' first"
    return
  end

  cmd = [
    "az keyvault secret list",
    "--vault-name '#{@keyvault_name}'",
    "--query '[].name'",
    "-o tsv",
    "2>&1"
  ].join(" ")

  output = `#{cmd}`.strip
  exit_code = $?.exitstatus

  if exit_code != 0
    # Check if it's a permission error
    if output.include?("Forbidden") || output.include?("ForbiddenByRbac")
      puts "  Error: Insufficient permissions to list secrets from Azure Key Vault"
      puts "  The authenticated identity does not have the required RBAC permissions."
      puts "  Required permission: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'"
      puts "  Required role: 'Key Vault Secrets User' or 'Key Vault Secrets Officer'"
      puts "  Vault: #{@keyvault_name}"
      puts ""
      puts "  To fix this, ask your Azure administrator to grant you one of these roles:"
      puts "    - Key Vault Secrets User (read-only access to secret names and values)"
      puts "    - Key Vault Secrets Officer (full access to secrets)"
    else
      puts "  Error: Failed to list secrets from Azure Key Vault"
      puts "  #{output}"
    end
    return
  end

  secret_names = output.split("\n").map(&:strip).reject(&:empty?)

  if @secret_prefix
    # Filter secrets that match the prefix and remove the prefix
    filtered_secrets = secret_names.select { |name| name.start_with?("#{@secret_prefix}-") }
                                   .map { |name| name.sub(/^#{Regexp.escape(@secret_prefix)}-/, "") }
  else
    filtered_secrets = secret_names
  end

  if filtered_secrets.empty?
    puts "  No secrets found"
  else
    puts "  Available secrets (#{filtered_secrets.count}):"
    filtered_secrets.sort.each do |key|
      puts "    - #{key}"
    end
  end
end

#remove(key) ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 20

def remove(key)
  secret_name = build_secret_name(key)
  return true unless secret_exists?(secret_name)

  unless AzureKeyVault.azure_cli_authenticated?
    raise "Azure CLI is not authenticated. Run 'az login' first"
  end

  cmd = [
    "az keyvault secret delete",
    "--vault-name '#{@keyvault_name}'",
    "--name '#{secret_name}'",
    "2>&1"
  ].join(" ")

  output = `#{cmd}`
  exit_code = $?.exitstatus

  if exit_code != 0
    raise "Failed to delete secret '#{secret_name}': #{output}"
  end

  true
end

#save_secrets_hash(hash) ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 93

def save_secrets_hash(hash)
  # Save all secrets from hash to Azure Key Vault
  hash.each do |key, value|
    set(key, value)
  end
end

#set(key, value) ⇒ Object

# File 'lib/makit/secrets/azure_secrets.rb', line 77

def set(key, value)
  secret_name = build_secret_name(key)
  AzureKeyVault.set(secret_name, value.to_s, keyvault_name: @keyvault_name)
end