in pkg/berglas/resolver.go [41:106]
func (c *Client) Resolve(ctx context.Context, s string) ([]byte, error) {
logger := logging.FromContext(ctx).With(
"reference", s,
)
logger.DebugContext(ctx, "resolve.start")
defer logger.DebugContext(ctx, "resolve.finish")
ref, err := ParseReference(s)
if err != nil {
return nil, fmt.Errorf("failed to parse reference %s: %w", s, err)
}
var req accessRequest
switch ref.Type() {
case ReferenceTypeSecretManager:
req = &SecretManagerAccessRequest{
Project: ref.Project(),
Name: ref.Name(),
Version: ref.Version(),
}
case ReferenceTypeStorage:
req = &StorageAccessRequest{
Bucket: ref.Bucket(),
Object: ref.Object(),
Generation: ref.Generation(),
}
}
plaintext, err := c.Access(ctx, req)
if err != nil {
return nil, fmt.Errorf("failed to access secret %s: %w", ref.String(), err)
}
if pth := ref.Filepath(); pth != "" {
logger.DebugContext(ctx, "writing to filepath", "filepath", pth)
f, err := os.OpenFile(ref.Filepath(), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return nil, fmt.Errorf("failed to open filepath %s: %w", pth, err)
}
if chmodSupported {
if err := f.Chmod(0600); err != nil {
return nil, fmt.Errorf("failed to chmod filepath %s: %w", pth, err)
}
}
if _, err := f.Write(plaintext); err != nil {
return nil, fmt.Errorf("failed to write secret to filepath %s: %w", pth, err)
}
if err := f.Sync(); err != nil {
return nil, fmt.Errorf("failed to sync filepath %s: %w", pth, err)
}
if err := f.Close(); err != nil {
return nil, fmt.Errorf("failed to close filepath %s: %w", pth, err)
}
// Set the plaintext to the resulting file path
plaintext = []byte(f.Name())
}
return plaintext, nil
}