in provider/secret_descriptor.go [372:484]
func NewSecretDescriptorList(mountDir, translate, objectSpec string, regions []string) (
desc map[SecretType][]*SecretDescriptor,
e error,
) {
// See if we should substitite underscore for slash
if len(translate) == 0 {
translate = "_" // Use default
} else if strings.ToLower(translate) == "false" {
translate = "" // Turn it off.
} else if len(translate) != 1 {
return nil, fmt.Errorf("pathTranslation must be either 'False' or a single character string")
}
// Unpack the SecretProviderClass mount specification
descriptors := make([]*SecretDescriptor, 0)
err := yaml.Unmarshal([]byte(objectSpec), &descriptors)
if err != nil {
return nil, fmt.Errorf("Failed to load SecretProviderClass: %+v", err)
}
// Validate each record and check for duplicates
groups := make(map[SecretType][]*SecretDescriptor, 0)
seenNames := make(map[string]SecretDescriptorSlice)
seenAliases := make(map[string]bool)
for _, descriptor := range descriptors {
descriptor.translate = translate
descriptor.mountDir = mountDir
err = descriptor.validateSecretDescriptor(regions)
if err != nil {
return nil, err
}
// Group secrets of the same type together to allow batching requests
sType := descriptor.GetSecretType()
groups[sType] = append(groups[sType], descriptor)
// We iterate over the descriptors, checking each one for duplicates and then adding it to the seenNames map.
// There are 4 cases in which a validation error is thrown when a descriptor with a duplicate object name is found:
// -------------------------------------------
// | # | OBJECT ALIAS | OBJECT VERSION LABEL |
// |---|--------------|----------------------|
// | 1 | duplicate | empty |
// | 2 | empty | duplicate |
// | 3 | duplicate | duplicate |
// | 4 | empty | empty |
// -------------------------------------------
found, ok := seenNames[descriptor.ObjectName]
if ok {
descHasAlias := descriptor.ObjectAlias != ""
foundHasAlias := found.ObjectAlias != ""
descHasVersionLabel := descriptor.ObjectVersionLabel != ""
foundHasVersionLabel := found.ObjectVersionLabel != ""
errorPrefix := fmt.Errorf("found descriptor with duplicate object name %s", descriptor.ObjectName)
// Case 1
if descHasAlias && foundHasAlias && !descHasVersionLabel && !foundHasVersionLabel &&
descriptor.ObjectAlias == found.ObjectAlias {
return nil, fmt.Errorf("%s, duplicate object alias %s, and no version label",
errorPrefix, descriptor.ObjectAlias)
}
// Case 2
if !descHasAlias && !foundHasAlias && descHasVersionLabel && foundHasVersionLabel &&
descriptor.ObjectVersionLabel == found.ObjectVersionLabel {
return nil, fmt.Errorf("%s, no object alias, and duplicate version label %s",
errorPrefix, descriptor.ObjectVersionLabel)
}
// Case 3
if descHasAlias && foundHasAlias && descHasVersionLabel && foundHasVersionLabel &&
descriptor.ObjectAlias == found.ObjectAlias &&
descriptor.ObjectVersionLabel == found.ObjectVersionLabel {
return nil, fmt.Errorf("%s, duplicate object alias %s, and duplicate version label %s",
errorPrefix, descriptor.ObjectAlias, descriptor.ObjectVersionLabel)
}
// Case 4
if !descHasAlias && !foundHasAlias && !descHasVersionLabel && !foundHasVersionLabel {
return nil, fmt.Errorf("%s, no object alias, and no version label", errorPrefix)
}
}
// Add the descriptor to the seenNames map after validation
seenNames[descriptor.ObjectName] = SecretDescriptorSlice{
ObjectAlias: descriptor.ObjectAlias,
ObjectVersionLabel: descriptor.ObjectVersionLabel,
}
if seenAliases[descriptor.ObjectAlias] {
return nil, fmt.Errorf("found duplicate object alias %s", descriptor.ObjectAlias)
}
// Add the object alias to the seenAliases map for use in JMES path validation below
if descriptor.ObjectAlias != "" {
seenAliases[descriptor.ObjectAlias] = true
}
if len(descriptor.JMESPath) == 0 { //jmesPath not used. No more checks
continue
}
for _, jmesPathEntry := range descriptor.JMESPath {
if seenAliases[jmesPathEntry.ObjectAlias] {
return nil, fmt.Errorf("Name already in use for objectAlias: found duplicate object alias %s in JMES path entry %s", jmesPathEntry.ObjectAlias, jmesPathEntry.Path)
}
seenAliases[jmesPathEntry.ObjectAlias] = true
}
}
return groups, nil
}