1
package vault
2

3
import (
4
	"context"
5
	"fmt"
6
	"strings"
7

8
	vault "github.com/hashicorp/vault/api"
9
)
10

11
// secretStore abstracts away the details for how a secret is retrieved from a
12
// vault.Client.
13
type secretStore interface {
14
	Read(ctx context.Context, args *Arguments) (*vault.Secret, error)
15
}
16

17
// TODO(rfratto): support logical stores.
18

19
type kvStore struct{ c *vault.Client }
20

21
func (ks *kvStore) Read(ctx context.Context, args *Arguments) (*vault.Secret, error) {
22
	// Split the path so we know which kv mount we want to use.
23
	pathParts := strings.SplitN(args.Path, "/", 2)
24
	if len(pathParts) != 2 {
25
		return nil, fmt.Errorf("missing mount path in %q", args.Path)
26
	}
27

28
	kv := ks.c.KVv2(pathParts[0])
29
	kvSecret, err := kv.Get(ctx, pathParts[1])
30
	if err != nil {
31
		return nil, err
32
	}
33

34
	// kvSecret.Data contains unwrapped data. Let's assign that to the raw secret
35
	// and return it. This is a bit of a hack, but should work just fine.
36
	kvSecret.Raw.Data = kvSecret.Data
37
	return kvSecret.Raw, nil
38
}
39

40