Add initial secret manager property source implementation

spring-cloud-gcp-autoconfigure/pom.xml

@@ -238,6 +238,13 @@
             <optional>true</optional>
         </dependency>
 
+        <!-- Secret Manager -->
+        <dependency>
+            <groupId>com.google.cloud</groupId>
+            <artifactId>google-cloud-secretmanager</artifactId>
+            <optional>true</optional>
+        </dependency>
+
         <!-- Config -->
         <dependency>
             <groupId>org.springframework.cloud</groupId>

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/GcpSecretManagerBootstrapConfiguration.java

@@ -0,0 +1,103 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.secretmanager;
+
+import java.io.IOException;
+
+import com.google.api.gax.core.CredentialsProvider;
+import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceSettings;
+import com.google.protobuf.ByteString;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.cloud.bootstrap.config.PropertySourceLocator;
+import org.springframework.cloud.gcp.core.DefaultCredentialsProvider;
+import org.springframework.cloud.gcp.core.DefaultGcpProjectIdProvider;
+import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
+import org.springframework.cloud.gcp.core.UserAgentHeaderProvider;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.core.env.ConfigurableEnvironment;
+
+/**
+ * Bootstrap Autoconfiguration for GCP Secret Manager which enables loading secrets as
+ * properties into the application {@link org.springframework.core.env.Environment}.
+ *
+ * @author Daniel Zou
+ * @since 1.3
+ */
+@Configuration
+@EnableConfigurationProperties(GcpSecretManagerProperties.class)
+@ConditionalOnClass(SecretManagerServiceClient.class)
+@ConditionalOnProperty(value = "spring.cloud.gcp.secretmanager.enabled", matchIfMissing = true)
+public class GcpSecretManagerBootstrapConfiguration {
+
+	private final GcpSecretManagerProperties properties;
+
+	private final CredentialsProvider credentialsProvider;
+
+	private final GcpProjectIdProvider gcpProjectIdProvider;
+
+	public GcpSecretManagerBootstrapConfiguration(
+			GcpSecretManagerProperties properties,
+			ConfigurableEnvironment configurableEnvironment) throws IOException {
+
+		this.properties = properties;
+		this.credentialsProvider = new DefaultCredentialsProvider(properties);
+		this.gcpProjectIdProvider = properties.getProjectId() != null
+				? properties::getProjectId
+				: new DefaultGcpProjectIdProvider();
+
+		// Registers {@link ByteString} type converters to convert to String and byte[].
+		configurableEnvironment.getConversionService().addConverter(
+				new Converter<ByteString, String>() {
+					@Override
+					public String convert(ByteString source) {
+						return source.toStringUtf8();
+					}
+				});
+
+		configurableEnvironment.getConversionService().addConverter(
+				new Converter<ByteString, byte[]>() {
+					@Override
+					public byte[] convert(ByteString source) {
+						return source.toByteArray();
+					}
+				});
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public SecretManagerServiceClient secretManagerClient() throws IOException {
+		SecretManagerServiceSettings settings = SecretManagerServiceSettings.newBuilder()
+				.setCredentialsProvider(this.credentialsProvider)
+				.setHeaderProvider(new UserAgentHeaderProvider(GcpSecretManagerBootstrapConfiguration.class))
+				.build();
+
+		return SecretManagerServiceClient.create(settings);
+	}
+
+	@Bean
+	public PropertySourceLocator secretManagerPropertySourceLocator(SecretManagerServiceClient client) {
+		return new SecretManagerPropertySourceLocator(
+				client, this.gcpProjectIdProvider, this.properties.getSecretPropertyNamespace());
+	}
+}

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/GcpSecretManagerProperties.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.secretmanager;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.NestedConfigurationProperty;
+import org.springframework.cloud.gcp.core.Credentials;
+import org.springframework.cloud.gcp.core.CredentialsSupplier;
+import org.springframework.cloud.gcp.core.GcpScope;
+
+@ConfigurationProperties("spring.cloud.gcp.secretmanager")
+public class GcpSecretManagerProperties implements CredentialsSupplier {
+
+	/**
+	 * Overrides the GCP OAuth2 credentials specified in the Core module.
+	 */
+	@NestedConfigurationProperty
+	private final Credentials credentials = new Credentials(GcpScope.CLOUD_PLATFORM.getUrl());
+
+	/**
+	 * Overrides the GCP Project ID specified in the Core module.
+	 */
+	private String projectId;
+
+	/**
+	 * Defines a prefix String that will be prepended to the environment property names
+	 * of secrets in Secret Manager.
+	 */
+	private String secretPropertyNamespace = "";
+
+	public Credentials getCredentials() {
+		return credentials;
+	}
+
+	public String getProjectId() {
+		return projectId;
+	}
+
+	public void setProjectId(String projectId) {
+		this.projectId = projectId;
+	}
+
+	public String getSecretPropertyNamespace() {
+		return secretPropertyNamespace;
+	}
+
+	public void setSecretPropertyNamespace(String secretPropertyNamespace) {
+		this.secretPropertyNamespace = secretPropertyNamespace;
+	}
+}

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/SecretManagerPropertySource.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.secretmanager;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import com.google.cloud.secretmanager.v1beta1.AccessSecretVersionResponse;
+import com.google.cloud.secretmanager.v1beta1.ProjectName;
+import com.google.cloud.secretmanager.v1beta1.Secret;
+import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient.ListSecretsPagedResponse;
+import com.google.cloud.secretmanager.v1beta1.SecretVersionName;
+import com.google.protobuf.ByteString;
+
+import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
+import org.springframework.core.env.EnumerablePropertySource;
+
+/**
+ * Retrieves secrets from GCP Secret Manager under the current GCP project.
+ *
+ * @author Daniel Zou
+ * @since 1.3
+ */
+public class SecretManagerPropertySource extends EnumerablePropertySource<SecretManagerServiceClient> {
+
+	private static final String LATEST_VERSION_STRING = "latest";
+
+	private final Map<String, Object> properties;
+
+	private final String[] propertyNames;
+
+	public SecretManagerPropertySource(
+			String propertySourceName,
+			SecretManagerServiceClient client,
+			GcpProjectIdProvider projectIdProvider,
+			String secretsNamespace) {
+
+		super(propertySourceName, client);
+
+		Map<String, Object> propertiesMap = createSecretsPropertiesMap(
+				client, projectIdProvider.getProjectId(), secretsNamespace);
+
+		this.properties = propertiesMap;
+		this.propertyNames = propertiesMap.keySet().toArray(new String[propertiesMap.size()]);
+	}
+
+	@Override
+	public String[] getPropertyNames() {
+		return propertyNames;
+	}
+
+	@Override
+	public Object getProperty(String name) {
+		return properties.get(name);
+	}
+
+	private static Map<String, Object> createSecretsPropertiesMap(
+			SecretManagerServiceClient client, String projectId, String secretsNamespace) {
+
+		ListSecretsPagedResponse response = client.listSecrets(ProjectName.of(projectId));
+
+		HashMap<String, Object> secretsMap = new HashMap<>();
+		for (Secret secret : response.iterateAll()) {
+			String secretId = extractSecretId(secret);
+			ByteString secretPayload = getSecretPayload(client, projectId, secretId);
+			secretsMap.put(secretsNamespace + secretId, secretPayload);
+		}
+
+		return secretsMap;
+	}
+
+	private static ByteString getSecretPayload(
+			SecretManagerServiceClient client, String projectId, String secretId) {
+
+		SecretVersionName secretVersionName = SecretVersionName.newBuilder()
+				.setProject(projectId)
+				.setSecret(secretId)
+				.setSecretVersion(LATEST_VERSION_STRING)
+				.build();
+
+		AccessSecretVersionResponse response = client.accessSecretVersion(secretVersionName);
+		return response.getPayload().getData();
+	}
+
+	/**
+	 * Extracts the Secret ID from the {@link Secret}. The secret ID refers to the unique ID
+	 * given to the secret when it is saved under a GCP project.
+	 *
+	 * <p>
+	 * The secret ID is extracted from the full secret name of the form:
+	 * projects/${PROJECT_ID}/secrets/${SECRET_ID}
+	 */
+	private static String extractSecretId(Secret secret) {
+		String[] secretNameTokens = secret.getName().split("/");
+		return secretNameTokens[secretNameTokens.length - 1];
+	}
+}

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/SecretManagerPropertySourceLocator.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.secretmanager;
+
+import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient;
+
+import org.springframework.cloud.bootstrap.config.PropertySourceLocator;
+import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
+import org.springframework.core.env.Environment;
+import org.springframework.core.env.PropertySource;
+
+/**
+ * Implementation of {@link PropertySourceLocator} which provides GCP Secret Manager as a
+ * property source.
+ *
+ * @author Daniel Zou
+ * @since 1.3
+ */
+public class SecretManagerPropertySourceLocator implements PropertySourceLocator {
+
+	private static final String SECRET_MANAGER_NAME = "spring-cloud-gcp-secret-manager";
+
+	private final SecretManagerServiceClient client;
+
+	private final GcpProjectIdProvider projectIdProvider;
+
+	private final String secretsNamespace;
+
+	SecretManagerPropertySourceLocator(
+			SecretManagerServiceClient client,
+			GcpProjectIdProvider projectIdProvider,
+			String secretsNamespace) {
+		this.client = client;
+		this.projectIdProvider = projectIdProvider;
+		this.secretsNamespace = secretsNamespace;
+	}
+
+	@Override
+	public PropertySource<?> locate(Environment environment) {
+		return new SecretManagerPropertySource(
+				SECRET_MANAGER_NAME,
+				this.client,
+				this.projectIdProvider,
+				this.secretsNamespace);
+	}
+}

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/package-info.java

@@ -0,0 +1,4 @@
+/**
+ * Auto-configuration for Spring Cloud GCP Secret Manager module.
+ */
+package org.springframework.cloud.gcp.autoconfigure.secretmanager;

spring-cloud-gcp-autoconfigure/src/main/resources/META-INF/spring.factories

@@ -21,4 +21,5 @@ org.springframework.cloud.gcp.autoconfigure.datastore.DatastoreTransactionManage
 org.springframework.cloud.gcp.autoconfigure.firestore.FirestoreRepositoriesAutoConfiguration
 
 org.springframework.cloud.bootstrap.BootstrapConfiguration=\
-org.springframework.cloud.gcp.autoconfigure.config.GcpConfigBootstrapConfiguration
+org.springframework.cloud.gcp.autoconfigure.config.GcpConfigBootstrapConfiguration,\
+org.springframework.cloud.gcp.autoconfigure.secretmanager.GcpSecretManagerBootstrapConfiguration