Create protocol for specifying secrets' project and versions

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/GcpSecretManagerBootstrapConfiguration.java

@@ -98,9 +98,8 @@ public SecretManagerServiceClient secretManagerClient() throws IOException {
 
 	@Bean
 	public PropertySourceLocator secretManagerPropertySourceLocator(SecretManagerServiceClient client) {
-		SecretManagerPropertySourceLocator propertySourceLocator = new SecretManagerPropertySourceLocator(
-				client, this.gcpProjectIdProvider, this.properties.getSecretNamePrefix());
-		propertySourceLocator.setVersions(this.properties.getVersions());
+		SecretManagerPropertySourceLocator propertySourceLocator =
+				new SecretManagerPropertySourceLocator(client, this.gcpProjectIdProvider);
 		return propertySourceLocator;
 	}
 }

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/GcpSecretManagerProperties.java

@@ -16,9 +16,6 @@
 
 package org.springframework.cloud.gcp.autoconfigure.secretmanager;
 
-import java.util.HashMap;
-import java.util.Map;
-
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.NestedConfigurationProperty;
 import org.springframework.cloud.gcp.core.Credentials;
@@ -39,17 +36,6 @@ public class GcpSecretManagerProperties implements CredentialsSupplier {
 	 */
 	private String projectId;
 
-	/**
-	 * Defines a prefix String that will be prepended to the environment property names
-	 * of secrets in Secret Manager.
-	 */
-	private String secretNamePrefix = "";
-
-	/**
-	 * Defines versions for specific secret-ids.
-	 */
-	private Map<String, String> versions = new HashMap<>();
-
 	public Credentials getCredentials() {
 		return credentials;
 	}
@@ -61,20 +47,4 @@ public String getProjectId() {
 	public void setProjectId(String projectId) {
 		this.projectId = projectId;
 	}
-
-	public String getSecretNamePrefix() {
-		return secretNamePrefix;
-	}
-
-	public void setSecretNamePrefix(String secretNamePrefix) {
-		this.secretNamePrefix = secretNamePrefix;
-	}
-
-	public Map<String, String> getVersions() {
-		return versions;
-	}
-
-	public void setVersions(Map<String, String> versions) {
-		this.versions = versions;
-	}
 }

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/SecretManagerPropertySource.java

@@ -16,117 +16,119 @@
 
 package org.springframework.cloud.gcp.autoconfigure.secretmanager;
 
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
+import com.google.api.gax.rpc.NotFoundException;
 import com.google.cloud.secretmanager.v1beta1.AccessSecretVersionResponse;
-import com.google.cloud.secretmanager.v1beta1.ProjectName;
-import com.google.cloud.secretmanager.v1beta1.Secret;
 import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient;
-import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient.ListSecretsPagedResponse;
 import com.google.cloud.secretmanager.v1beta1.SecretVersionName;
 import com.google.protobuf.ByteString;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 
 import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
 import org.springframework.core.env.EnumerablePropertySource;
 
 /**
- * Retrieves secrets from GCP Secret Manager under the current GCP project.
+ * A property source for Secret Manager which accesses the Secret Manager APIs when {@link #getProperty} is called.
  *
  * @author Daniel Zou
  * @author Eddú Meléndez
  * @since 1.2.2
  */
 public class SecretManagerPropertySource extends EnumerablePropertySource<SecretManagerServiceClient> {
 
-	private static final Log LOGGER = LogFactory.getLog(SecretManagerPropertySource.class);
-
-	private static final String LATEST_VERSION_STRING = "latest";
-
-	private final Map<String, Object> properties;
+	private static final String GCP_SECRET_PREFIX = "gcp-secret/";
 
-	private final String[] propertyNames;
+	private final GcpProjectIdProvider projectIdProvider;
 
 	public SecretManagerPropertySource(
 			String propertySourceName,
 			SecretManagerServiceClient client,
-			GcpProjectIdProvider projectIdProvider,
-			String secretsPrefix) {
-		this(propertySourceName, client, projectIdProvider, secretsPrefix, Collections.EMPTY_MAP);
-	}
-
-	public SecretManagerPropertySource(
-			String propertySourceName,
-			SecretManagerServiceClient client,
-			GcpProjectIdProvider projectIdProvider,
-			String secretsPrefix,
-			Map<String, String> versions) {
+			GcpProjectIdProvider projectIdProvider) {
 		super(propertySourceName, client);
 
-		Map<String, Object> propertiesMap = createSecretsPropertiesMap(
-				client, projectIdProvider.getProjectId(), secretsPrefix, versions);
+		this.projectIdProvider = projectIdProvider;
+	}
 
-		this.properties = propertiesMap;
-		this.propertyNames = propertiesMap.keySet().toArray(new String[propertiesMap.size()]);
+	@Override
+	public Object getProperty(String name) {
+		SecretVersionName secretIdentifier = parseFromProperty(name, this.projectIdProvider);
+
+		if (secretIdentifier != null) {
+			return getSecretPayload(secretIdentifier);
+		}
+		else {
+			return null;
+		}
 	}
 
+	/**
+	 * The {@link SecretManagerPropertySource} is not enumerable, so this always returns an empty array.
+	 * @return the empty array.
+	 */
 	@Override
 	public String[] getPropertyNames() {
-		return propertyNames;
+		return new String[0];
 	}
 
-	@Override
-	public Object getProperty(String name) {
-		return properties.get(name);
+	private ByteString getSecretPayload(SecretVersionName secretIdentifier) {
+		try {
+			AccessSecretVersionResponse response = getSource().accessSecretVersion(secretIdentifier);
+			return response.getPayload().getData();
+		}
+		catch (NotFoundException e) {
+			return null;
+		}
 	}
 
-	private static Map<String, Object> createSecretsPropertiesMap(
-			SecretManagerServiceClient client, String projectId, String secretsPrefix, Map<String, String> versions) {
-
-		ListSecretsPagedResponse response = client.listSecrets(ProjectName.of(projectId));
-		Map<String, Object> secretsMap = new HashMap<>();
-		for (Secret secret : response.iterateAll()) {
-			String secretId = extractSecretId(secret);
-			ByteString secretPayload = getSecretPayload(client, projectId, secretId, versions);
-			if (secretPayload != null) {
-				secretsMap.put(secretsPrefix + secretId, secretPayload);
-			}
+	static SecretVersionName parseFromProperty(String property, GcpProjectIdProvider projectIdProvider) {
+		if (!property.startsWith(GCP_SECRET_PREFIX)) {
+			return null;
 		}
 
-		return secretsMap;
-	}
+		String resourcePath = property.substring(GCP_SECRET_PREFIX.length());
+		String[] tokens = resourcePath.split("/");
 
-	private static ByteString getSecretPayload(
-			SecretManagerServiceClient client,
-			String projectId,
-			String secretId,
-			Map<String, String> versions) {
+		String projectId = projectIdProvider.getProjectId();
+		String secretId = null;
+		String version = "latest";
 
-		String version = versions.containsKey(secretId) ? versions.get(secretId) : LATEST_VERSION_STRING;
+		if (tokens.length == 1) {
+			// property is form "gcp-secret/<secret-id>"
+			secretId = tokens[0];
+		}
+		else if (tokens.length == 2) {
+			// property is form "gcp-secret/<secret-id>/<version>"
+			secretId = tokens[0];
+			version = tokens[1];
+		}
+		else if (tokens.length == 3) {
+			// property is form "gcp-secret/<project-id>/<secret-id>/<version-id>"
+			projectId = tokens[0];
+			secretId = tokens[1];
+			version = tokens[2];
+		}
+		else if (tokens.length == 4
+				&& tokens[0].equals("projects")
+				&& tokens[2].equals("secrets")) {
+			// property is form "gcp-secret/projects/<project-id>/secrets/<secret-id>"
+			projectId = tokens[1];
+			secretId = tokens[3];
+		}
+		else if (tokens.length == 6
+				&& tokens[0].equals("projects")
+				&& tokens[2].equals("secrets")
+				&& tokens[4].equals("versions")) {
+			// property is form "gcp-secret/projects/<project-id>/secrets/<secret-id>/versions/<version>"
+			projectId = tokens[1];
+			secretId = tokens[3];
+			version = tokens[5];
+		}
+		else {
+			return null;
+		}
 
-		SecretVersionName secretVersionName = SecretVersionName.newBuilder()
+		return SecretVersionName.newBuilder()
 				.setProject(projectId)
 				.setSecret(secretId)
 				.setSecretVersion(version)
 				.build();
-
-		AccessSecretVersionResponse response = client.accessSecretVersion(secretVersionName);
-		return response.getPayload().getData();
-	}
-
-	/**
-	 * Extracts the Secret ID from the {@link Secret}. The secret ID refers to the unique ID
-	 * given to the secret when it is saved under a GCP project.
-	 *
-	 * <p>
-	 * The secret ID is extracted from the full secret name of the form:
-	 * projects/${PROJECT_ID}/secrets/${SECRET_ID}
-	 */
-	private static String extractSecretId(Secret secret) {
-		String[] secretNameTokens = secret.getName().split("/");
-		return secretNameTokens[secretNameTokens.length - 1];
 	}
 }

spring-cloud-gcp-autoconfigure/src/main/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/SecretManagerPropertySourceLocator.java

@@ -16,8 +16,6 @@
 
 package org.springframework.cloud.gcp.autoconfigure.secretmanager;
 
-import java.util.Map;
-
 import com.google.cloud.secretmanager.v1beta1.SecretManagerServiceClient;
 
 import org.springframework.cloud.bootstrap.config.PropertySourceLocator;
@@ -41,30 +39,18 @@ public class SecretManagerPropertySourceLocator implements PropertySourceLocator
 
 	private final GcpProjectIdProvider projectIdProvider;
 
-	private final String secretsPrefix;
-
-	private Map<String, String> versions;
-
 	SecretManagerPropertySourceLocator(
 			SecretManagerServiceClient client,
-			GcpProjectIdProvider projectIdProvider,
-			String secretsPrefix) {
+			GcpProjectIdProvider projectIdProvider) {
 		this.client = client;
 		this.projectIdProvider = projectIdProvider;
-		this.secretsPrefix = secretsPrefix;
-	}
-
-	public void setVersions(Map<String, String> versions) {
-		this.versions = versions;
 	}
 
 	@Override
 	public PropertySource<?> locate(Environment environment) {
 		return new SecretManagerPropertySource(
 				SECRET_MANAGER_NAME,
 				this.client,
-				this.projectIdProvider,
-				this.secretsPrefix,
-				this.versions);
+				this.projectIdProvider);
 	}
 }

spring-cloud-gcp-autoconfigure/src/test/java/org/springframework/cloud/gcp/autoconfigure/secretmanager/SecretPropertySourceTests.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.gcp.autoconfigure.secretmanager;
+
+import com.google.cloud.secretmanager.v1beta1.SecretVersionName;
+import org.junit.Test;
+
+import org.springframework.cloud.gcp.core.GcpProjectIdProvider;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class SecretPropertySourceTests {
+
+	private static final GcpProjectIdProvider DEFAULT_PROJECT_ID_PROVIDER = () -> "defaultProject";
+
+	@Test
+	public void testNonSecret() {
+		String property = "spring.cloud.datasource";
+		SecretVersionName secretIdentifier =
+				SecretManagerPropertySource.parseFromProperty(property, DEFAULT_PROJECT_ID_PROVIDER);
+
+		assertThat(secretIdentifier).isNull();
+	}
+
+	@Test
+	public void testShortProperty_secretId() {
+		String property = "gcp-secret/the-secret";
+		SecretVersionName secretIdentifier =
+				SecretManagerPropertySource.parseFromProperty(property, DEFAULT_PROJECT_ID_PROVIDER);
+
+		assertThat(secretIdentifier.getProject()).isEqualTo("defaultProject");
+		assertThat(secretIdentifier.getSecret()).isEqualTo("the-secret");
+		assertThat(secretIdentifier.getSecretVersion()).isEqualTo("latest");
+	}
+
+	@Test
+	public void testShortProperty_projectSecretId() {
+		String property = "gcp-secret/the-secret/the-version";
+		SecretVersionName secretIdentifier =
+				SecretManagerPropertySource.parseFromProperty(property, DEFAULT_PROJECT_ID_PROVIDER);
+
+		assertThat(secretIdentifier.getProject()).isEqualTo("defaultProject");
+		assertThat(secretIdentifier.getSecret()).isEqualTo("the-secret");
+		assertThat(secretIdentifier.getSecretVersion()).isEqualTo("the-version");
+	}
+
+	@Test
+	public void testShortProperty_projectSecretIdVersion() {
+		String property = "gcp-secret/my-project/the-secret/2";
+		SecretVersionName secretIdentifier =
+				SecretManagerPropertySource.parseFromProperty(property, DEFAULT_PROJECT_ID_PROVIDER);
+
+		assertThat(secretIdentifier.getProject()).isEqualTo("my-project");
+		assertThat(secretIdentifier.getSecret()).isEqualTo("the-secret");
+		assertThat(secretIdentifier.getSecretVersion()).isEqualTo("2");
+	}
+
+	@Test
+	public void testLongProperty_projectSecret() {
+		String property = "gcp-secret/projects/my-project/secrets/the-secret";
+		SecretVersionName secretIdentifier =
+				SecretManagerPropertySource.parseFromProperty(property, DEFAULT_PROJECT_ID_PROVIDER);
+
+		assertThat(secretIdentifier.getProject()).isEqualTo("my-project");
+		assertThat(secretIdentifier.getSecret()).isEqualTo("the-secret");
+		assertThat(secretIdentifier.getSecretVersion()).isEqualTo("latest");
+	}
+
+	@Test
+	public void testLongProperty_projectSecretVersion() {
+		String property = "gcp-secret/projects/my-project/secrets/the-secret/versions/3";
+		SecretVersionName secretIdentifier =
+				SecretManagerPropertySource.parseFromProperty(property, DEFAULT_PROJECT_ID_PROVIDER);
+
+		assertThat(secretIdentifier.getProject()).isEqualTo("my-project");
+		assertThat(secretIdentifier.getSecret()).isEqualTo("the-secret");
+		assertThat(secretIdentifier.getSecretVersion()).isEqualTo("3");
+	}
+}