From 33af2809e2074fdcda02685737ed0e160a9e676f Mon Sep 17 00:00:00 2001
From: Nghia Tran
Date: Sun, 7 Feb 2021 18:23:50 -0800
Subject: [PATCH] Add Azure Keyvault secret store (#654)

Co-authored-by: Artur Souza
---
 .github/workflows/conformance.yml             | 30 ++++++++++++++++++-
 .../azure/keyvault/azure-keyvault.yaml        | 15 ++++++++++
 tests/config/secretstores/tests.yml           |  5 +++-
 tests/conformance/common.go                   |  3 ++
 4 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 tests/config/secretstores/azure/keyvault/azure-keyvault.yaml

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index bf2849615..aa7baa8f1 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -41,6 +41,7 @@ jobs:
           - bindings.redis
           - pubsub.azure.servicebus
           - pubsub.redis
+          - secretstores.azure.keyvault
           - secretstores.localenv
           - secretstores.localfile
           - state.cosmosdb
@@ -72,6 +73,9 @@ jobs:
             required-secrets: AzureServiceBusConnectionString
           - component: bindings.azure.storagequeues
             required-secrets: AzureBlobStorageAccessKey,AzureBlobStorageAccount,AzureBlobStorageQueue
+          - component: secretstores.azure.keyvault
+            required-secrets: AzureKeyVaultSecretStoreTenantId,AzureKeyVaultSecretStoreClientId
+            required-certs: AzureKeyVaultSecretStoreCert
     steps:
       - name: Check out code onto GOPATH
         uses: actions/checkout@v2
@@ -103,6 +107,19 @@ jobs:
           echo "Ngrok's endpoint: ${NGROK_ENDPOINT}"
           echo "AzureEventGridSubscriberEndpoint=${NGROK_ENDPOINT}/api/events" >> $GITHUB_ENV
 
+      # Download the required certificates into files, and set env var pointing to their names
+      - name: Setup certs
+        if: matrix.required-certs != ''
+        run: |
+          for CERT_NAME in $(echo "${{ matrix.required-certs }}" | sed 's/,/ /g'); do
+            CERT_FILE=$(mktemp --suffix .pfx)
+            echo "Downloading cert $CERT_NAME into file $CERT_FILE"
+            rm $CERT_FILE && \
+              az keyvault secret download --vault-name $AZURE_KEYVAULT --name $CERT_NAME --encoding base64 --file $CERT_FILE
+            echo 'Setting $CERT_NAME to' "$CERT_FILE"
+            echo "$CERT_NAME=$CERT_FILE" >> $GITHUB_ENV
+          done
+
       - name: Start Redis
         uses: supercharge/redis-github-action@1.2.0
         with:
@@ -141,4 +158,15 @@ jobs:
           if grep -q "warning: no tests to run" output.log ; then
             echo "::error:: No test was found for component ${{ matrix.component }}"
             exit -1
-          fi
\ No newline at end of file
+          fi
+
+      # Download the required certificates into files, and set env var pointing to their names
+      - name: Clean up certs
+        if: matrix.required-certs != ''
+        run: |
+          for CERT_NAME in $(echo "${{ matrix.required-certs }}" | sed 's/,/ /g'); do
+            CERT_FILE=$(printenv $CERT_NAME)
+
+            echo "Cleaning up the certificate file $CERT_FILE..."
+            rm $CERT_FILE
+          done
diff --git a/tests/config/secretstores/azure/keyvault/azure-keyvault.yaml b/tests/config/secretstores/azure/keyvault/azure-keyvault.yaml
new file mode 100644
index 000000000..066af85e6
--- /dev/null
+++ b/tests/config/secretstores/azure/keyvault/azure-keyvault.yaml
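Review bot: In the Setup certs step, `rm $CERT_FILE && az keyvault secret download ... --file $CERT_FILE` throws away the file that `mktemp` created with mode 0600 and lets the CLI recreate it, so the downloaded PFX likely ends up with default-umask permissions for the rest of the job. Add `chmod 600 "$CERT_FILE"` right after the download, and quote the expansions (`"$CERT_FILE"`, `"$CERT_NAME"`) so an unexpected path cannot word-split. The line `echo 'Setting $CERT_NAME to' "$CERT_FILE"` prints the literal text `$CERT_NAME` because of the single quotes; `echo "Setting $CERT_NAME to $CERT_FILE"` is presumably what was intended. `$AZURE_KEYVAULT` is read here but not set in this hunk, so it presumably comes from job-level env defined elsewhere in the workflow.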
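Review bot: The Clean up certs step runs only when every earlier step succeeded, because its condition is just `if: matrix.required-certs != ''`; when the conformance test step exits non-zero, the downloaded PFX files stay on the runner. Change the condition to `if: always() && matrix.required-certs != ''` so the removal also happens after a failure. The leading comment was copied from the Setup step and still says the step downloads certificates; it should read `# Remove the certificate files downloaded by the Setup certs step`. `rm $CERT_FILE` should also quote its argument and not fail the job on an already-missing file: `rm -f "$CERT_FILE"`.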
@@ -0,0 +1,15 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azurekeyvault
+spec:
+  type: secretstores.azure.keyvault
+  metadata:
+  - name: vaultName
+    value: secretstore-keyvault
+  - name: spnTenantId
+    value: ${{AzureKeyVaultSecretStoreTenantId}}
+  - name: spnClientId
+    value: ${{AzureKeyVaultSecretStoreClientId}}
+  - name: spnCertificateFile
+    value : ${{AzureKeyVaultSecretStoreCert}}
diff --git a/tests/config/secretstores/tests.yml b/tests/config/secretstores/tests.yml
index 98bec7592..2dc64ae0a 100644
--- a/tests/config/secretstores/tests.yml
+++ b/tests/config/secretstores/tests.yml
@@ -3,4 +3,7 @@ components:
   - component: localenv
     operations: ["get"]
   - component: localfile
-    allOperations: true
\ No newline at end of file
+    allOperations: true
+  - component: azure.keyvault
+    allOperations: true
+
diff --git a/tests/conformance/common.go b/tests/conformance/common.go
index 39dcb8f20..af27adb5c 100644
--- a/tests/conformance/common.go
+++ b/tests/conformance/common.go
@@ -27,6 +27,7 @@ import (
 	p_servicebus "github.com/dapr/components-contrib/pubsub/azure/servicebus"
 	p_redis "github.com/dapr/components-contrib/pubsub/redis"
 	"github.com/dapr/components-contrib/secretstores"
+	ss_azure "github.com/dapr/components-contrib/secretstores/azure/keyvault"
 	ss_local_env "github.com/dapr/components-contrib/secretstores/local/env"
 	ss_local_file "github.com/dapr/components-contrib/secretstores/local/file"
 	"github.com/dapr/components-contrib/state"
@@ -274,6 +275,8 @@ func loadSecretStore(tc TestComponent) secretstores.SecretStore {
 		store = ss_local_file.NewLocalSecretStore(testLogger)
 	case "localenv":
 		store = ss_local_env.NewEnvSecretStore(testLogger)
+	case "azure.keyvault":
+		store = ss_azure.NewAzureKeyvaultSecretStore(testLogger)
 	default:
 		return nil
 	}
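Review bot: The last metadata entry is written `value : ${{AzureKeyVaultSecretStoreCert}}` with a space before the colon, unlike the three `value:` keys above it; YAML still reads the key as `value`, but the inconsistency is easy to copy forward, so write `value: ${{AzureKeyVaultSecretStoreCert}}`. The vault name `secretstore-keyvault` is a fixed literal while the tenant id, client id and certificate path come from `${{...}}` placeholders; if this is intentionally a dedicated test vault, a one-line comment above `vaultName` saying so would spare the next reader from wondering whether it too should be injected.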
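Review bot: The new import alias `ss_azure` names only the cloud, while the package it imports is `secretstores/azure/keyvault` and the sibling aliases (`ss_local_env`, `ss_local_file`, `p_servicebus`) name the concrete store; `ss_azure_keyvault` would follow that pattern and leave room for other Azure secret stores later. In the second hunk the new `case "azure.keyvault":` label must stay byte-identical to the `component: azure.keyvault` entry added to tests/config/secretstores/tests.yml in the same patch, which it does; a short comment on the case, such as `// label matches the component name in tests/config/secretstores/tests.yml`, would make that coupling explicit. `loadSecretStore` begins before the hunk and its remaining body follows after the closing brace shown.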