1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

use std::collections::{HashMap, HashSet};

use bytes::BytesMut;
use futures::executor;
use futures_util::StreamExt;
use serde::{Deserialize, Serialize};
use tokio::{io::AsyncWriteExt, process::Command, time};
use tokio_util::codec;
use vector_lib::configurable::{component::GenerateConfig, configurable_component};

use crate::{config::SecretBackend, signal};

/// Configuration for the `exec` secrets backend.
#[configurable_component(secrets("exec"))]
#[derive(Clone, Debug)]
pub struct ExecBackend {
    /// Command arguments to execute.
    ///
    /// The path to the script or binary must be the first argument.
    pub command: Vec<String>,

    /// The timeout, in seconds, to wait for the command to complete.
    #[serde(default = "default_timeout_secs")]
    pub timeout: u64,
}

impl GenerateConfig for ExecBackend {
    fn generate_config() -> toml::Value {
        toml::Value::try_from(ExecBackend {
            command: vec![String::from("/path/to/script")],
            timeout: 5,
        })
        .unwrap()
    }
}

const fn default_timeout_secs() -> u64 {
    5
}

#[derive(Clone, Debug, Deserialize, Serialize)]
struct ExecQuery {
    version: String,
    secrets: HashSet<String>,
}

fn new_query(secrets: HashSet<String>) -> ExecQuery {
    ExecQuery {
        version: "1.0".to_string(),
        secrets,
    }
}

#[derive(Clone, Debug, Deserialize, Serialize)]
struct ExecResponse {
    value: Option<String>,
    error: Option<String>,
}

impl SecretBackend for ExecBackend {
    async fn retrieve(
        &mut self,
        secret_keys: HashSet<String>,
        signal_rx: &mut signal::SignalRx,
    ) -> crate::Result<HashMap<String, String>> {
        let mut output = executor::block_on(async {
            query_backend(
                &self.command,
                new_query(secret_keys.clone()),
                self.timeout,
                signal_rx,
            )
            .await
        })?;
        let mut secrets = HashMap::new();
        for k in secret_keys.into_iter() {
            if let Some(secret) = output.get_mut(&k) {
                if let Some(e) = &secret.error {
                    return Err(format!("secret for key '{}' was not retrieved: {}", k, e).into());
                }
                if let Some(v) = secret.value.take() {
                    if v.is_empty() {
                        return Err(format!("secret for key '{}' was empty", k).into());
                    }
                    secrets.insert(k.to_string(), v);
                } else {
                    return Err(format!("secret for key '{}' was empty", k).into());
                }
            } else {
                return Err(format!("secret for key '{}' was not retrieved", k).into());
            }
        }
        Ok(secrets)
    }
}

async fn query_backend(
    cmd: &[String],
    query: ExecQuery,
    timeout: u64,
    signal_rx: &mut signal::SignalRx,
) -> crate::Result<HashMap<String, ExecResponse>> {
    let command = &cmd[0];
    let mut command = Command::new(command);

    if cmd.len() > 1 {
        command.args(&cmd[1..]);
    };

    command.kill_on_drop(true);
    command.stderr(std::process::Stdio::piped());
    command.stdin(std::process::Stdio::piped());
    command.stdout(std::process::Stdio::piped());

    let mut child = command.spawn()?;
    let mut stdin = child.stdin.take().ok_or("unable to acquire stdin")?;
    let mut stderr_stream = child
        .stderr
        .map(|s| codec::FramedRead::new(s, codec::LinesCodec::new()))
        .take()
        .ok_or("unable to acquire stderr")?;
    let mut stdout_stream = child
        .stdout
        .map(|s| codec::FramedRead::new(s, codec::BytesCodec::new()))
        .take()
        .ok_or("unable to acquire stdout")?;

    let query = serde_json::to_vec(&query)?;
    tokio::spawn(async move { stdin.write_all(&query).await });

    let timeout = time::sleep(time::Duration::from_secs(timeout));
    tokio::pin!(timeout);
    let mut output = BytesMut::new();
    loop {
        tokio::select! {
            biased;
            Ok(signal::SignalTo::Shutdown(_) | signal::SignalTo::Quit) = signal_rx.recv() => {
                drop(command);
                return Err("Secret retrieval was interrupted.".into());
            }
            Some(stderr) = stderr_stream.next() => {
                match stderr {
                    Ok(l) => warn!("An exec backend generated message on stderr: {}.", l),
                    Err(e) => warn!("Error while reading from an exec backend stderr: {}.", e),
                }
            }
            stdout = stdout_stream.next() => {
                match stdout {
                    None => break,
                    Some(Ok(b)) => output.extend(b),
                    Some(Err(e)) => return Err(format!("Error while reading from an exec backend stdout: {}.", e).into()),
                }
            }
            _ = &mut timeout => {
                drop(command);
                return Err("Command timed-out".into());
            }
        }
    }

    let response = serde_json::from_slice::<HashMap<String, ExecResponse>>(&output)?;
    Ok(response)
}