Update format of secret to return both raw and decoded when possible (#…

…1372)

internal/api/genapi/input.go

@@ -560,15 +560,19 @@ var inputStructs = []*structInfo{
 		outFile: "targets/credential_library.gen.go",
 	},
 	{
-		inProto: &targets.SessionCredential{},
-		outFile: "targets/session_credential.gen.go",
+		inProto: &targets.SessionSecret{},
+		outFile: "targets/session_secret.gen.go",
 		fieldOverrides: []fieldInfo{
 			{
-				Name:      "Secret",
+				Name:      "Raw",
 				FieldType: "json.RawMessage",
 			},
 		},
 	},
+	{
+		inProto: &targets.SessionCredential{},
+		outFile: "targets/session_credential.gen.go",
+	},
 	{
 		inProto:     &targets.SessionAuthorization{},
 		outFile:     "targets/session_authorization.gen.go",

internal/cmd/base/format.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/hashicorp/boundary/api"
 	"github.com/hashicorp/boundary/api/scopes"
-	"github.com/hashicorp/boundary/api/targets"
 	"github.com/mitchellh/cli"
 	"github.com/mitchellh/go-wordwrap"
 	"github.com/pkg/errors"
@@ -258,13 +257,11 @@ func (c *Command) PrintJsonItem(result api.GenericResult, opt ...Option) bool {
 func (c *Command) PrintJson(input json.RawMessage, opt ...Option) bool {
 	opts := getOpts(opt...)
 	output := struct {
-		StatusCode         int                          `json:"status_code,omitempty"`
-		DecodedCredentials []*targets.SessionCredential `json:"decoded_credentials,omitempty"`
-		Item               json.RawMessage              `json:"item,omitempty"`
+		StatusCode int             `json:"status_code,omitempty"`
+		Item       json.RawMessage `json:"item,omitempty"`
 	}{
-		StatusCode:         opts.withStatusCode,
-		DecodedCredentials: opts.withDecodedCredentials,
-		Item:               input,
+		StatusCode: opts.withStatusCode,
+		Item:       input,
 	}
 	b, err := JsonFormatter{}.Format(output)
 	if err != nil {

internal/cmd/base/option.go

@@ -1,7 +1,5 @@
 package base
 
-import "github.com/hashicorp/boundary/api/targets"
-
 // getOpts - iterate the inbound Options and return a struct.
 func getOpts(opt ...Option) Options {
 	opts := getDefaultOptions()
@@ -28,7 +26,6 @@ type Options struct {
 	withDialect                    string
 	withAttributeFieldPrefix       string
 	withStatusCode                 int
-	withDecodedCredentials         []*targets.SessionCredential
 }
 
 func getDefaultOptions() Options {
@@ -131,10 +128,3 @@ func WithStatusCode(statusCode int) Option {
 		o.withStatusCode = statusCode
 	}
 }
-
-// WithDecodedCredentials allows passing decoded credentials
-func WithDecodedCredentials(creds []*targets.SessionCredential) Option {
-	return func(o *Options) {
-		o.withDecodedCredentials = creds
-	}
-}

internal/cmd/commands/connect/connect.go

@@ -5,7 +5,6 @@ import (
 	"crypto/ed25519"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -397,34 +396,6 @@ func (c *Command) Run(args []string) (retCode int) {
 		authzString = c.sessionAuthz.AuthorizationToken
 	}
 
-	if c.sessionAuthz != nil {
-		for _, cred := range c.sessionAuthz.Credentials {
-			// Since connect commands are helpers and are not meant as a direct CLI
-			// representation of the REST API, we can modify the credentials to be
-			// useful as a helper instead of trying to keep it as a faithful
-			// representation of what the api returns.
-			if len(cred.Secret) == 0 {
-				continue
-			}
-			switch cred.CredentialLibrary.Type {
-			case "vault":
-				// If it's Vault, the result will be JSON, except in specific
-				// circumstances that aren't used for credential fetching. So we
-				// can take the bytes as-is (after base64-decoding), but we'll
-				// format it nicely.
-				in, err := base64.StdEncoding.DecodeString(strings.Trim(string(cred.Secret), `"`))
-				if err != nil {
-					c.PrintCliError(fmt.Errorf("Error decoding secret as base64: %w", err))
-					return base.CommandCliError
-				}
-				// Now that it's decoded, pop it back in the same place as marshaled JSON
-				cred.Secret = in
-			default:
-				// If it's not Vault, and not another known type, leave it alone.
-			}
-		}
-	}
-
 	marshaled, err := base58.FastBase58Decoding(authzString)
 	if err != nil {
 		c.PrintCliError(fmt.Errorf("Unable to base58-decode authorization data: %w", err))

internal/cmd/commands/connect/funcs.go

@@ -2,6 +2,7 @@ package connect
 
 import (
 	"bytes"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -72,11 +73,15 @@ func generateCredentialTableOutputSlice(prefixIndent int, creds []*targets.Sessi
 
 func fmtSecretForTable(indent int, sc *targets.SessionCredential) []string {
 	prefixStr := strings.Repeat(" ", indent)
-	origSecret := []string{fmt.Sprintf("%s    %s", prefixStr, sc.Secret)}
+	origSecret := []string{fmt.Sprintf("%s    %s", prefixStr, sc.Secret.Raw)}
 	switch sc.CredentialLibrary.Type {
 	case "vault":
+		in, err := base64.StdEncoding.DecodeString(strings.Trim(string(sc.Secret.Raw), `"`))
+		if err != nil {
+			return origSecret
+		}
 		dst := new(bytes.Buffer)
-		if err := json.Indent(dst, sc.Secret, fmt.Sprintf("%s    ", prefixStr), fmt.Sprintf("%s  ", prefixStr)); err != nil {
+		if err := json.Indent(dst, in, fmt.Sprintf("%s    ", prefixStr), fmt.Sprintf("%s  ", prefixStr)); err != nil {
 			return origSecret
 		}
 		secretStr := strings.Split(dst.String(), "\n")

internal/cmd/commands/connect/postgres.go

@@ -1,13 +1,13 @@
 package connect
 
 import (
-	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"strings"
 
 	"github.com/hashicorp/boundary/internal/cmd/base"
+	"github.com/mitchellh/mapstructure"
 	"github.com/posener/complete"
 )
 
@@ -53,20 +53,23 @@ func (p *postgresFlags) defaultExec() string {
 }
 
 type postgresCredentials struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
+	Username string `mapstructure:"username"`
+	Password string `mapstructure:"password"`
 }
 
 func (p *postgresFlags) buildArgs(c *Command, port, ip, addr string) (args, envs []string, retErr error) {
 	var creds postgresCredentials
 	if c.sessionAuthz != nil && len(c.sessionAuthz.Credentials) > 0 {
 		for _, cred := range c.sessionAuthz.Credentials {
+			if cred.Secret == nil || cred.Secret.Decoded == nil {
+				continue
+			}
 			// TODO: Could allow switching on library ID or name
 			switch cred.CredentialLibrary.Type {
 			case "vault":
 				// Attempt unmarshaling into creds
-				if err := json.Unmarshal(cred.Secret, &creds); err != nil {
-					return nil, nil, fmt.Errorf("Error unmarshaling Vault secret: %w", err)
+				if err := mapstructure.Decode(cred.Secret.Decoded, &creds); err != nil {
+					return nil, nil, fmt.Errorf("Error interpreting Vault secret: %w", err)
 				}
 			}
 

internal/cmd/commands/targetscmd/funcs.go

@@ -604,7 +604,7 @@ func printCustomActionOutputImpl(c *Command) (bool, error) {
 				)
 
 				for _, cred := range item.Credentials {
-					if len(cred.Secret) == 0 {
+					if cred.Secret == nil || len(cred.Secret.Raw) == 0 {
 						continue
 					}
 
@@ -629,7 +629,7 @@ func printCustomActionOutputImpl(c *Command) (bool, error) {
 						// credential fetching. So we can take the bytes
 						// as-is (after base64-decoding), but we'll format
 						// it nicely.
-						in, err := base64.StdEncoding.DecodeString(strings.Trim(string(cred.Secret), `"`))
+						in, err := base64.StdEncoding.DecodeString(strings.Trim(string(cred.Secret.Raw), `"`))
 						if err != nil {
 							return false, fmt.Errorf("Error decoding secret as base64: %w", err)
 						}
@@ -658,33 +658,7 @@ func printCustomActionOutputImpl(c *Command) (bool, error) {
 			return true, nil
 
 		case "json":
-			if len(item.Credentials) > 0 {
-				for _, cred := range item.Credentials {
-					if len(cred.Secret) == 0 {
-						continue
-					}
-
-					switch cred.CredentialLibrary.Type {
-					case "vault":
-						// If it's Vault, the result will be JSON, except in
-						// specific circumstances that aren't used for
-						// credential fetching. So we can take the bytes
-						// as-is (after base64-decoding), but we'll format
-						// it nicely.
-						in, err := base64.StdEncoding.DecodeString(strings.Trim(string(cred.Secret), `"`))
-						if err != nil {
-							return false, fmt.Errorf("Error decoding secret as base64: %w", err)
-						}
-						// Now that it's decoded, pop it back in the same place
-						// as marshaled JSON
-						cred.Secret = in
-					default:
-						// If it's not Vault, and not another known type,
-						// leave it alone.
-					}
-				}
-			}
-			if ok := c.PrintJsonItem(c.sar, base.WithDecodedCredentials(item.Credentials)); !ok {
+			if ok := c.PrintJsonItem(c.sar); !ok {
 				return false, fmt.Errorf("Error formatting as JSON")
 			}
 			return true, nil

internal/gen/controller.swagger.json

@@ -4266,13 +4266,29 @@
           "readOnly": true
         },
         "secret": {
-          "type": "string",
+          "$ref": "#/definitions/controller.api.resources.targets.v1.SessionSecret",
           "description": "Output only. The secret of this credential base64 encoded.",
           "readOnly": true
         }
       },
       "description": "A credential for a session."
     },
+    "controller.api.resources.targets.v1.SessionSecret": {
+      "type": "object",
+      "properties": {
+        "raw": {
+          "type": "string",
+          "description": "Output only. The base64-encoded value representing the raw bytes from the\ncredential provider.",
+          "readOnly": true
+        },
+        "decoded": {
+          "type": "object",
+          "description": "Output only. The decoded raw string, if a JSON object.",
+          "readOnly": true
+        }
+      },
+      "description": "The actual secret for a session credential."
+    },
     "controller.api.resources.targets.v1.Target": {
       "type": "object",
       "properties": {