Home - Kilemonn/Secrets-Validator GitHub Wiki

Application Overview

The Secrets-Validator is a command-line application which can be used to validate secret formats across different secret storage platforms/mechanisms.

It allows reporting on, and understanding of, the format of specific secrets, and helps detect configuration-related issues introduced at input or change time.

Some of the scenarios where this application would be useful are:

  • Checking that credentials are unique across ALL of your secrets managers.
  • Making sure that production database endpoints have a specific address prefix
  • Making sure that development database endpoints are configured correctly to development environments
  • Making sure that parameters are of the correct type (numeric/boolean)
  • Making sure that parameters have the correct format (prefix/suffix/format)

The command-line application requires you to define a YAML configuration file so that it knows which credential providers to access and which conditions to apply to which secrets. The file defines two kinds of object, the credential provider and the constraint; please check their specific sections below.

Usage

Installation of the command-line tool can be done with the following command:

go install github.com/Kilemonn/Secrets-Validator@latest

The application requires a .yaml configuration file that defines the credential providers along with the constraints that you want to perform on each credential.

The application can be run using the following command (using -f to specify the file path):

Secrets-Validator.exe -f path/to/file.yaml

You can also pass -d to enable debug logging, which logs all constraint and pattern-matching output.

Credential Provider

A credential provider is a service or place that can provide credentials to the application for it to validate. Currently the following credential providers are supported:

Please refer to each individual page for each credential provider to understand how each needs to be configured.

Constraint

A constraint is made up of two parts, the pattern and the condition.

Pattern

The pattern is a regular expression. It is matched against the secret name to determine whether that secret is in scope for validation by its condition counterpart. If the pattern matches the secret name, the condition is executed against the secret's value to validate it.

ALL pattern

The ALL pattern is a special keyword that is not run through the regex evaluator; instead it matches every secret registered by all credential providers.

Condition

The condition is the value test that is run against the secret's value as long as the pattern successfully matches the secret's name. The available conditions are:

  • Unique - That the value of this property is unique across all matching credentials.
  • HasPrefix(<prefix-string>) - Check it has the supplied prefix.
  • HasSuffix(<suffix-string>) - Check it has the supplied suffix.
  • IsNumber - Check value is numeric.
  • IsBoolean - Check value is a boolean.
  • Matches(<regex-pattern>) - Check that the value matches the provided regex.

If the condition is successfully validated, only the debug logging will indicate that it has passed; a failed condition check, however, will be logged mentioning the secret's name and the constraint's name.
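To make the pattern/condition semantics above concrete, here is an added Go example (not the project's own code) that evaluates a list of constraints over in-memory secrets: each pattern is matched against the secret name, the ALL keyword bypasses the regex, and the condition is then tested against the value, with Unique tracked across every in-scope secret of that constraint. The Secret and Constraint types, the holds helper, and the "secret: constraint" failure format are assumptions for illustration.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Secret and Constraint mirror the wiki's concepts (illustrative types, not the project's own).
type Secret struct{ Name, Value string }
type Constraint struct{ Name, Pattern, Condition string }
// holds applies one condition keyword (plus its "(argument)", if any) to a secret value.
// seen counts values already checked by this constraint, which is all Unique needs.
func holds(keyword, arg, value string, seen map[string]int) bool {
	switch keyword {
	case "Unique":
		seen[value]++
		return seen[value] == 1 // the second and later copies of a value are the ones reported
	case "HasPrefix":
		return strings.HasPrefix(value, arg)
	case "HasSuffix":
		return strings.HasSuffix(value, arg)
	case "IsNumber":
		_, err := strconv.ParseFloat(value, 64)
		return err == nil
	case "IsBoolean":
		_, err := strconv.ParseBool(value)
		return err == nil
	case "Matches":
		return regexp.MustCompile(arg).MatchString(value)
	}
	panic("unknown condition: " + keyword) // a typo in the YAML should fail loudly, not pass silently
}
// Evaluate returns one "<secret>: <constraint>" line per failed check, as the wiki's failure log describes.
func Evaluate(secrets []Secret, cs []Constraint) []string {
	var failures []string
	for _, c := range cs {
		keyword, arg, _ := strings.Cut(strings.TrimSuffix(c.Condition, ")"), "(")
		re := regexp.MustCompile(c.Pattern) // "ALL" compiles too, but is treated as a keyword below
		seen := map[string]int{}
		for _, s := range secrets {
			// The pattern is tested against the NAME; only in-scope secrets get their VALUE tested.
			if (c.Pattern == "ALL" || re.MatchString(s.Name)) && !holds(keyword, arg, s.Value, seen) {
				failures = append(failures, s.Name+": "+c.Name)
			}
		}
	}
	return failures
}
```

Feeding it a constructed set of environment-style secrets and the constraints from the example configuration below reproduces the failures the tool would log, including the duplicate flagged by Unique.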

Example Environment Configuration

The simple environment configuration from the repo README is shown here to provide clarity now that the configuration concepts have been described.

credential-providers:
    - Env: # Registers the environment as a credential provider
constraints:
    - database-connection-string-prefix-is-development: # Create a new constraint with an arbitrary name
        # The regex below is matched against the credential name (in this case, the environment variable name).
        # If it matches, the condition is evaluated against that secret's value (the environment variable value).
        pattern: db-host-name
        condition: HasPrefix(jdbc://path-to-development-db)
    - database-port-number:
        pattern: db-port-number
        condition: IsNumber # the numeric check listed under Condition above
    - all-properties-are-unique:
        pattern: ALL
        condition: Unique
    - is-email: # Checks any property/secret whose name contains "email-address" against the regex below
        pattern: ".*email-address.*" # quoted, since an unquoted leading "*" is read by YAML as an alias
        condition: Matches(.+@.+\..+)