Adding upstream version 1.34.4.

Signed-off-by: Daniel Baumann <daniel@debian.org>

plugins/secretstores/jose/README.md

@@ -0,0 +1,53 @@
+# Javascript Object Signing and Encryption Secret-store Plugin
+
+The `jose` plugin allows to manage and store secrets locally
+protected by the [Javascript Object Signing and Encryption][jose] algorithm.
+
+To manage your secrets of this secret-store, you should use Telegraf. Run
+
+```shell
+telegraf secrets help
+```
+
+to get more information on how to do this.
+
+## Usage <!-- @/docs/includes/secret_usage.md -->
+
+Secrets defined by a store are referenced with `@{<store-id>:<secret_key>}`
+the Telegraf configuration. Only certain Telegraf plugins and options of
+support secret stores. To see which plugins and options support
+secrets, see their respective documentation (e.g.
+`plugins/outputs/influxdb/README.md`). If the plugin's README has the
+`Secret-store support` section, it will detail which options support secret
+store usage.
+
+## Configuration
+
+```toml @sample.conf
+# File based Javascript Object Signing and Encryption based secret-store
+[[secretstores.jose]]
+  ## Unique identifier for the secret-store.
+  ## This id can later be used in plugins to reference the secrets
+  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
+  id = "secretstore"
+
+  ## Directory for storing the secrets
+  path = "/etc/telegraf/secrets"
+
+  ## Password to access the secrets.
+  ## If no password is specified here, Telegraf will prompt for it at startup time.
+  # password = ""
+```
+
+Each secret is stored in an individual file in the subdirectory specified
+using the `path` parameter. To access the secrets, a password is required.
+This password can be specified using the `password` parameter containing a
+string, an environment variable or as a reference to a secret in another
+secret store. If `password` is not specified in the config, you will be
+prompted for the password at startup.
+
+__Please note:__ All secrets in this secret store are encrypted using
+the same password. If you need individual passwords for each `jose`
+secret, please use multiple instances of this plugin.
+
+[jose]: https://github.com/dvsekhvalnov/jose2go

plugins/secretstores/jose/jose.go

@@ -0,0 +1,115 @@
+//go:generate ../../../tools/readme_config_includer/generator
+package jose
+
+import (
+	_ "embed"
+	"errors"
+	"fmt"
+
+	"github.com/99designs/keyring"
+
+	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/config"
+	"github.com/influxdata/telegraf/plugins/secretstores"
+)
+
+//go:embed sample.conf
+var sampleConfig string
+
+type Jose struct {
+	ID       string        `toml:"id"`
+	Path     string        `toml:"path"`
+	Password config.Secret `toml:"password"`
+
+	ring keyring.Keyring
+}
+
+func (*Jose) SampleConfig() string {
+	return sampleConfig
+}
+
+// Init initializes all internals of the secret-store
+func (j *Jose) Init() error {
+	defer j.Password.Destroy()
+
+	if j.ID == "" {
+		return errors.New("id missing")
+	}
+
+	if j.Path == "" {
+		return errors.New("path missing")
+	}
+
+	// Create the prompt-function in case we need it
+	promptFunc := keyring.TerminalPrompt
+	if !j.Password.Empty() {
+		passwd, err := j.Password.Get()
+		if err != nil {
+			return fmt.Errorf("getting password failed: %w", err)
+		}
+		defer passwd.Destroy()
+		promptFunc = keyring.FixedStringPrompt(passwd.String())
+	} else if !config.Password.Empty() {
+		passwd, err := config.Password.Get()
+		if err != nil {
+			return fmt.Errorf("getting global password failed: %w", err)
+		}
+		defer passwd.Destroy()
+		promptFunc = keyring.FixedStringPrompt(passwd.String())
+	}
+
+	// Setup the actual keyring
+	cfg := keyring.Config{
+		AllowedBackends:  []keyring.BackendType{keyring.FileBackend},
+		FileDir:          j.Path,
+		FilePasswordFunc: promptFunc,
+	}
+	kr, err := keyring.Open(cfg)
+	if err != nil {
+		return fmt.Errorf("opening keyring failed: %w", err)
+	}
+	j.ring = kr
+
+	return nil
+}
+
+// Get searches for the given key and return the secret
+func (j *Jose) Get(key string) ([]byte, error) {
+	item, err := j.ring.Get(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return item.Data, nil
+}
+
+// Set sets the given secret for the given key
+func (j *Jose) Set(key, value string) error {
+	item := keyring.Item{
+		Key:  key,
+		Data: []byte(value),
+	}
+
+	return j.ring.Set(item)
+}
+
+// List lists all known secret keys
+func (j *Jose) List() ([]string, error) {
+	return j.ring.Keys()
+}
+
+// GetResolver returns a function to resolve the given key.
+func (j *Jose) GetResolver(key string) (telegraf.ResolveFunc, error) {
+	resolver := func() ([]byte, bool, error) {
+		s, err := j.Get(key)
+		return s, false, err
+	}
+	return resolver, nil
+}
+
+// Register the secret-store on load.
+func init() {
+	secretstores.Add("jose", func(id string) telegraf.SecretStore {
+		return &Jose{ID: id}
+	})
+}

plugins/secretstores/jose/jose_test.go

@@ -0,0 +1,203 @@
+package jose
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/config"
+)
+
+func TestSampleConfig(t *testing.T) {
+	plugin := &Jose{}
+	require.NotEmpty(t, plugin.SampleConfig())
+}
+
+func TestInitFail(t *testing.T) {
+	tests := []struct {
+		name     string
+		plugin   *Jose
+		expected string
+	}{
+		{
+			name:     "invalid id",
+			plugin:   &Jose{},
+			expected: "id missing",
+		},
+		{
+			name: "missing path",
+			plugin: &Jose{
+				ID: "test",
+			},
+			expected: "path missing",
+		},
+		{
+			name: "invalid password",
+			plugin: &Jose{
+				ID:       "test",
+				Path:     t.TempDir(),
+				Password: config.NewSecret([]byte("@{unresolvable:secret}")),
+			},
+			expected: "getting password failed",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.plugin.Init()
+			require.ErrorContains(t, err, tt.expected)
+		})
+	}
+}
+
+func TestSetListGet(t *testing.T) {
+	secrets := map[string]string{
+		"a secret":    "I won't tell",
+		"another one": "secret",
+		"foo":         "bar",
+	}
+
+	// Create a temporary directory we can use to store the secrets
+	testdir := t.TempDir()
+
+	// Initialize the plugin
+	plugin := &Jose{
+		ID:       "test",
+		Password: config.NewSecret([]byte("test")),
+		Path:     testdir,
+	}
+	require.NoError(t, plugin.Init())
+
+	// Store the secrets
+	for k, v := range secrets {
+		require.NoError(t, plugin.Set(k, v))
+	}
+
+	// Check if the secrets were actually stored
+	entries, err := os.ReadDir(testdir)
+	require.NoError(t, err)
+	require.Len(t, entries, len(secrets))
+	for _, e := range entries {
+		_, found := secrets[e.Name()]
+		require.True(t, found)
+		require.False(t, e.IsDir())
+	}
+
+	// List the secrets
+	keys, err := plugin.List()
+	require.NoError(t, err)
+	require.Len(t, keys, len(secrets))
+	for _, k := range keys {
+		_, found := secrets[k]
+		require.True(t, found)
+	}
+
+	// Get the secrets
+	require.Len(t, keys, len(secrets))
+	for _, k := range keys {
+		value, err := plugin.Get(k)
+		require.NoError(t, err)
+		v, found := secrets[k]
+		require.True(t, found)
+		require.Equal(t, v, string(value))
+	}
+}
+
+func TestResolver(t *testing.T) {
+	secretKey := "a secret"
+	secretVal := "I won't tell"
+
+	// Create a temporary directory we can use to store the secrets
+	testdir := t.TempDir()
+
+	// Initialize the plugin
+	plugin := &Jose{
+		ID:       "test",
+		Password: config.NewSecret([]byte("test")),
+		Path:     testdir,
+	}
+	require.NoError(t, plugin.Init())
+	require.NoError(t, plugin.Set(secretKey, secretVal))
+
+	// Get the resolver
+	resolver, err := plugin.GetResolver(secretKey)
+	require.NoError(t, err)
+	require.NotNil(t, resolver)
+	s, dynamic, err := resolver()
+	require.NoError(t, err)
+	require.False(t, dynamic)
+	require.Equal(t, secretVal, string(s))
+}
+
+func TestResolverInvalid(t *testing.T) {
+	secretKey := "a secret"
+	secretVal := "I won't tell"
+
+	// Create a temporary directory we can use to store the secrets
+	testdir := t.TempDir()
+
+	// Initialize the plugin
+	plugin := &Jose{
+		ID:       "test",
+		Password: config.NewSecret([]byte("test")),
+		Path:     testdir,
+	}
+	require.NoError(t, plugin.Init())
+	require.NoError(t, plugin.Set(secretKey, secretVal))
+
+	// Get the resolver
+	resolver, err := plugin.GetResolver("foo")
+	require.NoError(t, err)
+	require.NotNil(t, resolver)
+	_, _, err = resolver()
+	require.Error(t, err)
+}
+
+func TestGetNonExistent(t *testing.T) {
+	secretKey := "a secret"
+	secretVal := "I won't tell"
+
+	// Create a temporary directory we can use to store the secrets
+	testdir := t.TempDir()
+
+	// Initialize the plugin
+	plugin := &Jose{
+		ID:       "test",
+		Password: config.NewSecret([]byte("test")),
+		Path:     testdir,
+	}
+	require.NoError(t, plugin.Init())
+	require.NoError(t, plugin.Set(secretKey, secretVal))
+
+	// Get the resolver
+	_, err := plugin.Get("foo")
+	require.EqualError(t, err, "The specified item could not be found in the keyring")
+}
+
+func TestGetInvalidPassword(t *testing.T) {
+	secretKey := "a secret"
+	secretVal := "I won't tell"
+
+	// Create a temporary directory we can use to store the secrets
+	testdir := t.TempDir()
+
+	// Initialize the stored secrets
+	creator := &Jose{
+		ID:       "test",
+		Password: config.NewSecret([]byte("test")),
+		Path:     testdir,
+	}
+	require.NoError(t, creator.Init())
+	require.NoError(t, creator.Set(secretKey, secretVal))
+
+	// Initialize the plugin with a wrong password
+	// and try to access an existing secret
+	plugin := &Jose{
+		ID:       "test",
+		Password: config.NewSecret([]byte("lala")),
+		Path:     testdir,
+	}
+	require.NoError(t, plugin.Init())
+	_, err := plugin.Get(secretKey)
+	require.ErrorContains(t, err, "integrity check failed")
+}

plugins/secretstores/jose/sample.conf

@@ -0,0 +1,13 @@
+# File based Javascript Object Signing and Encryption based secret-store
+[[secretstores.jose]]
+  ## Unique identifier for the secret-store.
+  ## This id can later be used in plugins to reference the secrets
+  ## in this secret-store via @{<id>:<secret_key>} (mandatory)
+  id = "secretstore"
+
+  ## Directory for storing the secrets
+  path = "/etc/telegraf/secrets"
+
+  ## Password to access the secrets.
+  ## If no password is specified here, Telegraf will prompt for it at startup time.
+  # password = ""