Merge pull request #232 from secrethub/release/v0.32.0

Release v0.32.0

Author: SimonBarendse

internals/api/secret.go

@@ -31,7 +31,7 @@ var (
 	ErrNoSecretMembers            = errAPI.Code("no_secret_members").StatusError("no secret members added to write request", http.StatusBadRequest)
 
 	ErrInvalidSecretKeyID              = errAPI.Code("invalid_secret_key_id").StatusError("secret_key_id is invalid", http.StatusBadRequest)
-	ErrNotEncryptedForAccounts         = errAPI.Code("not_encrypted_for_accounts").StatusError("missing data encrypted for accounts", http.StatusBadRequest)
+	ErrNotEncryptedForAccounts         = errAPI.Code("not_encrypted_for_accounts").StatusError("missing data encrypted for accounts. This can occur when access rules are simultaneously created with resources controlled by the access rule. You may try again.", http.StatusConflict)
 	ErrNotUniquelyEncryptedForAccounts = errAPI.Code("not_uniquely_encrypted_for_accounts").StatusError("not uniquely encrypted for accounts", http.StatusBadRequest)
 
 	ErrCannotDeleteLastSecretVersion = errAPI.Code("cannot_delete_last_version").StatusError("Cannot delete the last version of a secret", http.StatusForbidden)

internals/api/service.go

@@ -66,7 +66,6 @@ func (a Service) ToAuditActor() *AuditActor {
 type CreateServiceRequest struct {
 	Description string                   `json:"description"`
 	Credential  *CreateCredentialRequest `json:"credential"`
-	AccountKey  *CreateAccountKeyRequest `json:"account_key"`
 	RepoMember  *CreateRepoMemberRequest `json:"repo_member"`
 }
 
@@ -83,10 +82,10 @@ func (req CreateServiceRequest) Validate() error {
 		return err
 	}
 
-	if req.AccountKey == nil {
+	if req.Credential.AccountKey == nil {
 		return ErrMissingField("account_key")
 	}
-	if err := req.AccountKey.Validate(); err != nil {
+	if err := req.Credential.AccountKey.Validate(); err != nil {
 		return err
 	}
 

internals/api/user.go

@@ -85,56 +85,3 @@ func (u User) ToAuditActor() *AuditActor {
 		User:    u.Trim(),
 	}
 }
-
-// CreateUserRequest contains the required fields for signing up
-type CreateUserRequest struct {
-	Username   string                   `json:"username"`
-	Email      string                   `json:"email"`
-	FullName   string                   `json:"full_name"`
-	Password   string                   `json:"password,omitempty"`
-	Credential *CreateCredentialRequest `json:"credential,omitempty"`
-}
-
-// Validate validates the request fields.
-func (req *CreateUserRequest) Validate() error {
-	err := ValidateUsername(req.Username)
-	if err != nil {
-		return err
-	}
-
-	if req.Credential == nil && req.Password == "" {
-		return ErrNoPasswordNorCredential
-	}
-
-	if req.Credential != nil {
-		err = req.Credential.Validate()
-		if err != nil {
-			return err
-		}
-	}
-
-	err = ValidateEmail(req.Email)
-	if err != nil {
-		return err
-	}
-
-	err = ValidateFullName(req.FullName)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// CreateFederatedUserRequest contains the required fields for signing up with a federated user
-type CreateFederatedUserRequest struct {
-	Username string `json:"username"`
-}
-
-// Validate validates the request fields.
-func (req CreateFederatedUserRequest) Validate() error {
-	err := ValidateUsername(req.Username)
-	if err != nil {
-		return err
-	}
-	return nil
-}

internals/api/user_test.go

@@ -4,8 +4,6 @@ import (
 	"fmt"
 	"strings"
 	"testing"
-
-	"github.com/secrethub/secrethub-go/internals/assert"
 )
 
 func TestValidateUsername(t *testing.T) {
@@ -168,78 +166,3 @@ func TestValidateFullName(t *testing.T) {
 		}
 	}
 }
-
-func TestCreateUserRequest_Validate(t *testing.T) {
-	cases := map[string]struct {
-		req CreateUserRequest
-		err error
-	}{
-		"valid using password": {
-			req: CreateUserRequest{
-				Username: "test.-_UserTestT",
-				Email:    "test-account.dev1@secrethub.io",
-				FullName: "Test Tester",
-				Password: "hello world",
-			},
-			err: nil,
-		},
-		"valid using credential": {
-			req: CreateUserRequest{
-				Username: "test.-_UserTestT",
-				Email:    "test-account.dev1@secrethub.io",
-				FullName: "Test Tester",
-				Credential: &CreateCredentialRequest{
-					Type:        CredentialTypeKey,
-					Fingerprint: "88c9eae68eb300b2971a2bec9e5a26ff4179fd661d6b7d861e4c6557b9aaee14",
-					Verifier:    []byte("verifier"),
-				},
-			},
-			err: nil,
-		},
-		"invalid no password nor credential": {
-			req: CreateUserRequest{
-				Username: "test.-_UserTestT",
-				Email:    "test-account.dev1@secrethub.io",
-				FullName: "Test Tester",
-			},
-			err: ErrNoPasswordNorCredential,
-		},
-		"invalid username": {
-			req: CreateUserRequest{
-				Username: "",
-				Email:    "test-account.dev1@secrethub.io",
-				FullName: "Test Tester",
-				Password: "hello world",
-			},
-			err: ErrInvalidUsername,
-		},
-		"invalid email": {
-			req: CreateUserRequest{
-				Username: "test",
-				Email:    "notanemail",
-				FullName: "Test Tester",
-				Password: "hello world",
-			},
-			err: ErrInvalidEmail,
-		},
-		"invalid full name": {
-			req: CreateUserRequest{
-				Username: "test",
-				Email:    "test-account.dev1@secrethub.io",
-				FullName: "",
-				Password: "hello world",
-			},
-			err: ErrInvalidFullName,
-		},
-	}
-
-	for name, tc := range cases {
-		t.Run(name, func(t *testing.T) {
-			// Do
-			err := tc.req.Validate()
-
-			// Assert
-			assert.Equal(t, err, tc.err)
-		})
-	}
-}

internals/errio/errors.go

@@ -158,6 +158,7 @@ func UnexpectedError(err error) PublicError {
 			"an unexpected error occurred: %v\n\nTry again later or contact support@secrethub.io if the problem persists",
 			err,
 		),
+		err: err,
 	}
 }
 
@@ -190,6 +191,7 @@ type PublicError struct {
 	Namespace Namespace `json:"namespace,omitempty"`
 	Code      string    `json:"code"`
 	Message   string    `json:"message"`
+	err       error
 }
 
 // PublicError implements the error interface.
@@ -221,6 +223,11 @@ func (e PublicError) Type() string {
 	return fmt.Sprintf("%s.%s", e.Namespace, e.Code)
 }
 
+// Unwrap returns the wrapped error if the PublicError represents an error wrapped as an UnexpectedError.
+func (e PublicError) Unwrap() error {
+	return e.err
+}
+
 // PublicStatusError represents an http error. It contains an HTTP status
 // code and can be json encoded in an HTTP response.
 type PublicStatusError struct {
@@ -263,3 +270,14 @@ func Equals(a PublicError, b error) bool {
 	}
 	return a.Namespace == publicError.Namespace && a.Code == publicError.Code
 }
+
+// EqualsAPIError checks whether the given error has the namespace and code of the
+// given API error. The HTTP status code and error message aren't checked, so this
+// function is compatible with any changes to the message and HTTP status code.
+func EqualsAPIError(apiErr PublicStatusError, err error) bool {
+	publicStatusError, ok := err.(PublicStatusError)
+	if !ok {
+		return false
+	}
+	return Equals(apiErr.PublicError, publicStatusError.PublicError)
+}

pkg/secrethub/account.go

@@ -78,17 +78,23 @@ func (c *Client) createAccountKeyRequest(encrypter credentials.Encrypter, accoun
 	}, nil
 }
 
-func (c *Client) createCredentialRequest(verifier credentials.Verifier, metadata map[string]string) (*api.CreateCredentialRequest, error) {
+func (c *Client) createCredentialRequest(encrypter credentials.Encrypter, accountKey crypto.RSAPrivateKey, verifier credentials.Verifier, metadata map[string]string) (*api.CreateCredentialRequest, error) {
 	bytes, fingerprint, err := verifier.Export()
 	if err != nil {
 		return nil, errio.Error(err)
 	}
 
+	accountKeyReq, err := c.createAccountKeyRequest(encrypter, accountKey)
+	if err != nil {
+		return nil, err
+	}
+
 	req := api.CreateCredentialRequest{
 		Fingerprint: fingerprint,
 		Verifier:    bytes,
 		Type:        verifier.Type(),
 		Metadata:    metadata,
+		AccountKey:  accountKeyReq,
 	}
 	err = verifier.AddProof(&req)
 	if err != nil {