Azure · gouthamMN · Dec 31, 2024 · Dec 31, 2024 · Dec 31, 2024 · Jan 2, 2025
@@ -7,6 +7,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
 	github.com/go-playground/validator/v10 v10.22.0
+	github.com/google/go-cmp v0.6.0
 	go.uber.org/mock v0.4.0
 	gopkg.in/dnaeon/go-vcr.v3 v3.2.0
 )
@@ -18,7 +19,6 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect

@@ -8,6 +8,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
 	"github.com/Azure/msi-dataplane/pkg/dataplane"
+	"github.com/Azure/msi-dataplane/pkg/dataplane/swagger"
 )
 
 var (
@@ -20,11 +21,16 @@ type DeletedSecretProperties struct {
 	DeletedDate   time.Time
 }
 
-type DeletedSecretResponse struct {
+type DeletedCredentialsObjectSecretResponse struct {
 	CredentialsObject dataplane.CredentialsObject
 	Properties        DeletedSecretProperties
 }
 
+type DeletedNestedCredentialsObjectSecretResponse struct {
+	NestedCredentialsObject swagger.NestedCredentialsObject
+	Properties              DeletedSecretProperties
+}
+
 type MsiKeyVaultStore struct {
 	kvClient KeyVaultClient
 }
@@ -36,18 +42,33 @@ type SecretProperties struct {
 	NotBefore time.Time
 }
 
-type SecretResponse struct {
+type CredentialsObjectSecretResponse struct {
 	CredentialsObject dataplane.CredentialsObject
 	Properties        SecretProperties
 }
 
+type NestedCredentialsObjectSecretResponse struct {
+	NestedCredentialsObject swagger.NestedCredentialsObject
+	Properties              SecretProperties
+}
+
+type secretObject struct {
+	value      string
+	properties SecretProperties
+}
+
+type deletedSecretObject struct {
+	value      string
+	properties DeletedSecretProperties
+}
+
 func NewMsiKeyVaultStore(kvClient KeyVaultClient) *MsiKeyVaultStore {
 	return &MsiKeyVaultStore{kvClient: kvClient}
 }
 
 // Delete a credentials object from key vault using the specified secret name.
 // Delete applies to all versions of the secret.
-func (s *MsiKeyVaultStore) DeleteCredentialsObject(ctx context.Context, secretName string) error {
+func (s *MsiKeyVaultStore) DeleteSecret(ctx context.Context, secretName string) error {
 	if _, err := s.kvClient.DeleteSecret(ctx, secretName, nil); err != nil {
 		return err
 	}
@@ -57,7 +78,38 @@ func (s *MsiKeyVaultStore) DeleteCredentialsObject(ctx context.Context, secretNa
 
 // Get a credentials object from the key vault using the specified secret name.
 // The latest version of the secret will always be returned.
-func (s *MsiKeyVaultStore) GetCredentialsObject(ctx context.Context, secretName string) (*SecretResponse, error) {
+func (s *MsiKeyVaultStore) GetCredentialsObject(ctx context.Context, secretName string) (*CredentialsObjectSecretResponse, error) {
+	secretObject, err := s.getSecret(ctx, secretName)
+	if err != nil {
+		return nil, err
+	}
+
+	var credentialsObject dataplane.CredentialsObject
+	if err := credentialsObject.UnmarshalJSON([]byte(secretObject.value)); err != nil {
+		return nil, err
+	}
+
+	return &CredentialsObjectSecretResponse{CredentialsObject: credentialsObject, Properties: secretObject.properties}, nil
+}
+
+// Get a nested credentials object from the key vault using the specified secret name.
+func (s *MsiKeyVaultStore) GetNestedCredentialsObject(ctx context.Context, secretName string) (*NestedCredentialsObjectSecretResponse, error) {
+	secretObject, err := s.getSecret(ctx, secretName)
+	if err != nil {
+		return nil, err
+	}
+
+	var nestedCredentialsObject swagger.NestedCredentialsObject
+	if err := nestedCredentialsObject.UnmarshalJSON([]byte(secretObject.value)); err != nil {
+		return nil, err
+	}
+
+	return &NestedCredentialsObjectSecretResponse{NestedCredentialsObject: nestedCredentialsObject, Properties: secretObject.properties}, nil
+}
+
+// Get a secret from the key vault using the specified secret name.
+// The latest version of the secret will always be returned.
+func (s *MsiKeyVaultStore) getSecret(ctx context.Context, secretName string) (*secretObject, error) {
 	// https://github.com/Azure/azure-sdk-for-go/blob/3fab729f1bd43098837ddc34931fec6c342fa3ef/sdk/security/keyvault/azsecrets/client.go#L197
 	latestSecretVersion := ""
 	secret, err := s.kvClient.GetSecret(ctx, secretName, latestSecretVersion, nil)
@@ -68,10 +120,6 @@ func (s *MsiKeyVaultStore) GetCredentialsObject(ctx context.Context, secretName
 	if secret.Value == nil {
 		return nil, errNilSecretValue
 	}
-	var credentialsObject dataplane.CredentialsObject
-	if err := credentialsObject.UnmarshalJSON([]byte(*secret.Value)); err != nil {
-		return nil, err
-	}
 
 	secretProperties := SecretProperties{
 		Name:      secretName,
@@ -92,26 +140,50 @@ func (s *MsiKeyVaultStore) GetCredentialsObject(ctx context.Context, secretName
 			secretProperties.NotBefore = *secret.Attributes.NotBefore
 		}
 	}
-
-	return &SecretResponse{CredentialsObject: credentialsObject, Properties: secretProperties}, nil
+	return &secretObject{value: *secret.Value, properties: secretProperties}, nil
 }
 
 // Get a deleted credentials object from the key vault using the specified secret name.
-func (s *MsiKeyVaultStore) GetDeletedCredentialsObject(ctx context.Context, secretName string) (*DeletedSecretResponse, error) {
-	response, err := s.kvClient.GetDeletedSecret(ctx, secretName, nil)
+func (s *MsiKeyVaultStore) GetDeletedCredentialsObject(ctx context.Context, secretName string) (*DeletedCredentialsObjectSecretResponse, error) {
+	deletedSecretObject, err := s.getDeletedSecret(ctx, secretName)
 	if err != nil {
 		return nil, err
 	}
 
-	if response.Value == nil {
-		return nil, errNilSecretValue
+	var credentialsObject dataplane.CredentialsObject
+	if err := credentialsObject.UnmarshalJSON([]byte(deletedSecretObject.value)); err != nil {
+		return nil, err
 	}
 
-	var credentialsObject dataplane.CredentialsObject
-	if err := credentialsObject.UnmarshalJSON([]byte(*response.Value)); err != nil {
+	return &DeletedCredentialsObjectSecretResponse{CredentialsObject: credentialsObject, Properties: deletedSecretObject.properties}, nil
+}
+
+// Get a deleted nested credentials object from the key vault using the specified secret name.
+func (s *MsiKeyVaultStore) GetDeletedNestedCredentialsObject(ctx context.Context, secretName string) (*DeletedNestedCredentialsObjectSecretResponse, error) {
+	deletedSecretObject, err := s.getDeletedSecret(ctx, secretName)
+	if err != nil {
+		return nil, err
+	}
+
+	var nestedCredentialsObject swagger.NestedCredentialsObject
+	if err := nestedCredentialsObject.UnmarshalJSON([]byte(deletedSecretObject.value)); err != nil {
+		return nil, err
+	}
+
+	return &DeletedNestedCredentialsObjectSecretResponse{NestedCredentialsObject: nestedCredentialsObject, Properties: deletedSecretObject.properties}, nil
+}
+
+// Get a deleted secret from the key vault using the specified secret name.
+func (s *MsiKeyVaultStore) getDeletedSecret(ctx context.Context, secretName string) (*deletedSecretObject, error) {
+	response, err := s.kvClient.GetDeletedSecret(ctx, secretName, nil)
+	if err != nil {
 		return nil, err
 	}
 
+	if response.Value == nil {
+		return nil, errNilSecretValue
+	}
+
 	deletedSecretProperties := DeletedSecretProperties{
 		Name:          secretName,
 		RecoveryLevel: "",
@@ -129,22 +201,22 @@ func (s *MsiKeyVaultStore) GetDeletedCredentialsObject(ctx context.Context, secr
 		}
 	}
 
-	return &DeletedSecretResponse{CredentialsObject: credentialsObject, Properties: deletedSecretProperties}, nil
+	return &deletedSecretObject{value: *response.Value, properties: deletedSecretProperties}, nil
 }
 
-// Get a pager for listing credentials objects from the key vault.
-func (s *MsiKeyVaultStore) GetCredentialsObjectPager() *runtime.Pager[azsecrets.ListSecretPropertiesResponse] {
+// Get a pager for listing Secret objects from the key vault.
+func (s *MsiKeyVaultStore) GetSecretObjectPager() *runtime.Pager[azsecrets.ListSecretPropertiesResponse] {
 	return s.kvClient.NewListSecretPropertiesPager(nil)
 }
 
-// Get a pager for listing deleted credentials objects from the key vault.
-func (s *MsiKeyVaultStore) GetDeletedCredentialsObjectPager() *runtime.Pager[azsecrets.ListDeletedSecretPropertiesResponse] {
+// Get a pager for listing deleted Secret objects from the key vault.
+func (s *MsiKeyVaultStore) GetDeletedSecretObjectPager() *runtime.Pager[azsecrets.ListDeletedSecretPropertiesResponse] {
 	return s.kvClient.NewListDeletedSecretPropertiesPager(nil)
 }
 
-// Purge a deleted credentials object from the key vault using the specified secret name.
+// Purge a deleted Secret object from the key vault using the specified secret name.
 // This operation is only applicable in vaults enabled for soft-delete.
-func (s *MsiKeyVaultStore) PurgeDeletedCredentialsObject(ctx context.Context, secretName string) error {
+func (s *MsiKeyVaultStore) PurgeDeletedSecretObject(ctx context.Context, secretName string) error {
 	if _, err := s.kvClient.PurgeDeletedSecret(ctx, secretName, nil); err != nil {
 		return err
 	}
@@ -153,16 +225,32 @@ func (s *MsiKeyVaultStore) PurgeDeletedCredentialsObject(ctx context.Context, se
 }
 
 // Set a credentials object in the key vault using the specified secret name.
-// If the secret already exists, key vault will create a new version of the secret.
 func (s *MsiKeyVaultStore) SetCredentialsObject(ctx context.Context, properties SecretProperties, credentialsObject dataplane.CredentialsObject) error {
 	credentialsObjectBuffer, err := credentialsObject.MarshalJSON()
 	if err != nil {
 		return err
 	}
 
 	credentialsObjectString := string(credentialsObjectBuffer)
+	return s.setSecret(ctx, properties, &credentialsObjectString)
+}
+
+// Set a nested credentials object in the key vault using the specified secret name.
+func (s *MsiKeyVaultStore) SetNestedCredentialsObject(ctx context.Context, properties SecretProperties, nestedCredentialsObject swagger.NestedCredentialsObject) error {
+	nestedCredentialsObjectBuffer, err := nestedCredentialsObject.MarshalJSON()
+	if err != nil {
+		return err
+	}
+
+	nestedCredentialsObjectString := string(nestedCredentialsObjectBuffer)
+	return s.setSecret(ctx, properties, &nestedCredentialsObjectString)
+}
+
+// Set a secret in the key vault using the specified secret name.
+// If the secret already exists, key vault will create a new version of the secret.
+func (s *MsiKeyVaultStore) setSecret(ctx context.Context, properties SecretProperties, secretValue *string) error {
 	setSecretParameters := azsecrets.SetSecretParameters{
-		Value: &credentialsObjectString,
+		Value: secretValue,
 		SecretAttributes: &azsecrets.SecretAttributes{
 			Enabled:   &properties.Enabled,
 			Expires:   &properties.Expires,