Merge pull request #184 from statisticsnorway/173-add-use-of-google-secret-manager

mallport · web-flow · commit 8153a3abee61 · 2024-11-06T12:50:03.000+01:00
173 add use of google secret manager
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "dapla-toolbelt"
-version = "3.0.2"
+version = "3.1.2"
 description = "Dapla Toolbelt"
 authors = ["Dapla Developers <dapla-platform-developers@ssb.no>"]
 license = "MIT"
@@ -27,6 +27,8 @@ pyjwt = ">=2.6.0"
 tomli = ">=1.1.0"
 google-cloud-pubsub = ">=2.14.1"
 fsspec = ">=2023.12.2"
+google-cloud-secret-manager = "^2.21.0"
+pytest-mock = "^3.14.0"
 
 [tool.poetry.group.dev.dependencies]
 pygments = ">=2.10.0"
diff --git a/src/dapla/__init__.py b/src/dapla/__init__.py
@@ -13,6 +13,7 @@
 from .doctor import Doctor
 from .files import FileClient
 from .git import repo_root_dir
+from .gsm import get_secret_version
 from .guardian import GuardianClient
 from .jupyterhub import generate_api_token
 from .pandas import read_pandas
@@ -33,6 +34,7 @@
     "read_pandas",
     "write_pandas",
     "trigger_source_data_processing",
+    "get_secret_version",
 ]
 
 
diff --git a/src/dapla/gsm.py b/src/dapla/gsm.py
@@ -0,0 +1,29 @@
+from typing import Optional
+
+from google.cloud.secretmanager import SecretManagerServiceClient
+
+from .auth import AuthClient
+
+
+def get_secret_version(
+    project_id: str, shortname: str, version_id: Optional[str] = "latest"
+) -> str:
+    """Access the payload for a given secret version.
+
+    The user's google credentials are used to authorize that the user have permission
+    to access the secret_id.
+
+    Args:
+        project_id (str): ID of the Google Cloud project where the secret is stored.
+        shortname (str): Name (not full path) of the secret in Secret Manager.
+        version_id (str, optional): The version of the secret to access. Defaults to 'latest'.
+
+    Returns:
+        str: The payload of the secret version as a UTF-8 decoded string.
+    """
+    client = SecretManagerServiceClient(
+        credentials=AuthClient.fetch_google_credentials()
+    )
+    secret_name = f"projects/{project_id}/secrets/{shortname}/versions/{version_id}"
+    response = client.access_secret_version(name=secret_name)
+    return str(response.payload.data.decode("UTF-8"))
diff --git a/src/dapla/pandas.py b/src/dapla/pandas.py
@@ -91,7 +91,7 @@ def read_pandas(
                 gcs_path = FileClient._remove_gcs_uri_prefix(gcs_path)
 
             parquet_ds = pq.ParquetDataset(
-                gcs_path,
+                gcs_path,  # type: ignore [arg-type]
                 filesystem=fs,
                 filters=filters,  # type: ignore [arg-type]
             )  # Stubs show the incorrect type -
diff --git a/tests/test_gsm.py b/tests/test_gsm.py
@@ -0,0 +1,21 @@
+from unittest.mock import Mock
+
+from pytest_mock import MockerFixture
+
+from dapla.gsm import get_secret_version
+
+PKG = "dapla.gsm"
+
+
+def test_get_secret_version(mocker: MockerFixture) -> None:
+    mock_smclient = mocker.patch(f"{PKG}.SecretManagerServiceClient")
+    mock_authclient = mocker.patch(f"{PKG}.AuthClient")
+
+    fake_creds = Mock()
+    mock_authclient.fetch_google_credentials.return_value = fake_creds
+
+    project_id = "tester-a92f"
+    shortname = "supersecret"
+
+    get_secret_version(project_id=project_id, shortname=shortname)
+    mock_smclient.assert_called_once_with(credentials=fake_creds)
