Merge pull request #47 from passbolt/v5-metadata-creation

V5 metadata / Resource creation
2025-05-14 11:28:21 +00:00 · 2025-05-12 21:16:46 +02:00 · 2025-05-12 21:16:46 +02:00 · 19bc97c9e1
commit 19bc97c9e1
parent f57fc2e8ac b4cf29482d
9 changed files with 343 additions and 111 deletions
--- a/api/client.go
+++ b/api/client.go
@ -33,6 +33,9 @@ type Client struct {
 	// Server Settings Determining which Resource Types we can use
 	metadataTypeSettings MetadataTypeSettings

+	// Server Settings Determining which Metadata Keys to use
+	metadataKeySettings MetadataKeySettings
+
 	// used for solving MFA challenges. You can block this to for example wait for user input.
 	// You shouden't run any unrelated API Calls while you are in this callback.
 	// You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa
@ -212,16 +215,28 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error {

 	if settings.Passbolt.IsPluginEnabled("metadata") {
 		c.log("Server has metadata plugin enabled, is v5 or Higher")
-		metadataTypeSettings, err := c.GetMetadataTypeSettings(ctx)
+		metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx)
 		if err != nil {
 			return fmt.Errorf("Getting Metadata Type Settings: %w", err)
 		}

 		c.log("metadataTypeSettings: %+v", metadataTypeSettings)
 		c.metadataTypeSettings = *metadataTypeSettings
+
+		metadataKeySettings, err := c.GetServerMetadataKeySettings(ctx)
+		if err != nil {
+			return fmt.Errorf("Getting Metadata Key Settings: %w", err)
+		}
+
+		c.log("metadataKeySettings: %+v", metadataKeySettings)
+		c.metadataKeySettings = *metadataKeySettings
 	} else {
 		c.log("Server has metadata plugin disabled or not installed, Server is v4")
 		c.metadataTypeSettings = getV4DefaultMetadataTypeSettings()
+		c.metadataKeySettings = MetadataKeySettings{
+			AllowUsageOfPersonalKeys:   true,
+			AllowZeroKnowledgeKeyShare: false,
+		}
 	}
 	return nil
 }
--- a/api/encryption.go
+++ b/api/encryption.go
@ -140,3 +140,11 @@ func (c *Client) DecryptMessageWithSessionKey(sessionKey *crypto.SessionKey, cip

 	return res.String(), nil
 }
+
+func (c *Client) GetUserPrivateKeyCopy() (*crypto.Key, error) {
+	key, err := c.userPrivateKey.Copy()
+	if err != nil {
+		return nil, fmt.Errorf("Get Private Key Copy: %w", err)
+	}
+	return key, nil
+}
--- a/api/metadata.go
+++ b/api/metadata.go
@ -6,6 +6,9 @@ import (
 	"github.com/ProtonMail/gopenpgp/v3/crypto"
 )

+const PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA = "PASSBOLT_RESOURCE_METADATA"
+const PASSBOLT_OBJECT_TYPE_SECRET_DATA = "PASSBOLT_SECRET_DATA"
+
 // ResourceMetadataTypeV5Default
 type ResourceMetadataTypeV5Default struct {
 	ObjectType     string   `json:"object_type"`
--- a/api/metadata_settings.go
+++ b/api/metadata_settings.go
@ -38,6 +38,12 @@ type MetadataTypeSettings struct {
 	AllowV4V5Downgrade         bool                   `json:"allow_v5_v4_downgrade"`
 }

+// MetadataTypeSettings Contains the Servers Settings about which Types to use
+type MetadataKeySettings struct {
+	AllowUsageOfPersonalKeys   bool `json:"allow_usage_of_personal_keys"`
+	AllowZeroKnowledgeKeyShare bool `json:"zero_knowledge_key_share"`
+}
+
 func getV4DefaultMetadataTypeSettings() MetadataTypeSettings {
 	return MetadataTypeSettings{
 		DefaultResourceType:        PassboltAPIVersionTypeV4,
@ -57,8 +63,13 @@ func getV4DefaultMetadataTypeSettings() MetadataTypeSettings {
 	}
 }

-// GetMetadataTypeSettings gets the Servers Settings about which Types to use
-func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) {
+// MetadataTypeSettings Gives the Current MetadataTypeSettings
+func (c *Client) MetadataTypeSettings() MetadataTypeSettings {
+	return c.metadataTypeSettings
+}
+
+// GetServerMetadataTypeSettings gets the Servers Settings about which Types to use, usually you should use MetadataTypeSettings instead
+func (c *Client) GetServerMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) {
 	msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/types/settings.json", nil, nil)
 	if err != nil {
 		return nil, err
@ -71,3 +82,23 @@ func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSett
 	}
 	return &metadataSettings, nil
 }
+
+// MetadataKeySettings Gives the Current MetadataKeySettings
+func (c *Client) MetadataKeySettings() MetadataKeySettings {
+	return c.metadataKeySettings
+}
+
+// GetServerMetadataKeySettings gets the Servers Settings about which Key to use, usually you should use MetadataKeySettings instead
+func (c *Client) GetServerMetadataKeySettings(ctx context.Context) (*MetadataKeySettings, error) {
+	msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/keys/settings.json", nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var metadataKeySettings MetadataKeySettings
+	err = json.Unmarshal(msg.Body, &metadataKeySettings)
+	if err != nil {
+		return nil, err
+	}
+	return &metadataKeySettings, nil
+}
--- a/helper/metadata.go
+++ b/helper/metadata.go
@ -11,80 +11,56 @@ import (
 	"github.com/santhosh-tekuri/jsonschema"
 )

-func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) {
-	keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{
-		ContainMetadataPrivateKeys: true,
-	})
+func GetResourceMetadata(ctx context.Context, c *api.Client, resource *api.Resource, rType *api.ResourceType) (string, error) {
+	_, _, metadatakey, err := GetMetadataKey(ctx, c, resource.MetadataKeyType == api.MetadataKeyTypeUserKey)
 	if err != nil {
 		return "", fmt.Errorf("Get Metadata Key: %w", err)
 	}

-	// TODO Get Key by id?
-	if len(keys) != 1 {
-		return "", fmt.Errorf("Not Exactly One Metadatakey Available")
-	}
+	// TODO should we instead get the Metadata key of this resource by id?

-	if len(keys[0].MetadataPrivateKeys) == 0 {
-		return "", fmt.Errorf("No Metadata Private key for our user")
-	}
-
-	if len(keys[0].MetadataPrivateKeys) > 1 {
-		return "", fmt.Errorf("More than 1 metadata Private key for our user")
-	}
-
-	var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
-	if *privMetdata.UserID != c.GetUserID() {
-		return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
-	}
-
-	decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
-	if err != nil {
-		return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
-	}
-
-	var data api.MetadataPrivateKeyData
-	err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
-	if err != nil {
-		return "", fmt.Errorf("Parse Metadata Private Key Data")
-	}
-
-	metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
-	if err != nil {
-		return "", fmt.Errorf("Get Metadata Private Key: %w", err)
-	}
-
-	decMetadata, err := c.DecryptMetadata(metadataPrivateKeyObj, resource.Metadata)
+	decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata)
 	if err != nil {
 		return "", fmt.Errorf("Decrypt Metadata: %w", err)
 	}

+	err = validateMetadata(rType, string(decMetadata))
+	if err != nil {
+		return "", fmt.Errorf("Validate Metadata: %w", err)
+	}
+
+	return decMetadata, nil
+}
+
+func validateMetadata(rType *api.ResourceType, metadata string) error {
 	var schemaDefinition api.ResourceTypeSchema
-	err = json.Unmarshal([]byte(rType.Definition), &schemaDefinition)
+	definition := rType.Definition
+
+	// Fallback schema
+	if string(definition) == "[]" || string(definition) == "\"[]\"" {
+		tmp, ok := api.ResourceSchemas[rType.Slug]
+		if !ok {
+			return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
+		}
+		definition = tmp
+	}
+
+	err := json.Unmarshal([]byte(definition), &schemaDefinition)
 	if err != nil {
 		// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
 		if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
 			var tmp string
-			err = json.Unmarshal([]byte(rType.Definition), &tmp)
+			err = json.Unmarshal([]byte(definition), &tmp)
 			if err != nil {
-				return "", fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
-			}
-
-			if tmp == "[]" {
-				// Use The Builtin Fallback Schemas in this Case
-				schema, ok := api.ResourceSchemas[rType.Slug]
-				if !ok {
-					return "", fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
-				}
-				tmp = string(schema)
+				return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
 			}

 			err = json.Unmarshal([]byte(tmp), &schemaDefinition)
 			if err != nil {
-				return "", fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
+				return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
 			}
-
 		} else {
-			return "", fmt.Errorf("Unmarshal Json Schema: %w", err)
+			return fmt.Errorf("Unmarshal Json Schema: %w", err)
 		}
 	}

@ -92,18 +68,17 @@ func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resour

 	err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource))
 	if err != nil {
-		return "", fmt.Errorf("Adding Json Schema: %w", err)
+		return fmt.Errorf("Adding Json Schema: %w", err)
 	}

 	schema, err := comp.Compile("metadata.json")
 	if err != nil {
-		return "", fmt.Errorf("Compiling Json Schema: %w", err)
+		return fmt.Errorf("Compiling Json Schema: %w", err)
 	}

-	err = schema.Validate(strings.NewReader(decMetadata))
+	err = schema.Validate(strings.NewReader(metadata))
 	if err != nil {
-		return "", fmt.Errorf("Validating Secret Data: %w", err)
+		return fmt.Errorf("Validating Secret Data: %w", err)
 	}
-
-	return decMetadata, nil
+	return nil
 }
--- a/helper/metadatakey.go
+++ b/helper/metadatakey.go
@ -0,0 +1,75 @@
+package helper
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/ProtonMail/gopenpgp/v3/crypto"
+	"github.com/passbolt/go-passbolt/api"
+)
+
+// GetMetadataKey gets a Metadata key, Personal indicates if the function should return the personal key,
+// If personal keys have been disabled on the server then we return the shared key
+// Returns the Key ID, Key Type and the Key itself
+func GetMetadataKey(ctx context.Context, c *api.Client, personal bool) (string, api.MetadataKeyType, *crypto.Key, error) {
+	// if personal is requsted and it is allowed by the server, then return that
+	if personal && c.MetadataKeySettings().AllowUsageOfPersonalKeys {
+		key, err := c.GetUserPrivateKeyCopy()
+		if err != nil {
+			return "", "", nil, fmt.Errorf("Get User Private Key: %w", err)
+		}
+
+		me, err := c.GetMe(ctx)
+		if err != nil {
+			return "", "", nil, fmt.Errorf("Get User Me: %w", err)
+		}
+
+		if me.GPGKey == nil {
+			return "", "", nil, fmt.Errorf("User Me GPG Key nil")
+		}
+
+		return me.GPGKey.ID, api.MetadataKeyTypeUserKey, key, nil
+	}
+
+	keys, err := c.GetMetadataKeys(ctx, nil)
+	if err != nil {
+		return "", "", nil, fmt.Errorf("Get Metadata Key: %w", err)
+	}
+
+	// TODO Get Key by id?
+	if len(keys) != 1 {
+		return "", "", nil, fmt.Errorf("Not Exactly One Metadatakey Available")
+	}
+
+	if len(keys[0].MetadataPrivateKeys) == 0 {
+		return "", "", nil, fmt.Errorf("No Metadata Private key for our user")
+	}
+
+	if len(keys[0].MetadataPrivateKeys) > 1 {
+		return "", "", nil, fmt.Errorf("More than 1 metadata Private key for our user")
+	}
+
+	var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
+	if *privMetdata.UserID != c.GetUserID() {
+		return "", "", nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
+	}
+
+	decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
+	if err != nil {
+		return "", "", nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
+	}
+
+	var data api.MetadataPrivateKeyData
+	err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
+	if err != nil {
+		return "", "", nil, fmt.Errorf("Parse Metadata Private Key Data")
+	}
+
+	metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
+	if err != nil {
+		return "", "", nil, fmt.Errorf("Get Metadata Private Key: %w", err)
+	}
+
+	return keys[0].ID, api.MetadataKeyTypeSharedKey, metadataPrivateKeyObj, nil
+}
--- a/helper/resources.go
+++ b/helper/resources.go
@ -8,8 +8,109 @@ import (
 	"github.com/passbolt/go-passbolt/api"
 )

-// CreateResource Creates a Resource where the Password and Description are Encrypted and Returns the Resources ID
+// CreateResource Creates a Resource, Creates a v4 or v5 Resources based on the server Preference
 func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
+	// Create a v5 Password if that is the Server Default
+	if c.MetadataTypeSettings().DefaultResourceType == api.PassboltAPIVersionTypeV5 {
+		return CreateResourceV5(ctx, c, folderParentID, name, username, uri, password, description)
+	} else {
+		return CreateResourceV4(ctx, c, folderParentID, name, username, uri, password, description)
+	}
+}
+
+func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
+	if c.MetadataTypeSettings().AllowCreationOfV5Resources == false {
+		return "", fmt.Errorf("Creation of V5 Passwords is disabled on this Server")
+	}
+
+	types, err := c.GetResourceTypes(ctx, nil)
+	if err != nil {
+		return "", fmt.Errorf("Getting ResourceTypes: %w", err)
+	}
+	var rType *api.ResourceType
+	for _, tmp := range types {
+		if tmp.Slug == "v5-default" {
+			rType = &tmp
+			break
+		}
+	}
+	if rType == nil {
+		return "", fmt.Errorf("Cannot find Resource type password-and-description")
+	}
+
+	// Base Resource
+	resource := api.Resource{
+		ResourceTypeID: rType.ID,
+		FolderParentID: folderParentID,
+	}
+
+	// Resource Metadata
+	meta := api.ResourceMetadataTypeV5Default{
+		ObjectType:     api.PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA,
+		ResourceTypeID: rType.ID,
+		Name:           name,
+		Username:       username,
+		URIs:           []string{uri},
+	}
+
+	metaData, err := json.Marshal(&meta)
+	if err != nil {
+		return "", fmt.Errorf("Marshalling metadata: %w", err)
+	}
+
+	err = validateMetadata(rType, string(metaData))
+	if err != nil {
+		return "", fmt.Errorf("Validating metadata: %w", err)
+	}
+
+	metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true)
+	if err != nil {
+		return "", fmt.Errorf("Get Metadata Key: %w", err)
+	}
+	resource.MetadataKeyID = metadataKeyID
+	resource.MetadataKeyType = metadataKeyType
+
+	encMetadata, err := c.EncryptMessageWithKey(publicMetadataKey, string(metaData))
+	if err != nil {
+		return "", fmt.Errorf("Encrypt Metadata: %w", err)
+	}
+	resource.Metadata = encMetadata
+
+	// Resource Secret
+	secret := api.SecretDataTypeV5Default{
+		ObjectType:  api.PASSBOLT_OBJECT_TYPE_SECRET_DATA,
+		Password:    password,
+		Description: description,
+	}
+
+	secretData, err := json.Marshal(&secret)
+	if err != nil {
+		return "", fmt.Errorf("Marshalling Secret Data: %w", err)
+	}
+
+	err = validateSecretData(rType, string(secretData))
+	if err != nil {
+		return "", fmt.Errorf("Validating Secret Data: %w", err)
+	}
+
+	encSecretData, err := c.EncryptMessage(string(secretData))
+	if err != nil {
+		return "", fmt.Errorf("Encrypting Secret Data for User me: %w", err)
+	}
+	resource.Secrets = []api.Secret{{Data: encSecretData}}
+
+	newresource, err := c.CreateResource(ctx, resource)
+	if err != nil {
+		return "", fmt.Errorf("Creating Resource: %w", err)
+	}
+	return newresource.ID, nil
+}
+
+func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
+	if c.MetadataTypeSettings().AllowCreationOfV4Resources == false {
+		return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server")
+	}
+
 	types, err := c.GetResourceTypes(ctx, nil)
 	if err != nil {
 		return "", fmt.Errorf("Getting ResourceTypes: %w", err)
@ -62,6 +163,12 @@ func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, us

 // CreateResourceSimple Creates a Legacy Resource where only the Password is Encrypted and Returns the Resources ID
 func CreateResourceSimple(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
+	if c.MetadataTypeSettings().AllowCreationOfV4Resources == false {
+		return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server")
+	}
+
+	// TODO Create a v5-password-string if v5 is enabled
+
 	enc, err := c.EncryptMessage(password)
 	if err != nil {
 		return "", fmt.Errorf("Encrypting Password: %w", err)
@ -163,7 +270,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 		uri = resource.URI
 		// nothing fits into the interface in this case
 	case "v5-default":
-		rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType)
+		rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)
 		if err != nil {
 			return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err)
 		}
@ -193,7 +300,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 		pw = secretData.Password
 		desc = secretData.Description
 	case "v5-default-with-totp":
-		rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType)
+		rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)
 		if err != nil {
 			return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err)
 		}
@ -223,7 +330,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 		pw = secretData.Password
 		desc = secretData.Description
 	case "v5-password-string":
-		rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType)
+		rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)
 		if err != nil {
 			return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err)
 		}
--- a/helper/secret.go
+++ b/helper/secret.go
@ -0,0 +1,63 @@
+package helper
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/passbolt/go-passbolt/api"
+	"github.com/santhosh-tekuri/jsonschema"
+)
+
+func validateSecretData(rType *api.ResourceType, secretData string) error {
+	var schemaDefinition api.ResourceTypeSchema
+	definition := rType.Definition
+
+	// Fallback schema
+	if string(definition) == "[]" || string(definition) == "\"[]\"" {
+		tmp, ok := api.ResourceSchemas[rType.Slug]
+		if !ok {
+			return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
+		}
+		definition = tmp
+	}
+
+	err := json.Unmarshal([]byte(definition), &schemaDefinition)
+	if err != nil {
+		// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
+		if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
+			var tmp string
+			err = json.Unmarshal([]byte(definition), &tmp)
+			if err != nil {
+				return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
+			}
+
+			err = json.Unmarshal([]byte(tmp), &schemaDefinition)
+			if err != nil {
+				return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
+			}
+
+		} else {
+			return fmt.Errorf("Unmarshal Json Schema: %w", err)
+		}
+	}
+
+	comp := jsonschema.NewCompiler()
+
+	err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret))
+	if err != nil {
+		return fmt.Errorf("Adding Json Schema: %w", err)
+	}
+
+	schema, err := comp.Compile("secret.json")
+	if err != nil {
+		return fmt.Errorf("Compiling Json Schema: %w", err)
+	}
+
+	err = schema.Validate(strings.NewReader(secretData))
+	if err != nil {
+		return fmt.Errorf("Validating Secret Data: %w", err)
+	}
+	return nil
+}
--- a/helper/util.go
+++ b/helper/util.go
@ -1,13 +1,9 @@
 package helper

 import (
-	"bytes"
-	"encoding/json"
 	"fmt"
-	"strings"

 	"github.com/passbolt/go-passbolt/api"
-	"github.com/santhosh-tekuri/jsonschema"
 )

 func getPublicKeyByUserID(userID string, Users []api.User) (string, error) {
@ -36,44 +32,3 @@ func getSecretByResourceID(secrets []api.Secret, resourceID string) (*api.Secret
 	}
 	return nil, fmt.Errorf("Cannot Find Secret for id %v", resourceID)
 }
-
-func validateSecretData(rType *api.ResourceType, secretData string) error {
-	var schemaDefinition api.ResourceTypeSchema
-	err := json.Unmarshal([]byte(rType.Definition), &schemaDefinition)
-	if err != nil {
-		// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
-		if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
-			var tmp string
-			err = json.Unmarshal([]byte(rType.Definition), &tmp)
-			if err != nil {
-				return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
-			}
-
-			err = json.Unmarshal([]byte(tmp), &schemaDefinition)
-			if err != nil {
-				return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
-			}
-
-		} else {
-			return fmt.Errorf("Unmarshal Json Schema: %w", err)
-		}
-	}
-
-	comp := jsonschema.NewCompiler()
-
-	err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret))
-	if err != nil {
-		return fmt.Errorf("Adding Json Schema: %w", err)
-	}
-
-	schema, err := comp.Compile("secret.json")
-	if err != nil {
-		return fmt.Errorf("Compiling Json Schema: %w", err)
-	}
-
-	err = schema.Validate(strings.NewReader(secretData))
-	if err != nil {
-		return fmt.Errorf("Validating Secret Data: %w", err)
-	}
-	return nil
-}