Validate Secret on Get

2025-09-13 14:29:09 +00:00 · 2025-08-18 14:38:12 +02:00 · 2025-08-18 14:38:12 +02:00 · 5c4fb07d5e
commit 5c4fb07d5e
parent faf74e0156
1 changed files with 11 additions and 30 deletions
--- a/helper/resource_get.go
+++ b/helper/resource_get.go
@ -37,23 +37,24 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret

 	ctx := context.TODO()

+	rawSecretData, err := c.DecryptMessage(secret.Data)
+	if err != nil {
+		return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
+	}
+
+	err = validateSecretData(&rType, rawSecretData)
+	if err != nil {
+		return "", "", "", "", "", "", fmt.Errorf("Validate Secret Data: %w", err)
+	}
+
 	switch rType.Slug {
 	case "password-string":
-		var err error
-		pw, err = c.DecryptMessage(secret.Data)
-		if err != nil {
-			return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
-		}
+		pw = rawSecretData
 		name = resource.Name
 		username = resource.Username
 		uri = resource.URI
 		desc = resource.Description
 	case "password-and-description":
-		rawSecretData, err := c.DecryptMessage(secret.Data)
-		if err != nil {
-			return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
-		}
-
 		var secretData api.SecretDataTypePasswordAndDescription
 		err = json.Unmarshal([]byte(rawSecretData), &secretData)
 		if err != nil {
@ -65,11 +66,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 		pw = secretData.Password
 		desc = secretData.Description
 	case "password-description-totp":
-		rawSecretData, err := c.DecryptMessage(secret.Data)
-		if err != nil {
-			return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
-		}
-
 		var secretData api.SecretDataTypePasswordDescriptionTOTP
 		err = json.Unmarshal([]byte(rawSecretData), &secretData)
 		if err != nil {
@ -103,11 +99,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 			uri = metadata.URIs[0]
 		}

-		rawSecretData, err := c.DecryptMessage(secret.Data)
-		if err != nil {
-			return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
-		}
-
 		var secretData api.SecretDataTypeV5Default
 		err = json.Unmarshal([]byte(rawSecretData), &secretData)
 		if err != nil {
@ -133,11 +124,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 			uri = metadata.URIs[0]
 		}

-		rawSecretData, err := c.DecryptMessage(secret.Data)
-		if err != nil {
-			return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
-		}
-
 		var secretData api.SecretDataTypeV5DefaultWithTOTP
 		err = json.Unmarshal([]byte(rawSecretData), &secretData)
 		if err != nil {
@ -166,11 +152,6 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
 		// Not available in the Secret
 		desc = metadata.Description

-		rawSecretData, err := c.DecryptMessage(secret.Data)
-		if err != nil {
-			return "", "", "", "", "", "", fmt.Errorf("Decrypting Secret Data: %w", err)
-		}
-
 		pw = rawSecretData
 	case "v5-totp-standalone":
 		rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)