diff --git a/api/client.go b/api/client.go index 364ba75..0ce0701 100644 --- a/api/client.go +++ b/api/client.go @@ -33,9 +33,6 @@ type Client struct { // Server Settings Determining which Resource Types we can use metadataTypeSettings MetadataTypeSettings - // Server Settings Determining which Metadata Keys to use - metadataKeySettings MetadataKeySettings - // used for solving MFA challenges. You can block this to for example wait for user input. // You shouden't run any unrelated API Calls while you are in this callback. // You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa @@ -215,28 +212,16 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error { if settings.Passbolt.IsPluginEnabled("metadata") { c.log("Server has metadata plugin enabled, is v5 or Higher") - metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx) + metadataTypeSettings, err := c.GetMetadataTypeSettings(ctx) if err != nil { return fmt.Errorf("Getting Metadata Type Settings: %w", err) } c.log("metadataTypeSettings: %+v", metadataTypeSettings) c.metadataTypeSettings = *metadataTypeSettings - - metadataKeySettings, err := c.GetServerMetadataKeySettings(ctx) - if err != nil { - return fmt.Errorf("Getting Metadata Key Settings: %w", err) - } - - c.log("metadataKeySettings: %+v", metadataKeySettings) - c.metadataKeySettings = *metadataKeySettings } else { c.log("Server has metadata plugin disabled or not installed, Server is v4") c.metadataTypeSettings = getV4DefaultMetadataTypeSettings() - c.metadataKeySettings = MetadataKeySettings{ - AllowUsageOfPersonalKeys: true, - AllowZeroKnowledgeKeyShare: false, - } } return nil } diff --git a/api/encryption.go b/api/encryption.go index 6078e19..2c393ee 100644 --- a/api/encryption.go +++ b/api/encryption.go @@ -140,11 +140,3 @@ func (c *Client) DecryptMessageWithSessionKey(sessionKey *crypto.SessionKey, cip return res.String(), nil } - -func (c *Client) GetUserPrivateKeyCopy() (*crypto.Key, error) { - key, err := c.userPrivateKey.Copy() - if err != nil { - return nil, fmt.Errorf("Get Private Key Copy: %w", err) - } - return key, nil -} diff --git a/api/metadata.go b/api/metadata.go index bf6c7ca..cc40425 100644 --- a/api/metadata.go +++ b/api/metadata.go @@ -6,9 +6,6 @@ import ( "github.com/ProtonMail/gopenpgp/v3/crypto" ) -const PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA = "PASSBOLT_RESOURCE_METADATA" -const PASSBOLT_OBJECT_TYPE_SECRET_DATA = "PASSBOLT_SECRET_DATA" - // ResourceMetadataTypeV5Default type ResourceMetadataTypeV5Default struct { ObjectType string `json:"object_type"` diff --git a/api/metadata_settings.go b/api/metadata_settings.go index 92ac9a9..ae80715 100644 --- a/api/metadata_settings.go +++ b/api/metadata_settings.go @@ -38,12 +38,6 @@ type MetadataTypeSettings struct { AllowV4V5Downgrade bool `json:"allow_v5_v4_downgrade"` } -// MetadataTypeSettings Contains the Servers Settings about which Types to use -type MetadataKeySettings struct { - AllowUsageOfPersonalKeys bool `json:"allow_usage_of_personal_keys"` - AllowZeroKnowledgeKeyShare bool `json:"zero_knowledge_key_share"` -} - func getV4DefaultMetadataTypeSettings() MetadataTypeSettings { return MetadataTypeSettings{ DefaultResourceType: PassboltAPIVersionTypeV4, @@ -63,13 +57,8 @@ func getV4DefaultMetadataTypeSettings() MetadataTypeSettings { } } -// MetadataTypeSettings Gives the Current MetadataTypeSettings -func (c *Client) MetadataTypeSettings() MetadataTypeSettings { - return c.metadataTypeSettings -} - -// GetServerMetadataTypeSettings gets the Servers Settings about which Types to use, usually you should use MetadataTypeSettings instead -func (c *Client) GetServerMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) { +// GetMetadataTypeSettings gets the Servers Settings about which Types to use +func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) { msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/types/settings.json", nil, nil) if err != nil { return nil, err @@ -82,23 +71,3 @@ func (c *Client) GetServerMetadataTypeSettings(ctx context.Context) (*MetadataTy } return &metadataSettings, nil } - -// MetadataKeySettings Gives the Current MetadataKeySettings -func (c *Client) MetadataKeySettings() MetadataKeySettings { - return c.metadataKeySettings -} - -// GetServerMetadataKeySettings gets the Servers Settings about which Key to use, usually you should use MetadataKeySettings instead -func (c *Client) GetServerMetadataKeySettings(ctx context.Context) (*MetadataKeySettings, error) { - msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/keys/settings.json", nil, nil) - if err != nil { - return nil, err - } - - var metadataKeySettings MetadataKeySettings - err = json.Unmarshal(msg.Body, &metadataKeySettings) - if err != nil { - return nil, err - } - return &metadataKeySettings, nil -} diff --git a/helper/metadata.go b/helper/metadata.go index be09475..e89cb78 100644 --- a/helper/metadata.go +++ b/helper/metadata.go @@ -11,56 +11,80 @@ import ( "github.com/santhosh-tekuri/jsonschema" ) -func GetResourceMetadata(ctx context.Context, c *api.Client, resource *api.Resource, rType *api.ResourceType) (string, error) { - _, _, metadatakey, err := GetMetadataKey(ctx, c, resource.MetadataKeyType == api.MetadataKeyTypeUserKey) +func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) { + keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ + ContainMetadataPrivateKeys: true, + }) if err != nil { return "", fmt.Errorf("Get Metadata Key: %w", err) } - // TODO should we instead get the Metadata key of this resource by id? + // TODO Get Key by id? + if len(keys) != 1 { + return "", fmt.Errorf("Not Exactly One Metadatakey Available") + } - decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata) + if len(keys[0].MetadataPrivateKeys) == 0 { + return "", fmt.Errorf("No Metadata Private key for our user") + } + + if len(keys[0].MetadataPrivateKeys) > 1 { + return "", fmt.Errorf("More than 1 metadata Private key for our user") + } + + var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] + if *privMetdata.UserID != c.GetUserID() { + return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) + } + + decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) + if err != nil { + return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) + } + + var data api.MetadataPrivateKeyData + err = json.Unmarshal([]byte(decPrivMetadatakey), &data) + if err != nil { + return "", fmt.Errorf("Parse Metadata Private Key Data") + } + + metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) + if err != nil { + return "", fmt.Errorf("Get Metadata Private Key: %w", err) + } + + decMetadata, err := c.DecryptMetadata(metadataPrivateKeyObj, resource.Metadata) if err != nil { return "", fmt.Errorf("Decrypt Metadata: %w", err) } - err = validateMetadata(rType, string(decMetadata)) - if err != nil { - return "", fmt.Errorf("Validate Metadata: %w", err) - } - - return decMetadata, nil -} - -func validateMetadata(rType *api.ResourceType, metadata string) error { var schemaDefinition api.ResourceTypeSchema - definition := rType.Definition - - // Fallback schema - if string(definition) == "[]" || string(definition) == "\"[]\"" { - tmp, ok := api.ResourceSchemas[rType.Slug] - if !ok { - return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) - } - definition = tmp - } - - err := json.Unmarshal([]byte(definition), &schemaDefinition) + err = json.Unmarshal([]byte(rType.Definition), &schemaDefinition) if err != nil { // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { var tmp string - err = json.Unmarshal([]byte(definition), &tmp) + err = json.Unmarshal([]byte(rType.Definition), &tmp) if err != nil { - return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) + return "", fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) + } + + if tmp == "[]" { + // Use The Builtin Fallback Schemas in this Case + schema, ok := api.ResourceSchemas[rType.Slug] + if !ok { + return "", fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) + } + tmp = string(schema) } err = json.Unmarshal([]byte(tmp), &schemaDefinition) if err != nil { - return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) + return "", fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) } + } else { - return fmt.Errorf("Unmarshal Json Schema: %w", err) + return "", fmt.Errorf("Unmarshal Json Schema: %w", err) } } @@ -68,17 +92,18 @@ func validateMetadata(rType *api.ResourceType, metadata string) error { err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource)) if err != nil { - return fmt.Errorf("Adding Json Schema: %w", err) + return "", fmt.Errorf("Adding Json Schema: %w", err) } schema, err := comp.Compile("metadata.json") if err != nil { - return fmt.Errorf("Compiling Json Schema: %w", err) + return "", fmt.Errorf("Compiling Json Schema: %w", err) } - err = schema.Validate(strings.NewReader(metadata)) + err = schema.Validate(strings.NewReader(decMetadata)) if err != nil { - return fmt.Errorf("Validating Secret Data: %w", err) + return "", fmt.Errorf("Validating Secret Data: %w", err) } - return nil + + return decMetadata, nil } diff --git a/helper/metadatakey.go b/helper/metadatakey.go deleted file mode 100644 index 0e7bb16..0000000 --- a/helper/metadatakey.go +++ /dev/null @@ -1,75 +0,0 @@ -package helper - -import ( - "context" - "encoding/json" - "fmt" - - "github.com/ProtonMail/gopenpgp/v3/crypto" - "github.com/passbolt/go-passbolt/api" -) - -// GetMetadataKey gets a Metadata key, Personal indicates if the function should return the personal key, -// If personal keys have been disabled on the server then we return the shared key -// Returns the Key ID, Key Type and the Key itself -func GetMetadataKey(ctx context.Context, c *api.Client, personal bool) (string, api.MetadataKeyType, *crypto.Key, error) { - // if personal is requsted and it is allowed by the server, then return that - if personal && c.MetadataKeySettings().AllowUsageOfPersonalKeys { - key, err := c.GetUserPrivateKeyCopy() - if err != nil { - return "", "", nil, fmt.Errorf("Get User Private Key: %w", err) - } - - me, err := c.GetMe(ctx) - if err != nil { - return "", "", nil, fmt.Errorf("Get User Me: %w", err) - } - - if me.GPGKey == nil { - return "", "", nil, fmt.Errorf("User Me GPG Key nil") - } - - return me.GPGKey.ID, api.MetadataKeyTypeUserKey, key, nil - } - - keys, err := c.GetMetadataKeys(ctx, nil) - if err != nil { - return "", "", nil, fmt.Errorf("Get Metadata Key: %w", err) - } - - // TODO Get Key by id? - if len(keys) != 1 { - return "", "", nil, fmt.Errorf("Not Exactly One Metadatakey Available") - } - - if len(keys[0].MetadataPrivateKeys) == 0 { - return "", "", nil, fmt.Errorf("No Metadata Private key for our user") - } - - if len(keys[0].MetadataPrivateKeys) > 1 { - return "", "", nil, fmt.Errorf("More than 1 metadata Private key for our user") - } - - var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] - if *privMetdata.UserID != c.GetUserID() { - return "", "", nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) - } - - decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) - if err != nil { - return "", "", nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) - } - - var data api.MetadataPrivateKeyData - err = json.Unmarshal([]byte(decPrivMetadatakey), &data) - if err != nil { - return "", "", nil, fmt.Errorf("Parse Metadata Private Key Data") - } - - metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) - if err != nil { - return "", "", nil, fmt.Errorf("Get Metadata Private Key: %w", err) - } - - return keys[0].ID, api.MetadataKeyTypeSharedKey, metadataPrivateKeyObj, nil -} diff --git a/helper/resources.go b/helper/resources.go index 5163ecb..9c2d31a 100644 --- a/helper/resources.go +++ b/helper/resources.go @@ -8,109 +8,8 @@ import ( "github.com/passbolt/go-passbolt/api" ) -// CreateResource Creates a Resource, Creates a v4 or v5 Resources based on the server Preference +// CreateResource Creates a Resource where the Password and Description are Encrypted and Returns the Resources ID func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { - // Create a v5 Password if that is the Server Default - if c.MetadataTypeSettings().DefaultResourceType == api.PassboltAPIVersionTypeV5 { - return CreateResourceV5(ctx, c, folderParentID, name, username, uri, password, description) - } else { - return CreateResourceV4(ctx, c, folderParentID, name, username, uri, password, description) - } -} - -func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { - if c.MetadataTypeSettings().AllowCreationOfV5Resources == false { - return "", fmt.Errorf("Creation of V5 Passwords is disabled on this Server") - } - - types, err := c.GetResourceTypes(ctx, nil) - if err != nil { - return "", fmt.Errorf("Getting ResourceTypes: %w", err) - } - var rType *api.ResourceType - for _, tmp := range types { - if tmp.Slug == "v5-default" { - rType = &tmp - break - } - } - if rType == nil { - return "", fmt.Errorf("Cannot find Resource type password-and-description") - } - - // Base Resource - resource := api.Resource{ - ResourceTypeID: rType.ID, - FolderParentID: folderParentID, - } - - // Resource Metadata - meta := api.ResourceMetadataTypeV5Default{ - ObjectType: api.PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA, - ResourceTypeID: rType.ID, - Name: name, - Username: username, - URIs: []string{uri}, - } - - metaData, err := json.Marshal(&meta) - if err != nil { - return "", fmt.Errorf("Marshalling metadata: %w", err) - } - - err = validateMetadata(rType, string(metaData)) - if err != nil { - return "", fmt.Errorf("Validating metadata: %w", err) - } - - metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true) - if err != nil { - return "", fmt.Errorf("Get Metadata Key: %w", err) - } - resource.MetadataKeyID = metadataKeyID - resource.MetadataKeyType = metadataKeyType - - encMetadata, err := c.EncryptMessageWithKey(publicMetadataKey, string(metaData)) - if err != nil { - return "", fmt.Errorf("Encrypt Metadata: %w", err) - } - resource.Metadata = encMetadata - - // Resource Secret - secret := api.SecretDataTypeV5Default{ - ObjectType: api.PASSBOLT_OBJECT_TYPE_SECRET_DATA, - Password: password, - Description: description, - } - - secretData, err := json.Marshal(&secret) - if err != nil { - return "", fmt.Errorf("Marshalling Secret Data: %w", err) - } - - err = validateSecretData(rType, string(secretData)) - if err != nil { - return "", fmt.Errorf("Validating Secret Data: %w", err) - } - - encSecretData, err := c.EncryptMessage(string(secretData)) - if err != nil { - return "", fmt.Errorf("Encrypting Secret Data for User me: %w", err) - } - resource.Secrets = []api.Secret{{Data: encSecretData}} - - newresource, err := c.CreateResource(ctx, resource) - if err != nil { - return "", fmt.Errorf("Creating Resource: %w", err) - } - return newresource.ID, nil -} - -func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { - if c.MetadataTypeSettings().AllowCreationOfV4Resources == false { - return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server") - } - types, err := c.GetResourceTypes(ctx, nil) if err != nil { return "", fmt.Errorf("Getting ResourceTypes: %w", err) @@ -163,12 +62,6 @@ func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, // CreateResourceSimple Creates a Legacy Resource where only the Password is Encrypted and Returns the Resources ID func CreateResourceSimple(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { - if c.MetadataTypeSettings().AllowCreationOfV4Resources == false { - return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server") - } - - // TODO Create a v5-password-string if v5 is enabled - enc, err := c.EncryptMessage(password) if err != nil { return "", fmt.Errorf("Encrypting Password: %w", err) @@ -270,7 +163,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret uri = resource.URI // nothing fits into the interface in this case case "v5-default": - rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType) + rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) if err != nil { return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) } @@ -300,7 +193,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret pw = secretData.Password desc = secretData.Description case "v5-default-with-totp": - rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType) + rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) if err != nil { return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) } @@ -330,7 +223,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret pw = secretData.Password desc = secretData.Description case "v5-password-string": - rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType) + rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) if err != nil { return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) } diff --git a/helper/secret.go b/helper/secret.go deleted file mode 100644 index f6849dc..0000000 --- a/helper/secret.go +++ /dev/null @@ -1,63 +0,0 @@ -package helper - -import ( - "bytes" - "encoding/json" - "fmt" - "strings" - - "github.com/passbolt/go-passbolt/api" - "github.com/santhosh-tekuri/jsonschema" -) - -func validateSecretData(rType *api.ResourceType, secretData string) error { - var schemaDefinition api.ResourceTypeSchema - definition := rType.Definition - - // Fallback schema - if string(definition) == "[]" || string(definition) == "\"[]\"" { - tmp, ok := api.ResourceSchemas[rType.Slug] - if !ok { - return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) - } - definition = tmp - } - - err := json.Unmarshal([]byte(definition), &schemaDefinition) - if err != nil { - // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string - if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { - var tmp string - err = json.Unmarshal([]byte(definition), &tmp) - if err != nil { - return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) - } - - err = json.Unmarshal([]byte(tmp), &schemaDefinition) - if err != nil { - return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) - } - - } else { - return fmt.Errorf("Unmarshal Json Schema: %w", err) - } - } - - comp := jsonschema.NewCompiler() - - err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret)) - if err != nil { - return fmt.Errorf("Adding Json Schema: %w", err) - } - - schema, err := comp.Compile("secret.json") - if err != nil { - return fmt.Errorf("Compiling Json Schema: %w", err) - } - - err = schema.Validate(strings.NewReader(secretData)) - if err != nil { - return fmt.Errorf("Validating Secret Data: %w", err) - } - return nil -} diff --git a/helper/share.go b/helper/share.go index 4d0897a..d9514b3 100644 --- a/helper/share.go +++ b/helper/share.go @@ -79,33 +79,6 @@ func ShareResource(ctx context.Context, c *api.Client, resourceID string, change return fmt.Errorf("Validating Secret Data: %w", err) } - // if Metadata has not been shared yet then we need to do that - // we assume that if MetadataKeyType is not null that this is a v5 Resource and that the other field are fine - if resource.MetadataKeyType == api.MetadataKeyTypeUserKey { - metadata, err := GetResourceMetadata(ctx, c, resource, rType) - if err != nil { - return fmt.Errorf("Get Metadata: %w", err) - } - - metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true) - if err != nil { - return fmt.Errorf("Get Metadata Key: %w", err) - } - resource.MetadataKeyID = metadataKeyID - resource.MetadataKeyType = metadataKeyType - - encMetadata, err := c.EncryptMessageWithKey(publicMetadataKey, string(metadata)) - if err != nil { - return fmt.Errorf("Encrypt Metadata: %w", err) - } - resource.Metadata = encMetadata - - resource, err = c.UpdateResource(ctx, resource.ID, *resource) - if err != nil { - return fmt.Errorf("Update Resource Metadata to Shared key: %w", err) - } - } - simulationResult, err := c.SimulateShareResource(ctx, resourceID, shareRequest) if err != nil { return fmt.Errorf("Simulate Share Resource: %w", err) diff --git a/helper/util.go b/helper/util.go index 78b1960..4d7a144 100644 --- a/helper/util.go +++ b/helper/util.go @@ -1,9 +1,13 @@ package helper import ( + "bytes" + "encoding/json" "fmt" + "strings" "github.com/passbolt/go-passbolt/api" + "github.com/santhosh-tekuri/jsonschema" ) func getPublicKeyByUserID(userID string, Users []api.User) (string, error) { @@ -32,3 +36,44 @@ func getSecretByResourceID(secrets []api.Secret, resourceID string) (*api.Secret } return nil, fmt.Errorf("Cannot Find Secret for id %v", resourceID) } + +func validateSecretData(rType *api.ResourceType, secretData string) error { + var schemaDefinition api.ResourceTypeSchema + err := json.Unmarshal([]byte(rType.Definition), &schemaDefinition) + if err != nil { + // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string + if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { + var tmp string + err = json.Unmarshal([]byte(rType.Definition), &tmp) + if err != nil { + return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) + } + + err = json.Unmarshal([]byte(tmp), &schemaDefinition) + if err != nil { + return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) + } + + } else { + return fmt.Errorf("Unmarshal Json Schema: %w", err) + } + } + + comp := jsonschema.NewCompiler() + + err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret)) + if err != nil { + return fmt.Errorf("Adding Json Schema: %w", err) + } + + schema, err := comp.Compile("secret.json") + if err != nil { + return fmt.Errorf("Compiling Json Schema: %w", err) + } + + err = schema.Validate(strings.NewReader(secretData)) + if err != nil { + return fmt.Errorf("Validating Secret Data: %w", err) + } + return nil +}