feat: added secret referencing support

Author: nimish-ks

src/phase/phase.py

@@ -17,6 +17,7 @@
 from .utils.crypto import CryptoUtils
 from .utils.const import __ph_version__, pss_user_pattern, pss_service_pattern
 from .utils.misc import phase_get_context, normalize_tag, tag_matches
+from .utils.secret_referencing import resolve_all_secrets
 
 
 @dataclass
@@ -176,6 +177,7 @@ def get(self, env_name: str, keys: List[str] = None, app_name: str = None, tag:
         secrets_data = secrets_response.json()
 
         results = []
+        all_secrets = []  # List to store all secrets for resolving references
         for secret in secrets_data:
             # Check if a tag filter is applied and if the secret has the correct tags.
             if tag and not tag_matches(secret.get("tags", []), tag):
@@ -209,6 +211,13 @@ def get(self, env_name: str, keys: List[str] = None, app_name: str = None, tag:
 
             if not keys or decrypted_key in keys:
                 results.append(secret_obj)
+            
+            all_secrets.append(secret_obj)
+
+        # Resolve secret references
+        for secret in results:
+            resolved_value = resolve_all_secrets(secret.value, all_secrets, self, app_name, env_name)
+            secret.value = resolved_value
 
         return results
 

src/phase/utils/secret_referencing.py

@@ -66,11 +66,11 @@ def resolve_secret_reference(ref: str, secrets_dict: Dict[str, Dict[str, Dict[st
     """
 
     env_name = current_env_name
-    path = "/" # Default root path
+    path = "/"  # Default root path
     key_name = ref
 
     # Parse the reference to identify environment, path, and secret key.
-    if "." in ref:  # Cross-environment references, split by the first dot to get environment and the rest.
+    if "." in ref:  # Cross-environment references
         parts = ref.split(".", 1)
         env_name, rest = parts[0], parts[1]
         last_slash_index = rest.rfind("/")
@@ -90,15 +90,17 @@ def resolve_secret_reference(ref: str, secrets_dict: Dict[str, Dict[str, Dict[st
 
     try:
         # Lookup with environment, path, and key
-        if env_name in secrets_dict and path in secrets_dict[env_name] and key_name in secrets_dict[env_name][path]:
-            return secrets_dict[env_name][path][key_name]
+        if env_name in secrets_dict and path in secrets_dict[env_name]:
+            for secret in secrets_dict[env_name][path]:
+                if secret.key == key_name:
+                    return secret.value
         else:
             # Handle fallback for cross-environment or missing secrets
             if env_name != current_env_name:
                 fetched_secrets = phase.get(env_name=env_name, app_name=current_application_name, keys=[key_name], path=path)
                 for secret in fetched_secrets:
-                    if secret["key"] == key_name:
-                        return secret["value"]
+                    if secret.key == key_name:
+                        return secret.value
     except EnvironmentNotFoundException:
         pass
 
@@ -128,14 +130,13 @@ def resolve_all_secrets(value: str, all_secrets: List[Dict[str, str]], phase: 'P
 
     secrets_dict = {}
     for secret in all_secrets:
-        env_name = secret['environment']
-        path = secret['path']
-        key = secret['key']
+        env_name = current_env_name  # Assume current environment if not specified
+        path = secret.path
         if env_name not in secrets_dict:
             secrets_dict[env_name] = {}
         if path not in secrets_dict[env_name]:
-            secrets_dict[env_name][path] = {}
-        secrets_dict[env_name][path][key] = secret['value']
+            secrets_dict[env_name][path] = []
+        secrets_dict[env_name][path].append(secret)
 
     refs = SECRET_REF_REGEX.findall(value)
     resolved_value = value
@@ -144,4 +145,4 @@ def resolve_all_secrets(value: str, all_secrets: List[Dict[str, str]], phase: 'P
         resolved_secret_value = resolve_secret_reference(ref, secrets_dict, phase, current_application_name, current_env_name)
         resolved_value = resolved_value.replace(f"${{{ref}}}", resolved_secret_value)
 
-    return resolved_value
+    return resolved_value