feat(passbolt): add support for Passbolt V5 API

[cedricherzog-passbolt]

Summary

• Add support for Passbolt V5 API with encrypted metadata
• Update go-passbolt SDK to latest version with V5 support
• Improve test coverage with comprehensive mock client

Fixes #5867

Overview

Adds Passbolt V5 API support (encrypted metadata), updates go-passbolt to v0.8.0-beta.1 and bumps related dependencies in both root and providers/v1/passbolt go.mod files. Fixes #5867.

Key Changes

• Dependencies:
  • Root and providers/v1/passbolt go.mod updated — go-passbolt -> v0.8.0-beta.1 plus many k8s, ProtonMail/gopenpgp, jsonschema, go-openapi, x/* and other indirect bumps.
• Provider:
  • ProviderPassbolt now holds a concrete *api.Client (removed the previous exported Client interface).
  • NewClient immediately Login()s and calls PreFetchCaches() to warm V5 metadata/session caches.
  • GetAllSecrets decrypts resource metadata (names) before filtering (supports V5), GetSecret uses helper.GetResource to reconstruct secret fields.
  • Close saves pending session keys before Logout.
  • assureLoggedIn now accepts *api.Client.
• Tests:
  • Replaced extensive PassboltClientMock scaffolding with simplified tests operating on ProviderPassbolt; added property tests (Secret.GetProp), capability assertion, and minimal not-implemented checks.
• Misc:
  • Linter issues addressed per review guidance.

Status / Notes

• PR open; author plans to publish a proper go-passbolt tag/release and update dependency pseudo-version; repository checks require signed commits.

[coderabbitai]

Walkthrough

This PR updates Go module dependencies (root and Passbolt provider), refactors the Passbolt provider to use a concrete *api.Client with immediate login and metadata prefetch, changes secret decryption flow to decrypt resource names before filtering, and simplifies provider tests by removing extensive mocks.

Changes

Cohort / File(s)	Summary
Root Go module go.mod	Updated many direct and indirect dependencies (Kubernetes libs, ProtonMail crypto/gopenpgp, go-openapi/swag, golang.org/x/*, jsonschema v6, klog, etc.) with corresponding go.sum sync.
Passbolt provider go.mod providers/v1/passbolt/go.mod	Mirrors root dependency bumps scoped to the Passbolt provider: Kubernetes components, ProtonMail libs, go-openapi/swag, golang.org/x/*, jsonschema v6, and assorted indirect updates/replacements.
Passbolt provider implementation providers/v1/passbolt/passbolt.go	Replaced exported Client interface with concrete *api.Client; NewClient performs Login and PreFetchCaches; GetAllSecrets decrypts resource names before filtering; getPassboltSecret uses helper.GetResource to build Secret; Close saves pending session keys then logs out; imports adjusted.
Passbolt tests providers/v1/passbolt/passbolt_test.go	Removed heavy PassboltClientMock scaffolding and many mock-driven tests; tests simplified to instantiate ProviderPassbolt directly, assert basic validation flows, Capabilities, GetProp behavior, and return-not-implemented expectations for unimplemented operations.
Manifest/formatting changes providers/v1/passbolt/...	Line-level manifest changes to reflect dependency additions/removals and module replacements; no new exported APIs beyond the concrete client field change noted above.

Possibly related issues

• 🚀 Feature Request: Passbolt v5 Support #5060: Implements Passbolt v5 handling (migrates to *api.Client, adds Login/PreFetchCaches and per-resource v5 metadata decryption via helper.GetResource), aligning with the issue objectives.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR successfully updates the Passbolt provider to support V5 API with encrypted metadata by upgrading go-passbolt to v0.8.0-beta.1 and refactoring to use the new client API.
Out of Scope Changes check	✅ Passed	All changes are directly related to Passbolt V5 API support: dependency updates, provider refactoring, and test migration align with the stated objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 338: The go.mod entry using the pseudo-version
github.com/passbolt/go-passbolt v0.7.3-0.20260202140352-4844e424f7c6 must be
removed because it does not include official v0.7.3 and lacks Passbolt v5 API
support; replace that line by either pinning to the last official compatible
release (e.g., github.com/passbolt/go-passbolt v0.7.2) or remove the dependency
and implement an alternative approach until upstream publishes a v5-compatible
release, and ensure any code referencing the go-passbolt package (imports and
types) is tested against the chosen version to avoid v5-breaking API changes.

[cedricherzog-passbolt]

Hi ESO maintainer 👋

It is my first contribution to this project and would like to be sure this PR is ok to review before removing the draft status. I read the contribution process, but still have a few questions :-)

• I forced pushed multiple times and the PR description generated by coderabbit does not reflect the changes anymore. Is there a way to regenerated it?
• Do I need to update the root go.mod, or do I update only the on in the provider?
• Can I keep the pseudo-version in the dependencies?

Don't hesitate to tell me if you see something else that needs a change!

[stripthis]

@Skarlso we could use some guidance here, at your convenience.

[Skarlso]

@cedricherzog-passbolt Hello! First off, thank you for doing this! :) 🙇

Second, you need to sign your commits as described here: https://github.com/external-secrets/external-secrets/pull/5919/checks?check_run_id=62940925983

Third, it would be nice to have a proper tag/version for 0.7.3. :D But I see there is none yet. I assume it's coming?

Fourth, I think you need to update both go mods, yeah. Since we are replace-importing the passbolt provider in the main go.mod file. 🤔 So I would indeed assume that it needs a go mod tidy as well. I would assume if you don't do that, either the linter or the build would fail anyways.

Fifth, you're doing fine for now as far as I can see. :)

[cedricherzog-passbolt]

@Skarlso thanks for the feedback :-)

We will do the 0.7.3 release and update this PR.
I'll ping you once we're ready!

[cedricherzog-passbolt]

Hello @Skarlso!
We created a beta release for v5 support.

I updated the dependencies.
Don't hesitate to tell me if anything needs to be changed :-)

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

providers/v1/passbolt/passbolt_test.go (1)

30-149: ⚠️ Potential issue | 🟠 Major

Add tests for core secret retrieval and lifecycle methods.

The Passbolt provider has several implemented methods missing test coverage:

• GetSecret - fetches and decrypts individual secrets with error handling
• GetAllSecrets - filters secrets by regex with error handling
• NewClient - initializes the provider with client setup
• Close - handles session cleanup
• Validate - validates provider configuration

While removing mock complexity is reasonable, compare with similar providers like SecretServer (1,323 test lines covering GetSecret, GetAllSecrets, Close) versus Passbolt's current 149 test lines covering only configuration validation and error stubs.

Either add unit tests with a minimal mock client or integrate tests against a test Passbolt instance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/passbolt/passbolt_test.go` around lines 30 - 149, Tests are
missing for core Passbolt lifecycle and retrieval methods — add unit tests
covering ProviderPassbolt.NewClient, ProviderPassbolt.Close,
ProviderPassbolt.Validate, ProviderPassbolt.GetSecret and
ProviderPassbolt.GetAllSecrets; implement a small mock Passbolt client (or a
lightweight test instance) that the provider can be initialized with to simulate
success and failure paths, assert proper error handling and decryption in
GetSecret, assert regex filtering and empty/non-matching behavior in
GetAllSecrets, verify NewClient initialization and Validate configuration
errors/success, and ensure Close properly cleans up session state; reference
ProviderPassbolt, NewClient, Close, Validate, GetSecret, GetAllSecrets, and
Secret.GetProp when locating targets in the test file.

🧹 Nitpick comments (1)

providers/v1/passbolt/passbolt.go (1)

91-98: Consider logging PreFetchCaches failures for observability.

The comment explains that PreFetchCaches failures are non-fatal, which is reasonable for a performance optimization. However, silently discarding all three return values makes debugging difficult if caching consistently fails in certain environments.

Consider logging the error at debug/info level to aid troubleshooting without failing the operation.

💡 Suggested improvement

 	// Prefetch caches for V5 metadata decryption performance (CLI pattern)
 	// This caches session keys and metadata keys for fast V5 decryption
-	_, _, _ = client.PreFetchCaches(ctx) // Non-fatal if fails
+	if _, _, err := client.PreFetchCaches(ctx); err != nil {
+		// Log at debug level - non-fatal but useful for troubleshooting
+		// log.V(1).Info("failed to prefetch caches", "error", err)
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/passbolt/passbolt.go` around lines 91 - 98, The call to
client.PreFetchCaches currently discards its three return values making cache
failures invisible; modify the call in passbolt.go to capture its returned
values (e.g., _, _, err := client.PreFetchCaches(ctx)) and, if err != nil, log
the error at debug/info level via the existing logger (preserve the non-fatal
behavior by not returning the error). Keep the call site as
client.PreFetchCaches(ctx) and ensure the log message includes context like
"PreFetchCaches failed" plus the error to aid observability.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@providers/v1/passbolt/passbolt_test.go`:
- Around line 30-149: Tests are missing for core Passbolt lifecycle and
retrieval methods — add unit tests covering ProviderPassbolt.NewClient,
ProviderPassbolt.Close, ProviderPassbolt.Validate, ProviderPassbolt.GetSecret
and ProviderPassbolt.GetAllSecrets; implement a small mock Passbolt client (or a
lightweight test instance) that the provider can be initialized with to simulate
success and failure paths, assert proper error handling and decryption in
GetSecret, assert regex filtering and empty/non-matching behavior in
GetAllSecrets, verify NewClient initialization and Validate configuration
errors/success, and ensure Close properly cleans up session state; reference
ProviderPassbolt, NewClient, Close, Validate, GetSecret, GetAllSecrets, and
Secret.GetProp when locating targets in the test file.

---

Nitpick comments:
In `@providers/v1/passbolt/passbolt.go`:
- Around line 91-98: The call to client.PreFetchCaches currently discards its
three return values making cache failures invisible; modify the call in
passbolt.go to capture its returned values (e.g., _, _, err :=
client.PreFetchCaches(ctx)) and, if err != nil, log the error at debug/info
level via the existing logger (preserve the non-fatal behavior by not returning
the error). Keep the call site as client.PreFetchCaches(ctx) and ensure the log
message includes context like "PreFetchCaches failed" plus the error to aid
observability.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b7eee259-e163-4e2f-8177-de0bf1e71191

📥 Commits

Reviewing files that changed from the base of the PR and between 74bf18b and 6c0144c.

⛔ Files ignored due to path filters (2)

• go.sum is excluded by !**/*.sum
• providers/v1/passbolt/go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• go.mod
• providers/v1/passbolt/go.mod
• providers/v1/passbolt/passbolt.go
• providers/v1/passbolt/passbolt_test.go

[Skarlso]

@cedricherzog-passbolt can you please take care of the linter issue? :) Thanks.

[cedricherzog-passbolt]

@Skarlso the linter should pass now! :-)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

providers/v1/passbolt/passbolt.go (2)

198-202: Make Close safe on an uninitialized provider.

Close dereferences provider.client unconditionally. A nil guard keeps cleanup idempotent and avoids panics on zero-value or error-path usage.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/passbolt/passbolt.go` around lines 198 - 202,
ProviderPassbolt.Close currently dereferences provider.client unconditionally;
add a nil guard so Close is safe on an uninitialized or error-path provider. In
the Close method, check if provider.client == nil and return nil (or no-op)
immediately; otherwise call provider.client.SavePendingSessionKeys(ctx) and
provider.client.Logout(ctx) as before, keeping the SavePendingSessionKeys call
best-effort and returning the Logout error if present. Ensure you reference the
ProviderPassbolt.Close method and the provider.client, SavePendingSessionKeys,
and Logout symbols when making the change.

---

97-100: Use the controller logger for prefetch failures.

fmt.Printf bypasses structured logging, loses request/store context, and makes these non-fatal cache warmup failures much harder to correlate in production. Please route this through the operator logger instead of stdout.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/passbolt/passbolt.go` around lines 97 - 100, Replace the stdout
print with the controller logger: where client.PreFetchCaches(ctx) is called and
currently uses fmt.Printf, obtain the controller logger from the context (e.g.
logger := ctrl.LoggerFrom(ctx)) and call logger.Error(err, "passbolt: prefetch
caches failed (non-fatal)") (optionally add context values with WithValues); do
not use fmt.Printf so failures are recorded in structured logs tied to the
request/store.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@providers/v1/passbolt/passbolt.go`:
- Around line 176-180: GetAllSecrets currently aborts the whole bulk fetch when
any single resource fails in the loop; change the loop that iterates over
resources to treat errors from provider.getPassboltSecret(ctx, resource.ID) as
skippable: on error, log a warning (including resource.ID and the error) and
continue to the next resource instead of returning; preserve returning errors
for session-wide or caller-level failures (e.g., failures from session
initialization or provider.listResources), and only treat getPassboltSecret
errors as per-resource non-fatal issues so filtering/regex logic can still run
on the rest of the resources.

---

Nitpick comments:
In `@providers/v1/passbolt/passbolt.go`:
- Around line 198-202: ProviderPassbolt.Close currently dereferences
provider.client unconditionally; add a nil guard so Close is safe on an
uninitialized or error-path provider. In the Close method, check if
provider.client == nil and return nil (or no-op) immediately; otherwise call
provider.client.SavePendingSessionKeys(ctx) and provider.client.Logout(ctx) as
before, keeping the SavePendingSessionKeys call best-effort and returning the
Logout error if present. Ensure you reference the ProviderPassbolt.Close method
and the provider.client, SavePendingSessionKeys, and Logout symbols when making
the change.
- Around line 97-100: Replace the stdout print with the controller logger: where
client.PreFetchCaches(ctx) is called and currently uses fmt.Printf, obtain the
controller logger from the context (e.g. logger := ctrl.LoggerFrom(ctx)) and
call logger.Error(err, "passbolt: prefetch caches failed (non-fatal)")
(optionally add context values with WithValues); do not use fmt.Printf so
failures are recorded in structured logs tied to the request/store.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9aa68564-e653-44d6-9682-dca8401163eb

📥 Commits

Reviewing files that changed from the base of the PR and between 6c0144c and 67c6559.

📒 Files selected for processing (1)

• providers/v1/passbolt/passbolt.go

[coderabbitai]

♻️ Duplicate comments (1)

providers/v1/passbolt/passbolt.go (1)

176-180: ⚠️ Potential issue | 🟠 Major

Don't fail the whole bulk fetch on one bad resource.

This still aborts GetAllSecrets on the first getPassboltSecret error. With V5 metadata decryption now happening before regex filtering, one unreadable or concurrently deleted entry can blank out the entire find result even if that item would never match.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/passbolt/passbolt.go` around lines 176 - 180, The loop inside
GetAllSecrets currently returns nil on the first provider.getPassboltSecret(ctx,
resource.ID) error, aborting the whole bulk fetch; change this to skip the
failing resource instead: when getPassboltSecret returns an error, log the error
(including resource.ID and error details) and continue the for _, resource :=
range resources loop so other resources are processed; optionally collect
non-fatal errors into a slice for reporting but do not return early—ensure
symbols mentioned: GetAllSecrets, resources, provider.getPassboltSecret are
updated accordingly.

🧹 Nitpick comments (1)

providers/v1/passbolt/passbolt.go (1)

52-53: Create a mockable interface for Passbolt client dependencies.

The client *api.Client field prevents unit testing the changed V5 paths (NewClient, GetSecret, GetAllSecrets, Close); the test file now covers only validation/helpers and stubs. Extract a small internal interface for the methods used by ProviderPassbolt (Login, GetResources, SavePendingSessionKeys, Logout, decryption) to restore testability for login/prefetch/session-key/decryption logic without affecting the production implementation.

Additionally, GetAllSecrets still aborts the entire bulk fetch on the first per-resource error, which remains risky—especially now that decryption happens eagerly before filtering.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/passbolt/passbolt.go` around lines 52 - 53, Replace the concrete
client field on ProviderPassbolt with a small internal interface (e.g.,
PassboltAPI) that declares only the methods ProviderPassbolt uses (Login,
GetResources, SavePendingSessionKeys, Logout, Close and the specific decryption
call(s) you invoke) and update ProviderPassbolt to hold that interface instead
of *api.Client; add an adapter type that wraps *api.Client and implements
PassboltAPI and update NewClient to construct ProviderPassbolt with the adapter
so production behavior is unchanged but tests can inject a mock. Also modify
GetAllSecrets to not abort on the first per-resource error: iterate resources,
attempt decryption/filtering for each, collect successful secrets and record
per-resource errors (returning successful results plus an aggregated/multi-error
or a slice of errors) so a single failing resource doesn’t cancel the whole bulk
fetch. Ensure GetSecret, GetAllSecrets, NewClient and Close signatures use the
interface-backed ProviderPassbolt.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@providers/v1/passbolt/passbolt.go`:
- Around line 176-180: The loop inside GetAllSecrets currently returns nil on
the first provider.getPassboltSecret(ctx, resource.ID) error, aborting the whole
bulk fetch; change this to skip the failing resource instead: when
getPassboltSecret returns an error, log the error (including resource.ID and
error details) and continue the for _, resource := range resources loop so other
resources are processed; optionally collect non-fatal errors into a slice for
reporting but do not return early—ensure symbols mentioned: GetAllSecrets,
resources, provider.getPassboltSecret are updated accordingly.

---

Nitpick comments:
In `@providers/v1/passbolt/passbolt.go`:
- Around line 52-53: Replace the concrete client field on ProviderPassbolt with
a small internal interface (e.g., PassboltAPI) that declares only the methods
ProviderPassbolt uses (Login, GetResources, SavePendingSessionKeys, Logout,
Close and the specific decryption call(s) you invoke) and update
ProviderPassbolt to hold that interface instead of *api.Client; add an adapter
type that wraps *api.Client and implements PassboltAPI and update NewClient to
construct ProviderPassbolt with the adapter so production behavior is unchanged
but tests can inject a mock. Also modify GetAllSecrets to not abort on the first
per-resource error: iterate resources, attempt decryption/filtering for each,
collect successful secrets and record per-resource errors (returning successful
results plus an aggregated/multi-error or a slice of errors) so a single failing
resource doesn’t cancel the whole bulk fetch. Ensure GetSecret, GetAllSecrets,
NewClient and Close signatures use the interface-backed ProviderPassbolt.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c47d87b7-a0a6-4a5f-9b75-a2ed42d5e12c

📥 Commits

Reviewing files that changed from the base of the PR and between 67c6559 and c474331.

⛔ Files ignored due to path filters (2)

• go.sum is excluded by !**/*.sum
• providers/v1/passbolt/go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• go.mod
• providers/v1/passbolt/go.mod
• providers/v1/passbolt/passbolt.go
• providers/v1/passbolt/passbolt_test.go

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud