Fixes #18972: API to use secret database #3534

ElaadF · 2021-03-10T10:04:44Z

https://issues.rudder.io/issues/18972

…dF/rudder into ust_18972/api_to_use_secret_database

ElaadF · 2021-03-10T10:07:57Z

Commit modified

VinceMacBuche · 2021-03-10T10:10:13Z

I think you should rename secretVault into secret or secrets depending on the case. I don't to make think it could be related to hashicorp Vault

ElaadF · 2021-03-10T10:10:17Z

Currently, Delete and Update actions doesn't return an error if the secret doesn't exists

...rudder/rudder-rest/src/main/scala/com/normation/rudder/web/services/SecretVaultService.scala

VinceMacBuche · 2021-03-10T10:34:31Z

...rudder/rudder-rest/src/main/scala/com/normation/rudder/web/services/SecretVaultService.scala

+
+import java.nio.charset.StandardCharsets
+
+final case class Metadata(author: Option[String], formatVersion: Option[String], date: Option[String])


You don't need those metadata, author and date

format should not be optionnal, and i think it should not be a parameter

@fanf mentionned that it could be interesting to have extra metadas, but nothing for the moment, I can remove it, should we keep formatVersion anyway ?

...rudder/rudder-rest/src/main/scala/com/normation/rudder/web/services/SecretVaultService.scala

…dF/rudder into ust_18972/api_to_use_secret_database

...rudder/rudder-rest/src/main/scala/com/normation/rudder/web/services/SecretVaultService.scala

…om:ElaadF/rudder into ust_18972/api_to_use_secret_database Fixes #18972: API to use secret database

ElaadF · 2021-03-10T17:49:00Z

Commit modified

ElaadF · 2021-03-10T17:51:21Z

Commit modified

VinceMacBuche · 2021-03-24T10:20:05Z

webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/SecretApi.scala

+        JString(id)
+      }
+
+      RestUtils.response(restExtractor, "secretName", None)(res, req, "Error when trying to delete a secret")


you should always send back the whole secret structure with the same container than the rest of the api

VinceMacBuche · 2021-03-24T10:22:09Z

webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/SecretApi.scala

+        Secret.serializeSecret(secret)
+      }
+
+      RestUtils.response(restExtractor, "secret", None)(res, req, "Error when trying to add a secret")


should be secrets and in an array

VinceMacBuche · 2021-03-24T10:22:31Z

webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/SecretApi.scala

+        Secret.serializeSecret(secret)
+      }
+
+      RestUtils.response(restExtractor, "secret", None)(res, req, s"Error when trying to update a secret")


Should be secrets and in an array

VinceMacBuche · 2021-03-24T10:23:48Z

.../rudder-rest/src/main/scala/com/normation/rudder/web/services/EventLogDetailsGenerator.scala

+                </ul>
+                {(
+                "#name"  #> modDiff.name &
+                  "#value" #> mapSimpleDiff(modDiff.modValue)


Should state that value has changed and (diff strucure should only have a boolean, stating it has changed or not

VinceMacBuche · 2021-03-24T10:38:57Z

...rces/rudder/rudder-rest/src/main/scala/com/normation/rudder/web/services/SecretService.scala

+      _         <- oldSecret match {
+                     case Some(oldSec) =>
+                       if(oldSec.value == newSecret.value) {
+                         logger.warn(s"Trying to update secret `${oldSec.name}` with the same value")


log level should not be warn and it don't even think we need to log it

VinceMacBuche · 2021-03-24T11:36:28Z

...rces/rudder/rudder-rest/src/main/scala/com/normation/rudder/web/services/SecretService.scala

+}
+
+class FileSystemSecretRepository(
+    jsonDbPath   : String


I think it should be configuration-repository path, and the end of the path should be in the repository

btw, the secrets.json should be in a secrets directory

ElaadF · 2021-04-09T04:17:48Z

PR updated with a new commit
add description parameter, standardize API return format and remove value from eventlog

ElaadF · 2021-04-09T04:21:04Z

...r-core/src/main/scala/com/normation/rudder/services/marshalling/XmlUnserialisationImpl.scala

+//      value            <- (secret \ "value").headOption.map( _.text ) ?~! ("Missing attribute 'value' in entry type secret : " + entry)
+      description      <- (secret \ "description").headOption.map( _.text ) ?~! ("Missing attribute 'description' in entry type secret : " + entry)
+    } yield {
+      Secret(name, "", description)


Not the best solution, maybe create a SecretInfo(name: String, description: String) and used it instead of Secret
and transform Secret(name: String, value: String, description: String) into Secret(value: String, info: SecretInfo)

ElaadF · 2021-04-09T04:22:55Z

Commit modified

ElaadF · 2021-04-09T07:44:21Z

Commit modified

Fixes #18972: API to use secret database

ElaadF · 2021-04-09T09:29:25Z

PR updated with a new commit
adding support of git

Fixes #18972: API to use secret database

ElaadF · 2021-04-11T00:29:58Z

PR updated with a new commit
optionnal field when empty for update API and make mandatory all field when adding new secret

ElaadF · 2021-07-28T08:21:36Z

This PR should not be in rudder main project, it will be moved in rudder-plugins

ElaadF added 2 commits March 4, 2021 15:01

Work in progress

4d2ba2f

Merge branch 'ust_18972/api_to_use_secret_databse' of github.com:Elaa…

31f8f5e

…dF/rudder into ust_18972/api_to_use_secret_database

ElaadF requested a review from VinceMacBuche March 10, 2021 10:04

ElaadF added the Trigger test label Mar 10, 2021

Fixes #18972: API to use secret database

9a812c4

ElaadF force-pushed the ust_18972/api_to_use_secret_databse branch from af4ba0e to 9a812c4 Compare March 10, 2021 10:07

ElaadF added Trigger test and removed Trigger test labels Mar 10, 2021

ElaadF added the WIP Use that label for a Work In Progress PR that must not be merged yet label Mar 10, 2021

ElaadF requested a review from fanf March 10, 2021 10:10

ElaadF commented Mar 10, 2021

View reviewed changes