Allow dot and colon in variable path #5898
Conversation
atc/creds/credhub/credhub.go (outdated)
var cred credentials.Credential
var found bool
var err error

-cred, found, err = c.findCred(secretPath)
+cred, found, err = c.findCred(ref.Name)
Same issue as Conjur, looking below it seems like it only cares about Path and not Fields. But I haven't actually used Credhub so can't say for sure
|
||
var ErrEmptyVar = errors.New("empty var")
varRef := VariableReference{Name: name}
I'm beginning to think that the Name shouldn't include Source, that way it'll just be Path + Fields and won't break all of our existing cred managers
The problem is if we do path + fields we will need to concatenate them back with . and wrap them properly with ". I think the parsing of (()) makes us use ref.Path for the creds manager. And the logic in template will take care of looking up fields.
We can probably use parts[1]
Lines 144 to 145 in 46efd51
parts := strings.SplitN(name, ":", 2)
varRef.Source = parts[0]
And the logic in template will take care of looking up fields.
True, I guess another question is how much processing should the cred manager do vs Concourse. They technically have all the information (e.g. Fields) required to fully resolve the secret, but it might be less code duplication if Concourse handles that part
// Get value of a var. Name can be the following formats: 1) 'foo', where foo
// is var name; 2) 'foo:bar', where foo is var source name, and bar is var name;
// 3) '.:foo', where . means a local var, foo is var name.
Comment needs updating, the main purpose now is to extract Fields from a map[string]interface{}
I think the end goal of this Get is still finding a string value? Extracting fields is the first part. It then uses the fields to do a recursive lookup.
After a bunch of fiddling, I eventually got a local Conjur connected to Concourse. I ended up mostly following the quick start, but made a few modifications to the quick start repo. These are the changes I made:
diff --git a/conf/default.conf b/conf/default.conf
index 8aa7e18..0832396 100755
--- a/conf/default.conf
+++ b/conf/default.conf
@@ -1,11 +1,8 @@
server {
- listen 443 ssl;
+ listen 80;
server_name proxy;
access_log /var/log/nginx/access.log;
- ssl_certificate /etc/nginx/tls/nginx.crt;
- ssl_certificate_key /etc/nginx/tls/nginx.key;
-
location / {
proxy_pass http://conjur;
} diff --git a/docker-compose.yml b/docker-compose.yml
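Review bot: replacing `listen 443 ssl;` with `listen 80;` and deleting the `ssl_certificate` / `ssl_certificate_key` lines removes TLS from the proxy, so the Conjur admin API key and every secret value fetched through it cross the Docker network in cleartext; that is acceptable for a throwaway local reproduction like this one, but the quick start's TLS terminator should stay in place on any shared host. The `proxy_pass http://conjur;` hop behind the proxy was already plaintext, so this change only drops the externally visible TLS.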
index 1332b86..56ad583 100755
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -53,10 +53,9 @@ services:
image: nginx:1.13.6-alpine
container_name: nginx_proxy
ports:
- - "8443:443"
+ - "8081:80"
volumes:
- ./conf/:/etc/nginx/conf.d/:ro
- - ./conf/tls/:/etc/nginx/tls/:ro
depends_on:
- conjur
- openssl
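Review bot: the new mapping `"8081:80"` matches the `listen 80;` from the nginx change and dropping the `./conf/tls/` mount is consistent with the removed certificate directives, so nothing still references the deleted TLS files. The one thing to double-check is that the Concourse side is pointed at the plain-http port (the accompanying compose snippet sets CONCOURSE_CONJUR_APPLIANCE_URL to http://docker.for.mac.localhost:8081) rather than the quick start's default https endpoint on 8443.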
- !policy
  id: concourse
  body:
  - !variable "secret.value"
  - !variable "secret"

version: '3'
services:
  web:
    environment:
      CONCOURSE_CONJUR_APPLIANCE_URL: http://docker.for.mac.localhost:8081
      CONCOURSE_CONJUR_ACCOUNT: myConjurAccount
      CONCOURSE_CONJUR_AUTHN_LOGIN: admin
      CONCOURSE_CONJUR_AUTHN_API_KEY: 1xkf4xh2efa4ja7k3ng0rhdqg52dajps63ks08h511q08ks1d8a4pd
      CONCOURSE_CONJUR_SECRET_TEMPLATE: concourse/{{.Secret}}

where the API_KEY is the admin key (in the

Anyway, I tested it a bit with the changes in this PR and without. Something about this change seems to not work with (at least) Conjur, even in the case where there are no dots or colons in the path. e.g. consider the following pipeline:

jobs:
- name: job
  plan:
  - task: echo
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: {repository: busybox}
      run:
        path: echo
        args: [((secret))]

On master, this works correctly (i.e. echoes the value of
(note: I had to modify this line concourse/atc/creds/conjur/conjur.go Line 43 in a822574
Thx for the details of the integration test.
This error is strange since it outputs the
Updated: the working path in master is
* extract source, path and fields from secret name instead of treating it as a black box
* move nested variables lookup out of template into static_vars
* refactor trackers error handling
Signed-off-by: Rui Yang <ryang@pivotal.io>
Co-authored-by: Bohan Chen <bochen@pivotal.io>
put back fields look up logic from static_vars to template
Signed-off-by: Rui Yang <ruiya@vmware.com>
@aoldershaw the way that the creds manager looks up secrets is
In my local testing, I rebased master and ran the test pretty much following your instructions. I have these values set up in Conjur.
docker-compose exec client conjur variable value concourse/secret
blah
docker-compose exec client conjur variable value concourse/secret.value
foo
In my test both ((secret)) and (("secret.value")) resolved to
Additionally, I used the setup to test static variables by
I also used this pipeline to test named variables
All seems to be working. Could you try this rebased version again? Thx!
@xtremerui just tried it out again (with both Conjur and Vault), and it works as expected. Will take a closer look through the code now
Have some questions
}

// var ErrEmptyVar = errors.New("empty var")

type varsTracker struct {
Just realized there's both a varsTracker and a credVarsTracker (which happens to live in vars_tracker.go). Doesn't have to be on this PR to change this, but it's a bit confusing
passing variable reference is unnecessary. Signed-off-by: Rui Yang <ruiya@vmware.com>
Looks pretty good but FYI some of the unit tests are broken - missed reverting some test code in dfcc427 I think
use source+path as unique identifier for visited all error Signed-off-by: Rui Yang <ruiya@vmware.com>
LGTM!
what version of concourse will this roll into?
@mkkeffeler should be the next release (6.5.0), which will probably be in around 2-3 weeks
documents concourse/concourse#5898 Signed-off-by: Izabela Gomes <igomes@pivotal.io> Co-authored-by: Aidan Oldershaw <aoldershaw@pivotal.io>
was this test case tested? Seems to be failing for us on 6.6
was it working before? Seems to me the last part
actually no. It's a Conjur credential. All of those dots are dots in the actual secret name, not a sub-attribute or anything like that
do you mean the var is not evaluated to a value by Conjur when you say "failed"? Or is there an error?
the var is not evaluated to a value in Conjur; Conjur logs show it isn't being looked up. When we print "env" we see the variable that we typed in the pipeline, rather than the value. Other variables work though.
@mkkeffeler Thx for the info. I think the interpolation regex failed to match the var name in your particular case. This is a bug; we will fix it.
hmm not sure I follow. Can you explain how it does that? And is there a workaround?
we have a regex to first check whether the node in the yml file is a var that needs to be interpolated or not. For example, one condition is it needs to be surrounded by
The example you gave is not considered a var at all by the current regex, so it is treated as normal text. By allowing
got it. We also will have spaces in some vars. Not sure if that's already working, but worth calling out :)
What does this PR accomplish?
Bug Fix | Feature | Documentation
closes #4249.
Changes proposed by this PR:
Allow dot `.` and colon `:` in the variable path if quoted with `"`. Parse the variable name in `((var_name))` to a `VariableReference` so the underlying implementation of the `Variable` interface doesn't need to. `((foo:"a_path_with.dot".bar.zoo))` ->
Release Note
`.` and `:` in the name by wrapping them in double quotes. `(("some.secret".field1))` accesses `field1` of the secret `some.secret`.
Notes to reviewer:
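The reference syntax described in this PR (`[source:]path[.field...]` with double-quoted segments) and the regex discussion above, as an added example that is not Concourse's own parser: a small Go parser for the body of a `(( ))` node that keeps `.` and `:` literal inside quotes and rejects malformed references instead of silently treating them as plain text. `VarRef` is an assumed stand-in for the PR's `VariableReference`; the real Concourse code differs.

```go
package main

import (
	"fmt"
	"strings"
)

// VarRef is an illustrative stand-in for the PR's VariableReference (assumption).
type VarRef struct {
	Source string
	Path   string
	Fields []string
}

// ParseVarRef parses the body of a ((...)) node as [source:]path[.field...];
// a "quoted" segment keeps its '.' and ':' literal, so (("some.secret".field1)) works.
func ParseVarRef(body string) (VarRef, error) {
	var segs, seps = []string{}, []byte{}
	for i := 0; i < len(body); {
		n := strings.IndexAny(body[i:]+".", `.:"`) // bare segment ends at a separator or quote; the sentinel '.' ends the last one
		var seg string
		if body[i] == '"' { // quoted segment runs to the closing quote
			if n = strings.IndexByte(body[i+1:], '"'); n < 0 {
				return VarRef{}, fmt.Errorf("unterminated quote in %q", body)
			}
			seg, i = body[i+1:i+1+n], i+n+2
		} else {
			seg, i = body[i:i+n], i+n
		}
		if seg == "" { // rejects an empty body, a..b, a.:b and ""
			return VarRef{}, fmt.Errorf("empty segment in %q", body)
		}
		segs = append(segs, seg)
		if i == len(body) {
			break
		}
		// only '.' or ':' may follow a segment, and ':' only once, right after the source
		if c := body[i]; c != '.' && c != ':' || c == ':' && len(seps) > 0 {
			return VarRef{}, fmt.Errorf("unexpected %q in %q", c, body)
		}
		seps, i = append(seps, body[i]), i+1
	}
	if len(segs) == 0 || len(seps) == len(segs) { // empty var, or a trailing a. / a:
		return VarRef{}, fmt.Errorf("empty var or trailing separator in %q", body)
	}
	if len(seps) > 0 && seps[0] == ':' {
		return VarRef{Source: segs[0], Path: segs[1], Fields: segs[2:]}, nil
	}
	return VarRef{Path: segs[0], Fields: segs[1:]}, nil
}
```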