Secrets management tab

[skosijer]

📋 Pull Request Summary

• Add a new tab in the Control Panel that provides the users with Secrets Management.
• Add CRUD operations for Secrets.

[gemini-code-assist]

Summary of Changes

Hello @skosijer, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a robust secrets management feature within the Control Panel, allowing users to securely handle environment variables. It also includes a significant refactoring of resource management, associating data sources and secrets with specific environments. These changes enhance the application's security, organization, and granular access control, alongside updates to API endpoints and user onboarding flows to support the new architecture.

Highlights

• New Secrets Management Tab: A dedicated 'Secrets Manager' tab has been added to the Control Panel, providing a centralized interface for managing environment variables and secrets.
• CRUD Operations for Secrets: Users can now perform Create, Read, Update, and Delete (CRUD) operations on environment variables directly within the application.
• Environment-Scoped Resources: Data sources and secrets are now explicitly associated with specific environments, enabling more granular control and organization of resources.
• Refactored API Endpoints: Significant changes have been made to API endpoints for managing members, data sources, environments, and websites to align with the new environment-scoped resource model and enhanced permission system.
• Improved User Access Control: Enhanced permission checks have been implemented across various resources (data sources, environments, websites, environment variables) and user roles to ensure secure access.
• New Access Denied Page: A dedicated 'Access Denied' page has been introduced to provide a clear message and options for users who do not have sufficient permissions to access the application.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new Secrets Management tab, which is a great addition. The implementation covers the necessary CRUD operations and UI components. However, I've identified a critical security vulnerability related to how environment variables are fetched on initial load, which exposes all secrets to any authenticated user. There are also several high-severity issues with permission checks that are too broad, potentially allowing unauthorized access to secrets in different environments. Additionally, I've included several medium-severity suggestions to improve code quality, maintainability, and user experience. Please address the critical and high-severity issues before merging.