Added obfuscator into databinding #258

Merged
merged 8 commits into from
Dec 4, 2020
cristianciutea
Contributor

This PR will allow specifying, in the integration configuration files, secrets obfuscated with the newrelic CLI:

newrelic agent config obfuscate --key "encrypt_pass" --value='{"user":"test1","password":"test2"}'

Example nginx configuration:

integration_name: com.newrelic.nginx
variables:
  creds:
    obfuscated:
      key: encrypt_pass
      secret: result_from_newrelic_cli
instances:
  - name: nginx-server-metrics
    command: metrics
    arguments:
      status_url: http://${creds.user}:${creds.password}@example.com/status
      status_module: discover
      remote_monitoring: true
    labels:
      env: production
      role: load_balancer
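
How the `creds` variable above resolves once the secret has been deobfuscated, as an added example that is not the project's code. The deobfuscation step is left out; `flatten`, `secretPaths` and `resolve` are hypothetical names, and dotted paths for nested keys are an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// placeholder matches ${name.path} references like those in the config above.
var placeholder = regexp.MustCompile(`\$\{[A-Za-z0-9_.]+\}`)

// flatten stores each leaf of a decoded JSON value under its dotted access path.
func flatten(prefix string, v interface{}, out map[string]string) {
	if m, ok := v.(map[string]interface{}); ok {
		for k, child := range m {
			flatten(prefix+"."+k, child, out)
		}
		return
	}
	out[prefix] = fmt.Sprint(v)
}

// secretPaths flattens a deobfuscated secret; non-JSON text becomes <name>.password.
func secretPaths(name, decoded string) map[string]string {
	var obj map[string]interface{}
	out := map[string]string{}
	if json.Unmarshal([]byte(decoded), &obj) != nil {
		obj = map[string]interface{}{"password": decoded}
	}
	flatten(name, obj, out)
	return out
}

// resolve substitutes placeholders; err is set if any reference has no value.
func resolve(tmpl string, vars map[string]string) (string, error) {
	var err error
	res := placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
		val, ok := vars[m[2:len(m)-1]] // strip "${" and "}"
		if !ok {
			err = fmt.Errorf("unresolved variable %s", m)
		}
		return val
	})
	return res, err
}

func main() { // inputs are the sample values from the PR description
	vars := secretPaths("creds", `{"user":"test1","password":"test2"}`)
	fmt.Println(resolve("http://${creds.user}:${creds.password}@example.com/status", vars))
}
```

With a plain-text secret only `${creds.password}` exists, so a config that also references `${creds.user}` fails to resolve instead of producing a URL with an empty user.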

@cristianciutea cristianciutea linked an issue Nov 30, 2020 that may be closed by this pull request
@coveralls

Pull Request Test Coverage Report for Build 391675528

  • 31 of 56 (55.36%) changed or added relevant lines in 2 files are covered.
  • 5 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.01%) to 58.222%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| pkg/databind/pkg/databind/config.go | 2 | 10 | 20.0% |
| pkg/databind/internal/secrets/obfuscate.go | 29 | 46 | 63.04% |

| Files with Coverage Reduction | New Missed Lines | % |
| --- | --- | --- |
| pkg/databind/pkg/databind/config.go | 1 | 60.24% |
| pkg/integrations/v4/logs/cfg_watcher.go | 4 | 67.5% |

Totals
Change from base Build 391305325: -0.01%
Covered Lines: 11270
Relevant Lines: 19357

💛 - Coveralls

@coveralls

coveralls commented Nov 30, 2020

Pull Request Test Coverage Report for Build 400798901

  • 31 of 56 (55.36%) changed or added relevant lines in 2 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage decreased (-0.008%) to 58.115%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| pkg/databind/pkg/databind/config.go | 2 | 10 | 20.0% |
| pkg/databind/internal/secrets/obfuscate.go | 29 | 46 | 63.04% |

| Files with Coverage Reduction | New Missed Lines | % |
| --- | --- | --- |
| pkg/databind/pkg/databind/config.go | 1 | 60.24% |

Totals
Change from base Build 394042116: -0.008%
Covered Lines: 11294
Relevant Lines: 19434

💛 - Coveralls

@carlosroman carlosroman self-requested a review December 2, 2020 16:28
"testing"
)

func TestReplaceObfuscatedJSONYAMLs(t *testing.T) {
Contributor

Nice, thanks for checking it still works with JSON 👍

}
result := data.InterfaceMap{}
if err := json.Unmarshal([]byte(decrypted), &result); err != nil {
result["password"] = decrypted
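
Review bot: The `err != nil` branch of `json.Unmarshal` discards the parse error and stores the whole decrypted text under `result["password"]`, so a secret that was meant to be JSON but is malformed is silently treated as a single password, and references such as `${creds.user}` then have nothing to resolve. Consider surfacing the parse failure (without putting `decrypted` in the message) or documenting this fallback next to the branch so the behaviour is intentional and visible.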
Contributor

If the text isn't JSON, how about just returning the decrypted string instead of a map with the key password? The KMS does something similar to this, and so it makes the config nicer: if you know it is just one value, you don't have to remember to do {something.password} and can use {something}.

// ObfuscateGatherer instantiates a Obfuscate variable gatherer from the given configuration. The fetching process
// will return either a map containing access paths to the stored JSON.
// E.g. if the stored Secret is `{"account":{"user":"test1","password":"test2"}}`, the returned Map
// contents will be:
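
Review bot: The first sentence of the doc comment says the fetch "will return either a map" but never states the alternative, so a reader cannot tell what is returned when the stored secret is not JSON. Suggest naming the second case explicitly, or dropping "either" if a map is always returned; "a Obfuscate" should also read "an Obfuscate".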
Contributor

thanks for the comment!

@cristianciutea cristianciutea merged commit 4c130c0 into master Dec 4, 2020
@cristianciutea cristianciutea deleted the cciutea/db_obfuscater branch December 4, 2020 14:51
Successfully merging this pull request may close these issues.

NR CLI obfuscation support for integration configs