Adding dedicated and efficient DAO method to support listing expired …

…secret names (#1185)
square · Jan 17, 2023 · 0a426fc · 0a426fc
1 parent 17ac31e
commit 0a426fc
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 7 deletions.
diff --git a/server/src/main/java/keywhiz/service/daos/SecretSeriesDAO.java b/server/src/main/java/keywhiz/service/daos/SecretSeriesDAO.java
@@ -277,6 +277,17 @@ public List<SecretSeries> getMultipleSecretSeriesByName(List<String> names) {
     return dslContext.fetch(SECRETS, SECRETS.NAME.in(names).and(SECRETS.CURRENT.isNotNull())).map(secretSeriesMapper::map);
   }
 
+  public List<String> listExpiringSecretNames(Instant notAfterInclusive) {
+    List<String> expiringSecretNames = dslContext
+        .select()
+        .from(SECRETS)
+        .where(SECRETS.CURRENT.isNotNull())
+        .and(SECRETS.EXPIRY.greaterOrEqual(Instant.now().getEpochSecond()))
+        .and(SECRETS.EXPIRY.lessThan(notAfterInclusive.getEpochSecond()))
+        .fetch(SECRETS.NAME);
+    return ImmutableList.copyOf(expiringSecretNames);
+  }
+
   public ImmutableList<SecretSeries> getSecretSeries(@Nullable Long expireMaxTime,
       @Nullable Group group, @Nullable Long expireMinTime, @Nullable String minName,
       @Nullable Integer limit) {

diff --git a/server/src/main/java/keywhiz/service/resources/automation/v2/SecretResource.java b/server/src/main/java/keywhiz/service/resources/automation/v2/SecretResource.java
@@ -363,22 +363,20 @@ public Iterable<SanitizedSecret> secretListingV2(@Auth AutomationClient automati
   /**
    * Retrieve listing of secrets expiring soon
    *
-   * @param time timestamp for farthest expiry to include
+   * @param notAfterInclusiveUnixEpochSeconds timestamp for farthest expiry to include
    *
-   * responseMessage 200 List of secrets expiring soon
+   * responseMessage 200 List of secret names expiring soon
    */
   @Timed @ExceptionMetered
   @Path("expiring/{time}")
   @GET
   @Produces(APPLICATION_JSON)
   @LogArguments
-  public Iterable<String> secretListingExpiring(@Auth AutomationClient automationClient, @PathParam("time") Long time) {
+  public Iterable<String> listExpiringSecretNames(@Auth AutomationClient automationClient, @PathParam("time") Long notAfterInclusiveUnixEpochSeconds) {
     permissionCheck.checkAllowedForTargetTypeOrThrow(automationClient, Action.READ, Secret.class);
 
-    List<SanitizedSecret> secrets = secretControllerReadOnly.getSanitizedSecrets(time, null);
-    return secrets.stream()
-        .map(SanitizedSecret::name)
-        .collect(toList());
+    Instant notAfterInclusive = Instant.ofEpochSecond(notAfterInclusiveUnixEpochSeconds);
+    return secretSeriesDAO.listExpiringSecretNames(notAfterInclusive);
   }
 
   /**

diff --git a/server/src/test/java/keywhiz/service/daos/SecretSeriesDAOTest.java b/server/src/test/java/keywhiz/service/daos/SecretSeriesDAOTest.java
@@ -56,6 +56,56 @@ public class SecretSeriesDAOTest {
   @Inject @Readwrite SecretContentDAO secretContentDAO;
   @Inject @Readwrite GroupDAO groupDAO;
 
+  @Test
+  public void listExpiringSecretNamesIncludesAllExpiringSecrets() {
+    long expiration1 = randomExpiration();
+    long expiration2 = randomExpiration();
+
+    String secretSeriesName1 = createSecretSeriesAndContentWithExpiration(expiration1);
+    String secretSeriesName2 = createSecretSeriesAndContentWithExpiration(expiration2);
+
+    long notAfter = Math.max(expiration1, expiration2) + 1;
+
+    List<String> expiringSecretNames = secretSeriesDAO.listExpiringSecretNames(Instant.ofEpochSecond(notAfter));
+    assertThat(expiringSecretNames).containsExactlyInAnyOrder(secretSeriesName1, secretSeriesName2);
+  }
+
+  @Test
+  public void listExpiringSecretNamesDoesNotIncludeSecretsExpiringOnNotAfter() {
+    long expiration1 = randomExpiration();
+    long expiration2 = expiration1 + 1;
+
+    String secretSeriesName1 = createSecretSeriesAndContentWithExpiration(expiration1);
+    String secretSeriesName2 = createSecretSeriesAndContentWithExpiration(expiration2);
+
+    long notAfter = expiration2;
+
+    List<String> expiringSecretNames = secretSeriesDAO.listExpiringSecretNames(Instant.ofEpochSecond(notAfter));
+    assertThat(expiringSecretNames).containsExactlyInAnyOrder(secretSeriesName1);
+  }
+
+  @Test
+  public void listExpiringSecretNamesDoesNotIncludeSecretsExpiringAfterNotAfter() {
+    long expiration1 = randomExpiration();
+    long expiration2 = expiration1 + 2;
+
+    String secretSeriesName1 = createSecretSeriesAndContentWithExpiration(expiration1);
+    String secretSeriesName2 = createSecretSeriesAndContentWithExpiration(expiration2);
+
+    long notAfter = expiration1 + 1;
+
+    List<String> expiringSecretNames = secretSeriesDAO.listExpiringSecretNames(Instant.ofEpochSecond(notAfter));
+    assertThat(expiringSecretNames).containsExactlyInAnyOrder(secretSeriesName1);
+  }
+
+  private String createSecretSeriesAndContentWithExpiration(long expiration) {
+    String secretSeriesName = randomName();
+    long secretSeriesId = createSecretSeries(secretSeriesName);
+    long secretContentId = createSecretContent(secretSeriesId);
+    secretSeriesDAO.setExpiration(secretContentId, Instant.ofEpochSecond(expiration));
+    return secretSeriesName;
+  }
+
   @Test
   public void setCurrentVersionUpdatesSecretSeriesExpiry() {
     long secretSeriesId = createRandomSecretSeries();