Use the new HMAC column in secret representations

api/src/main/java/keywhiz/api/automation/v2/SecretDetailResponseV2.java

@@ -22,6 +22,7 @@
   public static Builder builder() {
     return new AutoValue_SecretDetailResponseV2.Builder()
         .content("")
+        .checksum("")
         .description("")
         .type(null)
         .metadata(ImmutableMap.of());
@@ -37,6 +38,7 @@ public static Builder builder() {
     public abstract Builder name(String name);
     public abstract Builder version(@Nullable long version); // Unique ID in secrets_content table
     public abstract Builder content(String secret);
+    public abstract Builder checksum(String checksum);
     public abstract Builder description(String description);
     public abstract Builder createdAtSeconds(long createdAt);
     public abstract Builder createdBy(String person);
@@ -62,6 +64,7 @@ public Builder secret(Secret secret) {
           .name(secret.getName())
           .description(secret.getDescription())
           .content(secret.getSecret())
+          .checksum(secret.getChecksum())
           .createdAtSeconds(secret.getCreatedAt().toEpochSecond())
           .createdBy(secret.getCreatedBy())
           .type(secret.getType().orElse(null))
@@ -100,6 +103,7 @@ public SecretDetailResponseV2 build() {
       @JsonProperty("version") @Nullable long version,
       @JsonProperty("description") @Nullable String description,
       @JsonProperty("content") String content,
+      @JsonProperty("checksum") String checksum,
       @JsonProperty("size") UnsignedLong size,
       @JsonProperty("createdAtSeconds") long createdAtSeconds,
       @JsonProperty("createdBy") String createdBy,
@@ -111,6 +115,7 @@ public SecretDetailResponseV2 build() {
         .version(version)
         .description(nullToEmpty(description))
         .content(content)
+        .checksum(checksum)
         .size(size)
         .createdAtSeconds(createdAtSeconds)
         .createdBy(createdBy)
@@ -125,6 +130,7 @@ public SecretDetailResponseV2 build() {
   @JsonProperty("version") @Nullable public abstract long version();
   @JsonProperty("description") public abstract String description();
   @JsonProperty("content") public abstract String content();
+  @JsonProperty("checksum") public abstract String checksum();
   @JsonProperty("size") public abstract UnsignedLong size();
   @JsonProperty("createdAtSeconds") public abstract long createdAtSeconds();
   @JsonProperty("createdBy") public abstract String createdBy();
@@ -137,6 +143,7 @@ public SecretDetailResponseV2 build() {
         .add("name", name())
         .add("description", description())
         .add("content", "[REDACTED]")
+        .add("checksum", checksum())
         .add("size", size())
         .add("createdAtSeconds", createdAtSeconds())
         .add("createdBy", createdBy())

api/src/main/java/keywhiz/api/model/SanitizedSecret.java

@@ -19,9 +19,7 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.auto.value.AutoValue;
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import javax.annotation.Nullable;
@@ -38,6 +36,7 @@ public abstract class SanitizedSecret {
   @JsonCreator public static SanitizedSecret of(
       @JsonProperty("id") long id,
       @JsonProperty("name") String name,
+      @JsonProperty("checksum") String checksum,
       @JsonProperty("description") @Nullable String description,
       @JsonProperty("createdAt") ApiDate createdAt,
       @JsonProperty("createdBy") @Nullable String createdBy,
@@ -51,13 +50,13 @@ public abstract class SanitizedSecret {
         (metadata == null) ? ImmutableMap.of() : ImmutableMap.copyOf(metadata);
     ImmutableMap<String, String> genOptions =
         (generationOptions == null) ? ImmutableMap.of() : ImmutableMap.copyOf(generationOptions);
-    return new AutoValue_SanitizedSecret(id, name, nullToEmpty(description), createdAt,
+    return new AutoValue_SanitizedSecret(id, name, checksum, nullToEmpty(description), createdAt,
         nullToEmpty(createdBy), updatedAt, nullToEmpty(updatedBy), meta, Optional.ofNullable(type),
         genOptions, expiry);
   }
 
   public static SanitizedSecret of(long id, String name) {
-    return of(id, name, null, new ApiDate(0), null, new ApiDate(0), null, null, null, null, 0);
+    return of(id, name, "", null, new ApiDate(0), null, new ApiDate(0), null, null, null, null, 0);
   }
 
   public static SanitizedSecret fromSecretSeriesAndContent(SecretSeriesAndContent seriesAndContent) {
@@ -66,6 +65,7 @@ public static SanitizedSecret fromSecretSeriesAndContent(SecretSeriesAndContent
     return SanitizedSecret.of(
         series.id(),
         series.name(),
+        content.hmac(),
         series.description(),
         content.createdAt(),
         content.createdBy(),
@@ -88,6 +88,7 @@ public static SanitizedSecret fromSecret(Secret secret) {
     return SanitizedSecret.of(
         secret.getId(),
         secret.getName(),
+        secret.getChecksum(),
         secret.getDescription(),
         secret.getCreatedAt(),
         secret.getCreatedBy(),
@@ -101,6 +102,7 @@ public static SanitizedSecret fromSecret(Secret secret) {
 
   @JsonProperty public abstract long id();
   @JsonProperty public abstract String name();
+  @JsonProperty public abstract String checksum();
   @JsonProperty public abstract String description();
   @JsonProperty public abstract ApiDate createdAt();
   @JsonProperty public abstract String createdBy();

api/src/main/java/keywhiz/api/model/Secret.java

@@ -47,6 +47,7 @@ public class Secret {
   /** Base64-encoded content of this version of the secret. */
   private String secret;
   private final LazyString encryptedSecret;
+  private final String checksum;
 
   private final ApiDate createdAt;
   private final String createdBy;
@@ -65,6 +66,7 @@ public Secret(long id,
                 String name,
                 @Nullable String description,
                 LazyString encryptedSecret,
+                String checksum,
                 ApiDate createdAt,
                 @Nullable String createdBy,
                 ApiDate updatedAt,
@@ -79,6 +81,7 @@ public Secret(long id,
     this.name = name;
     this.description = nullToEmpty(description);
     this.encryptedSecret = checkNotNull(encryptedSecret);
+    this.checksum = checksum;
     this.createdAt = checkNotNull(createdAt);
     this.createdBy = nullToEmpty(createdBy);
     this.updatedAt = checkNotNull(updatedAt);
@@ -115,6 +118,10 @@ public String getSecret() {
     return secret;
   }
 
+  public String getChecksum() {
+    return checksum;
+  }
+
   public ApiDate getCreatedAt() {
     return createdAt;
   }
@@ -163,6 +170,7 @@ public boolean equals(Object o) {
           Objects.equal(this.name, that.name) &&
           Objects.equal(this.description, that.description) &&
           Objects.equal(this.getSecret(), that.getSecret()) &&
+          Objects.equal(this.getChecksum(), that.getChecksum()) &&
           Objects.equal(this.createdAt, that.createdAt) &&
           Objects.equal(this.createdBy, that.createdBy) &&
           Objects.equal(this.updatedAt, that.updatedAt) &&
@@ -178,7 +186,7 @@ public boolean equals(Object o) {
   }
 
   @Override public int hashCode() {
-    return Objects.hashCode(id, name, description, getSecret(), createdAt, createdBy, updatedAt,
+    return Objects.hashCode(id, name, description, getSecret(), checksum, createdAt, createdBy, updatedAt,
         updatedBy, metadata, type, generationOptions, expiry);
   }
 
@@ -189,6 +197,7 @@ public String toString() {
         .add("name", name)
         .add("description", description)
         .add("secret", "[REDACTED]")
+        .add("checksum", checksum)
         .add("creationDate", createdAt)
         .add("createdBy", createdBy)
         .add("updatedDate", updatedAt)

api/src/main/java/keywhiz/api/model/SecretContent.java

@@ -32,17 +32,18 @@
  */
 @AutoValue
 public abstract class SecretContent {
-  public static SecretContent of(long id, long secretSeriesId, String encryptedContent, ApiDate createdAt,
+  public static SecretContent of(long id, long secretSeriesId, String encryptedContent, String hmac, ApiDate createdAt,
                                  @Nullable String createdBy, ApiDate updatedAt, @Nullable String updatedBy,
                                  ImmutableMap<String, String> metadata, long expiry) {
-    return new AutoValue_SecretContent(id, secretSeriesId, encryptedContent,
+    return new AutoValue_SecretContent(id, secretSeriesId, encryptedContent, hmac,
         createdAt, nullToEmpty(createdBy), updatedAt,
         nullToEmpty(updatedBy), metadata, expiry);
   }
 
   public abstract long id();
   public abstract long secretSeriesId();
   public abstract String encryptedContent();
+  public abstract String hmac();
   public abstract ApiDate createdAt();
   public abstract String createdBy();
   public abstract ApiDate updatedAt();
@@ -55,6 +56,7 @@ createdAt, nullToEmpty(createdBy), updatedAt,
         .add("id", id())
         .add("secretSeriesId", secretSeriesId())
         .add("encryptedContent", "[REDACTED]")
+        .add("checksum", hmac())
         .add("createdAt", createdAt())
         .add("createdBy", createdBy())
         .add("updatedAt", updatedAt())

api/src/test/java/keywhiz/api/AutomationSecretResponseTest.java

@@ -33,7 +33,7 @@ public class AutomationSecretResponseTest {
   private static final ImmutableMap<String, String> metadata =
       ImmutableMap.of("key1", "value1", "key2", "value2");
   private static final ApiDate NOW = ApiDate.now();
-  private static final Secret secret = new Secret(0, "name", null, () -> "YWJj", NOW, null, NOW, null, metadata,
+  private static final Secret secret = new Secret(0, "name", null, () -> "YWJj", "checksum", NOW, null, NOW, null, metadata,
       "upload", null, 1136214245);
 
   @Test

api/src/test/java/keywhiz/api/SecretDeliveryResponseTest.java

@@ -30,7 +30,7 @@ public class SecretDeliveryResponseTest {
   private static final ImmutableMap<String, String> metadata =
       ImmutableMap.of("key1", "value1", "key2", "value2");
   private static final ApiDate NOW = ApiDate.now();
-  private static final Secret secret = new Secret(0, "name", null, () -> "YWJj", NOW, null, NOW, null, metadata,
+  private static final Secret secret = new Secret(0, "name", null, () -> "YWJj", "checksum", NOW, null, NOW, null, metadata,
       "upload", null, 0);
 
   @Test

api/src/test/java/keywhiz/api/SecretsResponseTest.java

@@ -31,6 +31,7 @@ public class SecretsResponseTest {
         SanitizedSecret.of(
             767,
             "trapdoor",
+            "checksum",
             "v1",
             ApiDate.parse("2013-03-28T21:42:42.573Z"),
             "keywhizAdmin",
@@ -43,6 +44,7 @@ public class SecretsResponseTest {
         SanitizedSecret.of(
             768,
             "anotherSecret",
+            "checksum",
             "",
             ApiDate.parse("2013-04-28T21:42:42.573Z"),
             "keywhizAdmin",

api/src/test/java/keywhiz/api/automation/v2/SecretDetailResponseV2Test.java

@@ -37,6 +37,7 @@ public class SecretDetailResponseV2Test {
         .version(1)
         .description("secret-description")
         .content("YXNkZGFz")
+        .checksum("checksum")
         .createdAtSeconds(OffsetDateTime.parse("2013-03-28T21:23:04.159Z").toEpochSecond())
         .createdBy("creator-user")
         .type("text/plain")
@@ -56,6 +57,7 @@ public class SecretDetailResponseV2Test {
     SecretDetailResponseV2 secretDetailResponse = SecretDetailResponseV2.builder()
         .series(series)
         .content("YXNkZGFz")
+        .checksum("checksum")
         .metadata(ImmutableMap.of("owner", "root"))
         .expiry(1136214245)
         .build();
@@ -65,7 +67,7 @@ public class SecretDetailResponseV2Test {
   }
 
   @Test public void formsCorrectlyFromSecret() throws Exception {
-    Secret secret = new Secret(1, "secret-name", "secret-description", () -> "",
+    Secret secret = new Secret(1, "secret-name", "secret-description", () -> "", "checksum",
         ApiDate.parse("2013-03-28T21:23:04.159Z"), "creator-user",
         ApiDate.parse("2013-03-28T21:23:04.159Z"), "creator-user",
         ImmutableMap.of("owner", "root"), "text/plain", null,
@@ -88,6 +90,7 @@ public class SecretDetailResponseV2Test {
     SecretDetailResponseV2 secretDetailResponse = SecretDetailResponseV2.builder()
         .secretVersion(version)
         .content("YXNkZGFz")
+        .checksum("checksum")
         .build();
 
     assertThat(asJson(secretDetailResponse))

api/src/test/java/keywhiz/api/model/SanitizedSecretTest.java

@@ -29,6 +29,7 @@ public class SanitizedSecretTest {
     SanitizedSecret sanitizedSecret = SanitizedSecret.of(
         767,
         "trapdoor",
+        "checksum",
         "v1",
         ApiDate.parse("2013-03-28T21:42:42.573Z"),
         "keywhizAdmin",
@@ -42,4 +43,56 @@ public class SanitizedSecretTest {
     assertThat(asJson(sanitizedSecret))
         .isEqualTo(jsonFixture("fixtures/sanitizedSecret.json"));
   }
+
+  @Test public void buildsCorrectlyFromSecret() throws Exception {
+    SanitizedSecret sanitizedSecret = SanitizedSecret.fromSecret(
+        new Secret(
+            767,
+            "trapdoor",
+            "v1",
+            () -> "foo",
+            "checksum",
+            ApiDate.parse("2013-03-28T21:42:42.573Z"),
+            "keywhizAdmin",
+            ApiDate.parse("2013-03-28T21:42:42.573Z"),
+            "keywhizAdmin",
+            ImmutableMap.of("owner", "the king"),
+            "password",
+            ImmutableMap.of("favoriteFood", "PB&J sandwich"),
+            1136214245));
+
+    assertThat(asJson(sanitizedSecret))
+        .isEqualTo(jsonFixture("fixtures/sanitizedSecret.json"));
+  }
+
+  @Test public void buildsCorrectlyFromSecretSeriesAndContent() throws Exception {
+    SanitizedSecret sanitizedSecret = SanitizedSecret.fromSecretSeriesAndContent(
+        SecretSeriesAndContent.of(
+            SecretSeries.of(
+                767,
+                "trapdoor",
+                "v1",
+                ApiDate.parse("2013-03-28T21:42:42.573Z"),
+                "keywhizAdmin",
+                ApiDate.parse("2013-03-28T21:42:42.573Z"),
+                "keywhizAdmin",
+                "password",
+                ImmutableMap.of("favoriteFood", "PB&J sandwich"),
+                1136214245L
+            ), SecretContent.of(
+                1L,
+                767,
+                "foo",
+                "checksum",
+                ApiDate.parse("2013-03-28T21:42:42.573Z"),
+                "keywhizAdmin",
+                ApiDate.parse("2013-03-28T21:42:42.573Z"),
+                "keywhizAdmin",
+                ImmutableMap.of("owner", "the king"),
+                1136214245L
+            )));
+
+    assertThat(asJson(sanitizedSecret))
+        .isEqualTo(jsonFixture("fixtures/sanitizedSecret.json"));
+  }
 }

api/src/test/java/keywhiz/api/model/SecretTest.java

@@ -45,7 +45,7 @@ public class SecretTest {
   }
 
   @Test public void callsDecryptOnlyOnce() {
-    Secret s = new Secret(42, "toto", null, () -> String.valueOf(++called), ApiDate.now(), "", ApiDate.now(), "", null,
+    Secret s = new Secret(42, "toto", null, () -> String.valueOf(++called), "checksum", ApiDate.now(), "", ApiDate.now(), "", null,
         null, null, 0);
     assertThat(s.getSecret()).isEqualTo("1");
     assertThat(s.getSecret()).isEqualTo("1");

api/src/test/resources/fixtures/sanitizedSecret.json

@@ -1,6 +1,7 @@
 {
   "id" : 767,
   "name" : "trapdoor",
+  "checksum" : "checksum",
   "description" : "v1",
   "createdAt" : "2013-03-28T21:42:42.000Z",
   "createdBy" : "keywhizAdmin",

api/src/test/resources/fixtures/secretsResponse.json

@@ -3,6 +3,7 @@
     {
       "id" : 767,
       "name" : "trapdoor",
+      "checksum": "checksum",
       "description" : "v1",
       "createdAt" : "2013-03-28T21:42:42.000Z",
       "createdBy" : "keywhizAdmin",
@@ -20,6 +21,7 @@
     {
       "id" : 768,
       "name" : "anotherSecret",
+      "checksum" : "checksum",
       "description" : "",
       "createdAt" : "2013-04-28T21:42:42.000Z",
       "createdBy" : "keywhizAdmin",

api/src/test/resources/fixtures/v2/secretDetailResponse.json

@@ -3,6 +3,7 @@
   "version" : 1,
   "description" : "secret-description",
   "content": "YXNkZGFz",
+  "checksum": "checksum",
   "size":6,
   "createdAtSeconds": 1364505784,
   "createdBy": "creator-user",

cli/src/test/java/keywhiz/cli/commands/AddActionTest.java

@@ -55,7 +55,7 @@ public class AddActionTest {
 
   Client client = new Client(4, "newClient", null, null, null, null, null, null, true, false);
   Group group = new Group(4, "newGroup", null, null, null, null, null, null);
-  Secret secret = new Secret(15, "newSecret", null, () -> "c2VjcmV0MQ==", NOW, null, NOW, null, null, null,
+  Secret secret = new Secret(15, "newSecret", null, () -> "c2VjcmV0MQ==", "checksum", NOW, null, NOW, null, null, null,
       ImmutableMap.of(), 0);
   SanitizedSecret sanitizedSecret = SanitizedSecret.fromSecret(secret);
   SecretDetailResponse secretDetailResponse = SecretDetailResponse.fromSecret(secret, null, null);

cli/src/test/java/keywhiz/cli/commands/AssignActionTest.java

@@ -53,7 +53,7 @@ public class AssignActionTest {
   Group group = new Group(5, "group", null, null, null, null, null, null);
   GroupDetailResponse groupDetailResponse = GroupDetailResponse.fromGroup(group,
       ImmutableList.<SanitizedSecret>of(), ImmutableList.<Client>of());
-  Secret secret = new Secret(16, "secret", null, () -> "c2VjcmV0MQ==", NOW, null, NOW, null, null, null,
+  Secret secret = new Secret(16, "secret", null, () -> "c2VjcmV0MQ==", "checksum", NOW, null, NOW, null, null, null,
       ImmutableMap.of(), 0);
   SanitizedSecret sanitizedSecret = SanitizedSecret.fromSecret(secret);