Skip to content

Secure OAuth client secret storage and prevent API exposure #2204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 15, 2025
Merged

Secure OAuth client secret storage and prevent API exposure #2204

merged 2 commits into from
Oct 15, 2025

Conversation

@amirejaz
Copy link
Contributor

🔒 OAuth Client Secret Security Fix

This PR addresses a critical security vulnerability where OAuth client secrets were being stored as in run config and exposed in export API.

🚨 Security Issue

Problem: OAuth client secrets provided via CLI were being stored as plain text in RunConfig and exposed in export/detail API responses, creating a security vulnerability.

Impact: Sensitive OAuth credentials were visible in API responses, potentially exposing them to unauthorized users.

🛡️ Security Solution

Secure Secret Storage:

  • Plain text OAuth client secrets are now automatically converted to secure secret references
  • Secrets are stored in the secret manager with unique names based on workload names
  • Only CLI format references ("SECRET_NAME,target=oauth_secret") are stored in RunConfig

Centralized Processing:

  • All OAuth client secret sources (CLI flags, registry metadata, environment variables) are processed consistently
  • Plain text secrets are intercepted and converted to secure references before storage

🛠️ Technical Implementation

New Security Functions:

  • processOAuthClientSecret() - Converts plain text secrets to secure references
  • generateOAuthClientSecretName() - Creates unique secret names based on workload
  • findUniqueSecretName() - Handles secret name conflicts with timestamp resolution
  • storeSecretInManager() - Secure secret storage with error handling
  • SecretParameter.ToCLIString() - CLI format string conversion

Enhanced Secret Resolution:

  • Modified WithSecrets() method to resolve OAuth client secrets during runtime
  • Updated runner to ensure secrets are resolved before OAuth authentication flow
  • Added validation for both CLI format and plain text secrets

Comprehensive Testing:

  • Added unit tests for all utility functions with table-driven test cases
  • Tests cover edge cases, error conditions, and security scenarios
  • Focused on testable functions with clear test coverage

📊 Files Changed

  • cmd/thv/app/run_flags.go - OAuth secret processing and CLI integration
  • pkg/api/v1/workload_service.go - API secret handling and conversion
  • pkg/runner/config.go - Secret resolution and validation
  • pkg/runner/runner.go - Secret resolution integration
  • pkg/secrets/types.go - CLI string conversion utilities
  • cmd/thv/app/oauth_secret_test.go - Comprehensive unit tests

🔄 Breaking Changes

None - This is a security fix that maintains backward compatibility while improving security posture.

🎯 Security Impact

  • Before: OAuth client secrets stored as plain text in RunConfig and exposed in APIs
  • After: OAuth client secrets stored as secure references, never exposed in APIs
  • Result: Eliminates security vulnerability while maintaining full functionality

🔍 Verification

  1. CLI Usage: Plain text secrets are automatically converted to secure references
  2. API Responses: No plain text secrets are exposed in export/detail APIs
  3. OAuth Flow: Client secrets are properly resolved during authentication
  4. Secret Manager: Secrets are stored securely with unique names

🚀 Benefits

  • Security: Eliminates OAuth client secret exposure vulnerability
  • Consistency: All secret sources handled uniformly
  • Reliability: Robust error handling and conflict resolution
  • Maintainability: Comprehensive unit tests ensure future security

This PR resolves the OAuth client secret security vulnerability while maintaining full backward compatibility and functionality.

@amirejaz
fix: secure OAuth client secret storage and prevent API exposure
7985958 
- Implement secure client secret storage using secret references
- Convert plain text CLI secrets to secure secret manager references
- Add CLI format string support for secret parameters
- Centralize OAuth client secret processing across all entry points
- Add comprehensive unit tests for utility functions
- Prevent plain text secret exposure in API responses

Fixes security vulnerability where OAuth client secrets were stored
as plain text and exposed in API responses.
@amirejaz
secure OAuth client secret storage and prevent API exposure
3d7406f 
- Implement secure client secret storage using secret references
- Convert plain text CLI secrets to secure secret manager references
- Add CLI format string support for secret parameters
- Centralize OAuth client secret processing across all entry points
- Add comprehensive unit tests for utility functions
- Prevent plain text secret exposure in API responses

Fixes security vulnerability where OAuth client secrets were stored
as plain text and exposed in API responses.
@codecov
Copy link

codecov bot commented Oct 15, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 31.88406% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.18%. Comparing base (3b5e0a0) to head (3d7406f).
⚠️ Report is 5 commits behind head on main.

Files with missing lines Patch % Lines
pkg/runner/config.go 29.03% 20 Missing and 2 partials ⚠️
pkg/api/v1/workload_service.go 0.00% 13 Missing ⚠️
pkg/runner/runner.go 0.00% 9 Missing ⚠️
pkg/secrets/types.go 0.00% 3 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2204      +/-   ##
==========================================
+ Coverage   53.06%   53.18%   +0.12%     
==========================================
  Files         222      222              
  Lines       28916    28920       +4     
==========================================
+ Hits        15345    15382      +37     
+ Misses      12431    12396      -35     
- Partials     1140     1142       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@amirejaz amirejaz merged commit 61d04b4 into main Oct 15, 2025
27 checks passed
@amirejaz amirejaz deleted the use_thv_client_secret branch October 15, 2025 09:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmjb dmjb dmjb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@amirejaz @dmjb