Adds validation logic for secrets aliases and IDs (Conjur var paths) #376
Conversation
I suppose it would be possible to use the
|
There was a problem hiding this comment.
PR looking good. I left a couple comments.
Fly by comments...
I'm wondering about how far down the rabbit hole of validation we want to go. The YAML validation seems a bit involved. I looked at the spec for YAML, and compared that against some commonly used YAML processing libraries and I haven't seen anything yet that goes into the weeds for validation. I worry that we might potentially constrain too much in a way that creates friction in SP interacting with other tools that consume the formats.
'm not sure what the answer is but the following questions have been on my mind re: alias validation for formats
- What value are we providing to the user by adding this nuanced validation
- What is the cost to us of providing this nuanced validation in terms of maintenance, ensuring we enforce the constraints without getting in the way etc.
| for _, group := range *secretGroups { | ||
| for _, spec := range group.SecretSpecs { | ||
| ids = append(ids, spec.Id) | ||
| if err := validateSecretSpec(spec, group.FileFormat); err != nil { |
There was a problem hiding this comment.
I think this is too late to validate the secret spec. For early feedback it would be better to carry out these checks at the time when the annotations are used to create the secret group.
There was a problem hiding this comment.
Good point! I'll move this validation so that it happens earlier.
There was a problem hiding this comment.
The validation occurs earlier now, in the NewSecretGroupsFromAnnotations function.
diverdane
force-pushed
the
ONYX-12559
branch
3 times, most recently
from
8d277f0 to
31cc972
Compare
This may be more of a quality question for @andytinkham or @adamouamani. Questions came up during the design review for M1 re. input validation for a bunch of inputs. At that time the thought was that the allowable character sets for the keys of each of these formats was well-known, and that for each format, we could fairly easily implement validity checks that are the most liberal allowable for that format (i.e. allow the widest range of characters as allowed for that format). (Applications may want to restrict the allowable character set even further... but each application may have different restrictions, so we need to design our validity checks to be the most liberal/lenient so that we work across all applications.) The value add is that if someone is using M1, but has a weird programmatic error that results in strange characters being used for secrets aliases, we'll fail fast and provide an explicit error log pointing to the error. If we've interpreted the specifications for each format correctly, and we're allowing the widest range of characters allowed, then I don't think the ongoing maintenance cost will be that big. |
diverdane
force-pushed
the
ONYX-12559
branch
7 times, most recently
from
3fdbaa0 to
1f29238
Compare
|
I've addressed your latest comments/suggestions. One issue that came up is that the current alias validator functions (and the |
I don't have anything more to add here. My main concern is that we don't inadvertently leak secret values or otherwise introduce a security risk in parsing the Yaml. @adamouamani might have quality thoughts. |
| @@ -25,6 +27,8 @@ type SecretGroup struct { | |||
| SecretSpecs []SecretSpec | |||
| } | |||
|
|
|||
| // ResolvedSecretSpecs resolves all of the secret paths for a secret | |||
| // group by prepending each path with that group's policy path prefix. | |||
There was a problem hiding this comment.
Thanks for adding the comments!
| // YAML file format, 8-bit characters | ||
| {"printable ASCII", '\u003F', assertNoError()}, | ||
| {"heart emoji", '💙', assertNoError()}, | ||
| {"dog emoji", '🐶', assertNoError()}, |
There was a problem hiding this comment.
I suppose I could have added that, but figured we have 2 representative emojis being tested.
|
Code Climate has analyzed commit 75f5f5a and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 95.5% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.1% (1.5% change). View more on Code Climate. |
What does this PR do?
This PR adds logic to validate the secrets aliases (based on output file format, e.g. YAML, JSON, Bash, or dotenv) and to validate the IDs (i.e. Conjur variable paths) contained in each
SecretSpec.The validation is done according to the
Input Validations for Annotations
section of the
M1 Push-to-File Design Spec.
The validation is done before retrieving any secret values from Conjur so that we fail fast.
What ticket does this PR close?
ONYX-12559
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or