-
Notifications
You must be signed in to change notification settings - Fork 917
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
integrate with crypto module to decrypt password #2170
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,23 +11,28 @@ import { | |
SavedObjectsErrorHelpers, | ||
} from '../../../../../src/core/server'; | ||
import { DATA_SOURCE_SAVED_OBJECT_TYPE, CREDENTIAL_SAVED_OBJECT_TYPE } from '../../common'; | ||
import { CredentialSavedObjectAttributes } from '../../common/credentials/types'; | ||
import { | ||
CredentialSavedObjectAttributes, | ||
UsernamePasswordTypedContent, | ||
} from '../../common/credentials/types'; | ||
import { DataSourceAttributes } from '../../common/data_sources'; | ||
import { DataSourcePluginConfigType } from '../../config'; | ||
import { CryptographyClient } from '../cryptography'; | ||
import { parseClientOptions } from './client_config'; | ||
import { OpenSearchClientPoolSetup } from './client_pool'; | ||
|
||
export const configureClient = async ( | ||
dataSourceId: string, | ||
savedObjects: SavedObjectsClientContract, | ||
cryptographyClient: CryptographyClient, | ||
openSearchClientPoolSetup: OpenSearchClientPoolSetup, | ||
config: DataSourcePluginConfigType, | ||
logger: Logger | ||
): Promise<Client> => { | ||
const dataSource = await getDataSource(dataSourceId, savedObjects); | ||
const rootClient = getRootClient(dataSource.attributes, config, openSearchClientPoolSetup); | ||
|
||
return getQueryClient(rootClient, dataSource, savedObjects); | ||
return getQueryClient(rootClient, dataSource, savedObjects, cryptographyClient); | ||
}; | ||
|
||
export const getDataSource = async ( | ||
|
@@ -48,13 +53,24 @@ export const getDataSource = async ( | |
|
||
export const getCredential = async ( | ||
credentialId: string, | ||
savedObjects: SavedObjectsClientContract | ||
): Promise<SavedObject<CredentialSavedObjectAttributes>> => { | ||
savedObjects: SavedObjectsClientContract, | ||
cryptographyClient: CryptographyClient | ||
): Promise<UsernamePasswordTypedContent> => { | ||
try { | ||
const credential = await savedObjects.get<CredentialSavedObjectAttributes>( | ||
const credentialSavedObject = await savedObjects.get<CredentialSavedObjectAttributes>( | ||
CREDENTIAL_SAVED_OBJECT_TYPE, | ||
credentialId | ||
); | ||
const { | ||
username, | ||
password, | ||
} = credentialSavedObject.attributes.credentialMaterials.credentialMaterialsContent; | ||
const decodedPassword = await cryptographyClient.decodeAndDecrypt(password); | ||
const credential = { | ||
username, | ||
password: decodedPassword, | ||
}; | ||
Comment on lines
+68
to
+72
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about
|
||
|
||
return credential; | ||
} catch (error: any) { | ||
// it will cause 500 error when failed to get saved objects, need to handle such error gracefully | ||
|
@@ -73,13 +89,18 @@ export const getCredential = async ( | |
const getQueryClient = async ( | ||
rootClient: Client, | ||
dataSource: SavedObject<DataSourceAttributes>, | ||
savedObjects: SavedObjectsClientContract | ||
savedObjects: SavedObjectsClientContract, | ||
cryptographyClient: CryptographyClient | ||
): Promise<Client> => { | ||
if (dataSource.attributes.noAuth) { | ||
return rootClient.child(); | ||
} else { | ||
const credential = await getCredential(dataSource.references[0].id, savedObjects); | ||
return getBasicAuthClient(rootClient, credential.attributes); | ||
const credential = await getCredential( | ||
dataSource.references[0].id, | ||
savedObjects, | ||
cryptographyClient | ||
); | ||
return getBasicAuthClient(rootClient, credential); | ||
} | ||
}; | ||
|
||
|
@@ -112,9 +133,9 @@ const getRootClient = ( | |
|
||
const getBasicAuthClient = ( | ||
rootClient: Client, | ||
credentialAttr: CredentialSavedObjectAttributes | ||
credential: UsernamePasswordTypedContent | ||
): Client => { | ||
const { username, password } = credentialAttr.credentialMaterials.credentialMaterialsContent; | ||
const { username, password } = credential; | ||
return rootClient.child({ | ||
auth: { | ||
username, | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,11 +6,13 @@ | |
import { Logger, OpenSearchClient, SavedObjectsClientContract } from '../../../../src/core/server'; | ||
import { DataSourcePluginConfigType } from '../config'; | ||
import { OpenSearchClientPool, configureClient } from './client'; | ||
import { CryptographyClient } from './cryptography'; | ||
export interface DataSourceServiceSetup { | ||
getDataSourceClient: ( | ||
dataSourceId: string, | ||
// this saved objects client is used to fetch data source on behalf of users, caller should pass scoped saved objects client | ||
savedObjects: SavedObjectsClientContract | ||
savedObjects: SavedObjectsClientContract, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Can I ask more context on this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. it should be scoped client, which means a client tight to a user in the request. Different user may have access to different saved object, including datasource or credentials. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Follow up question - Is this already possible with the current scoped clienet? What is the isolation based on? |
||
cryptographyClient: CryptographyClient | ||
) => Promise<OpenSearchClient>; | ||
} | ||
export class DataSourceService { | ||
|
@@ -25,11 +27,13 @@ export class DataSourceService { | |
|
||
const getDataSourceClient = async ( | ||
dataSourceId: string, | ||
savedObjects: SavedObjectsClientContract | ||
savedObjects: SavedObjectsClientContract, | ||
cryptographyClient: CryptographyClient | ||
): Promise<OpenSearchClient> => { | ||
return configureClient( | ||
dataSourceId, | ||
savedObjects, | ||
cryptographyClient, | ||
openSearchClientPoolSetup, | ||
config, | ||
this.logger | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
../../common
works as wellThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i will refactor on this to expose directly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's create an issue to track this