fix: secret name generation when secretId is not part of the secret name

cli/app/new.go

@@ -108,7 +108,7 @@ var appNewCommand = cli.Command{
 			}
 
 			envSamplePath := path.Join(config.RECIPES_DIR, recipe.Name, ".env.sample")
-			secretsConfig, err := secret.ReadSecretsConfig(envSamplePath, composeFiles, recipe.Name)
+			secretsConfig, err := secret.ReadSecretsConfig(envSamplePath, composeFiles, config.StackName(internal.Domain))
 			if err != nil {
 				return err
 			}
@@ -168,14 +168,8 @@ var appNewCommand = cli.Command{
 type AppSecrets map[string]string
 
 // createSecrets creates all secrets for a new app.
-func createSecrets(cl *dockerClient.Client, secretsConfig map[string]secret.SecretValue, sanitisedAppName string) (AppSecrets, error) {
+func createSecrets(cl *dockerClient.Client, secretsConfig map[string]secret.Secret, sanitisedAppName string) (AppSecrets, error) {
-	// NOTE(d1): trim to match app.StackName() implementation
+	secrets, err := secret.GenerateSecrets(cl, secretsConfig, internal.NewAppServer)
-	if len(sanitisedAppName) > 45 {
-		logrus.Debugf("trimming %s to %s to avoid runtime limits", sanitisedAppName, sanitisedAppName[:45])
-		sanitisedAppName = sanitisedAppName[:45]
-	}
-
-	secrets, err := secret.GenerateSecrets(cl, secretsConfig, sanitisedAppName, internal.NewAppServer)
 	if err != nil {
 		return nil, err
 	}
@@ -217,7 +211,7 @@ func ensureDomainFlag(recipe recipe.Recipe, server string) error {
 }
 
 // promptForSecrets asks if we should generate secrets for a new app.
-func promptForSecrets(recipeName string, secretsConfig map[string]secret.SecretValue) error {
+func promptForSecrets(recipeName string, secretsConfig map[string]secret.Secret) error {
 	if len(secretsConfig) == 0 {
 		logrus.Debugf("%s has no secrets to generate, skipping...", recipeName)
 		return nil

cli/app/secret.go

@@ -91,7 +91,7 @@ var appSecretGenerateCommand = cli.Command{
 			logrus.Fatal(err)
 		}
 
-		secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.Recipe)
+		secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.StackName())
 		if err != nil {
 			logrus.Fatal(err)
 		}
@@ -104,7 +104,7 @@ var appSecretGenerateCommand = cli.Command{
 				logrus.Fatalf("%s doesn't exist in the env config?", secretName)
 			}
 			s.Version = secretVersion
-			secrets = map[string]secret.SecretValue{
+			secrets = map[string]secret.Secret{
 				secretName: s,
 			}
 		}
@@ -114,7 +114,7 @@ var appSecretGenerateCommand = cli.Command{
 			logrus.Fatal(err)
 		}
 
-		secretVals, err := secret.GenerateSecrets(cl, secrets, app.StackName(), app.Server)
+		secretVals, err := secret.GenerateSecrets(cl, secrets, app.Server)
 		if err != nil {
 			logrus.Fatal(err)
 		}
@@ -274,7 +274,7 @@ Example:
 			logrus.Fatal(err)
 		}
 
-		secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.Recipe)
+		secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.StackName())
 		if err != nil {
 			logrus.Fatal(err)
 		}

pkg/config/app.go

@@ -50,23 +50,30 @@ type App struct {
 	Path   string
 }
 
-// StackName gets whatever the docker safe (uses the right delimiting
+// See documentation of config.StackName
-// character, e.g. "_") stack name is for the app. In general, you don't want
-// to use this to show anything to end-users, you want use a.Name instead.
 func (a App) StackName() string {
 	if _, exists := a.Env["STACK_NAME"]; exists {
 		return a.Env["STACK_NAME"]
 	}
 
-	stackName := SanitiseAppName(a.Name)
+	stackName := StackName(a.Name)
+
+	a.Env["STACK_NAME"] = stackName
+
+	return stackName
+}
+
+// StackName gets whatever the docker safe (uses the right delimiting
+// character, e.g. "_") stack name is for the app. In general, you don't want
+// to use this to show anything to end-users, you want use a.Name instead.
+func StackName(appName string) string {
+	stackName := SanitiseAppName(appName)
 
 	if len(stackName) > 45 {
 		logrus.Debugf("trimming %s to %s to avoid runtime limits", stackName, stackName[:45])
 		stackName = stackName[:45]
 	}
 
-	a.Env["STACK_NAME"] = stackName
-
 	return stackName
 }
 

pkg/secret/secret.go

@@ -21,11 +21,24 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// SecretValue represents a parsed `SECRET_FOO=v1 # length=bar` env var config
+// Secret represents a secret.
-// secret definition.
+type Secret struct {
-type SecretValue struct {
+	// Version comes from the secret version environment variable.
+	// For example:
+	//  SECRET_FOO=v1
 	Version string
-	Length  int
+	// Length comes from the length modifier at the secret version environment
+	// variable. For Example:
+	//   SECRET_FOO=v1 # length=12
+	Length int
+	// RemoteName is the name of the secret on the server. For example:
+	//   name: ${STACK_NAME}_test_pass_two_${SECRET_TEST_PASS_TWO_VERSION}
+	// With the following:
+	//   STACK_NAME=test_example_com
+	//   SECRET_TEST_PASS_TWO_VERSION=v2
+	// Will have this remote name:
+	//   test_example_com_test_pass_two_v2
+	RemoteName string
 }
 
 // GeneratePasswords generates passwords.
@@ -67,11 +80,13 @@ func GeneratePassphrases(count uint) ([]string, error) {
 // and some times you don't (as the caller). We need to be able to handle the
 // "app new" case where we pass in the .env.sample and the "secret generate"
 // case where the app is created.
-func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName string) (map[string]SecretValue, error) {
+func ReadSecretsConfig(appEnvPath string, composeFiles []string, stackName string) (map[string]Secret, error) {
 	appEnv, appModifiers, err := config.ReadEnvWithModifiers(appEnvPath)
 	if err != nil {
 		return nil, err
 	}
+	// Set the STACK_NAME to be able to generate the remote name correctly.
+	appEnv["STACK_NAME"] = stackName
 
 	opts := stack.Deploy{Composefiles: composeFiles}
 	config, err := loader.LoadComposefile(opts, appEnv)
@@ -96,7 +111,7 @@ func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName stri
 		return nil, nil
 	}
 
-	secretValues := map[string]SecretValue{}
+	secretValues := map[string]Secret{}
 	for secretId, secretConfig := range config.Secrets {
 		if string(secretConfig.Name[len(secretConfig.Name)-1]) == "_" {
 			return nil, fmt.Errorf("missing version for secret? (%s)", secretId)
@@ -109,7 +124,7 @@ func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName stri
 
 		lastIdx := strings.LastIndex(secretConfig.Name, "_")
 		secretVersion := secretConfig.Name[lastIdx+1:]
-		value := SecretValue{Version: secretVersion}
+		value := Secret{Version: secretVersion, RemoteName: secretConfig.Name}
 
 		// Check if the length modifier is set for this secret.
 		for envName, modifierValues := range appModifiers {
@@ -138,7 +153,7 @@ func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName stri
 }
 
 // GenerateSecrets generates secrets locally and sends them to a remote server for storage.
-func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, appName, server string) (map[string]string, error) {
+func GenerateSecrets(cl *dockerClient.Client, secrets map[string]Secret, server string) (map[string]string, error) {
 	secretsGenerated := map[string]string{}
 	var mutex sync.Mutex
 	var wg sync.WaitGroup
@@ -146,11 +161,10 @@ func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, ap
 	for n, v := range secrets {
 		wg.Add(1)
 
-		go func(secretName string, secret SecretValue) {
+		go func(secretName string, secret Secret) {
 			defer wg.Done()
 
-			secretRemoteName := fmt.Sprintf("%s_%s_%s", appName, secretName, secret.Version)
+			logrus.Debugf("attempting to generate and store %s on %s", secret.RemoteName, server)
-			logrus.Debugf("attempting to generate and store %s on %s", secretRemoteName, server)
 
 			if secret.Length > 0 {
 				passwords, err := GeneratePasswords(1, uint(secret.Length))
@@ -159,9 +173,9 @@ func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, ap
 					return
 				}
 
-				if err := client.StoreSecret(cl, secretRemoteName, passwords[0], server); err != nil {
+				if err := client.StoreSecret(cl, secret.RemoteName, passwords[0], server); err != nil {
 					if strings.Contains(err.Error(), "AlreadyExists") {
-						logrus.Warnf("%s already exists, moving on...", secretRemoteName)
+						logrus.Warnf("%s already exists, moving on...", secret.RemoteName)
 						ch <- nil
 					} else {
 						ch <- err
@@ -179,9 +193,9 @@ func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, ap
 					return
 				}
 
-				if err := client.StoreSecret(cl, secretRemoteName, passphrases[0], server); err != nil {
+				if err := client.StoreSecret(cl, secret.RemoteName, passphrases[0], server); err != nil {
 					if strings.Contains(err.Error(), "AlreadyExists") {
-						logrus.Warnf("%s already exists, moving on...", secretRemoteName)
+						logrus.Warnf("%s already exists, moving on...", secret.RemoteName)
 						ch <- nil
 					} else {
 						ch <- err
@@ -230,7 +244,7 @@ func PollSecretsStatus(cl *dockerClient.Client, app config.App) (secretStatuses,
 		return secStats, err
 	}
 
-	secretsConfig, err := ReadSecretsConfig(app.Path, composeFiles, app.Recipe)
+	secretsConfig, err := ReadSecretsConfig(app.Path, composeFiles, app.StackName())
 	if err != nil {
 		return secStats, err
 	}

pkg/secret/secret_test.go

@@ -1,42 +1,30 @@
 package secret
 
 import (
-	"path"
 	"testing"
 
-	"coopcloud.tech/abra/pkg/config"
-	"coopcloud.tech/abra/pkg/recipe"
-	"coopcloud.tech/abra/pkg/upstream/stack"
-	loader "coopcloud.tech/abra/pkg/upstream/stack"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestReadSecretsConfig(t *testing.T) {
-	offline := true
+	composeFiles := []string{"./testdir/compose.yaml"}
-	recipe, err := recipe.Get("matrix-synapse", offline)
+	secretsFromConfig, err := ReadSecretsConfig("./testdir/.env.sample", composeFiles, "test_example_com")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	sampleEnv, err := recipe.SampleEnv()
+	// Simple secret
-	if err != nil {
+	assert.Equal(t, "test_example_com_test_pass_one_v2", secretsFromConfig["test_pass_one"].RemoteName)
-		t.Fatal(err)
+	assert.Equal(t, "v2", secretsFromConfig["test_pass_one"].Version)
-	}
+	assert.Equal(t, 0, secretsFromConfig["test_pass_one"].Length)
 
-	composeFiles := []string{path.Join(config.RECIPES_DIR, recipe.Name, "compose.yml")}
+	// Has a length modifier
-	envSamplePath := path.Join(config.RECIPES_DIR, recipe.Name, ".env.sample")
+	assert.Equal(t, "test_example_com_test_pass_two_v1", secretsFromConfig["test_pass_two"].RemoteName)
-	secretsFromConfig, err := ReadSecretsConfig(envSamplePath, composeFiles, recipe.Name)
+	assert.Equal(t, "v1", secretsFromConfig["test_pass_two"].Version)
-	if err != nil {
+	assert.Equal(t, 10, secretsFromConfig["test_pass_two"].Length)
-		t.Fatal(err)
-	}
 
-	opts := stack.Deploy{Composefiles: composeFiles}
+	// Secret name does not include the secret id
-	config, err := loader.LoadComposefile(opts, sampleEnv)
+	assert.Equal(t, "test_example_com_pass_three_v2", secretsFromConfig["test_pass_three"].RemoteName)
-	if err != nil {
+	assert.Equal(t, "v2", secretsFromConfig["test_pass_three"].Version)
-		t.Fatal(err)
+	assert.Equal(t, 0, secretsFromConfig["test_pass_three"].Length)
-	}
-
-	for secretId := range config.Secrets {
-		assert.Contains(t, secretsFromConfig, secretId)
-	}
 }

pkg/secret/testdir/.env.sample

@@ -0,0 +1,3 @@
+SECRET_TEST_PASS_ONE_VERSION=v2
+SECRET_TEST_PASS_TWO_VERSION=v1 # length=10
+SECRET_TEST_PASS_THREE_VERSION=v2

pkg/secret/testdir/compose.yaml

@@ -0,0 +1,21 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: nginx:1.21.0
+    secrets:
+      - test_pass_one
+      - test_pass_two
+      - test_pass_three
+
+secrets:
+  test_pass_one:
+    external: true
+    name: ${STACK_NAME}_test_pass_one_${SECRET_TEST_PASS_ONE_VERSION}  # should be removed
+  test_pass_two:
+    external: true
+    name: ${STACK_NAME}_test_pass_two_${SECRET_TEST_PASS_TWO_VERSION}
+  test_pass_three:
+    external: true
+    name: ${STACK_NAME}_pass_three_${SECRET_TEST_PASS_THREE_VERSION} # secretId and name don't match