From 99e3ed416fb154db565760935dbe5717a3376454 Mon Sep 17 00:00:00 2001 From: test Date: Mon, 4 Dec 2023 14:37:41 +0100 Subject: [PATCH] fix: secret name generation when secretId is not part of the secret name --- cli/app/new.go | 14 +++------- cli/app/secret.go | 8 +++--- pkg/config/app.go | 19 +++++++++----- pkg/secret/secret.go | 46 +++++++++++++++++++++------------ pkg/secret/secret_test.go | 40 ++++++++++------------------ pkg/secret/testdir/.env.sample | 3 +++ pkg/secret/testdir/compose.yaml | 21 +++++++++++++++ 7 files changed, 89 insertions(+), 62 deletions(-) create mode 100644 pkg/secret/testdir/.env.sample create mode 100644 pkg/secret/testdir/compose.yaml diff --git a/cli/app/new.go b/cli/app/new.go index 975ca502..22f51fd2 100644 --- a/cli/app/new.go +++ b/cli/app/new.go @@ -108,7 +108,7 @@ var appNewCommand = cli.Command{ } envSamplePath := path.Join(config.RECIPES_DIR, recipe.Name, ".env.sample") - secretsConfig, err := secret.ReadSecretsConfig(envSamplePath, composeFiles, recipe.Name) + secretsConfig, err := secret.ReadSecretsConfig(envSamplePath, composeFiles, config.StackName(internal.Domain)) if err != nil { return err } @@ -168,14 +168,8 @@ var appNewCommand = cli.Command{ type AppSecrets map[string]string // createSecrets creates all secrets for a new app. -func createSecrets(cl *dockerClient.Client, secretsConfig map[string]secret.SecretValue, sanitisedAppName string) (AppSecrets, error) { - // NOTE(d1): trim to match app.StackName() implementation - if len(sanitisedAppName) > 45 { - logrus.Debugf("trimming %s to %s to avoid runtime limits", sanitisedAppName, sanitisedAppName[:45]) - sanitisedAppName = sanitisedAppName[:45] - } - - secrets, err := secret.GenerateSecrets(cl, secretsConfig, sanitisedAppName, internal.NewAppServer) +func createSecrets(cl *dockerClient.Client, secretsConfig map[string]secret.Secret, sanitisedAppName string) (AppSecrets, error) { + secrets, err := secret.GenerateSecrets(cl, secretsConfig, internal.NewAppServer) if err != nil { return nil, err } @@ -217,7 +211,7 @@ func ensureDomainFlag(recipe recipe.Recipe, server string) error { } // promptForSecrets asks if we should generate secrets for a new app. -func promptForSecrets(recipeName string, secretsConfig map[string]secret.SecretValue) error { +func promptForSecrets(recipeName string, secretsConfig map[string]secret.Secret) error { if len(secretsConfig) == 0 { logrus.Debugf("%s has no secrets to generate, skipping...", recipeName) return nil diff --git a/cli/app/secret.go b/cli/app/secret.go index 2b2f7fd4..3b491055 100644 --- a/cli/app/secret.go +++ b/cli/app/secret.go @@ -91,7 +91,7 @@ var appSecretGenerateCommand = cli.Command{ logrus.Fatal(err) } - secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.Recipe) + secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.StackName()) if err != nil { logrus.Fatal(err) } @@ -104,7 +104,7 @@ var appSecretGenerateCommand = cli.Command{ logrus.Fatalf("%s doesn't exist in the env config?", secretName) } s.Version = secretVersion - secrets = map[string]secret.SecretValue{ + secrets = map[string]secret.Secret{ secretName: s, } } @@ -114,7 +114,7 @@ var appSecretGenerateCommand = cli.Command{ logrus.Fatal(err) } - secretVals, err := secret.GenerateSecrets(cl, secrets, app.StackName(), app.Server) + secretVals, err := secret.GenerateSecrets(cl, secrets, app.Server) if err != nil { logrus.Fatal(err) } @@ -274,7 +274,7 @@ Example: logrus.Fatal(err) } - secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.Recipe) + secrets, err := secret.ReadSecretsConfig(app.Path, composeFiles, app.StackName()) if err != nil { logrus.Fatal(err) } diff --git a/pkg/config/app.go b/pkg/config/app.go index 996c5357..b3efed2a 100644 --- a/pkg/config/app.go +++ b/pkg/config/app.go @@ -50,23 +50,30 @@ type App struct { Path string } -// StackName gets whatever the docker safe (uses the right delimiting -// character, e.g. "_") stack name is for the app. In general, you don't want -// to use this to show anything to end-users, you want use a.Name instead. +// See documentation of config.StackName func (a App) StackName() string { if _, exists := a.Env["STACK_NAME"]; exists { return a.Env["STACK_NAME"] } - stackName := SanitiseAppName(a.Name) + stackName := StackName(a.Name) + + a.Env["STACK_NAME"] = stackName + + return stackName +} + +// StackName gets whatever the docker safe (uses the right delimiting +// character, e.g. "_") stack name is for the app. In general, you don't want +// to use this to show anything to end-users, you want use a.Name instead. +func StackName(appName string) string { + stackName := SanitiseAppName(appName) if len(stackName) > 45 { logrus.Debugf("trimming %s to %s to avoid runtime limits", stackName, stackName[:45]) stackName = stackName[:45] } - a.Env["STACK_NAME"] = stackName - return stackName } diff --git a/pkg/secret/secret.go b/pkg/secret/secret.go index 34c1103c..282a0fab 100644 --- a/pkg/secret/secret.go +++ b/pkg/secret/secret.go @@ -21,11 +21,24 @@ import ( "github.com/sirupsen/logrus" ) -// SecretValue represents a parsed `SECRET_FOO=v1 # length=bar` env var config -// secret definition. -type SecretValue struct { +// Secret represents a secret. +type Secret struct { + // Version comes from the secret version environment variable. + // For example: + // SECRET_FOO=v1 Version string - Length int + // Length comes from the length modifier at the secret version environment + // variable. For Example: + // SECRET_FOO=v1 # length=12 + Length int + // RemoteName is the name of the secret on the server. For example: + // name: ${STACK_NAME}_test_pass_two_${SECRET_TEST_PASS_TWO_VERSION} + // With the following: + // STACK_NAME=test_example_com + // SECRET_TEST_PASS_TWO_VERSION=v2 + // Will have this remote name: + // test_example_com_test_pass_two_v2 + RemoteName string } // GeneratePasswords generates passwords. @@ -67,11 +80,13 @@ func GeneratePassphrases(count uint) ([]string, error) { // and some times you don't (as the caller). We need to be able to handle the // "app new" case where we pass in the .env.sample and the "secret generate" // case where the app is created. -func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName string) (map[string]SecretValue, error) { +func ReadSecretsConfig(appEnvPath string, composeFiles []string, stackName string) (map[string]Secret, error) { appEnv, appModifiers, err := config.ReadEnvWithModifiers(appEnvPath) if err != nil { return nil, err } + // Set the STACK_NAME to be able to generate the remote name correctly. + appEnv["STACK_NAME"] = stackName opts := stack.Deploy{Composefiles: composeFiles} config, err := loader.LoadComposefile(opts, appEnv) @@ -96,7 +111,7 @@ func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName stri return nil, nil } - secretValues := map[string]SecretValue{} + secretValues := map[string]Secret{} for secretId, secretConfig := range config.Secrets { if string(secretConfig.Name[len(secretConfig.Name)-1]) == "_" { return nil, fmt.Errorf("missing version for secret? (%s)", secretId) @@ -109,7 +124,7 @@ func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName stri lastIdx := strings.LastIndex(secretConfig.Name, "_") secretVersion := secretConfig.Name[lastIdx+1:] - value := SecretValue{Version: secretVersion} + value := Secret{Version: secretVersion, RemoteName: secretConfig.Name} // Check if the length modifier is set for this secret. for envName, modifierValues := range appModifiers { @@ -138,7 +153,7 @@ func ReadSecretsConfig(appEnvPath string, composeFiles []string, recipeName stri } // GenerateSecrets generates secrets locally and sends them to a remote server for storage. -func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, appName, server string) (map[string]string, error) { +func GenerateSecrets(cl *dockerClient.Client, secrets map[string]Secret, server string) (map[string]string, error) { secretsGenerated := map[string]string{} var mutex sync.Mutex var wg sync.WaitGroup @@ -146,11 +161,10 @@ func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, ap for n, v := range secrets { wg.Add(1) - go func(secretName string, secret SecretValue) { + go func(secretName string, secret Secret) { defer wg.Done() - secretRemoteName := fmt.Sprintf("%s_%s_%s", appName, secretName, secret.Version) - logrus.Debugf("attempting to generate and store %s on %s", secretRemoteName, server) + logrus.Debugf("attempting to generate and store %s on %s", secret.RemoteName, server) if secret.Length > 0 { passwords, err := GeneratePasswords(1, uint(secret.Length)) @@ -159,9 +173,9 @@ func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, ap return } - if err := client.StoreSecret(cl, secretRemoteName, passwords[0], server); err != nil { + if err := client.StoreSecret(cl, secret.RemoteName, passwords[0], server); err != nil { if strings.Contains(err.Error(), "AlreadyExists") { - logrus.Warnf("%s already exists, moving on...", secretRemoteName) + logrus.Warnf("%s already exists, moving on...", secret.RemoteName) ch <- nil } else { ch <- err @@ -179,9 +193,9 @@ func GenerateSecrets(cl *dockerClient.Client, secrets map[string]SecretValue, ap return } - if err := client.StoreSecret(cl, secretRemoteName, passphrases[0], server); err != nil { + if err := client.StoreSecret(cl, secret.RemoteName, passphrases[0], server); err != nil { if strings.Contains(err.Error(), "AlreadyExists") { - logrus.Warnf("%s already exists, moving on...", secretRemoteName) + logrus.Warnf("%s already exists, moving on...", secret.RemoteName) ch <- nil } else { ch <- err @@ -230,7 +244,7 @@ func PollSecretsStatus(cl *dockerClient.Client, app config.App) (secretStatuses, return secStats, err } - secretsConfig, err := ReadSecretsConfig(app.Path, composeFiles, app.Recipe) + secretsConfig, err := ReadSecretsConfig(app.Path, composeFiles, app.StackName()) if err != nil { return secStats, err } diff --git a/pkg/secret/secret_test.go b/pkg/secret/secret_test.go index bb462a8a..fc10c098 100644 --- a/pkg/secret/secret_test.go +++ b/pkg/secret/secret_test.go @@ -1,42 +1,30 @@ package secret import ( - "path" "testing" - "coopcloud.tech/abra/pkg/config" - "coopcloud.tech/abra/pkg/recipe" - "coopcloud.tech/abra/pkg/upstream/stack" - loader "coopcloud.tech/abra/pkg/upstream/stack" "github.com/stretchr/testify/assert" ) func TestReadSecretsConfig(t *testing.T) { - offline := true - recipe, err := recipe.Get("matrix-synapse", offline) + composeFiles := []string{"./testdir/compose.yaml"} + secretsFromConfig, err := ReadSecretsConfig("./testdir/.env.sample", composeFiles, "test_example_com") if err != nil { t.Fatal(err) } - sampleEnv, err := recipe.SampleEnv() - if err != nil { - t.Fatal(err) - } + // Simple secret + assert.Equal(t, "test_example_com_test_pass_one_v2", secretsFromConfig["test_pass_one"].RemoteName) + assert.Equal(t, "v2", secretsFromConfig["test_pass_one"].Version) + assert.Equal(t, 0, secretsFromConfig["test_pass_one"].Length) - composeFiles := []string{path.Join(config.RECIPES_DIR, recipe.Name, "compose.yml")} - envSamplePath := path.Join(config.RECIPES_DIR, recipe.Name, ".env.sample") - secretsFromConfig, err := ReadSecretsConfig(envSamplePath, composeFiles, recipe.Name) - if err != nil { - t.Fatal(err) - } + // Has a length modifier + assert.Equal(t, "test_example_com_test_pass_two_v1", secretsFromConfig["test_pass_two"].RemoteName) + assert.Equal(t, "v1", secretsFromConfig["test_pass_two"].Version) + assert.Equal(t, 10, secretsFromConfig["test_pass_two"].Length) - opts := stack.Deploy{Composefiles: composeFiles} - config, err := loader.LoadComposefile(opts, sampleEnv) - if err != nil { - t.Fatal(err) - } - - for secretId := range config.Secrets { - assert.Contains(t, secretsFromConfig, secretId) - } + // Secret name does not include the secret id + assert.Equal(t, "test_example_com_pass_three_v2", secretsFromConfig["test_pass_three"].RemoteName) + assert.Equal(t, "v2", secretsFromConfig["test_pass_three"].Version) + assert.Equal(t, 0, secretsFromConfig["test_pass_three"].Length) } diff --git a/pkg/secret/testdir/.env.sample b/pkg/secret/testdir/.env.sample new file mode 100644 index 00000000..bbcc2904 --- /dev/null +++ b/pkg/secret/testdir/.env.sample @@ -0,0 +1,3 @@ +SECRET_TEST_PASS_ONE_VERSION=v2 +SECRET_TEST_PASS_TWO_VERSION=v1 # length=10 +SECRET_TEST_PASS_THREE_VERSION=v2 diff --git a/pkg/secret/testdir/compose.yaml b/pkg/secret/testdir/compose.yaml new file mode 100644 index 00000000..86cc2575 --- /dev/null +++ b/pkg/secret/testdir/compose.yaml @@ -0,0 +1,21 @@ +--- +version: "3.8" + +services: + app: + image: nginx:1.21.0 + secrets: + - test_pass_one + - test_pass_two + - test_pass_three + +secrets: + test_pass_one: + external: true + name: ${STACK_NAME}_test_pass_one_${SECRET_TEST_PASS_ONE_VERSION} # should be removed + test_pass_two: + external: true + name: ${STACK_NAME}_test_pass_two_${SECRET_TEST_PASS_TWO_VERSION} + test_pass_three: + external: true + name: ${STACK_NAME}_pass_three_${SECRET_TEST_PASS_THREE_VERSION} # secretId and name don't match