Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow configuration_script_payloads#credentials to be shown #1239

Merged
merged 1 commit into from
Sep 22, 2023
Merged

Allow configuration_script_payloads#credentials to be shown #1239

merged 1 commit into from
Sep 22, 2023

Conversation

agrare
Copy link
Member

@agrare agrare commented Sep 5, 2023
edited
Loading

The configuration_script_payloads#credentials jsonb column does not contain credentials but based on how the user names the keys (e.g. "vcenter_password": {"credential_ref": "vcenter_credential", "credential_field": "password"} the payload will be stripped which causes issues for the UI to display these.

>> pp ConfigurationScriptPayload.first.credentials
=> 
{"manageiq_api_user"=>{"credential_ref"=>"manageiq-api", "credential_field"=>"userid"},
 "manageiq_api_password"=>{"credential_ref"=>"manageiq-api", "credential_field"=>"password"}}

Problem:

GET /api/configuration_script_payloads/1
{
  "href": "http://localhost:3000/api/configuration_script_payloads/1",
  "id": "1",
  "manager_id": "2",
  ...
  "credentials": {
    "manageiq_api_user": {
      "credential_ref": "manageiq-api",
      "credential_field": "userid"
    }
  },

With this PR:

GET /api/configuration_script_payloads/1
{
  "href": "http://localhost:3000/api/configuration_script_payloads/1",
  "id": "1",
  "manager_id": "2",
  ...
  "credentials": {
    "manageiq_api_user": {
      "credential_ref": "manageiq-api",
      "credential_field": "userid"
    },
    "manageiq_api_password": {
      "credential_ref": "manageiq-api",
      "credential_field": "password"
    }
  },

@agrare agrare requested a review from bdunne as a code owner September 5, 2023 15:28
agrare
agrare commented Sep 5, 2023
View reviewed changes
app/controllers/api/configuration_script_payloads_controller.rb Outdated
Comment on lines 5 to 16
def api_resource_action_options
if @req.action == "read" && @req.collection_id && @req.subcollection.blank?
%w[include_encrypted_attributes]
else
super
end
end

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NOTE this is overly broad as it disables all filters, would prefer to selectively allow specific columns while still filtering out actual v2 key values.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we throw away strings (that should be encrypted) but keep hashes?

def normalize_encrypted(value)
  value.kind_of?(String) ? nil : value
end

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@agrare It will not work if credentials are a mapping string

      "Credentials": {
        "api_user.$": "$.api_user",
        "api_password.$": "$.api_password",
        "vcenter_user.$": "$.vcenter_user",
        "vcenter_password.$": "$.vcenter_password"
      },

/via https://github.com/ManageIQ/workflows-examples/blob/master/provision-vm-service/provision-vm.asl#L9C1-L14C9

But if it is a hash, then it may work:

{"api_password": {"credential_ref": "manageiq_api", "credential_field": "userid"}}

@miq-bot miq-bot added the wip label Sep 5, 2023
@agrare
Copy link
Member Author

agrare commented Sep 6, 2023

cc @Fryguy this is the issue we were talking about with credentials being filtered out just for being named *_password

@kbrock
Copy link
Member

kbrock commented Sep 12, 2023

Is it possible to have a spec with a record in there?
That way we can tweak how we want this return to work.

The thought is it will allow $. to work?
aws has a particular format for marking a field as dynamic. Do we want to follow this and add that specific data into the encryption helper?

@agrare agrare force-pushed the allow_configuration_script_payloads_credentials_to_be_shown branch from 95eb866 to cc40edc Compare September 13, 2023 14:33
@agrare
Copy link
Member Author

agrare commented Sep 13, 2023

Is it possible to have a spec with a record in there?

👍 good idea, added

@kbrock
Copy link
Member

kbrock commented Sep 19, 2023

conversation:

  • we do not store passwords for these, they are just mappings. so no encryption will be included

@agrare agrare force-pushed the allow_configuration_script_payloads_credentials_to_be_shown branch from cc40edc to 34552d2 Compare September 20, 2023 15:46
@miq-bot
Copy link
Member

miq-bot commented Sep 20, 2023

Checked commit agrare@34552d2 with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
2 files checked, 0 offenses detected
Everything looks fine. 👍

@agrare agrare changed the title [WIP] allow configuration_script_payloads#credentials to be shown Allow configuration_script_payloads#credentials to be shown Sep 21, 2023
@kbrock kbrock merged commit 39e5ed9 into ManageIQ:master Sep 22, 2023
4 checks passed
@agrare agrare deleted the allow_configuration_script_payloads_credentials_to_be_shown branch September 22, 2023 13:49
@Fryguy
Copy link
Member

Fryguy commented Sep 27, 2023

Backported to quinteros in commit a430cff.

commit a430cfffe04bba6a51e7b214c4b89afef1003c32
Author: Keenan Brock <[email protected]>
Date:   Fri Sep 22 09:45:24 2023 -0400

    Merge pull request #1239 from agrare/allow_configuration_script_payloads_credentials_to_be_shown
    
    Allow configuration_script_payloads#credentials to be shown
    
    (cherry picked from commit 39e5ed90a731afc22919cf17cb81f4dd2e17fb5d)

Fryguy pushed a commit that referenced this pull request Sep 27, 2023
@kbrock @Fryguy
Merge pull request #1239 from agrare/allow_configuration_script_paylo…
a430cff 
…ads_credentials_to_be_shown

Allow configuration_script_payloads#credentials to be shown

(cherry picked from commit 39e5ed9)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kbrock kbrock kbrock left review comments

@bdunne bdunne Awaiting requested review from bdunne bdunne is a code owner

Assignees

@kbrock kbrock

Labels
bug quinteros/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@agrare @kbrock @miq-bot @Fryguy