Add improved secret management #301

macmv · 2023-10-11T01:40:34Z

Ticket(s): ENG-5635

Adds a Secret helper class, which manages a scoped secret.

This makes it so that fauna shell <scope> will append the given scope to the scope in your project file. The behavior is a little weird:

% fauna shell bar
Connected to endpoint: neil-2-us database: foo/bar
Starting shell for database bar
Type Ctrl+D or .exit to exit the shell
bar>

Note that it says "connected to database foo/bar", and then says "Starting shell for database bar."

Not sure if we want to fix this or not, but I think its fine as-is.

fauna-chase

overall this looks good to me, my only real question would be if we currently allow users to provide custom roles via a scoped secret and this change would then break them.

src/lib/config/index.ts

src/lib/secret.ts

src/lib/fauna-command.js

fauna-chase

Looking good, just have one more question on backwards compatibility.

Are we doing a major version release for the new shell? If so perhaps we could just drop a note on that specific case and just call it a day.

fauna-chase · 2023-10-11T18:17:12Z

src/lib/secret.ts

+    return new Secret({ key, allowScope: !key.includes(":") });
+  }
+
+  static parse(key: string) {


does the 'current' shell allow you to have endpoints in your file that are scoped?

[endpoint.child] secret=secret:child:admin secret=secret:child:@role/myrole

maybe we don't care? just trying to think through if this could lead to backwards incompatible changes for users and where we draw the line on that.

the current shell lets you do that, but it will break if you set a database path in fauna eval or fauna shell. It seems like something we ought to just disallow.

test/commands/eval.test.js

macmv requested a review from fauna-chase October 11, 2023 01:40

fauna-chase reviewed Oct 11, 2023

View reviewed changes

src/lib/config/index.ts Outdated Show resolved Hide resolved

src/lib/secret.ts Outdated Show resolved Hide resolved

src/lib/secret.ts Show resolved Hide resolved

src/lib/secret.ts Show resolved Hide resolved

src/lib/fauna-command.js Show resolved Hide resolved

macmv force-pushed the correct-secret-management branch 2 times, most recently from 930cea0 to 8675352 Compare October 11, 2023 18:06

fauna-chase reviewed Oct 11, 2023

View reviewed changes

fauna-chase approved these changes Oct 11, 2023

View reviewed changes

macmv force-pushed the correct-secret-management branch from 77b1c44 to 0fd9144 Compare October 11, 2023 19:09

macmv added 4 commits October 12, 2023 11:35

Add secret class to manage scoped secrets

b0974a2

Update config to store a Secret instead of a string

4277b51

Update all the things to use Secret

e40cc88

Add some eval tests for scoped secret handling

4c6d798

macmv force-pushed the correct-secret-management branch from 0fd9144 to 4c6d798 Compare October 12, 2023 18:47

macmv changed the base branch from main to add-secret-helper October 12, 2023 18:48

Base automatically changed from add-secret-helper to main October 12, 2023 19:20

fauna-chase approved these changes Oct 12, 2023

View reviewed changes

macmv merged commit ceffdc5 into main Oct 12, 2023

macmv deleted the correct-secret-management branch October 12, 2023 19:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add improved secret management #301

Add improved secret management #301

macmv commented Oct 11, 2023

fauna-chase left a comment

fauna-chase left a comment

fauna-chase Oct 11, 2023

macmv Oct 11, 2023

Add improved secret management #301

Add improved secret management #301

Conversation

macmv commented Oct 11, 2023

fauna-chase left a comment

Choose a reason for hiding this comment

fauna-chase left a comment

Choose a reason for hiding this comment

fauna-chase Oct 11, 2023

Choose a reason for hiding this comment

macmv Oct 11, 2023

Choose a reason for hiding this comment