-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add a new management api for secrets #4138
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are always happy to welcome new contributors ❤️ To make things easier for everyone, please make sure to follow our contribution guidelines, check if you have already signed the ECA, and relate this pull request to an existing issue or discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few general remarks:
- I think it should be called
SecretsApi
etc., i.e. using the plural, otherwise people could be mislead into thinking it's some sort of secret API - Please do not introduce domain relations (Secrets -> Assets) just out-of-hand. This is a more complicated topic, and one that must be discussed and designed first. If this is a requirement, then I suggest opening a scoped discussion first.
- I would generally avoid transmitting stuff in the request URL. secret aliases are not secrets per se, but I wouldn't take any chances.
- Please add an End-To-End Test. Feel free to take a look at the
AssetApiEndToEndTest
or theCatalogApiEndToEndTest
etc. for an example.
Other comments inline.
...l-plane/secret-spi/src/main/java/org/eclipse/edc/connector/secret/spi/event/SecretEvent.java
Outdated
Show resolved
Hide resolved
...java/org/eclipse/edc/transform/transformer/edc/from/JsonObjectFromSecretTransformerTest.java
Outdated
Show resolved
Hide resolved
...est/java/org/eclipse/edc/transform/transformer/edc/to/JsonObjectToSecretTransformerTest.java
Outdated
Show resolved
Hide resolved
spi/common/core-spi/src/main/java/org/eclipse/edc/spi/types/domain/secret/Secret.java
Outdated
Show resolved
Hide resolved
spi/common/core-spi/src/main/java/org/eclipse/edc/spi/types/domain/secret/Secret.java
Outdated
Show resolved
Hide resolved
...-api/secret-api/src/main/java/org/eclipse/edc/connector/api/management/secret/SecretApi.java
Outdated
Show resolved
Hide resolved
...-api/secret-api/src/main/java/org/eclipse/edc/connector/api/management/secret/SecretApi.java
Outdated
Show resolved
Hide resolved
...t-api/src/main/java/org/eclipse/edc/connector/api/management/secret/SecretApiController.java
Outdated
Show resolved
Hide resolved
...ane/control-plane-spi/src/main/java/org/eclipse/edc/connector/spi/service/SecretService.java
Outdated
Show resolved
Hide resolved
...n/java/org/eclipse/edc/protocol/dsp/http/api/configuration/DspApiConfigurationExtension.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add some end-to-end tests (as done in system-tests/management-api
for the other endpoints
...ain/java/org/eclipse/edc/transform/transformer/edc/from/JsonObjectFromSecretTransformer.java
Outdated
Show resolved
Hide resolved
...est/java/org/eclipse/edc/transform/transformer/edc/to/JsonObjectToSecretTransformerTest.java
Outdated
Show resolved
Hide resolved
...n/java/org/eclipse/edc/protocol/dsp/http/api/configuration/DspApiConfigurationExtension.java
Outdated
Show resolved
Hide resolved
.../eclipse/edc/connector/api/management/configuration/ManagementApiConfigurationExtension.java
Outdated
Show resolved
Hide resolved
.../src/main/java/org/eclipse/edc/connector/controlplane/services/secret/SecretServiceImpl.java
Outdated
Show resolved
Hide resolved
...t-api/src/main/java/org/eclipse/edc/connector/api/management/secret/SecretApiController.java
Outdated
Show resolved
Hide resolved
...est/java/org/eclipse/edc/connector/api/management/secret/validation/SecretValidatorTest.java
Outdated
Show resolved
Hide resolved
spi/common/core-spi/src/main/java/org/eclipse/edc/spi/types/domain/secret/Secret.java
Outdated
Show resolved
Hide resolved
spi/common/core-spi/src/main/java/org/eclipse/edc/spi/types/domain/secret/Secret.java
Outdated
Show resolved
Hide resolved
...ret-spi/src/main/java/org/eclipse/edc/connector/secret/spi/observe/SecretObservableImpl.java
Outdated
Show resolved
Hide resolved
I have one concern regarding a possible exploit this API opens. Two proposals that come to mind are:
|
That is true for any other Management API as well. Malicious actors could easily nuke their connector deployment if they delete stuff they shouldn't. Which is all the more reason to properly secure the Management API.
not sure how that would help the supposed exploit
Some powerful vault impls (Hashicorp Vault) support that, but some vaults, such as Azure KeyVault are more geared towards role-based-access-control, so there is no way that I know of to realize user-based access control on "subfolders". |
Isn't it a bit different? If someone who has access to the DMA mistakenly deletes a resource (i.e. asset or policy) its up to them to restore it. But if they are able to, say, delete the private certificate the connector uses to encrypt EDRs is a concern for the operator of said connector. At least from my point of view...
If the SecretsApi always prefixes its keys, it is unlikely that a malicious actor can access non prefixed keys, only if the operator made the mistake to prefix them in the same way. |
I don't think so, because if you give users access to a certain class of information, be they assets, policies or secrets, you're handing over full control. If an operational scenario requires that users have only read access to secrets, but write access should be blocked, that could be solved in the vault directly. Most vaults have some sort of RBAC.
I may not be understanding this fully, but it sounds like a very brittle and insecure solution, that could easily be circumvented by guessing the secret alias, or looking at EDC code. |
Agree with all remarks. |
spi/common/core-spi/src/main/java/org/eclipse/edc/spi/types/domain/secret/Secret.java
Fixed
Show fixed
Hide fixed
spi/common/core-spi/src/main/java/org/eclipse/edc/spi/types/domain/secret/Secret.java
Fixed
Show fixed
Hide fixed
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## main #4138 +/- ##
===========================================
- Coverage 71.74% 19.05% -52.70%
===========================================
Files 919 1003 +84
Lines 18457 20444 +1987
Branches 1037 1149 +112
===========================================
- Hits 13242 3895 -9347
- Misses 4756 16436 +11680
+ Partials 459 113 -346 ☔ View full report in Codecov by Sentry. |
On top of what @paullatzelsperger mentioned, it is also worth emphasizing that such API will typically be exposed over the internet through an API gateway (such as Azure APIM) which gives you full freedom to create inbound policies for the incoming traffic so that only secrets with alias matching a given pattern can be updated, removed... |
14459f7
to
06efc84
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a few nits an niggles here and there
...i/secrets-api/src/main/java/org/eclipse/edc/connector/api/management/secrets/SecretsApi.java
Outdated
Show resolved
Hide resolved
...i/secrets-api/src/main/java/org/eclipse/edc/connector/api/management/secrets/SecretsApi.java
Outdated
Show resolved
Hide resolved
...src/test/java/org/eclipse/edc/connector/api/management/secrets/SecretsApiControllerTest.java
Outdated
Show resolved
Hide resolved
...src/test/java/org/eclipse/edc/connector/api/management/secrets/SecretsApiControllerTest.java
Outdated
Show resolved
Hide resolved
...crets-api/src/test/java/org/eclipse/edc/connector/api/management/secrets/SecretsApiTest.java
Outdated
Show resolved
Hide resolved
...t/java/org/eclipse/edc/connector/api/management/secrets/validation/SecretsValidatorTest.java
Outdated
Show resolved
Hide resolved
...ain/java/org/eclipse/edc/transform/transformer/edc/from/JsonObjectFromSecretTransformer.java
Outdated
Show resolved
Hide resolved
done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are still 6 unresolved comments on my previous review (and 1 from Paul's one).
please solve them
All comments should be processed now, could you please check again |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one wrong package, but good for me otherwise
...rg/eclipse/edc/connector/api/management/secret/validation/JsonObjectToSecretTransformer.java
Outdated
Show resolved
Hide resolved
fixed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
What this PR changes/adds
This PR adds a new management API that enables to manage secrets from the vault.
Why it does that
In case of the connector is hosted on behalf of another entity, this entity might not have access to the underlying vault. In that case, this API can be used to add or remove secrets from the vault.
Linked Issue(s)
Closes #4090