saving secrets in keyvault (#2200)
chkeita authored Jul 28, 2022
1 parent 25242f1 commit 36d36cd
Showing 5 changed files with 31 additions and 11 deletions.
2 changes: 1 addition & 1 deletion src/ApiService/ApiService/OneFuzzTypes/Model.cs
Expand Up @@ -677,7 +677,7 @@ public override void Write(Utf8JsonWriter writer, ISecret<T> value, JsonSerializ
if (value is SecretAddress<T> secretAddress) {
JsonSerializer.Serialize(writer, secretAddress, options);
} else if (value is SecretValue<T> secretValue) {
JsonSerializer.Serialize(writer, secretValue.Value, options);
throw new JsonException("SecretValue should not be serialized");
}
}
}
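Review bot: A value that is neither SecretAddress<T> nor SecretValue<T> now falls out of the if/else-if chain without writing anything, so Write returns having emitted no token for the property and the surrounding JSON may well be left invalid; a final `else { throw new JsonException("Unsupported ISecret implementation"); }` would make the converter fail loudly instead. The pattern variable on the else-if line is no longer read after the change and can be dropped: `} else if (value is SecretValue<T>) {`. Write's signature sits on the hunk header line and the enclosing converter class lies outside the hunk.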
24 changes: 22 additions & 2 deletions src/ApiService/ApiService/onefuzzlib/NotificationOperations.cs
Expand Up @@ -99,16 +99,36 @@ public async Async.Task<OneFuzzResult<Notification>> Create(Container container,
await this.Delete(existingEntry);
}
}

var entry = new Notification(Guid.NewGuid(), container, config);
var configWithHiddenSecret = await HideSecrets(config);
var entry = new Notification(Guid.NewGuid(), container, configWithHiddenSecret);
await this.Insert(entry);
_logTracer.Info($"created notification. notification_id:{entry.NotificationId} container:{entry.Container}");

return OneFuzzResult<Notification>.Ok(entry);
}


private async Async.Task<NotificationTemplate> HideSecrets(NotificationTemplate notificationTemplate) {

switch (notificationTemplate) {
case AdoTemplate adoTemplate:
var hiddenAuthToken = await _context.SecretsOperations.SaveToKeyvault(adoTemplate.AuthToken);
return adoTemplate with { AuthToken = hiddenAuthToken };
case GithubIssuesTemplate githubIssuesTemplate:
var hiddenAuth = await _context.SecretsOperations.SaveToKeyvault(githubIssuesTemplate.Auth);
return githubIssuesTemplate with { Auth = hiddenAuth };
case TeamsTemplate teamsTemplate:
var hiddenUrl = await _context.SecretsOperations.SaveToKeyvault(teamsTemplate.Url);
return teamsTemplate with { Url = hiddenUrl };
default:
throw new ArgumentOutOfRangeException(nameof(notificationTemplate));
}

}

public async Async.Task<Task?> GetRegressionReportTask(RegressionReport report) {
if (report.CrashTestResult.CrashReport != null) {

return await _context.TaskOperations.GetByJobIdAndTaskId(report.CrashTestResult.CrashReport.JobId, report.CrashTestResult.CrashReport.TaskId);
}
if (report.CrashTestResult.NoReproReport != null) {
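Review bot: HideSecrets carries no doc comment, and the reason it must run before Insert — the ISecret<T> converter changed in Model.cs in this same commit rejects a SecretValue<T> on write, so a Notification still holding a plain-text token cannot be persisted — is recorded nowhere near the code; a `/// <summary>` saying that the template is returned with its secret replaced by a Key Vault address (an input that already holds an address is passed through by SaveToKeyvault), plus `/// <exception cref="ArgumentOutOfRangeException">` for an unrecognised template type, would do. The default case could also name the offending type so a later NotificationTemplate subclass is diagnosable from the exception alone: `throw new ArgumentOutOfRangeException(nameof(notificationTemplate), $"Unsupported template type {notificationTemplate.GetType()}");`. The blank lines directly after the signature and before the closing brace are a style nit. Create starts before the hunk and GetRegressionReportTask continues past it.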
2 changes: 1 addition & 1 deletion src/ApiService/ApiService/onefuzzlib/Request.cs
Expand Up @@ -33,7 +33,7 @@ public async Async.Task<HttpResponseData> NotOk(HttpRequestData request, Error e
public static async Async.Task<OneFuzzResult<T>> ParseRequest<T>(HttpRequestData req) {
Exception? exception = null;
try {
var t = await JsonSerializer.DeserializeAsync<T>(req.Body, EntityConverter.GetJsonSerializerOptions());
var t = await req.ReadFromJsonAsync<T>();
if (t != null) {
return OneFuzzResult<T>.Ok(t);
}
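Review bot: The new `req.ReadFromJsonAsync<T>()` call drops the explicit `EntityConverter.GetJsonSerializerOptions()` that the removed line passed, so deserialization of request bodies now depends on whichever serializer the worker host is configured with; if that configuration is not built from the same options (notably the ISecret<T> converter this commit changes in Model.cs), bodies that carry secrets will be parsed differently than before. Worth confirming where the host serializer is registered and, if it is not derived from EntityConverter.GetJsonSerializerOptions(), either keeping the previous explicit call or wiring those options into the host; this is inferred from the hunk, not verified against the startup code. ParseRequest's body continues past the hunk, so its catch and error path are not visible here.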
10 changes: 5 additions & 5 deletions src/ApiService/ApiService/onefuzzlib/Secrets.cs
Expand Up @@ -7,7 +7,7 @@ namespace Microsoft.OneFuzz.Service;

public interface ISecretsOperations {
public (Uri, string) ParseSecretUrl(Uri secretsUrl);
public Task<SecretAddress<T>> SaveToKeyvault<T>(SecretData<T> secretData);
public Task<SecretData<T>> SaveToKeyvault<T>(SecretData<T> secretData);

public Task<string?> GetSecretStringValue<T>(SecretData<T> data);

Expand All @@ -31,14 +31,14 @@ public SecretsOperations(ICreds creds, IServiceConfig config) {
public (Uri, string) ParseSecretUrl(Uri secretsUrl) {
// format: https://{vault-name}.vault.azure.net/secrets/{secret-name}/{version}
var vaultUrl = $"{secretsUrl.Scheme}://{secretsUrl.Host}";
var secretName = secretsUrl.Segments[secretsUrl.Segments.Length - 2].Trim('/');
var secretName = secretsUrl.Segments[^2].Trim('/');
return (new Uri(vaultUrl), secretName);
}

public async Task<SecretAddress<T>> SaveToKeyvault<T>(SecretData<T> secretData) {
public async Task<SecretData<T>> SaveToKeyvault<T>(SecretData<T> secretData) {

if (secretData.Secret is SecretAddress<T> secretAddress) {
return secretAddress;
return secretData;
} else if (secretData.Secret is SecretValue<T> sValue) {
var secretName = Guid.NewGuid();
string secretValue;
Expand All @@ -49,7 +49,7 @@ public async Task<SecretAddress<T>> SaveToKeyvault<T>(SecretData<T> secretData)
}

var kv = await StoreInKeyvault(GetKeyvaultAddress(), secretName.ToString(), secretValue);
return new SecretAddress<T>(kv.Id);
return new SecretData<T>(new SecretAddress<T>(kv.Id));
}

throw new Exception("Invalid secret value");
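Review bot: `Segments[^2]` on the rewritten ParseSecretUrl line keeps the old assumption that the URL has the version segment documented in the comment above it; for the documented shape Uri.Segments yields `/`, `secrets/`, `{name}/`, `{version}`, so a URL that lacks the version (`.../secrets/{secret-name}`) silently yields the name `secrets`. A guard ahead of the indexing, `if (secretsUrl.Segments.Length < 4) throw new ArgumentException("expected /secrets/{name}/{version}", nameof(secretsUrl));`, would reject the malformed address instead of later looking up a secret called `secrets`. The throw at the end of SaveToKeyvault still uses the base `Exception` type; since this commit already rewrites that method's return path, an `InvalidOperationException` would let callers catch it specifically. SaveToKeyvault is split across the two hunks of this section, with its middle (the `sValue` handling) outside view.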
4 changes: 2 additions & 2 deletions src/ApiService/Tests/OrmModelsTest.cs
Expand Up @@ -43,11 +43,11 @@ public static Gen<Uri> Uri() {

public static Gen<ISecret<T>> ISecret<T>() {
if (typeof(T) == typeof(string)) {
return Arb.Generate<string>().Select(s => (ISecret<T>)new SecretValue<string>(s));
return Arb.Generate<string>().Select(s => (ISecret<T>)new SecretAddress<string>(new Uri("http://test")));
}

if (typeof(T) == typeof(GithubAuth)) {
return Arb.Generate<GithubAuth>().Select(s => (ISecret<T>)new SecretValue<GithubAuth>(s));
return Arb.Generate<GithubAuth>().Select(s => (ISecret<T>)new SecretAddress<T>(new Uri("http://test")));
} else {
throw new Exception($"Unsupported secret type {typeof(T)}");
}
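Review bot: Both rewritten generators discard the generated value — the lambda parameter `s` is unused on each Select line — so `Arb.Generate<string>()` and `Arb.Generate<GithubAuth>()` do work whose result is thrown away, and the fixed `new Uri("http://test")` means the property-based test no longer varies the secret at all. The two branches are also spelled inconsistently, one constructing `SecretAddress<string>` and the other `SecretAddress<T>`. Renaming the parameter to `_`, picking one spelling, and adding a one-line comment on the method noting that only addresses are generated because SecretValue now throws on write would make the intent explicit. The closing brace of ISecret<T> and the enclosing generator class lie past the hunk.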