Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NC | Secret Keys Encryption Gaps #7979

Merged
merged 1 commit into from
Apr 22, 2024
Merged

NC | Secret Keys Encryption Gaps #7979

merged 1 commit into from
Apr 22, 2024

Conversation

romayalon
Copy link
Contributor

@romayalon romayalon commented Apr 16, 2024
edited
Loading

Explain the changes

  1. Master Key Manager -

    • MasterKey & MasterKeysByID type declarations and some other JSDoc updates
    • create_master_keys_exec() - handle MASTER_KEYS_ALREADY_EXIST error with regular return.
    • get_master_keys_json() - refactoring (see GAP 1).

  2. Config.js -

    • Added master keys configuration validation - validate_nc_master_keys_config() -
      Checked for the correctness of the master keys configuration.
      On executable flow - Checked that the executable files exist and can be executed.

  3. Unit Tests additions -

    • Executable flow tests.
    • Config tests for master keys related configurations.

Issues: Fixed #xxx / Gap #xxx

  1. GAP 1- get_master_keys_json() - should be built based on master_keys_by_id and not just the active key.
  2. GAP 2 - Need to update the upstream doc.
  3. GAP 3 - Add more unit tests.

Testing Instructions:

  1. sudo jest --testRegex=jest_tests/test_nc_master_keys_exec
  2. sudo jest --testRegex=jest_tests/test_nc_nsfs_config_schema
  • Doc added/updated
  • Tests added

@romayalon romayalon force-pushed the romy-nc-secret-encryption branch 4 times, most recently from 0e4cc15 to 912987c Compare April 16, 2024 20:53
@romayalon romayalon requested a review from guymguym April 17, 2024 06:55
@romayalon romayalon force-pushed the romy-nc-secret-encryption branch 2 times, most recently from bce0de4 to 561f77c Compare April 18, 2024 11:35
@romayalon romayalon requested review from guymguym and removed request for guymguym April 18, 2024 12:34
@romayalon romayalon force-pushed the romy-nc-secret-encryption branch from 561f77c to 9508d82 Compare April 21, 2024 08:11
@guymguym guymguym added this to the 5.15.3 milestone Apr 21, 2024
guymguym
guymguym reviewed Apr 22, 2024
View reviewed changes
config.js Outdated Show resolved Hide resolved
config.js Outdated Show resolved Hide resolved
src/cmd/manage_nsfs.js
@@ -95,6 +95,7 @@ async function main(argv = minimist(process.argv.slice(2))) {
const user_input = user_input_from_file || argv;
config_root = argv.config_root ? String(argv.config_root) : config.NSFS_NC_CONF_DIR;
if (!config_root) throw_cli_error(ManageCLIError.MissingConfigDirPath);
if (argv.config_root) config.NSFS_NC_CONF_DIR = String(argv.config_root);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this still needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the argv.config_root?
I would love to remove it, it's very annoying

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so why did you add it in this PR? is it needed for any case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant to the option of passing config_root,
I added it because if we won't update it the master_keys.json will get written to /etc/noobaa.conf.d/

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why would it be created always in etc? our config.js code already handles config_dir_redirect no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, but this was initially introduced before we had anything, and for cases when there is not config_dir_redirect.
I think we use it only for tests

src/manage_nsfs/nc_master_key_manager.js Outdated Show resolved Hide resolved
src/manage_nsfs/nc_master_key_manager.js Outdated Show resolved Hide resolved
src/manage_nsfs/nc_master_key_manager.js Show resolved Hide resolved
src/manage_nsfs/nc_master_key_manager.js Outdated Show resolved Hide resolved
@romayalon romayalon force-pushed the romy-nc-secret-encryption branch from 1605f3a to bc54fe2 Compare April 22, 2024 10:12
@romayalon
master keys fixes
477ef92 
Signed-off-by: Romy <35330373+romayalon@users.noreply.github.com>
@romayalon romayalon force-pushed the romy-nc-secret-encryption branch from 1a24129 to 477ef92 Compare April 22, 2024 11:15
@romayalon romayalon merged commit 1dff5db into noobaa:master Apr 22, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guymguym guymguym guymguym approved these changes

Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
5.15.3
Development

Successfully merging this pull request may close these issues.
2 participants
@romayalon @guymguym