New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #269. Initial work to support secrets. #278
Conversation
@dmlloyd please, let me know if you think this is going into the right direction :) |
implementation/src/main/java/io/smallrye/config/ConfigSourceInterceptorContext.java
Outdated
Show resolved
Hide resolved
implementation/src/main/java/io/smallrye/config/SecretKeys.java
Outdated
Show resolved
Hide resolved
@dmlloyd This should be more in line with your review. I think there are still 2 thing we need to figure out:
|
implementation/src/main/java/io/smallrye/config/SecretKeys.java
Outdated
Show resolved
Hide resolved
Using the exception model, we don't need to filter the property names in any way: the key is not secret, and anyway property expressions could reference the key so the existence of the key can't really be hidden. To "re-lock" we could have opposite methods which run a function of some sort with the lock flag re-set. |
Yes, it would be handled by the exception model. In my mind, to be extra safe, I thought that we could configure all the secret keys plus any expansion variables that may contain sensitive information and exclude them in the property names. |
We don't need to go to that extent. If we rely solely on an exception model, and a user accesses a property with a variable in it which expands to a secret, we get behavior like this:
So we don't need to do any complex analysis (which is always dangerous when talking about security anyways) for this case. There doesn't seem to be any need to exclude the names of secret properties from this perspective: we have one unified protection mechanism, so that's only one thing that can potentially fail. |
Yes, my idea was not to do any complex analysis. It would on the user to add those names into the secret list and we could just exclude them from everywhere (include the list properties). Nevermind, lets not touch property names. |
Furthermore I'd imagine a logger would capture exceptions anyway, to be able to handle a variety of situations. Consider in this example that
Catching exceptions for the exceptional cases really makes this easy. The logger doesn't really need any special knowledge, it just needs to catch |
Yes, that is ok. Unless I'm missing something, the case that I wanted to prevent is when you have the lock open and you have the logger in the middle, but you don't want to log the access, right? |
If the question is "do we log accesses to secret keys", I think the answer is probably "why not?": if you're logging config accesses then you probably want that information as well. But whether or not it is actually logged, you still have to figure out whether it's secret, so you'd eventually need something like: try {
ConfigValue maybeLocked = doLocked(() -> context.proceed(name));
log(name, maybeLocked.getValue());
} catch (SecurityException e) {
log(name, "<locked>");
} catch (RuntimeException e) {
log(name, "<access error>");
}
return context.proceed(name); |
Yes, I think we can log secret config access, but omitting the value of course. That is why we need a |
I think it should be better now :) |
d5f9127
to
371c9d1
Compare
implementation/src/main/java/io/smallrye/config/SmallRyeConfig.java
Outdated
Show resolved
Hide resolved
e8c8db4
to
a98d04a
Compare
implementation/src/main/java/io/smallrye/config/SecretKeys.java
Outdated
Show resolved
Hide resolved
implementation/src/main/java/io/smallrye/config/SmallRyeConfigBuilder.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the above comments, it's looking good.
Thanks, let me fix that. |
This is the initial work to implement #269 .
A new class
SecretKeys
can be configured with the key names to be considered secrets and access to these keys is protected unless it is explicitly asked for.There are still some open questions:
ConfigSource#getPropertyNames
? We could wrap it in our own source, but then it will become a different type for the user. Is this acceptable?SecretKeys
in the interceptor chain, so we can control access from the interceptors as well. This requires to add a getter method inConfigSourceInterceptorContext
.