Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Proposed strategies for additional secret integration into ESDL script #18016

Draft
wants to merge 4 commits into
base: candidate-9.4.x
Choose a base branch
from
Draft

WIP: Proposed strategies for additional secret integration into ESDL script #18016

wants to merge 4 commits into from

Conversation

timothyklemm
Copy link
Contributor

Type of change:

  • This change is a bug fix (non-breaking change which fixes an issue).
  • This change is a new feature (non-breaking change which adds functionality).
  • This change improves the code (refactor or other change that does not change the functionality)
  • This change fixes warnings (the fix does not alter the functionality or the generated code)
  • This change is a breaking change (fix or feature that will cause existing behavior to change).
  • This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • My code follows the code style of this project.
    • My code does not create any new warnings from compiler, build system, or lint.
  • The commit message is properly formatted and free of typos.
    • The commit message title makes sense in a changelog, by itself.
    • The commit is signed.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly, or...
    • I have created a JIRA ticket to update the documentation.
    • Any new interfaces or exported functions are appropriately commented.
  • I have read the CONTRIBUTORS document.
  • The change has been fully tested:
    • I have added tests to cover my changes.
    • All new and existing tests passed.
    • I have checked that this change does not introduce memory leaks.
    • I have used Valgrind or similar tools to check for potential issues.
  • I have given due consideration to all of the following potential concerns:
    • Scalability
    • Performance
    • Security
    • Thread-safety
    • Cloud-compatibility
    • Premature optimization
    • Existing deployed queries will not be broken
    • This change fixes the problem, not just the symptom
    • The target branch of this pull request is appropriate for such a change.
  • There are no similar instances of the same problem that should be addressed
    • I have addressed them here
    • I have raised JIRA issues to address them separately
  • This is a user interface / front-end modification
    • I have tested my changes in multiple modern browsers
    • The component(s) render as expected

Smoketest:

  • Send notifications about my Pull Request position in Smoketest queue.
  • Test my draft Pull Request.

Testing:

HPCC-26029 Improve ESDL script secret support
e73cd16 
- Add a transactional secret cache to the script context.
- Add secret support to http-post-xml.
- Update secret support in mysql.

Signed-off-by: Tim Klemm <tim.klemm@lexisnexisrisk.com>
@timothyklemm timothyklemm marked this pull request as draft November 10, 2023 15:40
asselitx
asselitx approved these changes Nov 13, 2023
View reviewed changes
Copy link
Contributor

@asselitx asselitx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This approach looks good to me. The two comments I made are for some possible small changes you might have already had on your radar.

esp/esdlscriptlib/esdl_script.cpp Outdated
JBASE64_Encode(credentials, credentials.length(), encoded, false);
if (method.isEmpty())
method.append("Basic");
method.append(' ').append(encoded);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need a colon between the header name and value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just the value. The only colon is between username and password.

esp/esdlscriptlib/esdl_script.cpp Outdated
if (!secret)
recordException(ESDL_SCRIPT_MissingOperationAttr, "missing http-connect secret");

if (method.isEmpty() || streq(method, "Basic"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Header names are case insensitive. Probably should follow that here unless there is another reason not to.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are correct about "Authorization" needing to be checked insensitively. "Basic" is part of the value. Values can be case sensitive, and I only see it presented one way.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to make things more interesting, httpbinding.cpp does a case insensitive comparison of "Basic" while httplib.h performs a case sensitive comparison of "Basic". We appear to be inconsistent on handling of the value.

Fortunately, the question is only relevant because I try to reuse the value in the outgoing header instead of treating it as a simple selector. I'll update to treat the input value as a case-insensitive selector and replace it with the header value that seems to be expected.

Tim Klemm added 3 commits November 16, 2023 07:27
Updates from review and discussion comments
603c537
HPCC-26655 Add ESDL script access to "espUser" secrets
61d637b 
Define XPath extension function getSecretKeyValue to lookup a secret and
extract a named value from the matching property tree.

Signed-off-by: Tim Klemm <tim.klemm@lexisnexisrisk.com>
Update from discussion comments
4d308d8
@timothyklemm timothyklemm force-pushed the hpcc-26655-user_secrets branch from ad319c7 to 4d308d8 Compare November 16, 2023 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asselitx asselitx asselitx approved these changes

@afishbeck afishbeck Awaiting requested review from afishbeck

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@timothyklemm @asselitx