aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(proto): Make UPD domain field public + ensure consistency across API pkgs

Browse Source
pull/6010/head
Hugo 11 months ago committed by irenarindos
parent fbcc256742
commit 0111123cac
5 changed files with 109 additions and 23 deletions
Show Stats Download Patch File Download Diff File

6
internal/proto/controller/api/resources/credentials/v1/credential.proto
Unescape View File

@ -97,7 +97,7 @@ message UsernamePasswordAttributes {
this: "attributes.username"
that: "Username"
}
]; // @gotags: `class:"public"`
]; // @gotags: `class:"sensitive"`
// Input only. The password associated with the credential.
google.protobuf.StringValue password = 20 [
@ -127,7 +127,7 @@ message UsernamePasswordDomainAttributes {
this: "attributes.username"
that: "Username"
}
]; // @gotags: `class:"public"`
]; // @gotags: `class:"sensitive"`
// Input only. The password associated with the credential.
google.protobuf.StringValue password = 20 [
@ -166,7 +166,7 @@ message SshPrivateKeyAttributes {
this: "attributes.username"
that: "Username"
}
]; // @gotags: `class:"public"`
]; // @gotags: `class:"sensitive"`
// Input only. The SSH private key associated with the credential.
google.protobuf.StringValue private_key = 20 [

2
internal/proto/controller/api/resources/targets/v1/target.proto
Unescape View File

@ -443,7 +443,7 @@ message UsernamePasswordDomainCredential {
string password = 2; // @gotags: `class:"secret"`
// Domain of the credential
string domain = 3; // @gotags: `class:"sensitive"`
string domain = 3; // @gotags: `class:"public"`
}
// The layout of the struct for "credential" field in SessionCredential for a ssh_private_key credential type.

116
internal/tests/api/credentials/credentials_classification_test.go
Unescape View File

@ -5,18 +5,20 @@ package credentials_test
import (
"context"
"encoding/json"
"strings"
"testing"
"time"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/hashicorp/boundary/sdk/pbs/controller/api"
pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/credentials"
"github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/scopes"
"github.com/hashicorp/boundary/sdk/wrapper"
"github.com/hashicorp/eventlogger"
"github.com/hashicorp/eventlogger/filters/encrypt"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/testing/protocmp"
"google.golang.org/protobuf/types/known/structpb"
"google.golang.org/protobuf/types/known/timestamppb"
"google.golang.org/protobuf/types/known/wrapperspb"
@ -35,8 +37,85 @@ func TestCredentialClassification(t *testing.T) {
want *eventlogger.Event
}{
{
"Usernamepassword",
&eventlogger.Event{
name: "usernamePasswordDomainCredential",
in: &eventlogger.Event{
Type: "test",
CreatedAt: now,
Payload: &pb.Credential{
Id: "id",
CredentialStoreId: "cred-store-id",
Scope: &scopes.ScopeInfo{
Id: "scope-id",
Type: "scope-type",
Name: "scope-name",
Description: "scope-descriptione",
ParentScopeId: "scope-parent-scope-id",
},
Name: &wrapperspb.StringValue{
Value: "name",
},
Description: &wrapperspb.StringValue{
Value: "description",
},
CreatedTime: pbNow,
UpdatedTime: pbNow,
Version: 1,
Type: "username_password_domain",
Attrs: &pb.Credential_UsernamePasswordDomainAttributes{
UsernamePasswordDomainAttributes: &pb.UsernamePasswordDomainAttributes{
Username: &wrapperspb.StringValue{Value: "username"},
Password: &wrapperspb.StringValue{Value: "password"},
PasswordHmac: "password-hmac",
Domain: &wrapperspb.StringValue{Value: "domain"},
},
},
AuthorizedActions: []string{
"action-1",
"action-2",
},
},
},
want: &eventlogger.Event{
Type: "test",
CreatedAt: now,
Payload: &pb.Credential{
Id: "id",
CredentialStoreId: "cred-store-id",
Scope: &scopes.ScopeInfo{
Id: "scope-id",
Type: "scope-type",
Name: "scope-name",
Description: "scope-descriptione",
ParentScopeId: "scope-parent-scope-id",
},
Name: &wrapperspb.StringValue{
Value: "name",
},
Description: &wrapperspb.StringValue{
Value: "description",
},
CreatedTime: pbNow,
UpdatedTime: pbNow,
Version: 1,
Type: "username_password_domain",
Attrs: &pb.Credential_UsernamePasswordDomainAttributes{
UsernamePasswordDomainAttributes: &pb.UsernamePasswordDomainAttributes{
Username: &wrapperspb.StringValue{Value: "encrypted:"},
Password: &wrapperspb.StringValue{Value: "[REDACTED]"},
PasswordHmac: "password-hmac",
Domain: &wrapperspb.StringValue{Value: "domain"},
},
},
AuthorizedActions: []string{
"action-1",
"action-2",
},
},
},
},
{
name: "usernamePasswordCredential",
in: &eventlogger.Event{
Type: "test",
CreatedAt: now,
Payload: &pb.Credential{
@ -72,7 +151,7 @@ func TestCredentialClassification(t *testing.T) {
},
},
},
&eventlogger.Event{
want: &eventlogger.Event{
Type: "test",
CreatedAt: now,
Payload: &pb.Credential{
@ -97,7 +176,7 @@ func TestCredentialClassification(t *testing.T) {
Type: "username_password",
Attrs: &pb.Credential_UsernamePasswordAttributes{
UsernamePasswordAttributes: &pb.UsernamePasswordAttributes{
Username: &wrapperspb.StringValue{Value: "username"},
Username: &wrapperspb.StringValue{Value: "encrypted:"},
Password: &wrapperspb.StringValue{Value: "[REDACTED]"},
PasswordHmac: "password-hmac",
},
@ -110,8 +189,8 @@ func TestCredentialClassification(t *testing.T) {
},
},
{
"Default",
&eventlogger.Event{
name: "default",
in: &eventlogger.Event{
Type: "test",
CreatedAt: now,
Payload: &pb.Credential{
@ -148,7 +227,7 @@ func TestCredentialClassification(t *testing.T) {
},
},
},
&eventlogger.Event{
want: &eventlogger.Event{
Type: "test",
CreatedAt: now,
Payload: &pb.Credential{
@ -190,15 +269,22 @@ func TestCredentialClassification(t *testing.T) {
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
wantJSON, err := json.Marshal(tc.want)
require.NoError(t, err)
got, err := testEncryptingFilter.Process(ctx, tc.in)
require.NoError(t, err)
require.NotNil(t, got)
gotJSON, err := json.Marshal(got)
require.NoError(t, err)
assert.JSONEq(t, string(wantJSON), string(gotJSON))
at := cmpopts.AcyclicTransformer("removeEncryptedValue", func(s string) string {
// A sensitive field is by default encrypted and set to an
// `encrypted:<ENCRYPTED_VALUE>` value in the event object.
// This function gets called for each string in the object and
// trims off the encrypted value if it exists so we can make a
// full object comparison.
if strings.HasPrefix(s, "encrypted:") {
return "encrypted:"
}
return s
})
require.Empty(t, cmp.Diff(tc.want.Payload, got.Payload, protocmp.Transform(), at))
})
}
}

6
sdk/pbs/controller/api/resources/credentials/credential.pb.go
Unescape View File

@ -257,7 +257,7 @@ func (*Credential_UsernamePasswordDomainAttributes) isCredential_Attrs() {}
type UsernamePasswordAttributes struct {
state protoimpl.MessageState `protogen:"open.v1"`
// The username associated with the credential.
Username *wrapperspb.StringValue `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty" class:"public"` // @gotags: `class:"public"`
Username *wrapperspb.StringValue `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty" class:"sensitive"` // @gotags: `class:"sensitive"`
// Input only. The password associated with the credential.
Password *wrapperspb.StringValue `protobuf:"bytes,20,opt,name=password,proto3" json:"password,omitempty" class:"secret"` // @gotags: `class:"secret"`
// Output only. The hmac value of the password.
@ -320,7 +320,7 @@ func (x *UsernamePasswordAttributes) GetPasswordHmac() string {
type UsernamePasswordDomainAttributes struct {
state protoimpl.MessageState `protogen:"open.v1"`
// The username associated with the credential.
Username *wrapperspb.StringValue `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty" class:"public"` // @gotags: `class:"public"`
Username *wrapperspb.StringValue `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty" class:"sensitive"` // @gotags: `class:"sensitive"`
// Input only. The password associated with the credential.
Password *wrapperspb.StringValue `protobuf:"bytes,20,opt,name=password,proto3" json:"password,omitempty" class:"secret"` // @gotags: `class:"secret"`
// Output only. The hmac value of the password.
@ -392,7 +392,7 @@ func (x *UsernamePasswordDomainAttributes) GetDomain() *wrapperspb.StringValue {
type SshPrivateKeyAttributes struct {
state protoimpl.MessageState `protogen:"open.v1"`
// The username associated with the credential.
Username *wrapperspb.StringValue `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty" class:"public"` // @gotags: `class:"public"`
Username *wrapperspb.StringValue `protobuf:"bytes,10,opt,name=username,proto3" json:"username,omitempty" class:"sensitive"` // @gotags: `class:"sensitive"`
// Input only. The SSH private key associated with the credential.
PrivateKey *wrapperspb.StringValue `protobuf:"bytes,20,opt,name=private_key,proto3" json:"private_key,omitempty" class:"secret"` // @gotags: `class:"secret"`
// Output only. The hmac value of the SSH private key.

2
sdk/pbs/controller/api/resources/targets/target.pb.go
Unescape View File

@ -1359,7 +1359,7 @@ type UsernamePasswordDomainCredential struct {
// Password of the credential
Password string `protobuf:"bytes,2,opt,name=password,proto3" json:"password,omitempty" class:"secret"` // @gotags: `class:"secret"`
// Domain of the credential
Domain string `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty" class:"sensitive"` // @gotags: `class:"sensitive"`
Domain string `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty" class:"public"` // @gotags: `class:"public"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}

Write Preview
Loading…
Cancel
Save