Encrypt passwords before putting them on the queue as args #19006
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -26,6 +26,18 @@ def self.raw_create_in_provider(manager, params) | |
create!(create_params) | ||
end | ||
|
||
def self.password_attribute_keys | ||
self::API_ATTRIBUTES.map do |k, v| | ||
k if v[:type] == :password | ||
end.compact | ||
end | ||
|
||
def self.encrypt_queue_params(params) | ||
encrypted_params = params.slice(*password_attribute_keys) | ||
encrypted_params.transform_values! { |v| ManageIQ::Password.try_encrypt(v) } | ||
Just putting this as a note to anyone else that sees this and is confused: There is no
NOTE: My original concern for bringing this up is because I know the specs for the
Thanks for this explanation...I really couldn't understand why there was no decrypt step. |
||
params.merge(encrypted_params) | ||
end | ||
|
||
def raw_update_in_provider(params) | ||
update!(self.class.params_to_attributes(params.except(:task_id, :miq_task_id))) | ||
end | ||
|
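Review bot: in `encrypt_queue_params`, `params.slice(*password_attribute_keys)` only matches when the caller's hash uses the same key type as `API_ATTRIBUTES`; if a caller passes string keys where the constant uses symbols (or the reverse), the slice is empty, nothing is encrypted, and the plaintext password is queued without any error. Consider normalizing the keys before the slice, or adding a spec that queues string-keyed params and asserts the password value is encrypted. A short comment on the method saying why `raw_update_in_provider` needs no matching decrypt step would also help, since nothing in this hunk explains it.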
Since `API_ATTRIBUTES` are mapped to different DB columns as part of the `.params_to_attributes`, maybe include `.encrypted_columns` from `PasswordMixin` to this list before mapping?

Yeah, I did this specifically for the API attributes. For other attributes you could use `.encrypted_columns` like you said. I can change the name to be more clear. Maybe `api_attribute_password_keys`?

I guess what I'm saying is if the API attributes and the encrypted columns were the same then I wouldn't need this method.
Since that's the case then I wouldn't want to confuse the two. I'm not sure what the benefit of having both here would be.

I was only just suggesting this in the off chance something else besides the UI ends up queuing a credential operation, and isn't using the `API_ATTRIBUTE` keys to do it. I think the method name is fine as is.
Not a big deal though, so I don't think this is worth stopping a merge to consider this change.

I don't think that would even work. Pretty sure `params_to_attributes` would break the cred data (we assume that the input has the `API_ATTRIBUTES`-style keys)

Okay, I concede...
manageiq/app/models/manageiq/providers/embedded_ansible/automation_manager/vault_credential.rb
Line 29 in 712d9cd
Though I had done a `||=` in some places, but I guess not.
You win this time Carboni! (shakes fist in air while onlookers look on in wonder...)