admin and cli: hide secret keys unless asked
This commit is contained in:
parent
4a82f6380e
commit
7895f99d3a
7 changed files with 58 additions and 22 deletions
|
@ -411,6 +411,9 @@ If `id` is set, the key is looked up using its exact identifier (faster).
|
||||||
If `search` is set, the key is looked up using its name or prefix
|
If `search` is set, the key is looked up using its name or prefix
|
||||||
of identifier (slower, all keys are enumerated to do this).
|
of identifier (slower, all keys are enumerated to do this).
|
||||||
|
|
||||||
|
Optionnally, the query parameter `showSecretKey=true` can be set to reveal the
|
||||||
|
associated secret access key.
|
||||||
|
|
||||||
Example response:
|
Example response:
|
||||||
|
|
||||||
```json
|
```json
|
||||||
|
|
|
@ -242,8 +242,13 @@ impl ApiHandler for AdminApiServer {
|
||||||
Endpoint::RevertClusterLayout => handle_revert_cluster_layout(&self.garage, req).await,
|
Endpoint::RevertClusterLayout => handle_revert_cluster_layout(&self.garage, req).await,
|
||||||
// Keys
|
// Keys
|
||||||
Endpoint::ListKeys => handle_list_keys(&self.garage).await,
|
Endpoint::ListKeys => handle_list_keys(&self.garage).await,
|
||||||
Endpoint::GetKeyInfo { id, search } => {
|
Endpoint::GetKeyInfo {
|
||||||
handle_get_key_info(&self.garage, id, search).await
|
id,
|
||||||
|
search,
|
||||||
|
show_secret_key,
|
||||||
|
} => {
|
||||||
|
let show_secret_key = show_secret_key.map(|x| x == "true").unwrap_or(false);
|
||||||
|
handle_get_key_info(&self.garage, id, search, show_secret_key).await
|
||||||
}
|
}
|
||||||
Endpoint::CreateKey => handle_create_key(&self.garage, req).await,
|
Endpoint::CreateKey => handle_create_key(&self.garage, req).await,
|
||||||
Endpoint::ImportKey => handle_import_key(&self.garage, req).await,
|
Endpoint::ImportKey => handle_import_key(&self.garage, req).await,
|
||||||
|
|
|
@ -10,7 +10,7 @@ use garage_model::garage::Garage;
|
||||||
use garage_model::key_table::*;
|
use garage_model::key_table::*;
|
||||||
|
|
||||||
use crate::admin::error::*;
|
use crate::admin::error::*;
|
||||||
use crate::helpers::{json_ok_response, parse_json_body};
|
use crate::helpers::{is_default, json_ok_response, parse_json_body};
|
||||||
|
|
||||||
pub async fn handle_list_keys(garage: &Arc<Garage>) -> Result<Response<Body>, Error> {
|
pub async fn handle_list_keys(garage: &Arc<Garage>) -> Result<Response<Body>, Error> {
|
||||||
let res = garage
|
let res = garage
|
||||||
|
@ -44,6 +44,7 @@ pub async fn handle_get_key_info(
|
||||||
garage: &Arc<Garage>,
|
garage: &Arc<Garage>,
|
||||||
id: Option<String>,
|
id: Option<String>,
|
||||||
search: Option<String>,
|
search: Option<String>,
|
||||||
|
show_secret_key: bool,
|
||||||
) -> Result<Response<Body>, Error> {
|
) -> Result<Response<Body>, Error> {
|
||||||
let key = if let Some(id) = id {
|
let key = if let Some(id) = id {
|
||||||
garage.key_helper().get_existing_key(&id).await?
|
garage.key_helper().get_existing_key(&id).await?
|
||||||
|
@ -56,7 +57,7 @@ pub async fn handle_get_key_info(
|
||||||
unreachable!();
|
unreachable!();
|
||||||
};
|
};
|
||||||
|
|
||||||
key_info_results(garage, key).await
|
key_info_results(garage, key, show_secret_key).await
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn handle_create_key(
|
pub async fn handle_create_key(
|
||||||
|
@ -68,7 +69,7 @@ pub async fn handle_create_key(
|
||||||
let key = Key::new(req.name.as_deref().unwrap_or("Unnamed key"));
|
let key = Key::new(req.name.as_deref().unwrap_or("Unnamed key"));
|
||||||
garage.key_table.insert(&key).await?;
|
garage.key_table.insert(&key).await?;
|
||||||
|
|
||||||
key_info_results(garage, key).await
|
key_info_results(garage, key, true).await
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Deserialize)]
|
#[derive(Deserialize)]
|
||||||
|
@ -88,10 +89,14 @@ pub async fn handle_import_key(
|
||||||
return Err(Error::KeyAlreadyExists(req.access_key_id.to_string()));
|
return Err(Error::KeyAlreadyExists(req.access_key_id.to_string()));
|
||||||
}
|
}
|
||||||
|
|
||||||
let imported_key = Key::import(&req.access_key_id, &req.secret_access_key, &req.name);
|
let imported_key = Key::import(
|
||||||
|
&req.access_key_id,
|
||||||
|
&req.secret_access_key,
|
||||||
|
req.name.as_deref().unwrap_or("Imported key"),
|
||||||
|
);
|
||||||
garage.key_table.insert(&imported_key).await?;
|
garage.key_table.insert(&imported_key).await?;
|
||||||
|
|
||||||
key_info_results(garage, imported_key).await
|
key_info_results(garage, imported_key, false).await
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Deserialize)]
|
#[derive(Deserialize)]
|
||||||
|
@ -99,7 +104,7 @@ pub async fn handle_import_key(
|
||||||
struct ImportKeyRequest {
|
struct ImportKeyRequest {
|
||||||
access_key_id: String,
|
access_key_id: String,
|
||||||
secret_access_key: String,
|
secret_access_key: String,
|
||||||
name: String,
|
name: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn handle_update_key(
|
pub async fn handle_update_key(
|
||||||
|
@ -129,7 +134,7 @@ pub async fn handle_update_key(
|
||||||
|
|
||||||
garage.key_table.insert(&key).await?;
|
garage.key_table.insert(&key).await?;
|
||||||
|
|
||||||
key_info_results(garage, key).await
|
key_info_results(garage, key, false).await
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Deserialize)]
|
#[derive(Deserialize)]
|
||||||
|
@ -152,7 +157,11 @@ pub async fn handle_delete_key(garage: &Arc<Garage>, id: String) -> Result<Respo
|
||||||
.body(Body::empty())?)
|
.body(Body::empty())?)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn key_info_results(garage: &Arc<Garage>, key: Key) -> Result<Response<Body>, Error> {
|
async fn key_info_results(
|
||||||
|
garage: &Arc<Garage>,
|
||||||
|
key: Key,
|
||||||
|
show_secret: bool,
|
||||||
|
) -> Result<Response<Body>, Error> {
|
||||||
let mut relevant_buckets = HashMap::new();
|
let mut relevant_buckets = HashMap::new();
|
||||||
|
|
||||||
let key_state = key.state.as_option().unwrap();
|
let key_state = key.state.as_option().unwrap();
|
||||||
|
@ -181,7 +190,11 @@ async fn key_info_results(garage: &Arc<Garage>, key: Key) -> Result<Response<Bod
|
||||||
let res = GetKeyInfoResult {
|
let res = GetKeyInfoResult {
|
||||||
name: key_state.name.get().clone(),
|
name: key_state.name.get().clone(),
|
||||||
access_key_id: key.key_id.clone(),
|
access_key_id: key.key_id.clone(),
|
||||||
secret_access_key: key_state.secret_key.clone(),
|
secret_access_key: if show_secret {
|
||||||
|
Some(key_state.secret_key.clone())
|
||||||
|
} else {
|
||||||
|
None
|
||||||
|
},
|
||||||
permissions: KeyPerm {
|
permissions: KeyPerm {
|
||||||
create_bucket: *key_state.allow_create_bucket.get(),
|
create_bucket: *key_state.allow_create_bucket.get(),
|
||||||
},
|
},
|
||||||
|
@ -227,7 +240,8 @@ async fn key_info_results(garage: &Arc<Garage>, key: Key) -> Result<Response<Bod
|
||||||
struct GetKeyInfoResult {
|
struct GetKeyInfoResult {
|
||||||
name: String,
|
name: String,
|
||||||
access_key_id: String,
|
access_key_id: String,
|
||||||
secret_access_key: String,
|
#[serde(skip_serializing_if = "is_default")]
|
||||||
|
secret_access_key: Option<String>,
|
||||||
permissions: KeyPerm,
|
permissions: KeyPerm,
|
||||||
buckets: Vec<KeyInfoBucketResult>,
|
buckets: Vec<KeyInfoBucketResult>,
|
||||||
}
|
}
|
||||||
|
|
|
@ -35,6 +35,7 @@ pub enum Endpoint {
|
||||||
GetKeyInfo {
|
GetKeyInfo {
|
||||||
id: Option<String>,
|
id: Option<String>,
|
||||||
search: Option<String>,
|
search: Option<String>,
|
||||||
|
show_secret_key: Option<String>,
|
||||||
},
|
},
|
||||||
DeleteKey {
|
DeleteKey {
|
||||||
id: String,
|
id: String,
|
||||||
|
@ -104,11 +105,11 @@ impl Endpoint {
|
||||||
POST ("/v0/layout/apply" | "/v1/layout/apply") => ApplyClusterLayout,
|
POST ("/v0/layout/apply" | "/v1/layout/apply") => ApplyClusterLayout,
|
||||||
POST ("/v0/layout/revert" | "/v1/layout/revert") => RevertClusterLayout,
|
POST ("/v0/layout/revert" | "/v1/layout/revert") => RevertClusterLayout,
|
||||||
// API key endpoints
|
// API key endpoints
|
||||||
GET ("/v0/key" | "/v1/key") if id => GetKeyInfo (query_opt::id, query_opt::search),
|
GET "/v1/key" if id => GetKeyInfo (query_opt::id, query_opt::search, query_opt::show_secret_key),
|
||||||
GET ("/v0/key" | "/v1/key") if search => GetKeyInfo (query_opt::id, query_opt::search),
|
GET "/v1/key" if search => GetKeyInfo (query_opt::id, query_opt::search, query_opt::show_secret_key),
|
||||||
POST ("/v0/key" | "/v1/key") if id => UpdateKey (query::id),
|
POST "/v1/key" if id => UpdateKey (query::id),
|
||||||
POST ("/v0/key" | "/v1/key") => CreateKey,
|
POST "/v1/key" => CreateKey,
|
||||||
POST ("/v0/key/import" | "/v1/key/import") => ImportKey,
|
POST "/v1/key/import" => ImportKey,
|
||||||
DELETE ("/v0/key" | "/v1/key") if id => DeleteKey (query::id),
|
DELETE ("/v0/key" | "/v1/key") if id => DeleteKey (query::id),
|
||||||
GET ("/v0/key" | "/v1/key") => ListKeys,
|
GET ("/v0/key" | "/v1/key") => ListKeys,
|
||||||
// Bucket endpoints
|
// Bucket endpoints
|
||||||
|
@ -153,6 +154,7 @@ generateQueryParameters! {
|
||||||
"search" => search,
|
"search" => search,
|
||||||
"globalAlias" => global_alias,
|
"globalAlias" => global_alias,
|
||||||
"alias" => alias,
|
"alias" => alias,
|
||||||
"accessKeyId" => access_key_id
|
"accessKeyId" => access_key_id,
|
||||||
|
"showSecretKey" => show_secret_key
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -152,6 +152,10 @@ pub fn json_ok_response<T: Serialize>(res: &T) -> Result<Response<Body>, Error>
|
||||||
.body(Body::from(resp_json))?)
|
.body(Body::from(resp_json))?)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn is_default<T: Default + PartialEq>(v: &T) -> bool {
|
||||||
|
*v == T::default()
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
|
@ -41,12 +41,17 @@ impl AdminRpcHandler {
|
||||||
Ok(AdminRpc::KeyList(key_ids))
|
Ok(AdminRpc::KeyList(key_ids))
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn handle_key_info(&self, query: &KeyOpt) -> Result<AdminRpc, Error> {
|
async fn handle_key_info(&self, query: &KeyInfoOpt) -> Result<AdminRpc, Error> {
|
||||||
let key = self
|
let mut key = self
|
||||||
.garage
|
.garage
|
||||||
.key_helper()
|
.key_helper()
|
||||||
.get_existing_matching_key(&query.key_pattern)
|
.get_existing_matching_key(&query.key_pattern)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
|
if !query.show_secret {
|
||||||
|
key.state.as_option_mut().unwrap().secret_key = "(redacted)".into();
|
||||||
|
}
|
||||||
|
|
||||||
self.key_info_result(key).await
|
self.key_info_result(key).await
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -328,7 +328,7 @@ pub enum KeyOperation {
|
||||||
|
|
||||||
/// Get key info
|
/// Get key info
|
||||||
#[structopt(name = "info", version = garage_version())]
|
#[structopt(name = "info", version = garage_version())]
|
||||||
Info(KeyOpt),
|
Info(KeyInfoOpt),
|
||||||
|
|
||||||
/// Create new key
|
/// Create new key
|
||||||
#[structopt(name = "create", version = garage_version())]
|
#[structopt(name = "create", version = garage_version())]
|
||||||
|
@ -356,9 +356,12 @@ pub enum KeyOperation {
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Serialize, Deserialize, StructOpt, Debug)]
|
#[derive(Serialize, Deserialize, StructOpt, Debug)]
|
||||||
pub struct KeyOpt {
|
pub struct KeyInfoOpt {
|
||||||
/// ID or name of the key
|
/// ID or name of the key
|
||||||
pub key_pattern: String,
|
pub key_pattern: String,
|
||||||
|
/// Whether to display the secret key
|
||||||
|
#[structopt(long = "show-secret")]
|
||||||
|
pub show_secret: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Serialize, Deserialize, StructOpt, Debug)]
|
#[derive(Serialize, Deserialize, StructOpt, Debug)]
|
||||||
|
|
Loading…
Reference in a new issue