Skip to content

[8.17] (backport #17351) Improve the key validation in secret identifier. #17585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 24, 2025
Merged

[8.17] (backport #17351) Improve the key validation in secret identifier. #17585

merged 2 commits into from
Apr 24, 2025

Conversation

@mergify
Copy link
Contributor

@mergify mergify bot commented Apr 24, 2025

Release notes

  • The keystore has improved validation, and will no longer allow the creation of secrets that cannot be accessed with config replacement parameters (${ ... }).

What does this PR do?

Before this change, key-value can be added to keystore but it might impossible to reference the key because ConfigVariableExpander ignores if key name doesn't align with SUBSTITUTION_PLACEHOLDER_REGEX
Improves user experience with the secret store CLI that when providing key name, LS validates to accept a value which can be used in pipeline (aligns with ConfigVariableExpander#SUBSTITUTION_PLACEHOLDER_REGEX).
If already invalid key(s) were added, it warns to remove/replace the keys.

Why is it important/What is the impact to the user?

No user impact. Keystore CLI restricts adding meaningless keys to keystore.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [] I have made corresponding changes to the documentation
  • [] I have made corresponding change to the default configuration files (and/or docker env variables)
  • I have added tests that prove my fix is effective or that my feature works

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

This is an automatic backport of pull request #17351 done by [Mergify](https://mergify.com).

@mashhurs @mergify
Improve the key validation in secret identifier. (#17351)
d40c24c 
* Improve the key validation in secret identifier.

* Restrict adding invalid (from ConfigVariableExpander point of view) key names to the keystore through keystore CLI. Keystore now warns on invalid keys if they were already added.

* Key pattern is moved to a central config expander class with its description.

Co-authored-by: Rye Biesemeyer <[email protected]>
(cherry picked from commit d24675a)

# Conflicts:
#	docs/reference/keystore.md
@mergify mergify bot added backport conflicts Detected git conflicts labels Apr 24, 2025
@mergify
Copy link
Contributor Author

mergify bot commented Apr 24, 2025

Cherry-pick of d24675a has failed:

On branch mergify/bp/8.17/pr-17351
Your branch is up to date with 'origin/8.17'.

You are currently cherry-picking commit d24675ae.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   logstash-core/src/main/java/org/logstash/plugins/ConfigVariableExpander.java
	modified:   logstash-core/src/main/java/org/logstash/secret/SecretIdentifier.java
	modified:   logstash-core/src/main/java/org/logstash/secret/cli/SecretStoreCli.java
	modified:   logstash-core/src/test/java/org/logstash/secret/cli/SecretStoreCliTest.java

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   docs/reference/keystore.md

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@mergify mergify bot mentioned this pull request Apr 24, 2025
Merged
3 tasks
@github-actions
Copy link
Contributor

github-actions bot commented Apr 24, 2025

📃 DOCS PREVIEWhttps://logstash_bk_17585.docs-preview.app.elstc.co/diff

@elastic-sonarqube
Copy link

elastic-sonarqube bot commented Apr 24, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 24, 2025

💚 Build Succeeded

cc @mashhurs

@mashhurs
Copy link
Contributor

mashhurs commented Apr 24, 2025

Rendered doc:
image

mashhurs
mashhurs approved these changes Apr 24, 2025
View reviewed changes
Copy link
Contributor

@mashhurs mashhurs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@mashhurs mashhurs merged commit a20bf01 into 8.17 Apr 24, 2025
7 checks passed
@mashhurs mashhurs deleted the mergify/bp/8.17/pr-17351 branch April 24, 2025 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaisecheng kaisecheng kaisecheng approved these changes

@mashhurs mashhurs mashhurs approved these changes

Assignees

@mashhurs mashhurs

Labels

backport conflicts Detected git conflicts

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@elasticmachine @mashhurs @kaisecheng