From 52f3a98cc813e0bf2eebff536fbfe502c09640cf Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Mon, 15 Nov 2021 19:12:58 +0100
Subject: [PATCH] preserve GCS credentials on update if not set
credentials were not preserved if "prefer_database_credentials" was set to true
Fixes #613
---
 go.mod | 2 +-
 go.sum | 4 ++--
 httpd/api_user.go | 4 +++-
 httpd/httpd_test.go | 13 +++++++++++++
 vfs/vfs.go | 4 ++--
 5 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 63cb76f3..efda38f9 100644
--- a/go.mod
+++ b/go.mod
@@ -128,7 +128,7 @@ require (
 golang.org/x/text v0.3.7 // indirect
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20211112145013-271947fe86fd // indirect
+ google.golang.org/genproto v0.0.0-20211115160612-a5da7257a6f7 // indirect
 gopkg.in/ini.v1 v1.64.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
diff --git a/go.sum b/go.sum
index bf7b61f3..5d7378c6 100644
--- a/go.sum
+++ b/go.sum
@@ -1190,8 +1190,8 @@ google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEc google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211016002631-37fc39342514/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211021150943-2b146023228c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211112145013-271947fe86fd h1:8jqRgiTTWyKMDOM2AvhjA5dZLBSKXg1yFupPRBV/4fQ= -google.golang.org/genproto v0.0.0-20211112145013-271947fe86fd/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211115160612-a5da7257a6f7 h1:0LoCYJF53PEqtJOntKxGD72X/c8Xto5EZ4HLrt9D80I= +google.golang.org/genproto v0.0.0-20211115160612-a5da7257a6f7/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
diff --git a/httpd/api_user.go b/httpd/api_user.go
index fdaa5c6e..68c27319 100644
--- a/httpd/api_user.go
+++ b/httpd/api_user.go
@@ -245,7 +245,9 @@ func updateEncryptedSecrets(fsConfig *vfs.Filesystem, currentS3AccessSecret, cur
 fsConfig.AzBlobConfig.SASURL = currentAzSASUrl
 }
 case sdk.GCSFilesystemProvider:
- if fsConfig.GCSConfig.Credentials.IsNotPlainAndNotEmpty() {
+ // for GCS credentials will be cleared if we enable automatic credentials
+ // so keep the old credentials here if no new credentials are provided
+ if !fsConfig.GCSConfig.Credentials.IsPlain() {
 fsConfig.GCSConfig.Credentials = currentGCSCredentials
 }
 case sdk.CryptedFilesystemProvider:
diff --git a/httpd/httpd_test.go b/httpd/httpd_test.go
index 00640e60..bab633a2 100644
--- a/httpd/httpd_test.go
+++ b/httpd/httpd_test.go
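Review bot: The new comment in the `sdk.GCSFilesystemProvider` case of `updateEncryptedSecrets` (httpd/api_user.go hunk) does not say where the clearing happens, nor that an update can no longer blank the stored credentials. With `!fsConfig.GCSConfig.Credentials.IsPlain()` an empty secret is handled like a redacted one, so the stored credentials are kept unless the request carries new plain ones. Judging by the vfs/vfs.go hunks of this commit, the only path that drops them is `GCSFsConfig.Validate` with `AutomaticCredentials == 1`, which presumably runs after this function. I would state that in the comment, e.g. `// an empty or non-plain secret means "keep the stored credentials"; GCSFsConfig.Validate discards them when automatic credentials are enabled`, so that an operator rotating or revoking a key knows an empty update leaves the old one in place. The function starts and ends outside the hunk.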
@@ -2802,6 +2802,19 @@ func TestUserHiddenFields(t *testing.T) {
 assert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetKey())
 assert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData())
+ // update the GCS user and check that the credentials are preserved
+ user2.FsConfig.GCSConfig.Credentials = kms.NewEmptySecret()
+ _, _, err = httpdtest.UpdateUser(user2, http.StatusOK, "")
+ assert.NoError(t, err)
+
+ user2, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK)
+ assert.NoError(t, err)
+ assert.Empty(t, user2.Password)
+ assert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetKey())
+ assert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetAdditionalData())
+ assert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetStatus())
+ assert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetPayload())
+
 _, err = httpdtest.RemoveUser(user1, http.StatusOK)
 assert.NoError(t, err)
 _, err = httpdtest.RemoveUser(user2, http.StatusOK)
diff --git a/vfs/vfs.go b/vfs/vfs.go
index 6229df92..5433338a 100644
--- a/vfs/vfs.go
+++ b/vfs/vfs.go
@@ -311,7 +311,7 @@ func (c *GCSFsConfig) isEqual(other *GCSFsConfig) bool {
 // Validate returns an error if the configuration is not valid
 func (c *GCSFsConfig) Validate(credentialsFilePath string) error {
- if c.Credentials == nil {
+ if c.Credentials == nil || c.AutomaticCredentials == 1 {
 c.Credentials = kms.NewEmptySecret()
 }
 if c.Bucket == "" {
@@ -329,7 +329,7 @@ func (c *GCSFsConfig) Validate(credentialsFilePath string) error {
 if c.Credentials.IsEncrypted() && !c.Credentials.IsValid() {
 return errors.New("invalid encrypted credentials")
 }
- if !c.Credentials.IsValidInput() && c.AutomaticCredentials == 0 {
+ if c.AutomaticCredentials == 0 && !c.Credentials.IsValidInput() {
 fi, err := os.Stat(credentialsFilePath)
 if err != nil {
 return fmt.Errorf("invalid credentials %v", err)
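Review bot: The assertions added to `TestUserHiddenFields` (httpd/httpd_test.go hunk) only show that some non-empty status and payload come back after the update, not that they belong to the credential stored before it. Reading the payload from `user2` before the empty secret is assigned and comparing afterwards, e.g. `assert.Equal(t, oldPayload, user2.FsConfig.GCSConfig.Credentials.GetPayload())`, would catch a regression that swaps the secret, assuming the API returns the stored payload unchanged. The `AutomaticCredentials == 1` path changed in vfs/vfs.go is not exercised either; a follow-up update that enables automatic credentials and asserts that no payload is returned would pin the clearing behaviour. The test function starts and ends outside the hunk.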
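Review bot: In `GCSFsConfig.Validate` (vfs/vfs.go, first hunk) the credentials are discarded only when `c.AutomaticCredentials == 1`, while the second hunk runs the `IsValidInput` check only when `c.AutomaticCredentials == 0`, so any other value gets neither the clearing nor that check. Unless the field is constrained to 0 or 1 somewhere outside these hunks, I would make the two conditions complementary, e.g. `if c.Credentials == nil || c.AutomaticCredentials != 0 {`, or reject other values at the top of Validate. The doc comment should also mention the new side effect, e.g. `// Validate returns an error if the configuration is not valid. It discards the credentials if automatic credentials are enabled`. Validate's body continues outside both hunks.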