refactor(server): remove client secret traces from public api

thinktecture · Jul 15, 2024 · 5848500 · 5848500
1 parent fdc684a
commit 5848500
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 67 deletions.
diff --git a/src/Thinktecture.Relay.Server.Abstractions/Persistence/Models/PersistenceModelExtensions.cs b/src/Thinktecture.Relay.Server.Abstractions/Persistence/Models/PersistenceModelExtensions.cs
@@ -61,32 +61,5 @@ public static void UpdateFrom(this Tenant instance, Tenant other)
 			instance.Config ??= new Config();
 			instance.Config.UpdateFrom(other.Config);
 		}
-
-		// copy over secrets when they are complete with values
-		if (other.ClientSecrets is not null)
-		{
-			instance.ClientSecrets ??= new List<ClientSecret>();
-			instance.ClientSecrets.RemoveAll(cs => other.ClientSecrets.All(os => os.Id != cs.Id));
-
-			// only consider secrets that actually have a value
-			foreach (var secret in other.ClientSecrets.Where(o => !String.IsNullOrWhiteSpace(o.Value)))
-			{
-				var existingSecret = instance.ClientSecrets.SingleOrDefault(cs => cs.Id == secret.Id);
-				if (existingSecret is null)
-				{
-					// create new secret, either with given id or with a new one
-					if (secret.Id == Guid.Empty)
-					{
-						secret.Id = Guid.NewGuid();
-					}
-
-					secret.Created = DateTime.UtcNow;
-
-					instance.ClientSecrets.Add(existingSecret = new ClientSecret() { Id = secret.Id, });
-				}
-
-				existingSecret.UpdateFrom(secret);
-			}
-		}
 	}
 }
diff --git a/src/Thinktecture.Relay.Server.Management/DataTransferObjects/Tenant.cs b/src/Thinktecture.Relay.Server.Management/DataTransferObjects/Tenant.cs
@@ -56,9 +56,4 @@ public class Tenant
 	/// Gets or sets maximum delay to wait for until a reconnect of a connector should be attempted again.
 	/// </summary>
 	public TimeSpan? ReconnectMaximumDelay { get; set; }
-
-	/// <summary>
-	/// Gets or sets a list of tenant credentials stored for this tenant.
-	/// </summary>
-	public TenantCredential[] Credentials { get; set; } = Array.Empty<TenantCredential>();
 }
diff --git a/src/Thinktecture.Relay.Server.Management/Extensions/PersistenceModelsExtensions.cs b/src/Thinktecture.Relay.Server.Management/Extensions/PersistenceModelsExtensions.cs
@@ -38,15 +38,6 @@ public static TenantModel ToModel(this TenantEntity tenant)
 			EnableTracing = tenant.Config?.EnableTracing,
 			ReconnectMinimumDelay = tenant.Config?.ReconnectMinimumDelay,
 			ReconnectMaximumDelay = tenant.Config?.ReconnectMaximumDelay,
-
-			// credential property
-			Credentials = tenant.ClientSecrets?.Select(s => new TenantCredential()
-				{
-					Id = s.Id,
-					Created = s.Created,
-					Expiration = s.Expiration,
-				}).ToArray() ??
-				Array.Empty<TenantCredential>(),
 		};
 
 	/// <summary>
@@ -79,15 +70,6 @@ tenant.ReconnectMinimumDelay is not null ||
 			DisplayName = tenant.DisplayName,
 			Description = tenant.Description,
 			Config = config,
-			ClientSecrets = tenant.Credentials.Select(s =>
-				new ClientSecret()
-				{
-					Id = s.Id,
-					Created = s.Created,
-					Value = s.Value ?? Sha512(s.PlainTextValue)!,
-					Expiration = s.Expiration,
-				}
-			).ToList(),
 		};
 
 		if (tenant.RequireAuthentication.HasValue)

diff --git a/src/Thinktecture.Relay.Server.Persistence.EntityFrameworkCore/TenantService.cs b/src/Thinktecture.Relay.Server.Persistence.EntityFrameworkCore/TenantService.cs
@@ -26,7 +26,6 @@ public TenantService(RelayDbContext dbContext)
 		var normalizedName = NormalizeName(tenantName);
 
 		return await _dbContext.Tenants
-			.Include(t => t.ClientSecrets)
 			.Include(t => t.Connections)
 			.Include(t => t.Config)
 			.AsNoTracking()
@@ -39,7 +38,6 @@ public TenantService(RelayDbContext dbContext)
 		var normalizedName = NormalizeName(tenantName);
 
 		return await _dbContext.Tenants
-			.Include(t => t.ClientSecrets)
 			.Include(t => t.Config)
 			.AsNoTracking()
 			.SingleOrDefaultAsync(t => t.NormalizedName == normalizedName, cancellationToken: cancellationToken);
@@ -72,7 +70,6 @@ public TenantService(RelayDbContext dbContext)
 	public async Task<Page<Tenant>> LoadAllTenantsPagedAsync(int skip, int take, CancellationToken cancellationToken)
 		=> await _dbContext.Tenants
 			.Include(t => t.Config)
-			.Include(t => t.ClientSecrets)
 			.AsNoTracking()
 			.OrderBy(t => t.NormalizedName)
 			.ToPagedResultAsync(skip, take, cancellationToken);
@@ -109,7 +106,6 @@ public async Task<bool> UpdateTenantAsync(string tenantName, Tenant tenant, Canc
 
 		var existingTenant = await _dbContext.Tenants
 			.Include(t => t.Config)
-			.Include(t => t.ClientSecrets)
 			.SingleOrDefaultAsync(t => t.NormalizedName == tenant.NormalizedName, cancellationToken: cancellationToken);
 
 		if (existingTenant is null) return false;

diff --git a/src/docker/docker-compose.yml b/src/docker/docker-compose.yml
@@ -29,6 +29,17 @@ x-logging: &logging
 configs:
   erlang-cookie:
     content: VEhJUyBJUyBUSElOS1RFQ1RVUkUh
+  curl-headers:
+    content: |
+      Accept: application/json
+      Content-Type: application/json
+      Api-Key: write-key
+  test-tenant-1:
+    content: |
+      { "name": "TestTenant1", "displayName": "Test Tenant 1" }
+  test-tenant-2:
+    content: |
+      { "name": "TestTenant2", "displayName": "Test Tenant 2" }
 
 services:
   relay-transport-rabbitmq-1:
@@ -74,9 +85,10 @@ services:
       - postgresql-data:/var/lib/postgresql/data
     healthcheck:
       test:
-        [
-          "CMD-SHELL", "pg_isready", "-d", "db_prod"
-        ]
+        - "CMD-SHELL"
+        - "pg_isready"
+        - "-d"
+        - "db_prod"
       interval: 10s
       timeout: 60s
       retries: 10
@@ -97,9 +109,8 @@ services:
       - sqlserver-data:/var/opt/mssql/data
     healthcheck:
       test:
-        [
-          "CMD-SHELL", "/opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P '<Strong!Passw0rd>' -Q 'SELECT 1' || exit 1"
-        ]
+        - "CMD-SHELL"
+        - "/opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P '<Strong!Passw0rd>' -Q 'SELECT 1' || exit 1"
       interval: 10s
       timeout: 60s
       retries: 10
@@ -119,7 +130,10 @@ services:
         condition: service_healthy
       relay-persistence-sqlserver:
         condition: service_healthy
-    entrypoint: ["dotnet", "Thinktecture.Relay.Server.Docker.dll", "migrate-only=true"]
+    entrypoint:
+      - "dotnet"
+      - "Thinktecture.Relay.Server.Docker.dll"
+      - "migrate-only=true"
 
   relay-management-api:
     <<: *defaults
@@ -142,7 +156,20 @@ services:
     depends_on:
       - relay-server-migrations
       - relay-management-api
-    command: [ "sh", "-c", "sleep 5 && curl -H \"Accept: application/json\" -H \"Content-Type: application/json\" -H \"Api-Key: write-key\" --data-raw '{ \"name\": \"TestTenant1\", \"credentials\": [{ \"plainTextValue\": \"<Strong!Passw0rd>\" }]}' http://relay-management-api:5000/management/tenants && curl -H \"Accept: application/json\" -H \"Content-Type: application/json\" -H \"Api-Key: write-key\" --data-raw '{ \"name\": \"TestTenant2\", \"credentials\": [{ \"plainTextValue\": \"<Strong!Passw0rd>\" }]}' http://relay-management-api:5000/management/tenants" ]
+    configs:
+      - source: curl-headers
+        target: /headers
+        mode: 0644
+      - source: test-tenant-1
+        target: /test-tenant-1.json
+        mode: 0644
+      - source: test-tenant-2
+        target: /test-tenant-2.json
+        mode: 0644
+    command:
+      - "sh"
+      - "-c"
+      - "curl -H @/headers -d @/test-tenant-1.json http://relay-management-api:5000/management/tenants && curl -H @/headers -d @/test-tenant-2.json http://relay-management-api:5000/management/tenants"
 
   relay-identityprovider:
     <<: *defaults
@@ -158,7 +185,10 @@ services:
         KC_HEALTH_ENABLED: true
         KC_METRICS_ENABLED: true
         KC_HOSTNAME_DEBUG: true
-    command: [ "start-dev", "--http-port=5002", "--import-realm" ]
+    command:
+      - "start-dev"
+      - "--http-port=5002"
+      - "--import-realm"
 
   relay-server-a:
     <<: *defaults
@@ -213,9 +243,9 @@ services:
       <<: *logging
       Serilog__Properties__System: Connector_A2
       RelayConnector__RelayServerBaseUri: http://relay-server-a:5000
-      RelayConnector__TenantName: TestTenant1
+      RelayConnector__TenantName: TestTenant2
     depends_on:
-      - relay-connector-a1
+      - relay-server-a
 
   relay-connector-b1:
     <<: *defaults
@@ -225,7 +255,7 @@ services:
       <<: *logging
       Serilog__Properties__System: Connector_B1
       RelayConnector__RelayServerBaseUri: http://relay-server-b:5000
-      RelayConnector__TenantName: TestTenant2
+      RelayConnector__TenantName: TestTenant1
     depends_on:
       - relay-server-b
   relay-connector-b2:
@@ -238,7 +268,7 @@ services:
       RelayConnector__RelayServerBaseUri: http://relay-server-b:5000
       RelayConnector__TenantName: TestTenant2
     depends_on:
-      - relay-connector-b1
+      - relay-server-b
 
   relay-httpbin:
     <<: *defaults