From 7895f99d3afc6e97f62f52abe06a6ee8d0f0617f Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Wed, 14 Jun 2023 16:56:15 +0200
Subject: admin and cli: hide secret keys unless asked

---
 src/api/admin/key.rs | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

(limited to 'src/api/admin/key.rs')

diff --git a/src/api/admin/key.rs b/src/api/admin/key.rs
index 664fde4c..0d1f799b 100644
--- a/src/api/admin/key.rs
+++ b/src/api/admin/key.rs
@@ -10,7 +10,7 @@ use garage_model::garage::Garage;
 use garage_model::key_table::*;
 
 use crate::admin::error::*;
-use crate::helpers::{json_ok_response, parse_json_body};
+use crate::helpers::{is_default, json_ok_response, parse_json_body};
 
 pub async fn handle_list_keys(garage: &Arc<Garage>) -> Result<Response<Body>, Error> {
 	let res = garage
@@ -44,6 +44,7 @@ pub async fn handle_get_key_info(
 	garage: &Arc<Garage>,
 	id: Option<String>,
 	search: Option<String>,
+	show_secret_key: bool,
 ) -> Result<Response<Body>, Error> {
 	let key = if let Some(id) = id {
 		garage.key_helper().get_existing_key(&id).await?
@@ -56,7 +57,7 @@ pub async fn handle_get_key_info(
 		unreachable!();
 	};
 
-	key_info_results(garage, key).await
+	key_info_results(garage, key, show_secret_key).await
 }
 
 pub async fn handle_create_key(
@@ -68,7 +69,7 @@ pub async fn handle_create_key(
 	let key = Key::new(req.name.as_deref().unwrap_or("Unnamed key"));
 	garage.key_table.insert(&key).await?;
 
-	key_info_results(garage, key).await
+	key_info_results(garage, key, true).await
 }
 
 #[derive(Deserialize)]
@@ -88,10 +89,14 @@ pub async fn handle_import_key(
 		return Err(Error::KeyAlreadyExists(req.access_key_id.to_string()));
 	}
 
-	let imported_key = Key::import(&req.access_key_id, &req.secret_access_key, &req.name);
+	let imported_key = Key::import(
+		&req.access_key_id,
+		&req.secret_access_key,
+		req.name.as_deref().unwrap_or("Imported key"),
+	);
 	garage.key_table.insert(&imported_key).await?;
 
-	key_info_results(garage, imported_key).await
+	key_info_results(garage, imported_key, false).await
 }
 
 #[derive(Deserialize)]
@@ -99,7 +104,7 @@ pub async fn handle_import_key(
 struct ImportKeyRequest {
 	access_key_id: String,
 	secret_access_key: String,
-	name: String,
+	name: Option<String>,
 }
 
 pub async fn handle_update_key(
@@ -129,7 +134,7 @@ pub async fn handle_update_key(
 
 	garage.key_table.insert(&key).await?;
 
-	key_info_results(garage, key).await
+	key_info_results(garage, key, false).await
 }
 
 #[derive(Deserialize)]
@@ -152,7 +157,11 @@ pub async fn handle_delete_key(garage: &Arc<Garage>, id: String) -> Result<Respo
 		.body(Body::empty())?)
 }
 
-async fn key_info_results(garage: &Arc<Garage>, key: Key) -> Result<Response<Body>, Error> {
+async fn key_info_results(
+	garage: &Arc<Garage>,
+	key: Key,
+	show_secret: bool,
+) -> Result<Response<Body>, Error> {
 	let mut relevant_buckets = HashMap::new();
 
 	let key_state = key.state.as_option().unwrap();
@@ -181,7 +190,11 @@ async fn key_info_results(garage: &Arc<Garage>, key: Key) -> Result<Response<Bod
 	let res = GetKeyInfoResult {
 		name: key_state.name.get().clone(),
 		access_key_id: key.key_id.clone(),
-		secret_access_key: key_state.secret_key.clone(),
+		secret_access_key: if show_secret {
+			Some(key_state.secret_key.clone())
+		} else {
+			None
+		},
 		permissions: KeyPerm {
 			create_bucket: *key_state.allow_create_bucket.get(),
 		},
@@ -227,7 +240,8 @@ async fn key_info_results(garage: &Arc<Garage>, key: Key) -> Result<Response<Bod
 struct GetKeyInfoResult {
 	name: String,
 	access_key_id: String,
-	secret_access_key: String,
+	#[serde(skip_serializing_if = "is_default")]
+	secret_access_key: Option<String>,
 	permissions: KeyPerm,
 	buckets: Vec<KeyInfoBucketResult>,
 }
-- 
cgit v1.2.3