Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/11/21 14:26:35 UTC

[GitHub] [beam] eantyshev opened a new pull request, #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

eantyshev opened a new pull request, #24287:
URL: https://github.com/apache/beam/pull/24287

   This is to reuse users' snippets on the Playground side
   
   [spec](https://docs.google.com/document/d/1xt0jwdohy5I21XnLn9XkLjN6NvL6dupCs9do_uK0TT0/edit)
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [beam] eantyshev commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1030202299


##########
learning/tour-of-beam/backend/README.md:
##########
@@ -86,10 +86,12 @@ Prerequisites:
     * Billing API
     * Cloud Functions API
     * Firebase Admin API
+    * Secret Manager API
  - set environment variables:
    * PROJECT_ID: GCP id
    * REGION: the region, "us-central1" fe
  - existing setup of Playground backend in a project
+ - create a secret `persistence_key_salt` in Secret Manager
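
Review bot: the new line `+ - create a secret `persistence_key_salt` in Secret Manager` tells the operator to create the secret but says nothing about what the value must look like, so a short or guessable string would be accepted and would weaken every key derived from it. Suggest stating that the value should come from a CSPRNG (for example `openssl rand -base64 32`) and that, because the keys are derived from it, it cannot be changed later without invalidating the persistence keys already handed out.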

Review Comment:
   thanks for bringing it up, added to README





[GitHub] [beam] olehborysevych commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
olehborysevych commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1029462231


##########
learning/tour-of-beam/backend/README.md:
##########
@@ -101,7 +103,9 @@ gcloud datastore indexes create ./internal/storage/index.yaml
 for endpoint in getSdkList getContentTree getUnitComplete getUserProgress postUnitComplete postUserCode; do
 gcloud functions deploy $endpoint --entry-point $endpoint \
   --region $REGION --runtime go116 --allow-unauthenticated \
-  --trigger-http --set-env-vars="DATASTORE_PROJECT_ID=$PROJECT_ID,GOOGLE_PROJECT_ID=$PROJECT_ID"
+  --trigger-http \
+  --set-env-vars="DATASTORE_PROJECT_ID=$PROJECT_ID,GOOGLE_PROJECT_ID=$PROJECT_ID" \
+  --set-secrets 'PERSISTENCE_KEY_SALT=persistence_key_salt:latest"
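
Review bot: the last added line opens the `--set-secrets` value with a single quote and closes it with a double quote (`'PERSISTENCE_KEY_SALT=persistence_key_salt:latest"`), so the shell sees an unterminated string and the whole `for` loop fails to parse; it should read `--set-secrets 'PERSISTENCE_KEY_SALT=persistence_key_salt:latest'`. Also, the loop binds the secret to all six endpoints, while the thread only describes `postUserCode` reading it; scoping `--set-secrets` to that one deploy keeps the other functions from carrying a secret they never use.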

Review Comment:
   please check mismatching quotation marks



##########
learning/tour-of-beam/backend/README.md:
##########
@@ -86,10 +86,12 @@ Prerequisites:
     * Billing API
     * Cloud Functions API
     * Firebase Admin API
+    * Secret Manager API
  - set environment variables:
    * PROJECT_ID: GCP id
    * REGION: the region, "us-central1" fe
  - existing setup of Playground backend in a project
+ - create a secret `persistence_key_salt` in Secret Manager

Review Comment:
   @eantyshev what are the requirements for the key salt value?



##########
learning/tour-of-beam/backend/README.md:
##########
@@ -101,7 +103,9 @@ gcloud datastore indexes create ./internal/storage/index.yaml
 for endpoint in getSdkList getContentTree getUnitComplete getUserProgress postUnitComplete postUserCode; do
 gcloud functions deploy $endpoint --entry-point $endpoint \
   --region $REGION --runtime go116 --allow-unauthenticated \
-  --trigger-http --set-env-vars="DATASTORE_PROJECT_ID=$PROJECT_ID,GOOGLE_PROJECT_ID=$PROJECT_ID"
+  --trigger-http \
+  --set-env-vars="DATASTORE_PROJECT_ID=$PROJECT_ID,GOOGLE_PROJECT_ID=$PROJECT_ID" \
+  --set-secrets 'PERSISTENCE_KEY_SALT=persistence_key_salt:latest"

Review Comment:
   can we have some kind of fallback in case we decide to go without a salt from secrets? just asking ))





[GitHub] [beam] eantyshev commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1028428415


##########
.github/workflows/tour_of_beam_examples_ci.yml:
##########
@@ -16,10 +16,10 @@
 name: Tour Of Beam Examples CI
 
 on:
-  push:
+  pull_request:
     paths:
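
Review bot: replacing `push:` with `pull_request:` means this workflow no longer runs after a merge to master, only on pull request events; if post-merge runs of the examples CI are still wanted, list both triggers rather than swapping one for the other. Worth checking too that no step in this workflow depends on repository secrets, since `pull_request` runs from forks get a read-only `GITHUB_TOKEN` and no secrets, which `push` runs did have.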

Review Comment:
   this prevented ToB Examples CI from running





[GitHub] [beam] eantyshev commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1028430917


##########
learning/tour-of-beam/backend/internal/service/persistence_key.go:
##########
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"os"
+	"strings"
+
+	tob "beam.apache.org/learning/tour-of-beam/backend/internal"
+)
+
+func makePersistenceKey(sdk tob.Sdk, unitId, uid string) string {
+	h := sha256.New()
+	// never share!
+	plainKey := strings.Join(
+		[]string{os.Getenv("PERSISTENCE_KEY_SALT"), sdk.String(), unitId, uid},
+		"|")
+	_, err := h.Write([]byte(plainKey))
+	if err != nil {
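
Review bot: joining the salt, `sdk.String()`, `unitId` and `uid` with `"|"` is an ambiguous encoding if any of those components can itself contain `|`, since two different tuples could then produce the same `plainKey` and the same persistence key; either reject the separator in the inputs or length-prefix each field. Since `PERSISTENCE_KEY_SALT` is acting as a secret key rather than a per-record salt, `crypto/hmac` with the salt as the HMAC key is the standard construction here and avoids having to think about separators at all. The `h.Write` error branch is fine to panic on, as `hash.Hash.Write` is documented never to return an error, but `os.Getenv` is re-read on every call and an unset variable silently yields an empty salt; reading it once at startup and refusing to start when it is empty would catch the misdeployment that later comments in this thread worry about.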

Review Comment:
   writing to an in-memory structure is bad enough to panic





[GitHub] [beam] eantyshev commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1030405542


##########
learning/tour-of-beam/backend/README.md:
##########
@@ -101,7 +103,9 @@ gcloud datastore indexes create ./internal/storage/index.yaml
 for endpoint in getSdkList getContentTree getUnitComplete getUserProgress postUnitComplete postUserCode; do

Review Comment:
   +





[GitHub] [beam] eantyshev commented on pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on PR #24287:
URL: https://github.com/apache/beam/pull/24287#issuecomment-1328298891

   After some thought, decided to get rid of the service-wide secret completely.
   First, having a system-wide secret is not a good practice ([owasp guidelines for storing passwords](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting)).
   
   Second, we don't have to re-calculate persistence_key on every call: we can calculate it once and store it in the tb_user_progress entity.
   This removes the over-complication in `generatePersistenceKey`, as it doesn't need to depend on (SDK, unitID, userID) if we choose a secure random source.




[GitHub] [beam] olehborysevych commented on pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
olehborysevych commented on PR #24287:
URL: https://github.com/apache/beam/pull/24287#issuecomment-1325256251

   R: @damccorm 




[GitHub] [beam] eantyshev commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1028430917


##########
learning/tour-of-beam/backend/internal/service/persistence_key.go:
##########
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"os"
+	"strings"
+
+	tob "beam.apache.org/learning/tour-of-beam/backend/internal"
+)
+
+func makePersistenceKey(sdk tob.Sdk, unitId, uid string) string {
+	h := sha256.New()
+	// never share!
+	plainKey := strings.Join(
+		[]string{os.Getenv("PERSISTENCE_KEY_SALT"), sdk.String(), unitId, uid},
+		"|")
+	_, err := h.Write([]byte(plainKey))
+	if err != nil {

Review Comment:
   failing to write to an in-memory structure is bad enough to panic





[GitHub] [beam] eantyshev commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
eantyshev commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1029607531


##########
learning/tour-of-beam/backend/README.md:
##########
@@ -101,7 +103,9 @@ gcloud datastore indexes create ./internal/storage/index.yaml
 for endpoint in getSdkList getContentTree getUnitComplete getUserProgress postUnitComplete postUserCode; do
 gcloud functions deploy $endpoint --entry-point $endpoint \
   --region $REGION --runtime go116 --allow-unauthenticated \
-  --trigger-http --set-env-vars="DATASTORE_PROJECT_ID=$PROJECT_ID,GOOGLE_PROJECT_ID=$PROJECT_ID"
+  --trigger-http \
+  --set-env-vars="DATASTORE_PROJECT_ID=$PROJECT_ID,GOOGLE_PROJECT_ID=$PROJECT_ID" \
+  --set-secrets 'PERSISTENCE_KEY_SALT=persistence_key_salt:latest"

Review Comment:
   If we don't set PERSISTENCE_KEY_SALT in the postUserCode CF, then an empty salt is used, and everything works but with some minor security risks:
   It would be possible to calculate the persistence_key for another user as `sha256(SDK, unitID, userID)`.
   But the Firebase User ID isn't exposed either, unless someone is already eavesdropping on another user's session. Quite a minor risk, maybe.
   
   But if at some point we decide to set PERSISTENCE_KEY_SALT non-empty, there'll be no way to keep users' progress, so better to decide now.



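The two designs argued over in this thread, the salted hash of (SDK, unitID, userID) from the original patch and the per-entity random key the author switched to, written out as an added example in Go; this is not code from the PR or from Beam, and `DerivePersistenceKey`, `ProgressEntity` and `EnsurePersistenceKey` are hypothetical names. It shows the two hardening points the review raised: refusing an empty salt instead of silently deriving a key from public inputs, and an unambiguous field encoding so a `|` inside a field cannot make two tuples collide.

```go
// Added example, not code from the apache/beam PR; names are hypothetical.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrEmptySalt replaces the silent empty-salt fallback discussed in the thread.
var ErrEmptySalt = errors.New("persistence key salt is not set")

// DerivePersistenceKey is the salted-hash design done as a keyed hash: HMAC-SHA256
// with the salt as key, each field length-prefixed so two different tuples cannot
// collapse to one byte string the way a "|" separator allows if a field contains "|".
func DerivePersistenceKey(salt []byte, sdk, unitID, uid string) (string, error) {
	if len(salt) == 0 {
		return "", ErrEmptySalt
	}
	mac := hmac.New(sha256.New, salt)
	for _, field := range []string{sdk, unitID, uid} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		mac.Write(n[:]) // hash.Hash.Write is documented never to return an error
		mac.Write([]byte(field))
	}
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// NewRandomPersistenceKey is the design the PR settled on: 256 bits from a CSPRNG,
// minted once and stored with the progress entity, so no service-wide secret exists.
func NewRandomPersistenceKey() (string, error) {
	var buf [32]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf[:]), nil
}

// ProgressEntity stands in for the tb_user_progress record mentioned in the thread.
type ProgressEntity struct{ Sdk, UnitID, UID, PersistenceKey string }

// EnsurePersistenceKey mints a key only when the entity has none and reports
// whether it did, so the caller knows the entity must be written back.
func EnsurePersistenceKey(e *ProgressEntity) (bool, error) {
	if e.PersistenceKey != "" {
		return false, nil
	}
	key, err := NewRandomPersistenceKey()
	if err != nil {
		return false, err
	}
	e.PersistenceKey = key
	return true, nil
}

func main() {
	// Constructed sample inputs, not real identifiers or a real salt.
	salt := []byte("constructed-example-salt-do-not-reuse")
	derived, _ := DerivePersistenceKey(salt, "go", "unit-1", "firebase-uid-1")
	e := &ProgressEntity{Sdk: "go", UnitID: "unit-1", UID: "firebase-uid-1"}
	created, _ := EnsurePersistenceKey(e)
	fmt.Println(derived, e.PersistenceKey, created)
}
```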


[GitHub] [beam] github-actions[bot] commented on pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #24287:
URL: https://github.com/apache/beam/pull/24287#issuecomment-1325257804

   Stopping reviewer notifications for this pull request: review requested by someone other than the bot, ceding control




[GitHub] [beam] damccorm merged pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
damccorm merged PR #24287:
URL: https://github.com/apache/beam/pull/24287




[GitHub] [beam] github-actions[bot] commented on pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #24287:
URL: https://github.com/apache/beam/pull/24287#issuecomment-1323330970

   Assigning reviewers. If you would like to opt out of this review, comment `assign to next reviewer`:
   
   R: @damccorm for label build.
   
   Available commands:
   - `stop reviewer notifications` - opt out of the automated review tooling
   - `remind me after tests pass` - tag the comment author after tests pass
   - `waiting on author` - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)
   
   The PR bot will only process comments in the main thread (not review comments).




[GitHub] [beam] damccorm commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
damccorm commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1030600050


##########
learning/tour-of-beam/backend/internal/service/persistence_key.go:
##########
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"os"
+	"strings"
+
+	tob "beam.apache.org/learning/tour-of-beam/backend/internal"
+)
+
+func makePersistenceKey(sdk tob.Sdk, unitId, uid string) string {
+	h := sha256.New()
+	// never share!
+	plainKey := strings.Join(
+		[]string{os.Getenv("PERSISTENCE_KEY_SALT"), sdk.String(), unitId, uid},

Review Comment:
   That could potentially happen if someone fails to set the secret when deploying, right?



##########
learning/tour-of-beam/backend/internal/service/persistence_key.go:
##########
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"os"
+	"strings"
+
+	tob "beam.apache.org/learning/tour-of-beam/backend/internal"
+)
+
+func makePersistenceKey(sdk tob.Sdk, unitId, uid string) string {
+	h := sha256.New()
+	// never share!
+	plainKey := strings.Join(
+		[]string{os.Getenv("PERSISTENCE_KEY_SALT"), sdk.String(), unitId, uid},

Review Comment:
   Should we validate/panic if PERSISTENCE_KEY_SALT isn't set?





[GitHub] [beam] olehborysevych commented on a diff in pull request #24287: [Tour Of Beam] persistence_key for Pg::SaveSnippet

Posted by GitBox <gi...@apache.org>.
olehborysevych commented on code in PR #24287:
URL: https://github.com/apache/beam/pull/24287#discussion_r1030363768


##########
learning/tour-of-beam/backend/README.md:
##########
@@ -101,7 +103,9 @@ gcloud datastore indexes create ./internal/storage/index.yaml
 for endpoint in getSdkList getContentTree getUnitComplete getUserProgress postUnitComplete postUserCode; do

Review Comment:
   @eantyshev could you please also fix getUnitComplete -> getUnitContent here,
   and also TOB_LEARNING_PATH -> TOB_LEARNING_ROOT below


