fix(secrets): migrate to GA Azure Key Vault azsecrets module#1224
Conversation
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 52 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
bfc7225 to
0f5716d
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
Adversarial review (PR #1224)Credential-surface PR, so I exercised every risk-axis from the brief. The migration is sound and the SSRF hardening is a strict improvement; two duplication / DNS-bypass items go out as follow-ups rather than blocking the GA migration. Verified
Follow-ups filed (out of scope)
UNSTABLE stateAll failing checks are pre-existing on
None are caused by this diff. Not blocking. VerdictLGTM. CR re-ping posted ( |
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
Your validation makes sense, and I agree with the conclusion: the GA Azure Key Vault migration in I’m re-running the review now. 🐇✅ ✏️ Learnings added
✅ Action performedReview finished.
|
|
@coderabbitai review |
✅ Action performedReview finished.
|
0f5716d to
7bdfb51
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
Replace the retired github.com/Azure/azure-sdk-for-go/sdk/keyvault/ azsecrets v0.12.0 beta module with the GA replacement sdk/security/keyvault/azsecrets v1.4.0 on the secrets-resolution path. Microsoft retired the whole sdk/keyvault/* beta tree in 2023, so the old module receives no bug or security fixes despite sitting on the path that fetches admin passwords, API keys, and encryption keys. Changes: - internal/secrets/azure_resolver.go: switch the import to the GA module and rename NewListSecretsPager to NewListSecretPropertiesPager per the GA API; GetSecret/SetSecret signatures are unchanged. - Tests: adopt the GA type names (SecretProperties, Secret, ListSecretPropertiesResponse/Options, SecretPropertiesListResult). - The httptest harness now uses httptest.NewTLSServer with the test server's client as transport, because the GA challenge policy only attaches credentials over TLS-protected connections. - go.mod/go.sum: drop the retired sdk/keyvault/azsecrets v0.12.0 and transitive sdk/keyvault/internal v0.7.1; v1.4.0 matches the azkeys version already in use and requires no other dependency bumps. - Add a regression guard test that fails if any retired sdk/keyvault/* module reappears in go.mod (verified failing on the pre-fix go.mod). Closes #1146
The azsecrets.NewClient call passed nil options, using the default net/http transport with no SSRF protection. An attacker-controlled URL redirect could reach the Azure link-local metadata endpoint (169.254.169.254) and exfiltrate managed-identity credentials. Wire an IMDS-blocking transport (blockIMDSDialer) into azsecrets.ClientOptions.Transport in NewAzureResolver, mirroring the defense already applied in providers/azure/internal/httpclient. A new TestAzureResolver_IMDSBlocked test asserts the block is active. Closes: feedback_azure_use_httpclient_new (SUP-01 / issue #1146)
The bodyclose linter flagged client.Do in TestAzureResolver_IMDSBlocked because the *http.Response body was never closed. Capture the response and close its body when non-nil (it is nil on the expected blocked-dial error, but the guard keeps the linter and future non-error paths safe).
7bdfb51 to
2425412
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
Merged to main after pre-merge adversarial review (verdict MERGE): beta sdk/keyvault/azsecrets fully replaced by the GA module (only rename NewListSecretsPager->NewListSecretPropertiesPager; GetSecret empty-version semantics unchanged), fail-loud error wrapping preserved, IMDS-blocking transport correctly scoped to the azsecrets pipeline, guard test blocks beta re-introduction, union with main green (244 secrets tests). Zero unresolved CR threads. Consolidation/DNS hardening tracked in #1323/#1324. |
Problem
Closes #1146 (review finding SUP-01, P2).
internal/secrets/azure_resolver.goimported the retired beta modulegithub.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecretsv0.12.0 (plus the transitively retiredsdk/keyvault/internalv0.7.1). Microsoft retired the entiresdk/keyvault/*beta tree in 2023 in favor ofsdk/security/keyvault/*, so the old module receives no bug or security fixes despite sitting on the live secrets-resolution path that fetches admin passwords, API keys, and encryption keys from Azure Key Vault. The repo already used the GA tree elsewhere (sdk/security/keyvault/azkeysv1.4.0), so the retired and GA trees coexisted.Fix
internal/secrets/azure_resolver.goto the GA modulesdk/security/keyvault/azsecretsv1.4.0. The only API change on our surface is the renameNewListSecretsPager->NewListSecretPropertiesPager;GetSecret,SetSecret, response shapes, andID.Name()semantics are unchanged.azkeysversion) so no other dependency bumps are needed;go mod tidydrops the retiredsdk/keyvault/azsecretsandsdk/keyvault/internalfrom go.mod and go.sum entirely.SecretProperties,Secret,ListSecretPropertiesResponse/Options,SecretPropertiesListResult). The httptest harness now useshttptest.NewTLSServerwith the test server's client as transport, because the GA Key Vault challenge policy only attaches credentials over TLS-protected connections.internal/secrets/azure_sdk_module_guard_test.go) that fails if any retiredsdk/keyvault/*module path reappears in the root go.mod.Test evidence
go test ./internal/secrets/ -run TestNoRetiredAzureKeyVaultModuleFAILS onsdk/keyvault/azsecrets v0.12.0; after the fix it passes.go build ./...succeeds.go test ./internal/secrets/ -count=1: 243 passed, 0 failed.go vet ./internal/secrets/: no issues.grep "sdk/keyvault/" go.mod go.sum: no matches remaining.