From 227645629538335c407ffa93b1c4b010dc042c56 Mon Sep 17 00:00:00 2001 From: Andrey Antukh Date: Tue, 17 Mar 2026 10:39:26 +0100 Subject: [PATCH] :sparkles: Add minor compatibility adjustments for audit archive task (#8491) --- .gitignore | 1 + backend/scripts/_env | 1 + backend/src/app/config.clj | 1 + backend/src/app/loggers/audit.clj | 2 +- .../src/app/loggers/audit/archive_task.clj | 12 ++--- backend/src/app/main.clj | 11 ++-- backend/src/app/setup.clj | 54 ++++++++----------- common/src/app/common/schema.cljc | 17 +++--- 8 files changed, 48 insertions(+), 51 deletions(-) diff --git a/.gitignore b/.gitignore index d0a13534b4..60561d6bcf 100644 --- a/.gitignore +++ b/.gitignore @@ -62,6 +62,7 @@ /frontend/test-results/ /frontend/.shadow-cljs /other/ +/scripts/ /nexus/ /tmp/ /vendor/**/target diff --git a/backend/scripts/_env b/backend/scripts/_env index 0026d9f901..f57c6121ec 100644 --- a/backend/scripts/_env +++ b/backend/scripts/_env @@ -2,6 +2,7 @@ export PENPOT_NITRATE_SHARED_KEY=super-secret-nitrate-api-key export PENPOT_EXPORTER_SHARED_KEY=super-secret-exporter-api-key +export PENPOT_NEXUS_SHARED_KEY=super-secret-nexus-api-key export PENPOT_SECRET_KEY=super-secret-devenv-key # DEPRECATED: only used for subscriptions diff --git a/backend/src/app/config.clj b/backend/src/app/config.clj index d0a80f6515..a0d680c199 100644 --- a/backend/src/app/config.clj +++ b/backend/src/app/config.clj @@ -103,6 +103,7 @@ [:exporter-shared-key {:optional true} :string] [:nitrate-shared-key {:optional true} :string] + [:nexus-shared-key {:optional true} :string] [:management-api-key {:optional true} :string] [:telemetry-uri {:optional true} :string] diff --git a/backend/src/app/loggers/audit.clj b/backend/src/app/loggers/audit.clj index c374b432f9..89119b04e1 100644 --- a/backend/src/app/loggers/audit.clj +++ b/backend/src/app/loggers/audit.clj 
@@ -120,7 +120,7 @@ ;; an external storage and data cleared. (def ^:private schema:event - [:map {:title "event"} + [:map {:title "AuditEvent"} [::type ::sm/text] [::name ::sm/text] [::profile-id ::sm/uuid] diff --git a/backend/src/app/loggers/audit/archive_task.clj b/backend/src/app/loggers/audit/archive_task.clj index 4eb87d595e..62024e573b 100644 --- a/backend/src/app/loggers/audit/archive_task.clj +++ b/backend/src/app/loggers/audit/archive_task.clj @@ -10,14 +10,11 @@ [app.common.logging :as l] [app.common.schema :as sm] [app.common.transit :as t] - [app.common.uuid :as uuid] [app.config :as cf] [app.db :as db] [app.http.client :as http] [app.setup :as-alias setup] - [app.tokens :as tokens] [integrant.core :as ig] - [lambdaisland.uri :as u] [promesa.exec :as px])) ;; This is a task responsible to send the accumulated events to @@ -52,19 +49,18 @@ (defn- send! [{:keys [::uri] :as cfg} events] - (let [token (tokens/generate cfg - {:iss "authentication" - :uid uuid/zero}) + (let [skey (-> cfg ::setup/shared-keys :nexus) body (t/encode {:events events}) headers {"content-type" "application/transit+json" "origin" (str (cf/get :public-uri)) - "cookie" (u/map->query-string {:auth-token token})} + "x-shared-key" (str "nexus " skey)} params {:uri uri :timeout 12000 :method :post :headers headers :body body} resp (http/req! cfg params)] + (if (= (:status resp) 204) true (do @@ -109,7 +105,7 @@ (def ^:private schema:handler-params [:map ::db/pool - ::setup/props + ::setup/shared-keys ::http/client]) (defmethod ig/assert-key ::handler diff --git a/backend/src/app/main.clj b/backend/src/app/main.clj index 693752080a..383578531e 100644 --- a/backend/src/app/main.clj +++ b/backend/src/app/main.clj 
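Review bot: `send!` builds the `x-shared-key` header from `skey` without checking it, so when `::setup/shared-keys` carries no `:nexus` entry (the setup code drops a key configured as an empty string) the request goes out with the header value `"nexus "` and every archive attempt fails on the remote side instead of being rejected locally. A guard before the request keeps the failure explicit, e.g. `(when-not skey (l/wrn :hint "nexus shared key not configured, skipping audit archive"))` with an early return, or an assertion in the handler. The same gap exists in `schema:handler-params` in the following hunk, where `::setup/shared-keys` only states that the map is present, not that it contains `:nexus`. The body of `send!` continues past the end of the hunk.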
@@ -466,16 +466,17 @@ ::setup/shared-keys {::setup/props (ig/ref ::setup/props) - :nitrate (cf/get :nitrate-shared-key) - :exporter (cf/get :exporter-shared-key)} + :nexus (cf/get :nexus-shared-key) + :nitrate (cf/get :nitrate-shared-key) + :exporter (cf/get :exporter-shared-key)} ::setup/clock {} :app.loggers.audit.archive-task/handler - {::setup/props (ig/ref ::setup/props) - ::db/pool (ig/ref ::db/pool) - ::http.client/client (ig/ref ::http.client/client)} + {::setup/shared-keys (ig/ref ::setup/shared-keys) + ::http.client/client (ig/ref ::http.client/client) + ::db/pool (ig/ref ::db/pool)} :app.loggers.audit.gc-task/handler {::db/pool (ig/ref ::db/pool)} diff --git a/backend/src/app/setup.clj b/backend/src/app/setup.clj index 7406cbca93..2a860f4262 100644 --- a/backend/src/app/setup.clj +++ b/backend/src/app/setup.clj 
@@ -82,45 +82,37 @@ (db/tx-run! cfg (fn [{:keys [::db/conn]}] (db/xact-lock! conn 0) (when-not key - (l/warn :hint (str "using autogenerated secret-key, it will change on each restart and will invalidate " - "all sessions on each restart, it is highly recommended setting up the " - "PENPOT_SECRET_KEY environment variable"))) + (l/wrn :hint (str "using autogenerated secret-key, it will change " + "on each restart and will invalidate " + "all sessions on each restart, it is highly " + "recommended setting up the " + "PENPOT_SECRET_KEY environment variable"))) (let [secret (or key (generate-random-key))] (-> (get-all-props conn) (assoc :secret-key secret) (assoc :tokens-key (keys/derive secret :salt "tokens")) (update :instance-id handle-instance-id conn (db/read-only? pool))))))) -(sm/register! ::props [:map-of :keyword ::sm/any]) - - (defmethod ig/init-key ::shared-keys [_ {:keys [::props] :as cfg}] (let [secret (get props :secret-key)] - (d/without-nils - {:exporter - (let [key (or (get cfg :exporter) - (-> (keys/derive secret :salt "exporter") - (bc/bytes->b64-str true)))] - (if (or (str/empty? key) - (str/blank? key)) - (do - (l/wrn :hint "exporter key is disabled because empty string found") - nil) - (do - (l/inf :hint "exporter key initialized" :key (d/obfuscate-string key)) - key))) + (reduce (fn [keys id] + (let [key (or (get cfg id) + (-> (keys/derive secret :salt (name id)) + (bc/bytes->b64-str true)))] + (if (or (str/empty? key) + (str/blank? key)) + (do + (l/wrn :id (name id) :hint "key is disabled because empty string found") + keys) + (do + (l/inf :id (name id) :hint "key initialized" :key (d/obfuscate-string key)) + (assoc keys id key))))) + {} + [:exporter + :nitrate + :nexus]))) - :nitrate - (let [key (or (get cfg :nitrate) - (-> (keys/derive secret :salt "nitrate") - (bc/bytes->b64-str true)))] - (if (or (str/empty? key) - (str/blank? 
key)) - (do - (l/wrn :hint "nitrate key is disabled because empty string found") - nil) - (do - (l/inf :hint "nitrate key initialized" :key (d/obfuscate-string key)) - key)))}))) +(sm/register! ::props [:map-of :keyword ::sm/any]) +(sm/register! ::shared-keys [:map-of :keyword ::sm/text]) diff --git a/common/src/app/common/schema.cljc b/common/src/app/common/schema.cljc index 87d0784969..e2ec0c7ae5 100644 --- a/common/src/app/common/schema.cljc +++ b/common/src/app/common/schema.cljc @@ -5,7 +5,7 @@ ;; Copyright (c) KALEIDOS INC (ns app.common.schema - (:refer-clojure :exclude [deref merge parse-uuid parse-long parse-double parse-boolean type keys]) + (:refer-clojure :exclude [deref merge parse-uuid parse-long parse-double parse-boolean type keys select-keys]) #?(:cljs (:require-macros [app.common.schema :refer [ignoring]])) (:require #?(:clj [malli.dev.pretty :as mdp]) @@ -93,6 +93,11 @@ [& items] (apply mu/merge (map schema items))) +(defn select-keys + [s keys & {:as opts}] + (let [s (schema s)] + (mu/select-keys s keys opts))) + (defn assoc-key "Add a key & value to a schema of type [:map]. If the first level node of the schema is not a map, will do a depth search to find the first map node and add the key there." @@ -138,10 +143,10 @@ (mu/optional-keys schema keys default-options))) (defn required-keys - ([schema] - (mu/required-keys schema nil default-options)) - ([schema keys] - (mu/required-keys schema keys default-options))) + ([s] + (mu/required-keys (schema s) nil default-options)) + ([s keys] + (mu/required-keys (schema s) keys default-options))) (defn transformer [& transformers] @@ -646,7 +651,7 @@ {:title "set" :description "Set of Strings" :error/message "should be a set of strings" - :gen/gen (-> kind sg/generator sg/set) + :gen/gen (sg/mcat (fn [_] (sg/generator kind)) sg/int) :decode/string decode :decode/json decode :encode/string encode-string
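Review bot: In the `::shared-keys` init the reduce accumulator is named `keys`, the same symbol as the `keys/derive` alias used on the next line; it does not clash (the alias is only used qualified), but it reads as if the accumulator were being called, so `acc` would be clearer. The test `(or (str/empty? key) (str/blank? key))` is redundant since `str/blank?` already covers the empty string; `(if (str/blank? key) …)` says the same. When a key is not configured it is derived from `secret-key`, so with an autogenerated secret the derived `:exporter`, `:nitrate` and `:nexus` keys also change on every restart; the warning logged a few lines above mentions only sessions and could add `"and any shared keys derived from it"`.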
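Review bot: `select-keys` is the only helper in this namespace that forwards caller-supplied options straight to `malli.util` instead of `default-options`; with no options given `opts` is `nil`, so the call behaves differently from the neighbouring `required-keys`/`optional-keys`. If that is not intended, merge them: `(mu/select-keys s keys (clojure.core/merge default-options opts))` (`clojure.core/` is needed because this namespace excludes `merge`). A docstring is also missing; something like `"Select the given keys of a [:map] schema; accepts malli.util options as keyword arguments."` would match the siblings.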
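Review bot: The new `:gen/gen` draws an int from `sg/int` and then discards it in `(fn [_] (sg/generator kind))`, so the result is whatever `kind` generates, once; the previous generator wrapped that in `sg/set`. If `kind` is the element schema (the entry is described as "Set of Strings"), generated values are no longer sets and will not round-trip through the decoders beside it — worth confirming with a quick sample. If `kind` was changed elsewhere to already be a set schema, a short comment explaining why the int is drawn and ignored would help the next reader.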