From fab4786ba93944b3ab56d6f5581f532a92c56452 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philip=20Dub=C3=A9?= Date: Tue, 8 Oct 2024 01:19:13 +0000 Subject: [PATCH] nexus: update secrecy (#2127) --- nexus/Cargo.lock | 4 ++-- nexus/flow-rs/src/grpc.rs | 2 +- nexus/peer-mysql/src/ast.rs | 5 +++-- nexus/peer-snowflake/Cargo.toml | 2 +- nexus/peer-snowflake/src/auth.rs | 13 +++++-------- nexus/peer-snowflake/src/lib.rs | 4 ++-- nexus/peer-snowflake/src/stream.rs | 2 +- 7 files changed, 15 insertions(+), 17 deletions(-) diff --git a/nexus/Cargo.lock b/nexus/Cargo.lock index 0061c58251..5788d0dc04 100644 --- a/nexus/Cargo.lock +++ b/nexus/Cargo.lock @@ -3596,9 +3596,9 @@ checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b" [[package]] name = "secrecy" -version = "0.8.0" +version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e" +checksum = "ba079fa568d52545cd70b334b2ce6f88f62b8fc2bda9290f48a0578388a49331" dependencies = [ "zeroize", ] diff --git a/nexus/flow-rs/src/grpc.rs b/nexus/flow-rs/src/grpc.rs index 958b31d515..8548b91152 100644 --- a/nexus/flow-rs/src/grpc.rs +++ b/nexus/flow-rs/src/grpc.rs @@ -306,7 +306,7 @@ impl FlowGrpcClient { pub async fn resync_mirror(&mut self, flow_job_name: &str) -> anyhow::Result<()> { let resync_mirror_req = pt::peerdb_route::ResyncMirrorRequest { flow_job_name: flow_job_name.to_owned(), - drop_stats: true + drop_stats: true, }; let response = self.client.resync_mirror(resync_mirror_req).await?; let resync_mirror_response = response.into_inner(); diff --git a/nexus/peer-mysql/src/ast.rs b/nexus/peer-mysql/src/ast.rs index 90fb837d38..b0b6c01630 100644 --- a/nexus/peer-mysql/src/ast.rs +++ b/nexus/peer-mysql/src/ast.rs 
@@ -108,13 +108,14 @@ pub fn rewrite_query(peername: &str, query: &mut Query) { } } Expr::Cast { - data_type: DataType::Time(_, ref mut tzinfo), .. + data_type: DataType::Time(_, ref mut tzinfo), + .. } => { *tzinfo = TimezoneInfo::None; } Expr::Cast { ref mut data_type, .. - } if matches!(data_type, DataType::Timestamp(..)) =>{ + } if matches!(data_type, DataType::Timestamp(..)) => { *data_type = DataType::Datetime(None); } _ => {} diff --git a/nexus/peer-snowflake/Cargo.toml b/nexus/peer-snowflake/Cargo.toml index 05dc416c5e..e74c543181 100644 --- a/nexus/peer-snowflake/Cargo.toml +++ b/nexus/peer-snowflake/Cargo.toml @@ -20,7 +20,7 @@ pgwire.workspace = true pt = { path = "../pt" } reqwest = { version = "0.12", default-features = false, features = ["json", "gzip", "rustls-tls"] } rsa = { version = "0.9.2", features = ["pem", "pkcs5"] } -secrecy = { version = "0.8.0" } +secrecy = "0.10" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" sha2 = "0.10" diff --git a/nexus/peer-snowflake/src/auth.rs b/nexus/peer-snowflake/src/auth.rs index 4ec1a90823..321d00da0b 100644 --- a/nexus/peer-snowflake/src/auth.rs +++ b/nexus/peer-snowflake/src/auth.rs @@ -1,7 +1,4 @@ -use std::{ - str::FromStr, - time::{SystemTime, UNIX_EPOCH}, -}; +use std::time::{SystemTime, UNIX_EPOCH}; use anyhow::Context; use base64::prelude::{Engine as _, BASE64_STANDARD}; @@ -9,7 +6,7 @@ use jsonwebtoken::{encode as jwt_encode, Algorithm, EncodingKey, Header}; use rsa::pkcs1::EncodeRsaPrivateKey; use rsa::pkcs8::{DecodePrivateKey, EncodePublicKey}; use rsa::RsaPrivateKey; -use secrecy::{Secret, SecretString}; +use secrecy::SecretString; use serde::Serialize; use sha2::{Digest, Sha256}; use tracing::info; @@ -32,7 +29,7 @@ pub struct SnowflakeAuth { refresh_threshold: u64, expiry_threshold: u64, last_refreshed: u64, - current_jwt: Option>, + current_jwt: Option, } impl SnowflakeAuth { 
@@ -128,14 +125,14 @@ impl SnowflakeAuth { let header: Header = Header::new(Algorithm::RS256); let encoded_jwt = jwt_encode(&header, &jwt_claims, &private_key_jwt)?; - let secret = SecretString::from_str(&encoded_jwt)?; + let secret = SecretString::from(encoded_jwt); self.current_jwt = Some(secret); Ok(()) } - pub fn get_jwt(&mut self) -> anyhow::Result<&Secret> { + pub fn get_jwt(&mut self) -> anyhow::Result<&SecretString> { if SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs() >= (self.last_refreshed + self.refresh_threshold) { diff --git a/nexus/peer-snowflake/src/lib.rs b/nexus/peer-snowflake/src/lib.rs index d04a369d32..e0af65b58c 100644 --- a/nexus/peer-snowflake/src/lib.rs +++ b/nexus/peer-snowflake/src/lib.rs @@ -153,7 +153,7 @@ impl SnowflakeQueryExecutor { async fn process_query(&self, query_str: &str) -> anyhow::Result { let mut auth = self.auth.clone(); let jwt = auth.get_jwt()?; - let secret = jwt.expose_secret().clone(); + let secret = jwt.expose_secret(); // TODO: for things other than SELECTs, the robust way to handle retrys is by // generating a UUID from our end to mark the query as unique and then sending it with the request. // If we need to retry, send same UUID with retry=true parameter set and Snowflake should prevent duplicate execution. @@ -216,7 +216,7 @@ impl SnowflakeQueryExecutor { ) -> anyhow::Result { let mut auth = self.auth.clone(); let jwt = auth.get_jwt()?; - let secret = jwt.expose_secret().clone(); + let secret = jwt.expose_secret(); let response = self .reqwest_client .get(format!( diff --git a/nexus/peer-snowflake/src/stream.rs b/nexus/peer-snowflake/src/stream.rs index efac7b7e1f..5cd6e117b0 100644 --- a/nexus/peer-snowflake/src/stream.rs +++ b/nexus/peer-snowflake/src/stream.rs 
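Review bot: In `process_query` and in the second lib.rs hunk, `get_jwt()` is called on `self.auth.clone()`, so any refresh it performs is written to a temporary copy and dropped when the function returns. Judging by the `last_refreshed + refresh_threshold` check visible in auth.rs, every request after the threshold passes would presumably sign a fresh JWT. Each call also makes another in-memory copy of the secret held in `SnowflakeAuth`. Consider holding the auth state behind shared mutability (for example a `Mutex<SnowflakeAuth>` field), so the token is refreshed once and no per-request copy of the secret is needed. Both function bodies and the rest of `get_jwt` lie outside the hunks, so this should be confirmed against the full file.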
@@ -209,7 +209,7 @@ impl SnowflakeRecordStream { self.partition_number += 1; self.partition_index = 0; let partition_number = self.partition_number; - let secret = self.auth.get_jwt()?.expose_secret().clone(); + let secret = self.auth.get_jwt()?.expose_secret(); let statement_handle = self.result_set.statementHandle.clone(); let url = self.endpoint_url.clone(); println!("Secret: {:#?}", secret);
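Review bot: The last context line of this hunk, `println!("Secret: {:#?}", secret);`, writes the exposed JWT to stdout, which defeats the point of wrapping it in `SecretString`. The bearer token ends up in process output and in anything that collects it (container logs, log shippers, support bundles). The line should be deleted; if a trace of partition fetches is wanted, log only non-sensitive fields such as `partition_number`. It would also help to call `expose_secret()` at the point where the Authorization header is built rather than binding the plaintext to a long-lived local. The enclosing function starts and ends outside the hunk.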