Update argument parsing to remove dependency on yargs and make more robust #1019
Conversation
…obust Signed-off-by: Andre Kurait <[email protected]>
AndreKurait
requested review from
chelma,
gregschohn,
lewijacn,
mikaylathompson,
peternied and
sumobrian
as code owners
| // Extract command prefix | ||
| const commandPrefix = baseCommand.substring(0, baseCommand.indexOf('--')).trim(); | ||
| const baseArgs = baseCommand.substring(baseCommand.indexOf('--')); | ||
| export function parseArgsToDict(argString: string | undefined): Record<string, string[]> { |
There was a problem hiding this comment.
Note: We're not using the values (only keys) as of now (except the unit tests). I wanted to keep this since it's written, working, and tested
| let replayerCommand = `/runJavaWithClasspath.sh org.opensearch.migrations.replay.TrafficReplayer ${osClusterEndpoint} --insecure --kafka-traffic-brokers ${brokerEndpoints} --kafka-traffic-topic logging-traffic-topic --kafka-traffic-group-id ${groupId}` | ||
| let command = `/runJavaWithClasspath.sh org.opensearch.migrations.replay.TrafficReplayer ${osClusterEndpoint}` | ||
| const extraArgsDict = parseArgsToDict(props.extraArgs) | ||
| command = appendArgIfNotInExtraArgs(command, extraArgsDict, "--insecure") |
There was a problem hiding this comment.
Note: In a followup, we need to figure out how a customer might exclude this, most likely through a cluster setting in cdk.context.json
There was a problem hiding this comment.
Seems like that's the way to go - we exclude kafkaConnection in a similar manner in the code above.
Signed-off-by: Andre Kurait <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1019 +/- ##
============================================
+ Coverage 80.20% 80.30% +0.10%
- Complexity 2722 2727 +5
============================================
Files 365 366 +1
Lines 13603 13605 +2
Branches 941 941
============================================
+ Hits 10910 10926 +16
+ Misses 2118 2104 -14
Partials 575 575
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
deployment/cdk/opensearch-service-migration/lib/service-stacks/capture-proxy-es-stack.ts
Outdated
Show resolved
Hide resolved
| } | ||
| // Split based on '--' at the start of the string or preceded by whitespace, use non-capturing groups to include -- in parts | ||
| const parts = argString.split(/(?=\s--|^--)/).filter(Boolean); |
There was a problem hiding this comment.
Worst case scenario here is that you could misparse something like
--setHeader from-client \"Search Agent --alpine --classic\"
and you'd then drop any arguments that already existed that were named '--alpine' or '--classic', right?
I'd like to see the map eventually supported as just a map of keys and values (possibly the empty string) - and all of it is just concatenated together w/ spaces between. That way, it's clear what keys are being used and what to strike.
Given that the code was even more problematic before, I'm fine w/ this being a follow up task.
There was a problem hiding this comment.
This would be a change in the customer cdk.context.json to have extra args be a map and not a string?
There was a problem hiding this comment.
Yes, that's the worst case, something like --setHeader from-client \"Search Agent --destinationUri \"
An existing --classic in your case wouldn't be dropped because of the " character after
There was a problem hiding this comment.
correct - to accept the value as a dictionary/map and not just as a string (I'd support both using instanceof). For later though.
| let replayerCommand = `/runJavaWithClasspath.sh org.opensearch.migrations.replay.TrafficReplayer ${osClusterEndpoint} --insecure --kafka-traffic-brokers ${brokerEndpoints} --kafka-traffic-topic logging-traffic-topic --kafka-traffic-group-id ${groupId}` | ||
| let command = `/runJavaWithClasspath.sh org.opensearch.migrations.replay.TrafficReplayer ${osClusterEndpoint}` | ||
| const extraArgsDict = parseArgsToDict(props.extraArgs) | ||
| command = appendArgIfNotInExtraArgs(command, extraArgsDict, "--insecure") |
There was a problem hiding this comment.
Seems like that's the way to go - we exclude kafkaConnection in a similar manner in the code above.
| if (props.clusterAuthDetails.basicAuth.password) { | ||
| console.warn("Password passed in plain text, this is insecure and will leave" + | ||
| "your password exposed.") |
There was a problem hiding this comment.
did we support this before? I don't see it in the old patch & don't want to add it shortly before we cut a major release.
There was a problem hiding this comment.
There's two places today we create plaintext secrets, as well as RFS supports it directly as an inline arg.
The experience without this PR/fix is that we concat the argument --auth-header-user-and-secret username undefined and the replayer fails on startup.
If you'd like instead we can throw an error here saying "Plaintext password in cdk.context.json with replayer is not supported" and have it be a build time exception.
There was a problem hiding this comment.
do we have a jira to stop accepting plaintext passwords and to stop accepting them on the command line. With that, I'm fine moving forward. As it is, I consider these major security risks and we shouldn't let the user store secrets in so many places unencrypted.
As long as the secret is in a task definition, I suppose it doesn't matter if we put it here too - we just need to reverse this too when we lock down the other code
There was a problem hiding this comment.
Signed-off-by: Andre Kurait <[email protected]>
Description
Simplify CDK ExtraArg processing to remove yargs and make more robust.
Fixed places where parameter values which may have spaces weren't wrapped in quotes.
Removed cdk dependency on yargs
Fixed an issue where List arguments would split on
,incorrectly e.g.--setHeader name "value1,value2"Fixed an issue where ExtraArgs wouldn't correctly handle multi arity commands e.g.
--setHeader name valueFixed a bug in how user supplied plaintext password was being supplied to the replayer
Issues Resolved
https://opensearch.atlassian.net/browse/MIGRATIONS-2025
Is this a backport? If so, please add backport PR # and/or commits #
Testing
Unit testing, AWS Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.