Skip to content

Fix default credentials being used if secrets aren't resolved #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 21, 2025
Merged

Fix default credentials being used if secrets aren't resolved #31

merged 7 commits into from
Aug 21, 2025

Conversation

edmundmiller
Copy link
Member

Fixes silent fallback to default credentials when workspace secrets aren't resolved.
This pull request adds robust support for using secrets as database credentials in nf-sqldb plugin configurations, with improved error handling and documentation.

Added some documentation and some tests for it as well!

@edmundmiller
fix: detect unresolved secrets in SqlDataSource
accb952 
Add resolveCredential method to SqlDataSource that detects unresolved
workspace secrets patterns like 'secrets.ATHENA_USER' and '[secret]'.
This prevents silent fallback to default credentials when secrets
aren't properly resolved by Nextflow's secrets system.

The method provides comprehensive error messages with troubleshooting
guidance for common secrets configuration issues.

Fixes issue where plugin would use default username 'sa' instead of
failing fast when workspace secrets were not accessible.

Signed-off-by: Edmund Miller <[email protected]>
@edmundmiller
test: add comprehensive secrets handling test coverage
77caa0c 
Add test cases for:
- Detection of 'secrets.PATTERN' unresolved secrets
- Detection of '[secret]' placeholder patterns
- Proper handling of null and empty credentials
- Fallback constructor behavior with secrets
- Comprehensive error message validation
- Integration testing with ChannelSqlExtension

Ensures robust validation of secrets detection functionality and
provides regression protection for the secrets handling feature.

Signed-off-by: Edmund Miller <[email protected]>
@edmundmiller edmundmiller self-assigned this Aug 21, 2025
@edmundmiller
docs: add comprehensive secrets usage documentation
6d6f724 
Add docs/secrets.md with detailed guidance on:
- Configuring workspace secrets with database credentials
- Setting up secrets in Seqera Platform
- Local development with Nextflow secrets command
- Troubleshooting common secrets configuration issues
- Error pattern identification and resolution

Update README.md to reference the new secrets documentation.

Provides users with complete guidance for secure credential management
in production deployments, especially for cloud databases like AWS Athena.

Signed-off-by: Edmund Miller <[email protected]>
@edmundmiller
refactor: simplify and streamline test cases
017e0df 
Reduce test redundancy by:
- Using parameterized test for multiple secret patterns
- Combining similar test scenarios
- Removing excessive error message validation
- Keeping only essential test coverage

Maintains complete functionality validation while reducing test
complexity and maintenance overhead.

Signed-off-by: Edmund Miller <[email protected]>
@edmundmiller
test: expand parameterized test coverage for credential handling
c6b2fec 
Enhance the credential input test to cover all original scenarios:
- Valid credentials should be accepted as-is
- Null/empty inputs should default to 'sa'
- Invalid secret patterns should throw exceptions

Uses Spock's parameterized testing to maintain complete test coverage
while keeping the test code concise and maintainable.

Signed-off-by: Edmund Miller <[email protected]>
@edmundmiller edmundmiller marked this pull request as ready for review August 21, 2025 16:53
edmundmiller and others added 2 commits August 21, 2025 11:53
@edmundmiller @claude
test: require AWS credentials for Athena integration test
1806945 
Add @requires annotation to skip AWS Athena test when required
environment variables are not available, preventing test failures
in environments without AWS credentials configured.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Edmund Miller <[email protected]>
@edmundmiller @claude
chore: update changelog for version 0.7.1
68adb18 
Add changelog entry documenting secrets detection fixes and
documentation improvements for the 0.7.1 release.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Edmund Miller <[email protected]>
bentsherman
bentsherman approved these changes Aug 21, 2025
View reviewed changes
Copy link
Member

@bentsherman bentsherman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Are you able to merge on your own?

@edmundmiller edmundmiller merged commit 3d66366 into master Aug 21, 2025
6 of 7 checks passed
@edmundmiller
Copy link
Member Author

Yep! I'll make a release 🤞🏻

@edmundmiller edmundmiller deleted the secrets branch August 21, 2025 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bentsherman bentsherman bentsherman approved these changes

Assignees

@edmundmiller edmundmiller

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@edmundmiller @bentsherman