sergehuber commented on code in PR #760:
URL: https://github.com/apache/unomi/pull/760#discussion_r3362956724


##########
tools/shell-commands/src/main/resources/META-INF/cxs/migration/migrate-3.1.0-10-tenantInitialization.groovy:
##########
@@ -0,0 +1,88 @@
+import org.apache.unomi.shell.migration.service.MigrationContext
+import org.apache.unomi.shell.migration.utils.MigrationUtils
+import java.time.ZonedDateTime
+import java.time.format.DateTimeFormatter
+import static org.apache.unomi.shell.migration.service.MigrationConfig.*
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+MigrationContext context = migrationContext
+String esAddress = context.getConfigString("esAddress")
+String indexPrefix = context.getConfigString("indexPrefix")
+String tenantId = context.getConfigString(TENANT_ID)
+ZonedDateTime unifiedDate = ZonedDateTime.now()
+String isoDate = unifiedDate.format(DateTimeFormatter.ISO_OFFSET_DATE_TIME)
+
+// Create the default tenant index and items
+context.performMigrationStep("3.1.0-create-tenant-index", () -> {
+    String baseSettings = MigrationUtils.resourceAsString(bundleContext, 
"requestBody/2.0.0/base_index_mapping.json")
+    String mapping = MigrationUtils.extractMappingFromBundles(bundleContext, 
"tenant.json")
+    String newIndexSettings = 
MigrationUtils.buildIndexCreationRequest(baseSettings, mapping, context, false)
+
+    if (!MigrationUtils.indexExists(context.getHttpClient(), esAddress, 
"${indexPrefix}-tenant")) {
+        context.printMessage("Creating tenant index: ${indexPrefix}-tenant")
+        MigrationUtils.createIndex(context.getHttpClient(), esAddress, 
"${indexPrefix}-tenant", newIndexSettings)
+
+        // Create the default tenant (this might be adjusted based on actual 
tenant structure)
+        String defaultTenantJson = """{
+            "itemId": "${tenantId}",
+            "itemType": "tenant",
+            "name": "Default Tenant",
+            "tenantId": "system",
+            "description": "Default tenant created during migration to Unomi 
V3",
+            "createdBy": "system-migration-3.1.0",
+            "lastModifiedBy": "system-migration-3.1.0",
+            "creationDate": "${isoDate}",
+            "lastModificationDate": "${isoDate}",
+            "version": 1,
+            "status": "ACTIVE",
+            "apiKeys" : [
+                {
+                  "itemId" : "5a3f11a8-38a7-41b0-9fe8-d1ef0b4ad8ca",
+                  "itemType" : "apiKey",
+                  "createdBy": "system-migration-3.1.0",
+                  "lastModifiedBy": "system-migration-3.1.0",
+                  "creationDate" : "${isoDate}",
+                  "lastModificationDate" : "${isoDate}",
+                  "key" : 
"C606D77D1D219509637A82C062BCD17F13D6DF1501702DC396D4A12D63D4E5F2",
+                  "keyType" : "PUBLIC",
+                  "revoked" : false
+                },
+                {
+                  "itemId" : "3c595ea8-000e-4d0b-a329-0d259cc4d176",
+                  "itemType" : "apiKey",
+                  "createdBy": "system-migration-3.1.0",
+                  "lastModifiedBy": "system-migration-3.1.0",
+                  "creationDate" : "${isoDate}",
+                  "lastModificationDate" : "${isoDate}",
+                  "key" : 
"503BAABB3A14AEB4B50ACF3C82982FBABECDBAEA83879CA8AECA016A6A9EEA85",
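Review bot: The `tenantId` read via `context.getConfigString(TENANT_ID)` is interpolated straight into the JSON body at `"itemId": "${tenantId}",` with no escaping, so a configured value containing `"` or `\` would produce malformed JSON or inject additional fields into the tenant document; emit it as `"itemId": ${groovy.json.JsonOutput.toJson(tenantId)},` or reject values outside a strict identifier pattern before building the body. The idempotency guard for this step is only the `indexExists` check on `${indexPrefix}-tenant`: if the index is created but indexing the default tenant fails afterwards, a re-run skips the whole branch and leaves a tenant index with no default tenant, so it is worth also checking for the tenant document (or deleting the freshly created index when the document write fails). The `performMigrationStep` closure continues past the end of the quoted hunk, so the document-indexing call itself is not visible here.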

Review Comment:
   Fixed in commit 9eefd885: rather than hardcoding any key, the migration script now generates fresh cryptographically random keys at migration time using SecureRandom. The keys are printed to the console once (the only opportunity to record them) and also written to a time-limited file under karaf.data/migration/secrets/, which the next migration run deletes once it is more than 24 hours old. This way no secret ever touches the git repository, and the operator is clearly prompted to save the keys to a vault. The migration step is idempotent — key generation only runs when the tenant index doesn't yet exist.


