delete secret on object delete (#1085)

2025-06-16 11:58:09 +00:00 · 2021-07-21 16:04:27 -04:00
parent 041d3cc204
commit 3269dbb1aa
3 changed files with 98 additions and 2 deletions
--- a/src/api-service/app/onefuzzlib/orm.py
+++ b/src/api-service/app/onefuzzlib/orm.py
@ -40,7 +40,7 @@ from pydantic import BaseModel
 from typing_extensions import Protocol

 from .azure.table import get_client
-from .secrets import save_to_keyvault
+from .secrets import delete_remote_secret_data, save_to_keyvault
 from .telemetry import track_event_filtered
 from .updates import queue_update

@ -249,6 +249,28 @@ def hide_secrets(data: B, hider: Callable[[SecretData], SecretData]) -> B:
    return data


+# NOTE: the actual deletion must come from the `deleter` callback function
+def delete_secrets(data: B, deleter: Callable[[SecretData], None]) -> None:
+    for field in data.__fields__:
+        field_data = getattr(data, field)
+        if isinstance(field_data, SecretData):
+            deleter(field_data)
+        elif isinstance(field_data, BaseModel):
+            delete_secrets(field_data, deleter)
+        elif isinstance(field_data, list):
+            for entry in field_data:
+                if isinstance(entry, BaseModel):
+                    delete_secrets(entry, deleter)
+                elif isinstance(entry, SecretData):
+                    deleter(entry)
+        elif isinstance(field_data, dict):
+            for value in field_data.values():
+                if isinstance(value, BaseModel):
+                    delete_secrets(value, deleter)
+                elif isinstance(value, SecretData):
+                    deleter(value)
+
+
 # NOTE: if you want to include Timestamp in a model that uses ORMMixin,
 # it must be maintained as part of the model.
 class ORMMixin(ModelMixin):
@ -363,6 +385,8 @@ class ORMMixin(ModelMixin):
    def delete(self) -> None:
        partition_key, row_key = self.get_keys()

+        delete_secrets(self, delete_remote_secret_data)
+
        client = get_client()
        try:
            client.delete_entity(
--- a/src/api-service/app/onefuzzlib/secrets.py
+++ b/src/api-service/app/onefuzzlib/secrets.py
@ -80,3 +80,8 @@ def delete_secret(secret_url: str) -> None:
    (vault_url, secret_name) = parse_secret_url(secret_url)
    keyvault_client = get_keyvault_client(vault_url)
    keyvault_client.begin_delete_secret(secret_name)
+
+
+def delete_remote_secret_data(data: SecretData) -> None:
+    if isinstance(data.secret, SecretAddress):
+        delete_secret(data.secret.url)