Remove config templating in favour of explicit secret references

After extensive testing and some initial user feedback, it became clear that expressions / templating provides horrible UX, because:

* It's not clear where expressions can be used.
* Expressions are only evaluated at runtime, so users don't get feedback when they reference secrets that don't exist.
* Non-technical users struggle with expression syntax.

Additionally, we don't really *need* the flexibility expressions give us. We just need a way to safely reference managed secrets.

This change introduces support for the `x-secret-ref` JSON schema annotation. Properties annotated with it will be treated as secret references.

When extensions retrieve their runtime config, secret references are transparently resolved.

When extension configs are updated via REST API, it's validated that all referenced secrets exist.

Secret managers now support pagination and filtering for the `listSecrets` operation. This is used to deliver a convenient dropdown with search-as-you-type in the UI. Note that it is expected that not all providers can support pagination natively, in which case they'll need to emulate the desired behaviour, which is what the `env` provider does.

Listing secret metadata no longer requires the `SECRET_MANAGEMENT_READ` permission, but the `SYSTEM_CONFIGURATION_READ` permission. This is because users who maintain configuration are actually the ones that need to know which secrets they can use.

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

api/src/main/openapi/components/schemas/secrets/list-secrets-response.yaml

@@ -15,10 +15,12 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 type: object
+allOf:
+- $ref: "../paginated-response.yaml"
 properties:
   secrets:
     type: array
     items:
-      $ref: "./list-secrets-response-item.yaml"
+      $ref: "./secret-metadata.yaml"
 required:
 - secrets

…/secrets/list-secrets-response-item.yaml …nts/schemas/secrets/secret-metadata.yamlapi/src/main/openapi/components/schemas/secrets/list-secrets-response-item.yaml renamed to api/src/main/openapi/components/schemas/secrets/secret-metadata.yaml api/src/main/openapi/components/schemas/secrets/list-secrets-response-item.yaml renamed to api/src/main/openapi/components/schemas/secrets/secret-metadata.yaml

@@ -15,20 +15,27 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 get:
-  operationId: listSecrets
-  summary: List all secrets
-  description: >-
-    Returns a list of secrets.
-    
-      * Does not include secret *values*, only metadata.
-      * Does not support pagination.
+  operationId: listSecretMetadata
+  summary: List secret metadata
+  description: |-
+    Returns a paginated list of secret metadata.
     
-    Requires the `SECRET_MANAGEMENT` or `SECRET_MANAGEMENT_READ` permission.
+    Requires the `SYSTEM_CONFIGURATION` or `SYSTEM_CONFIGURATION_READ` permission.
   tags:
   - Secrets
+  parameters:
+  - name: q
+    description: >-
+      Optional search text to filter secrets by.
+      Filtering uses case-insensitive "starts with" semantics on the secret name.
+    in: query
+    schema:
+      type: string
+  - $ref: "../components/parameters/page-token.yaml"
+  - $ref: "../components/parameters/pagination-limit.yaml"
   responses:
     "200":
-      description: List of secrets
+      description: Paginated list of secret metadata
       content:
         application/json:
           schema:

api/src/main/openapi/paths/secrets.yaml

@@ -14,6 +14,38 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
+get:
+  operationId: getSecretMetadata
+  summary: Get secret metadata
+  description: |-
+    Returns metadata about a given secret.
+    
+    Requires the `SYSTEM_CONFIGURATION` or `SYSTEM_CONFIGURATION_READ` permission.
+  tags:
+  - Secrets
+  parameters:
+  - name: name
+    in: path
+    description: The name of the secret
+    required: true
+    schema:
+      $ref: "../components/schemas/secrets/secret-name.yaml"
+  responses:
+    "200":
+      description: Secret metadata
+      content:
+        application/json:
+          schema:
+            $ref: "../components/schemas/secrets/secret-metadata.yaml"
+    "401":
+      $ref: "../components/responses/generic-unauthorized-error.yaml"
+    "403":
+      $ref: "../components/responses/generic-forbidden-error.yaml"
+    "404":
+      $ref: "../components/responses/generic-not-found-error.yaml"
+    default:
+      $ref: "../components/responses/generic-error.yaml"
+
 patch:
   operationId: updateSecret
   summary: Update a secret

api/src/main/openapi/paths/secrets__name_.yaml

@@ -53,7 +53,6 @@ public enum Permissions {
     ACCESS_MANAGEMENT_DELETE("Allows delete permissions of users, teams, and API keys"),
     SECRET_MANAGEMENT("Grants full secret management access"),
     SECRET_MANAGEMENT_CREATE("Grants the ability to create secrets"),
-    SECRET_MANAGEMENT_READ("Grants the ability to view secret metadata"),
     SECRET_MANAGEMENT_UPDATE("Grants the ability to update secrets"),
     SECRET_MANAGEMENT_DELETE("Grants the ability to delete secrets"),
     SYSTEM_CONFIGURATION("Allows all access to configuration of the system including notifications, repositories, and email settings"),
@@ -109,7 +108,6 @@ public static class Constants {
         public static final String ACCESS_MANAGEMENT_DELETE = "ACCESS_MANAGEMENT_DELETE";
         public static final String SECRET_MANAGEMENT = "SECRET_MANAGEMENT";
         public static final String SECRET_MANAGEMENT_CREATE = "SECRET_MANAGEMENT_CREATE";
-        public static final String SECRET_MANAGEMENT_READ = "SECRET_MANAGEMENT_READ";
         public static final String SECRET_MANAGEMENT_UPDATE = "SECRET_MANAGEMENT_UPDATE";
         public static final String SECRET_MANAGEMENT_DELETE = "SECRET_MANAGEMENT_DELETE";
         public static final String SYSTEM_CONFIGURATION = "SYSTEM_CONFIGURATION";