feat(secret): add SecretService caller guard with ENFORCE default

Add caller guard modes (ENFORCE, AUDIT, DISABLED) to SecretService,
thread OperationContext through encrypt/decrypt call sites, and default
SECRET_SERVICE_CALLER_GUARD_MODE to ENFORCE. Document secure-by-default
secret handling for OSS datahub-actions and Cloud embedded executors.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: david-leifker

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/connection/ConnectionMapper.java

@@ -13,6 +13,7 @@
 import com.linkedin.entity.EnvelopedAspect;
 import com.linkedin.entity.EnvelopedAspectMap;
 import com.linkedin.metadata.Constants;
+import io.datahubproject.metadata.context.OperationContext;
 import io.datahubproject.metadata.services.SecretService;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -70,7 +71,9 @@ private static DataHubConnectionDetails mapConnectionDetails(
         com.linkedin.datahub.graphql.generated.DataHubConnectionDetailsType.valueOf(
             gmsDetails.getType().toString()));
     if (gmsDetails.hasJson() && ConnectionUtils.canManageConnections(context)) {
-      result.setJson(mapJsonConnectionDetails(gmsDetails.getJson(), secretService));
+      result.setJson(
+          mapJsonConnectionDetails(
+              context.getOperationContext(), gmsDetails.getJson(), secretService));
     }
     if (gmsDetails.hasName()) {
       result.setName(gmsDetails.getName());
@@ -79,11 +82,18 @@ private static DataHubConnectionDetails mapConnectionDetails(
   }
 
   private static DataHubJsonConnection mapJsonConnectionDetails(
+      @Nullable final OperationContext opContext,
       @Nonnull final com.linkedin.connection.DataHubJsonConnection gmsJsonConnection,
       @Nonnull final SecretService secretService) {
     final DataHubJsonConnection result = new DataHubJsonConnection();
-    // Decrypt the BLOB!
-    result.setBlob(secretService.decrypt(gmsJsonConnection.getEncryptedBlob()));
+    // Browsers should never receive decrypted connection blobs — they contain raw credentials.
+    // Skip decryption for human agents; the SecretService guard acts as a backstop.
+    if (opContext != null
+        && opContext.getRequestContext() != null
+        && opContext.getRequestContext().getAgentClass().isHuman()) {
+      return result;
+    }
+    result.setBlob(secretService.decrypt(opContext, gmsJsonConnection.getEncryptedBlob()));
     return result;
   }
 

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/connection/UpsertConnectionResolver.java

@@ -62,7 +62,9 @@ public CompletableFuture<DataHubConnection> get(final DataFetchingEnvironment en
                     input.getJson() != null
                         // Encrypt payload
                         ? new DataHubJsonConnection()
-                            .setEncryptedBlob(_secretService.encrypt(input.getJson().getBlob()))
+                            .setEncryptedBlob(
+                                _secretService.encrypt(
+                                    context.getOperationContext(), input.getJson().getBlob()))
                         : null,
                     input.getName());
 

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/CreateSecretResolver.java

@@ -63,7 +63,7 @@ public CompletableFuture<String> get(final DataFetchingEnvironment environment)
                   DataHubSecretValueMapper.map(
                       null,
                       input.getName(),
-                      _secretService.encrypt(input.getValue()),
+                      _secretService.encrypt(context.getOperationContext(), input.getValue()),
                       input.getDescription(),
                       new AuditStamp()
                           .setActor(UrnUtils.getUrn(context.getActorUrn()))

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/GetSecretValuesResolver.java

@@ -80,7 +80,9 @@ public CompletableFuture<List<SecretValue>> get(final DataFetchingEnvironment en
                           final DataHubSecretValue secretValue =
                               new DataHubSecretValue(aspect.getValue().data());
                           // Now decrypt the encrypted secret.
-                          final String decryptedSecretValue = decryptSecret(secretValue.getValue());
+                          final String decryptedSecretValue =
+                              _secretService.decrypt(
+                                  context.getOperationContext(), secretValue.getValue());
                           return new SecretValue(secretValue.getName(), decryptedSecretValue);
                         } else {
                           // No secret exists
@@ -100,8 +102,4 @@ public CompletableFuture<List<SecretValue>> get(final DataFetchingEnvironment en
     throw new AuthorizationException(
         "Unauthorized to perform this action. Please contact your DataHub administrator.");
   }
-
-  private String decryptSecret(final String encryptedSecret) {
-    return _secretService.decrypt(encryptedSecret);
-  }
 }

datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/UpdateSecretResolver.java

@@ -61,7 +61,7 @@ public CompletableFuture<String> get(final DataFetchingEnvironment environment)
                   DataHubSecretValueMapper.map(
                       response,
                       input.getName(),
-                      secretService.encrypt(input.getValue()),
+                      secretService.encrypt(context.getOperationContext(), input.getValue()),
                       input.getDescription(),
                       null);
 

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/connection/UpsertConnectionResolverTest.java

@@ -42,8 +42,8 @@ public class UpsertConnectionResolverTest {
   public void setUp() {
     connectionService = Mockito.mock(ConnectionService.class);
     secretService = Mockito.mock(SecretService.class);
-    Mockito.when(secretService.encrypt("{}")).thenReturn("encrypted");
-    Mockito.when(secretService.decrypt("encrypted")).thenReturn("{}");
+    Mockito.when(secretService.encrypt(Mockito.any(), Mockito.eq("{}"))).thenReturn("encrypted");
+    Mockito.when(secretService.decrypt(Mockito.any(), Mockito.eq("encrypted"))).thenReturn("{}");
     resolver = new UpsertConnectionResolver(connectionService, secretService);
   }
 

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/CreateSecretResolverTest.java

@@ -33,7 +33,7 @@ public void testGetSuccess() throws Exception {
     // Create resolver
     EntityClient mockClient = Mockito.mock(EntityClient.class);
     SecretService mockSecretService = Mockito.mock(SecretService.class);
-    Mockito.when(mockSecretService.encrypt(Mockito.eq(TEST_INPUT.getValue())))
+    Mockito.when(mockSecretService.encrypt(Mockito.any(), Mockito.eq(TEST_INPUT.getValue())))
         .thenReturn("encryptedvalue");
     CreateSecretResolver resolver = new CreateSecretResolver(mockClient, mockSecretService);
 

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/GetSecretValuesResolverTest.java

@@ -38,7 +38,8 @@ public void testGetSuccess() throws Exception {
     // Create resolver
     EntityClient mockClient = Mockito.mock(EntityClient.class);
     SecretService mockSecretService = Mockito.mock(SecretService.class);
-    Mockito.when(mockSecretService.decrypt(Mockito.eq(getTestSecretValue().getValue())))
+    Mockito.when(
+            mockSecretService.decrypt(Mockito.any(), Mockito.eq(getTestSecretValue().getValue())))
         .thenReturn(decryptedSecretValue);
 
     DataHubSecretValue returnedValue = getTestSecretValue();

datahub-graphql-core/src/test/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/UpdateSecretResolverTest.java

@@ -73,7 +73,8 @@ public void testGetSuccess() throws Exception {
     Mockito.when(mockEnv.getContext()).thenReturn(mockContext);
 
     Mockito.when(mockClient.exists(any(), any())).thenReturn(true);
-    Mockito.when(mockSecretService.encrypt(TEST_INPUT.getValue())).thenReturn("encrypted_value");
+    Mockito.when(mockSecretService.encrypt(Mockito.any(), Mockito.eq(TEST_INPUT.getValue())))
+        .thenReturn("encrypted_value");
     final EntityResponse entityResponse = new EntityResponse();
     final EnvelopedAspectMap aspectMap = new EnvelopedAspectMap();
     aspectMap.put(
@@ -85,7 +86,8 @@ public void testGetSuccess() throws Exception {
 
     // Invoke the resolver
     resolver.get(mockEnv).join();
-    Mockito.verify(mockSecretService, Mockito.times(1)).encrypt(TEST_INPUT.getValue());
+    Mockito.verify(mockSecretService, Mockito.times(1))
+        .encrypt(Mockito.any(), Mockito.eq(TEST_INPUT.getValue()));
     Mockito.verify(mockClient, Mockito.times(1)).ingestProposal(any(), any(), anyBoolean());
   }
 
@@ -101,7 +103,9 @@ public void testGetSuccessWithSpecialCharacters() throws Exception {
 
     Mockito.when(mockClient.exists(any(), any())).thenReturn(true);
     // The secret value should NOT be escaped before encryption
-    Mockito.when(mockSecretService.encrypt(TEST_INPUT_WITH_SPECIAL_CHARS.getValue()))
+    Mockito.when(
+            mockSecretService.encrypt(
+                Mockito.any(), Mockito.eq(TEST_INPUT_WITH_SPECIAL_CHARS.getValue())))
         .thenReturn("encrypted_special_value");
     final EntityResponse entityResponse = new EntityResponse();
     final EnvelopedAspectMap aspectMap = new EnvelopedAspectMap();
@@ -117,7 +121,7 @@ public void testGetSuccessWithSpecialCharacters() throws Exception {
 
     // Verify that the secret value was passed to encrypt WITHOUT escaping
     Mockito.verify(mockSecretService, Mockito.times(1))
-        .encrypt(Mockito.eq("password\nwith/slashes\"and\\backslashes"));
+        .encrypt(Mockito.any(), Mockito.eq("password\nwith/slashes\"and\\backslashes"));
     Mockito.verify(mockClient, Mockito.times(1)).ingestProposal(any(), any(), anyBoolean());
   }
 

docs-website/sidebars.js

@@ -721,6 +721,7 @@ module.exports = {
     },
     {
       "DataHub Cloud Release History": [
+        "docs/managed-datahub/release-notes/v_2_0_0",
         "docs/managed-datahub/release-notes/v_1_1_0",
         "docs/managed-datahub/release-notes/v_1_0_0",
         "docs/managed-datahub/release-notes/v_0_3_17",