Secrets Code Gen #6385
Secrets Code Gen #6385
Conversation
…nto kv_tsp_secrets3
|
/azp run cpp - keyvault |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run cpp - keyvault |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
API change check APIView has identified API level changes in this PR and created following API reviews. |
There was a problem hiding this comment.
George, do we really want to move the header files from, say, <azure/keyvault/secrets.hpp> to <azure/security/keyvault/secrets.hpp>?
This won't align with the rest of the current keyvault libraries, and some of them are in GA state, so we probably won't do the same move for them? And then there will forever be #include <azure/keyvault and #include <azure/security/keyvault which is not great, so is it really worth it? I'd say, keep the include file location the same. If codegen needs some option to support this, let's implement that option in codegen.
|
i guess we could discuss it with Larry and Rick , to be hones i think we made a mistake originally by not including that path , which is in the namespace and the package name , so the headers should have been in azure/security/keyvault/ .... Let me talk with Larry and Rick and circle back when i have a clearer idea. |
|
@gearama, I agree, possibly that was a mistake, but now, I think, we should keep it, because the alternative is not giving us much while making some problems. |
| /** | ||
| * @file | ||
| * @brief DLL export macro. | ||
| */ |
There was a problem hiding this comment.
we should update codegen to include these comments (+comments in the all-inclusive header and dll_import_export as well)
There was a problem hiding this comment.
Do these comments even show up in our published documentation?
There was a problem hiding this comment.
Same comment applies to rtti.hpp - IMHO we should not be including these files in published documentation, so it only affects the comments. And in that case, I'd just throw in a link to a .md file which explains it in detail so we don't need to duplicate all this text.
| #include "azure/keyvault/secrets/dll_import_export.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_backup_secret.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_deleted_secret.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_operations.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_options.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_secret.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_secret_paged_response.hpp" | ||
| #include "azure/keyvault/secrets/keyvault_secret_properties.hpp" | ||
| #include "azure/keyvault/secrets/rtti.hpp" | ||
| #include "azure/keyvault/secrets/secret_client.hpp" |
There was a problem hiding this comment.
Should we update codegen with the features to match the existing header files? It can be done... Diffing will certainly be easier, especially for doxygen comments.
Alternative: keep these headers, but include the new ones from them.
There was a problem hiding this comment.
i don't think we should do that , we include the headers we generate, i'm not sure , we provide the root header file, if poeple decide to include things manually that's on them, we changed header file names before , so i'm not sure there's a point to trying to match underlying things as before.
| @@ -22,15 +21,15 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Secrets { | |||
| /** | |||
| * @brief Represents a long running operation to restore a deleted secret. | |||
| */ | |||
| class RecoverDeletedSecretOperation final : public Azure::Core::Operation<SecretProperties> { | |||
| class RecoverDeletedSecretOperation final : public Azure::Core::Operation<KeyVaultSecret> { | |||
There was a problem hiding this comment.
Should we rename KeyVaultSecret to SecretProperties?
There was a problem hiding this comment.
there is a secret properties already , plus things changes and props that were in the properties meodel moved into the secret and vice versa.
| @@ -21,13 +21,12 @@ using namespace std::chrono_literals; | |||
|
|
|||
| int main() | |||
| { | |||
| // @begin_snippet: SecretSample1CreateCredential | |||
There was a problem hiding this comment.
Why did we remove the snippet coments?
There was a problem hiding this comment.
build issues, for some reason or another, it was saying it couldn't find them, and i couldn't figure out why that is . That script is a black hole that does not explain why something fails
...zure-security-keyvault-secrets/samples/sample1-basic-operations/sample1_basic_operations.cpp
Outdated
Show resolved
Hide resolved
...zure-security-keyvault-secrets/samples/sample1-basic-operations/sample1_basic_operations.cpp
Show resolved
Hide resolved
| std::make_unique<_internal::KeyVaultChallengeBasedAuthenticationPolicy>( | ||
| credential, tokenContext)); |
There was a problem hiding this comment.
We should keep using this policy, not need to drop it just because codegen doesn't emit it.
We could add a code injection context for policies initialization (codegen: replace SecretClient policies initialization), or channel that through config (replaceAuthPolicy = {include: 'azure/keyvault/shared/keyvault_challenge_based_auth.hpp', statement = 'std::make_unique<_internal::KeyVaultChallengeBasedAuthenticationPolicy>(credential, tokenContext)'}), although code injection is probably a better solution, because it would allow for constructor overloads with different auth policy depending on parameters.
You can even do it today, with // codegen: insert after includes + // codegen: replace KeyClient::KeyClient, and maybe it is how it should be done, without implementing the codegen: replace SecretClient policies initialization - that is what that feature was done for, keeping this scenario in mind.
There was a problem hiding this comment.
fi we want to add codegen support to do that maybe we should, but i'm not sure that is a secure way to auth, what we have now works. some architect or lead should give their opinion. My initial reaction is that we don't need it and it's not secure so we shouldn't have it.
There was a problem hiding this comment.
Challenge-Based auth is not secure? You must be confusing it with something else.
What we have now works, but it won't work in gov clouds, for example. CHallenge-Based auth is like BearerTokenAuth v 1.1 - it is backwards compatible. We should not be dropping it. I think you should inject it by using //codegen: replace SecretClient::SecretClient in the .cpp file.
| * @brief Set a secret in a specified key vault. | ||
| * | ||
| * @param name The name of the secret. | ||
| * @param secret The secret definition. | ||
| * | ||
| * @brief The SET operation adds a secret to the Azure Key Vault. If the named secret already | ||
| * exists, Azure Key Vault creates a new version of that secret. This operation requires the | ||
| * secrets/set permission. | ||
| * @param secretName The name of the secret. The value you provide may be copied globally for | ||
| * the purpose of running the service. The value provided should not include personally | ||
| * identifiable or sensitive information. | ||
| * @param secret The secret to set. |
There was a problem hiding this comment.
Are doxygen docs good?
The ones I've seen do look good, and not only good but in most cases better, but can we do something to review all of them in a diff, any ideas?
If we want to correct some of them, we can also add // codegen: replace SecretClient::SetSecret comment injection context.
There was a problem hiding this comment.
i don't understand the question
There was a problem hiding this comment.
Can we have a meeting like the ApiView one, but for the generated documentation?
There was a problem hiding this comment.
I'm no longer "requesting changes" in this PR, but I don't know how will we proceed, like what level of review is expected, and how you want to approach it - do we check in first, and then hold some review for the docs and the ApiView, or do we fix all/most of the things before you merge this PR?
Most of the feedback I've left is not directly to you, but to be discussed within our team to make a decision, like we did this morning about the headers path and the Models namespace.
I guess I could set this to "Approved", and I see the reasons to not set this to Approved, depending on how we are going to interpret it for such big and fundamental PR.
antkmsft
dismissed
their stale review
not requesting anything specifically, not approving yet either
|
Generally I'm OK with the changes. But I'd love to see an APIView of the current changes - the one in apiview currently is from January and it's way out-of-date :(. |
…asic-operations/sample1_basic_operations.cpp Co-authored-by: Anton Kolesnyk <[email protected]>
Generate KV Secrets from tsp with the latest codegen and typespec
From a Secrets POV all is well we have a thing going on, code is generates, compiling and testing
on the innfra side work that needs to happen to streamlline it further
move client tsp and tsconfig info into the specs repo thus the configs come as part of the downloading of TSPs thus no more file copy. It is still very useful as part of local development and rapid turn around for fixes for example for names.
publish codegen to NPM so then we don't need all the magic git operations to get the generator, it would be obtained and invoke by the tsp-client command
Right now we are at parity with the previous API surface , there are changes to the models but the methods should be fine
Pull Request Checklist
Please leverage this checklist as a reminder to address commonly occurring feedback when submitting a pull request to make sure your PR can be reviewed quickly:
See the detailed list in the contributing guide.