
add option to delete old versions when storing identity in gcp secret manager #3224

Merged: havetisyan merged 2 commits into master from recent-versions on Mar 6, 2026

Conversation

@havetisyan (Collaborator) commented Mar 5, 2026

Description

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)

…ager

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the GCP identity storage mechanism by adding an option to automatically manage and clean up old secret versions in Google Cloud Secret Manager. This prevents an indefinite accumulation of secret versions, improving resource management and security posture by ensuring only a specified number of recent versions are kept. The changes include modifying the core storage function, introducing a dedicated cleanup routine, and adding robust testing for the new functionality.

Highlights

  • GCP Secret Version Management: Introduced a new keepRecentVersions parameter to the StoreAthenzIdentityInSecretManagerCustomFormat function, allowing users to specify how many recent secret versions to retain in GCP Secret Manager. If set to a value greater than zero, older versions will be automatically destroyed.
  • Automatic Old Version Cleanup: Implemented a destroyOldSecretVersions function that lists all active secret versions, sorts them by creation time, and destroys any versions exceeding the specified keepRecentVersions limit, while always preserving the newly added version.
  • Improved Testability: Added interfaces (SecretVersionIteratorIface, SecretManagerClientIface) and a wrapper (secretManagerClientWrapper) to abstract GCP Secret Manager client operations, facilitating easier testing of the version cleanup logic.
  • Comprehensive Unit Tests: Included extensive unit tests for the new secret version cleanup functionality, covering various scenarios such as no versions, versions within/at/beyond the limit, handling destroyed/disabled versions, new version preservation, and error conditions during listing and destroying.

Changelog

  • libs/go/sia/gcp/functions/identity.go
    • Added errors, sort, and iterator imports.
    • Modified StoreAthenzIdentityInSecretManagerCustomFormat to accept a keepRecentVersions integer parameter.
    • Integrated logic to call destroyOldSecretVersions after adding a new secret version if keepRecentVersions is positive.
    • Implemented destroyOldSecretVersions function to list, sort, and destroy older secret versions.
    • Defined SecretVersionIteratorIface and SecretManagerClientIface interfaces for abstracting GCP Secret Manager operations.
    • Created secretManagerClientWrapper to adapt the concrete secretmanager.Client to the new interface.
  • libs/go/sia/gcp/functions/identity_test.go
    • Added secretmanagerpb, iterator, and timestamppb imports for testing.
    • Introduced mockSecretVersionIterator and mockSecretManagerClient to mock GCP Secret Manager client behavior for testing.
    • Added makeSecretVersion helper function for creating test secret version objects.
    • Implemented TestDestroyOldSecretVersions with multiple test cases to validate the secret version cleanup logic under various conditions.

Activity

  • No specific activity (comments, reviews, or progress updates) was provided in the pull request description.

@gemini-code-assist (Contributor) bot left a comment

Code Review

This pull request adds a useful feature to automatically clean up old secret versions in GCP Secret Manager when a new identity is stored. However, it also introduces a potential Insecure Direct Object Reference (IDOR) vulnerability by allowing unvalidated secret names to be used in resource name construction, which could lead to unauthorized access or deletion of secrets in other projects. Additionally, there's a potential logic issue in the version cleanup that might result in keeping more versions than specified, and the code can be optimized by using server-side filtering when listing secret versions for better efficiency.

Comment thread libs/go/sia/gcp/functions/identity.go
Comment thread libs/go/sia/gcp/functions/identity.go
Comment thread libs/go/sia/gcp/functions/identity.go
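A worked version of the cleanup routine the summary above describes, written here as an added example (not the PR's own code) that also covers two of the review points: the just-created version is counted toward keepRecentVersions, so the limit is never exceeded, and the secret ID is validated before it is used to build the resource path. The secretVersion type, secretManagerClient interface, fakeClient and secretIDPattern are assumed stand-ins for the PR's types, not copies of them.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// secretVersion is a constructed stand-in for secretmanagerpb.SecretVersion; State is
// "ENABLED", "DISABLED" or "DESTROYED" and CreateTime is unix seconds (timestamppb in the real type).
type secretVersion struct{ Name, State string; CreateTime int64 }
// secretManagerClient is the assumed shape of the PR's SecretManagerClientIface.
type secretManagerClient interface {
	ListSecretVersions(secretPath string) ([]secretVersion, error)
	DestroySecretVersion(versionName string) error
}
// fakeClient is a constructed in-memory client (not the PR's mock) that records destroy calls.
type fakeClient struct{ versions []secretVersion; destroyed []string }
func (f *fakeClient) ListSecretVersions(string) ([]secretVersion, error) { return f.versions, nil }
func (f *fakeClient) DestroySecretVersion(n string) error { f.destroyed = append(f.destroyed, n); return nil }
// GCP secret IDs: 1-255 of [A-Za-z0-9_-]; anything else (e.g. '/') could point the built path at another secret.
var secretIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,255}$`)
// destroyOldSecretVersions keeps exactly keep ENABLED versions; the just-created newVersion always holds
// one kept slot, so it is never destroyed and the limit holds even if its CreateTime sorts out of order.
func destroyOldSecretVersions(c secretManagerClient, project, secretID, newVersion string, keep int) ([]string, error) {
	if keep <= 0 { return nil, nil } // feature disabled, as in the PR
	if !secretIDPattern.MatchString(secretID) { return nil, fmt.Errorf("invalid secret id %q", secretID) }
	versions, err := c.ListSecretVersions(fmt.Sprintf("projects/%s/secrets/%s", project, secretID))
	if err != nil {
		return nil, err
	}
	var older []secretVersion // ENABLED versions other than the new one
	for _, v := range versions {
		if v.State == "ENABLED" && v.Name != newVersion {
			older = append(older, v)
		}
	}
	sort.Slice(older, func(i, j int) bool { return older[i].CreateTime > older[j].CreateTime })
	var destroyed []string
	for i, v := range older {
		if i < keep-1 { // slot 0 is reserved for newVersion
			continue
		}
		if err := c.DestroySecretVersion(v.Name); err != nil {
			return destroyed, err // report what was removed before the failure
		}
		destroyed = append(destroyed, v.Name)
	}
	return destroyed, nil
}
```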
@havetisyan havetisyan merged commit d46775c into master Mar 6, 2026
9 of 10 checks passed
@havetisyan havetisyan deleted the recent-versions branch March 6, 2026 18:16