feat(ipa): Add sensitive fields guidance in IPA-111 and OpenAPI markings in IPA-117#77
feat(ipa): Add sensitive fields guidance in IPA-111 and OpenAPI markings in IPA-117#77AgustinBettati wants to merge 4 commits into
Conversation
…ngs in IPA-117 CLOUDP-412562
AgustinBettati
force-pushed
the
CLOUDP-412562-ipa-111-117-sensitive-fields
branch
from
00bb50c to
c620d81
Compare
AgustinBettati
requested review from
andmatei,
andreaangiolillo,
drinkbird,
maks-m-mongo-leaf,
matt-condon,
saisundar and
wtrocki
|
|
||
| Some resource fields carry secrets — passwords, API keys, private credentials. | ||
| The API design **must** prevent accidental exposure of these values in | ||
| responses. Sensitive fields **must** be marked in OpenAPI so that consumers and |
There was a problem hiding this comment.
[nit] Marked seems vague and not actionable. Do we want to introduce password format?
There was a problem hiding this comment.
The new IPA-111-must-mark-sensitive-fields guideline now points to IPA-117 via dependsOn and shows format: password plus writeOnly: true in the examples, so the marking is concrete.
| the required annotations), and **must** follow one of the following | ||
| information-flow patterns: | ||
|
|
||
| - **Write-only.** The client submits the value on [Create](0106.mdx) (or |
There was a problem hiding this comment.
Can we change format to clearly indicate use cases:
Using given > then:
For use cases when when secret is set by client ... use Write-only....
For backend sent credentials...
Having those without entry conditions can lead to confusion as backend sent credentials (generated) are quite common and we do have active engagements where we will have more of those.
There was a problem hiding this comment.
The patterns are now split into atomic guidelines, each stating its entry condition: client supplied secrets use write only, server generated secrets use create response only. (taking big reference from your PR)
|
|
||
| - **Write-only.** The client submits the value on [Create](0106.mdx) (or | ||
| [Update](0107.mdx)) and the server **must not** return it in any response. | ||
| - **Reveal-once.** For values the client cannot retrieve later (e.g. |
There was a problem hiding this comment.
"Reveal" would apply more to UI rather than API.
If we handling credentials send by clients then we might not need it revealed (backend can return masked values if we want to). If backend generates password then it is only returned on create (POST) actions.
There was a problem hiding this comment.
Renamed the pattern to create response only across the guideline id, body, and references, since it names the actual API behaviour (returned in the Create response, excluded from Get and List)
| [Get](0104.mdx) or [List](0105.mdx) responses. Reveal-once is the sanctioned | ||
| exception to the [schema consistency rule](0101.mdx#resources). | ||
|
|
||
| When a masked representation of a sensitive field (e.g. `****` or a last-4 |
There was a problem hiding this comment.
This is likely handling case of updating user password? Can we introduce:
When updating user password..
There was a problem hiding this comment.
Added a write only password on Update example to the write only guideline
yelizhenden-mdb
left a comment
yelizhenden-mdb
left a comment
There was a problem hiding this comment.
General feedback: I noticed that most guidelines are currently written in paragraph form. We should structure them so they are lintable where applicable. Ideally, every sentence should function as a distinct, actionable guideline. Could you try refactoring this to follow that approach?
To echo @wtrocki's comment, using a 'Given
wtrocki
left a comment
wtrocki
left a comment
There was a problem hiding this comment.
Let's hold off with merge for now as team is wrapping refactor to the new format
|
Just saw Yeliz/Wojciechs comments after I already approved, sorry about that! The content is good, but I agree with the earlier comments that the format can be adjusted a bit to align with our efforts for the AI agent workflows |
Migrate PR #77 content into structured <Guideline> components per CONTRIBUTING.md. Addresses review feedback: atomic guidelines, enforcement prop, correct/incorrect examples, workflows. IPA-111: mark sensitive fields, write-only / reveal-once patterns, redacted sibling properties. IPA-117: use format:password on secrets, not on redacted siblings.
wtrocki
force-pushed
the
CLOUDP-412562-ipa-111-117-sensitive-fields
branch
from
c620d81 to
5c0f635
Compare
wtrocki
changed the title
|
Created #113 for your convinience. |
AgustinBettati
force-pushed
the
CLOUDP-412562-ipa-111-117-sensitive-fields
branch
from
5c0f635 to
c620d81
Compare
AgustinBettati
changed the title
…-117-sensitive-fields
- Rename reveal-once pattern to create-response-only (API-oriented term, avoids UI 'reveal' connotation) across guideline ID, body, and references. - Add a write-only password-on-Update example to illustrate the common user-credential case. - Set IPA-117 format:password guidelines to enforcement=review (secret identification is a semantic judgment, not deterministically lintable). CLOUDP-412562
|
@wtrocki thanks for #113. I rebased this PR onto main and adopted your component structure, so the two now carry the same atomic guidelines, examples, and workflows for IPA-111 and IPA-117. Differences on top of yours (besides address comments above):
I believe we can continue any adjustment on this PR (and close the related one). |
…riteOnly writeOnly excludes a field from all responses, including the Create response, so it cannot express a server-generated secret returned once on creation. Model it as readOnly on the Create response schema and absent from the Get and List schemas instead. CLOUDP-412562
wtrocki
left a comment
wtrocki
left a comment
There was a problem hiding this comment.
Awesome work!
Closed my PR as example.
[nit] I'm personally not 100% sure if we we need to have two separate IPA for similar terms, but I trust your judgement on this
4 participants
Formalizes how secret-carrying fields (passwords, API keys, credentials) are modeled.
****, last-4) must be modeled as a separate read-only redacted sibling property, never sharing the raw field's name.format: passwordon properties whose value is itself a secret; do not use it on redacted sibling properties.Ticket: CLOUDP-412562