Secrets Rotation: only write secret files if changed

[szh]

Desired Outcome

Overview:

For conjur secrets rotation functionality for push-to-file mode, the SP's pushtofile package needs to be able to detect changes in secret file content, and conditionally write secret files only if content has been changed since the last write of the file.

Notes:

• For security reasons, the previous content of the secret files should not be cached directly. Instead, we should keep a SHA-256 checksum of the file content to compare against.
• The SHA-256 checksum should not be updated until the secret file has been successfully written (i.e. updated).
• The processing of the pushToWriter() function can be modified to be:
  1. Parse the template for a secret group
  2. Render the secret file content to a bytes.Buffer (using tpl.Execute())
  3. Caclulate the SHA-256 checksum for the bytes.Buffer data
  4. If checksum differs from prefiously cached checksum, write the file
  5. If writing the file is successful, update the cached checksum with the new checksum

Implemented Changes

• Modified push to file logic to store the hash of each group's rendered content
• Before writing to the files, checks if the new content matches the previous hash and only writes if it's different

Connected Issue/Story

CyberArk internal issue link: ONYX-15541

Definition of Done

• P2F does not perform a file write if the content of the group hasn't changed
• P2F performs a file write if the rendered content changes, whether due to a secret or template change

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[diverdane]

Looks great, very nice job on the UT!!!

[diverdane]

Do we need to log an INFO level message here that an individual file has been written?

Or do we assume that the user will deduce that the secret file has been written if we don't see the No change in secret files, no secret files written for this file, but we do see the DAP/Conjur Secrets pushed to shared volume successfully at the very end of the refresh cycle?

[szh]

I don't think it's necessary to add a new log statement for this functionality. Nothing has changed in that scenario and the "Secrets pushed to shared volume" log at the end should be sufficient. I think it's more important to log if they aren't written since this could be a source of problems if, say, the secrets file was deleted.

[diverdane]

Makes sense. The only weird aspect is that the logs will continually show "Secrets pushed to shared volume" when they really aren't (after the first write). But then again, we don't want to make the logs too chatty either.

[codeclimate]

Code Climate has analyzed commit e54f879 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 89.2% (50% is the threshold).

This pull request will bring the total coverage in the repository to 92.5% (0.0% change).

View more on Code Climate.

[diverdane]

LGTM!