Skip to content

Secure handling and validation of protected secrets #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sellakumaran merged 2 commits into from
Jan 10, 2026
Merged

Secure handling and validation of protected secrets #150

sellakumaran merged 2 commits into from
Jan 10, 2026
+456 −124

Conversation

@sellakumaran
Copy link
Contributor

@sellakumaran sellakumaran commented Jan 9, 2026
edited
Loading

  • Validate existing client secrets for blueprints; create new secret only if invalid or expired
  • Decrypt protected secrets before writing to .env/appsettings.json for Python, Node.js, and .NET projects
  • Refactor FIC creation logic for clarity and idempotency
  • Lower log level for existing FIC detection to Debug
  • Add tests to verify correct decryption and writing of secrets for all supported platforms
  • Improves security, reliability, and test coverage of secret management

Fixes #148

@sellakumaran
Secure handling and validation of protected secrets
8864f19 
- Validate existing client secrets for blueprints; create new secret only if invalid or expired
- Decrypt protected secrets before writing to .env/appsettings.json for Python, Node.js, and .NET projects
- Refactor FIC creation logic for clarity and idempotency
- Lower log level for existing FIC detection to Debug
- Add tests to verify correct decryption and writing of secrets for all supported platforms
- Improves security, reliability, and test coverage of secret management
@sellakumaran sellakumaran requested a review from a team as a code owner January 9, 2026 20:43
Copilot AI review requested due to automatic review settings January 9, 2026 20:43
@sellakumaran sellakumaran requested a review from a team as a code owner January 9, 2026 20:43
Copilot AI reviewed Jan 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances secret management security by validating existing client secrets before creating new ones, properly decrypting protected secrets before writing them to configuration files, and refactoring Federated Identity Credential (FIC) creation logic for improved clarity and idempotency.

Key changes:

  • Implements client secret validation with retry logic to avoid unnecessary secret regeneration for existing blueprints
  • Adds secret decryption calls in ProjectSettingsSyncHelper for Python, Node.js, and .NET projects to ensure plaintext secrets are written to .env and appsettings.json files
  • Refactors FIC creation logic to use a unified code path for both new and existing blueprints, simplifying the implementation
  • Adds comprehensive test coverage for protected and unprotected secret handling across platforms

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
ProjectSettingsSyncHelperTests.cs Adds six new test methods verifying correct decryption and writing of protected/unprotected secrets for Python, Node.js, and .NET platforms
FederatedCredentialService.cs Changes log level from Information to Debug for existing FIC detection to reduce log noise
ProjectSettingsSyncHelper.cs Adds SecretProtectionHelper.UnprotectSecret calls to decrypt secrets before writing to .env files (Python/Node.js) with logger parameter additions
BlueprintSubcommand.cs Implements ValidateClientSecretAsync method for secret validation, adds conditional secret creation logic, and simplifies FIC creation with unified retry logic

@sellakumaran
Refactor secret validation; add test for unprotected secret
8a66380 
Refactored BlueprintSubcommand to decrypt secrets and create HttpClient outside the retry loop, improving efficiency and preventing socket exhaustion. Added a test to ProjectSettingsSyncHelperTests to verify that unprotected client secrets are written as-is to appsettings.json.
@sellakumaran sellakumaran merged commit d842342 into main Jan 10, 2026
5 checks passed
@sellakumaran sellakumaran deleted the users/sellak/envUpdate branch January 10, 2026 00:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@skg-marimuthu skg-marimuthu skg-marimuthu approved these changes

@mengyimicro mengyimicro mengyimicro approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

.env file clientsecret is encrypted

4 participants

@sellakumaran @skg-marimuthu @mengyimicro