Skip to content

Allow users to set a secrets.toml file in their home directory #6230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vdonato merged 1 commit into from
Mar 20, 2023
Merged

Allow users to set a secrets.toml file in their home directory #6230

vdonato merged 1 commit into from
Mar 20, 2023
+197 −62

Conversation

@vdonato
Copy link
Collaborator

@vdonato vdonato commented Mar 4, 2023
edited
Loading

📚 Context

As part of the upcoming st.connection feature, we thought that it'd be useful to allow
users to set secrets via a global ~/.streamlit/secrets.toml file along with the per-project
secrets.toml files that are supported today.

This works similarly to how config.toml files currently do: values set in the global
secrets.toml file are overwritten by those set in per-project files.

  • What kind of change does this PR introduce?

    • Feature

🧠 Description of Changes

  • This is a visible (user-facing) change

🧪 Testing Done

  • Added/Updated unit tests

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 4, 2023
View reviewed changes
lib/streamlit/runtime/secrets.py Outdated

Check notice

Code scanning / CodeQL

Unused global variable

The global variable 'secrets_singleton' is not used.
@vdonato vdonato force-pushed the global-secrets-toml-file branch 3 times, most recently from ff2351c to 2f9babd Compare March 7, 2023 00:30
@vdonato vdonato marked this pull request as ready for review March 7, 2023 00:31
vdonato
vdonato commented Mar 7, 2023
View reviewed changes
@tconkling tconkling self-requested a review March 7, 2023 19:11
tconkling
tconkling approved these changes Mar 7, 2023
View reviewed changes
Copy link
Contributor

@tconkling tconkling left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

I'm agnostic on this, but I wonder if we actually want "a local secrets file replaces the global secrets file" as opposed to "a local secrets file overrides the global secrets"?

I ask because my initial assumption was that the feature would use a "replace" (not "override") strategy for handling multiple secrets file. (I think "override" is a reasonable strategy as long as it doesn't violate user expectation in a dangerous way.) Should we get an opinion from Harsh or another security-minded eng?

@vdonato
Copy link
Collaborator Author

vdonato commented Mar 7, 2023
edited
Loading

I'm agnostic on this, but I wonder if we actually want "a local secrets file replaces the global secrets file" as opposed to "a local secrets file overrides the global secrets"?

Ah, yeah possibly. I chose the current behavior to be consistent with how config.toml files work, but we may want to be a bit more careful here due to the fact that we're dealing with user secrets. Will leave it up to @sfc-gh-jcarroll to make a decision (+would appreciate input from @sfc-gh-hpathak), and I can make adjustments to the behavior in case we want a local file to fully replace the global one.

@vdonato vdonato force-pushed the global-secrets-toml-file branch from 2f9babd to 8246f6d Compare March 8, 2023 00:07
@sfc-gh-jcarroll
Copy link
Contributor

sfc-gh-jcarroll commented Mar 8, 2023
edited
Loading

override vs replace

I made a quick straw poll here, but my thought was override - I think it's the most flexible/powerful and also consistent with other common tools like git, vscode and streamlit itself.

@sfc-gh-tsimons previously suggested surfacing to the developer if secrets are being drawn from multiple files. I think that would do a lot to mitigate the risk of accidentally leaking global secrets. Could we easily log to the developer if multiple files are found when the app launches (and/or when secret file changed, if we reload)? Something like:

Secrets found in both /Users/jcarroll/.streamlit/secrets.toml and /Users/jcarroll/python/streamlit/st-explore/.streamlit/secrets.toml. Loading both, local secrets will take precedence over global secrets.

@vdonato
Copy link
Collaborator Author

vdonato commented Mar 10, 2023

Could we easily log to the developer if multiple files are found when the app launches (and/or when secret file changed, if we reload)?

Yep, this should be a pretty easy change -- I can update this PR to log the message to stdout if we detect both files

@vdonato vdonato force-pushed the global-secrets-toml-file branch from 8246f6d to 9107198 Compare March 10, 2023 00:42
vdonato
vdonato commented Mar 10, 2023
View reviewed changes
lib/streamlit/runtime/secrets.py
Comment on lines +208 to +212
if len([p for p in self._file_paths if os.path.exists(p)]) > 1:
_LOGGER.info(
f"Secrets found in multiple locations: {', '.join(self._file_paths)}. "
"When multiple secret.toml files exist, local secrets will take precedence over global secrets."
)
Copy link
Collaborator Author

@vdonato vdonato Mar 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sfc-gh-jcarroll heads up that I tweaked the message wording slightly because the way this code is implemented now allows us to watch an arbitrary list of secrets.toml files.

I think it's quite unlikely that we'll ever want to watch more than 2, but on the off chance that we do it seems worth it to me to make the error message not refer to an exact number

@vdonato
Copy link
Collaborator Author

vdonato commented Mar 13, 2023

Manual testing looked fine to me on both Windows and MacOS -- should be good to merge once some security process wraps up

@sfc-gh-jcarroll
Copy link
Contributor

sfc-gh-jcarroll commented Mar 13, 2023

3 out of 3 votes for "Override" rather than "replace" in the case of multiple files from our resident power users ✅

@vdonato vdonato added the security-assessment-completed Security assessment has been completed for PR label Mar 15, 2023
@vdonato vdonato merged commit ab4794d into streamlit:develop Mar 20, 2023
@vdonato vdonato deleted the global-secrets-toml-file branch March 20, 2023 21:20
tconkling added a commit to tconkling/streamlit that referenced this pull request Mar 20, 2023
@tconkling
Merge branch 'develop' into tim/SendMessageToHostInterface
e41a0c4 
* develop:
  Tweak no-else-return config options (streamlit#6343)
  Allow users to set a secrets.toml file in their home directory (streamlit#6230)
  Add support for number and boolean types in categorical columns (streamlit#6248)
tconkling added a commit to tconkling/streamlit that referenced this pull request Mar 27, 2023
@tconkling
Merge branch 'develop' into tim/StubOutStreamlitView
6b8aaee 
* develop:
  StreamlitEndpoints.buildMediaURL (streamlit#6366)
  Set a default for RuntimeConfig.cache_storage_manager (streamlit#6361)
  FullScreenWrapper: add a type declaration for react context usage (streamlit#6364)
  Improve st.help (and st.write's usage of st.help!) (streamlit#5857)
  Fix regression with query_params  (streamlit#6348)
  Have util.calc_md5 also take bytes (streamlit#6358)
  Improve deploy button (streamlit#6223)
  Return whether a secrets.toml file is successfully parsed (streamlit#6333)
  Add `.webp` to list of safe static file extensions (streamlit#6331)
  AppContext docstrings (streamlit#6353)
  fix: upgrade command-line-args from 5.0.2 to 5.2.1 (streamlit#6258)
  fix: upgrade flatbuffers from 1.11.0 to 1.12.0 (streamlit#6259)
  sendMessageToHost: no longer a global function (streamlit#6345)
  Tweak no-else-return config options (streamlit#6343)
  Allow users to set a secrets.toml file in their home directory (streamlit#6230)
  Add support for number and boolean types in categorical columns (streamlit#6248)
  Add support for period type in st.table and st.dataframe (streamlit#5429)
  Add ability to turn off anchors (streamlit#6158)
  Add sqlalchemy mypy types to test-requirements.txt (streamlit#6329)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@sfc-gh-jcarroll sfc-gh-jcarroll sfc-gh-jcarroll left review comments

@tconkling tconkling tconkling approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

security-assessment-completed Security assessment has been completed for PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vdonato @sfc-gh-jcarroll @tconkling