ensure node secret ID is not included in event stream (#9510)

2026-01-04 17:35:43 +03:00 · 2020-12-03 12:27:14 -05:00
parent 6318a8ac7b
commit 800d56609d
3 changed files with 64 additions and 5 deletions
--- a/nomad/state/events.go
+++ b/nomad/state/events.go
@@ -80,11 +80,16 @@ func eventFromChange(change memdb.Change) (structs.Event, bool) {
 			if !ok {
 				return structs.Event{}, false
 			}
+
+			// Node secret ID should not be included
+			node := before.Copy()
+			node.SecretID = ""
+
 			return structs.Event{
 				Topic: structs.TopicNode,
-				Key:   before.ID,
+				Key:   node.ID,
 				Payload: &structs.NodeStreamEvent{
-					Node: before,
+					Node: node,
 				},
 			}, true
 		}
@@ -175,11 +180,16 @@ func eventFromChange(change memdb.Change) (structs.Event, bool) {
 		if !ok {
 			return structs.Event{}, false
 		}
+
+		// Node secret ID should not be included
+		node := after.Copy()
+		node.SecretID = ""
+
 		return structs.Event{
 			Topic: structs.TopicNode,
-			Key:   after.ID,
+			Key:   node.ID,
 			Payload: &structs.NodeStreamEvent{
-				Node: after,
+				Node: node,
 			},
 		}, true
 	case "deployment":
--- a/nomad/state/events_test.go
+++ b/nomad/state/events_test.go
@@ -39,7 +39,57 @@ func TestEventFromChange_SingleEventPerTable(t *testing.T) {
 	out := eventsFromChanges(s.db.ReadTxn(), changes)
 	require.Len(t, out.Events, 1)
 	require.Equal(t, out.Events[0].Type, structs.TypeJobRegistered)
+}

+// TestEventFromChange_NodeSecretID ensures that a node's secret ID is not
+// included in a node event
+func TestEventFromChange_NodeSecretID(t *testing.T) {
+	t.Parallel()
+	s := TestStateStoreCfg(t, TestStateStorePublisher(t))
+	defer s.StopEventBroker()
+
+	node := mock.Node()
+	require.NotEmpty(t, node.SecretID)
+
+	// Create
+	changes := Changes{
+		Index:   100,
+		MsgType: structs.NodeRegisterRequestType,
+		Changes: memdb.Changes{
+			{
+				Table:  "nodes",
+				Before: nil,
+				After:  node,
+			},
+		},
+	}
+
+	out := eventsFromChanges(s.db.ReadTxn(), changes)
+	require.Len(t, out.Events, 1)
+
+	nodeEvent, ok := out.Events[0].Payload.(*structs.NodeStreamEvent)
+	require.True(t, ok)
+	require.Empty(t, nodeEvent.Node.SecretID)
+
+	// Delete
+	changes = Changes{
+		Index:   100,
+		MsgType: structs.NodeDeregisterRequestType,
+		Changes: memdb.Changes{
+			{
+				Table:  "nodes",
+				Before: node,
+				After:  nil,
+			},
+		},
+	}
+
+	out2 := eventsFromChanges(s.db.ReadTxn(), changes)
+	require.Len(t, out2.Events, 1)
+
+	nodeEvent2, ok := out2.Events[0].Payload.(*structs.NodeStreamEvent)
+	require.True(t, ok)
+	require.Empty(t, nodeEvent2.Node.SecretID)
 }

 func TestEventsFromChanges_DeploymentUpdate(t *testing.T) {
--- a/website/pages/api-docs/events.mdx
+++ b/website/pages/api-docs/events.mdx
@@ -126,7 +126,6 @@ http://127.0.0.1:4646/v1/event/stream
      "Payload": {
        "Node": {
          "ID": "ccc4ce56-7f0a-4124-b8b1-a4015aa82c40",
-          "SecretID": "089437c0-db81-6622-5490-9d7f9203dae5",
          "Datacenter": "dc1",
          "Name": "nomad-4",
          "HTTPAddr": "127.0.0.1:4646",