[pdm-devel] [PATCH datacenter-manager 3/3] remote config: shadow token secrets when saving

Mon Dec 1 15:39:57 CET 2025

On Mon Dec 1, 2025 at 10:29 AM CET, Fabian Grünbichler wrote:
> but only if the to-be-saved config contains at least one non-shadowed entry, to
> avoid unnecessary work.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>  lib/pdm-config/src/remotes.rs | 39 +++++++++++++++++++++++++++++++++--
>  1 file changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/lib/pdm-config/src/remotes.rs b/lib/pdm-config/src/remotes.rs
> index 93f80eb..677981f 100644
> --- a/lib/pdm-config/src/remotes.rs
> +++ b/lib/pdm-config/src/remotes.rs
> @@ -3,7 +3,7 @@
>  //! Make sure to call [`init`] to inject a concrete `RemoteConfig` instance
>  //! before calling the [`lock_config`], [`config`] or [`save_config`] functions.
>  
> -use std::sync::OnceLock;
> +use std::{collections::HashMap, sync::OnceLock};
>  
>  use anyhow::{bail, Error};
>  
> @@ -86,7 +86,42 @@ impl RemoteConfig for DefaultRemoteConfig {
>          Ok((data, digest.into()))
>      }
>  
> -    fn save_config(&self, config: SectionConfigData<Remote>) -> Result<(), Error> {
> +    fn save_config(&self, mut config: SectionConfigData<Remote>) -> Result<(), Error> {
> +        let mut new_shadow_entries = HashMap::new();
> +        for (id, remote) in config.iter() {
> +            if remote.token != "-" {
> +                new_shadow_entries.insert(
> +                    id.to_string(),
> +                    RemoteShadow {
> +                        ty: remote.ty,
> +                        id: remote.id.clone(),
> +                        token: remote.token.clone(),
> +                    },
> +                );
> +            }
> +        }
> +
> +        // only read and modify shadow config if needed
> +        if !new_shadow_entries.is_empty() {
> +            let shadow_content =
> +                proxmox_sys::fs::file_read_optional_string(REMOTES_SHADOW_FILENAME)?
> +                    .unwrap_or_default();
> +
> +            let mut shadow_config =
> +                RemoteShadow::parse_section_config(REMOTES_SHADOW_FILENAME, &shadow_content)?;
> +
> +            for (id, shadow_entry) in new_shadow_entries.into_iter() {
> +                if let Some(remote) = config.get_mut(&id) {
> +                    remote.token = '-'.to_string();
> +                }
> +                shadow_config.insert(id, shadow_entry);
> +            }
> +            let raw = RemoteShadow::write_section_config(REMOTES_SHADOW_FILENAME, &shadow_config)?;
> +            replace_config(REMOTES_SHADOW_FILENAME, raw.as_bytes())?;
> +        }
> +
> +        // only write out remote.cfg with potentially new shadowed entries
> +        // if shadow file was successfully written!
>          let raw = Remote::write_section_config(REMOTES_CFG_FILENAME, &config)?;
>          replace_config(REMOTES_CFG_FILENAME, raw.as_bytes())
>      }

Right we don't clean up tokens secrets for remotes that have been
removed. I guess we could 'garbage-collect' the shadow file when saving,
removing all entries that don't have a matching section in remotes.cfg?