The configure pragma's defaults are the empty string since there's no workable default for the Twilio keys. You can see that those variables are referenced in the send_sms() action to create the base URL for the Twilio call.

We avoid putting the keys in the module for two reasons:

  1. Putting keys in the module is a security risk since the file may be inadvertently shared or otherwise exposed.

  2. The module should be general purpose, so that it can be used for more than one account. By not putting secrets in the module, we enable it to be used by multiple rulesets with their own keys.

Warning

Security Warning

Don't put keys in rulesets that are publicly hosted, on GitHub for example.

We use a parameterized module by declaring its use in the meta block of the ruleset that wants to use the module. The use pragma allows parameters to be supplied for configuration variables. The following shows a ruleset that uses the Twilio module. 

Code Block
languagejs
ruleset io.picolabs.use_twilio_v2 {
  meta {
    use module io.picolabs.twilio_v2 alias twilio
        with account_sid = meta:rulesetConfig{"account_sid"}
             auth_token = meta:rulesetConfig{"auth_token"}
  }

  rule test_send_sms {
    select when test new_message
    twilio:send_sms(event:attr("to"),
                    event:attr("from"),
                    event:attr("message")
                   )
  }
}

This pattern uses meta:rulesetConfig() to get information from the configuration data when the ruleset is installed. It passes that information to the module in the use pragma.

The keys can also be declared in the ruleset itself with a key pragma:

Code Block
languagejs
ruleset io.picolabs.use_twilio_v2 {
  meta {
    key twilio {
          "account_sid": "<your SID goes here>",
          "auth_token" : "<your auth token goes here>"
    }
    use module io.picolabs.twilio_v2 alias twilio
        with account_sid = keys:twilio{"account_sid"}
             auth_token =  keys:twilio{"auth_token"}
  }

  rule test_send_sms {
    select when test new_message
    twilio:send_sms(event:attr("to"),
                    event:attr("from"),
                    event:attr("message")
                   )
  }
}

By putting the keys in a key pragma, we tell the KRL parser and interpreter that they are keys so that they can take greater care. For example, they could be automatically redacted when shared.

Warning

Security Warning

Don't put keys in rulesets that are publicly hosted, on GitHub for example. Any ruleset containing keys must be carefully stored so that only authorized parties can see them. See the Security Considerations section of the KRL documentation on keys for more information.

But, putting the keys in the ruleset means that it can't be publicly hosted and we have to take special care to ensure the keys aren't exposed. Consequently, best practice is to store keys in a module specifically designed for keys. That way, you only have to be careful with modules you are aware have keys. 

We can do this by defining a keys module that only contains keys. The provides keys pragma limits which keys are shared with which module for security. 

Code Block
languagejs
ruleset io.picolabs.lesson_keys {
  meta {
    key twilio {
          "account_sid": "<your account SID here>",  
          "auth_token" : "<your auth token here>" 
    }
    provides keys twilio to io.picolabs.use_twilio_v2
  }
}

We modify the preceding ruleset using the keys to load this ruleset as a module like so:

Code Block
languagejs
ruleset io.picolabs.use_twilio_v2 {
  meta {
    use module io.picolabs.lesson_keys
    use module io.picolabs.twilio_v2 alias twilio
        with account_sid = keys:twilio{"account_sid"}
             auth_token =  keys:twilio{"auth_token"}
  }

  rule test_send_sms {
    select when test new_message
    twilio:send_sms(event:attr("to"),
                    event:attr("from"),
                    event:attr("message")
                   )
  }
}

For this to work, the module containing the keys must be registered as io.picolabs.lesson_keys because that's the name of the module we load. The ruleset using the keys must be registered as io.picolabs.use_twilio_v2 since that's the name of the ruleset the keys are provided to in the provides keys pragma. You can store the ruleset containing the keys on AWS S3 behind a private URL, on a Web server with Basic Auth, or using some other scheme that will protect it from viewing by people who would steal the keys. The ruleset using the keys can be stored at a public URL.
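
A pre-publication check for the rules above, as an added example in JavaScript (not Pico Labs code): it flags any ruleset that declares a key pragma and verifies that the keys module provides each key the consuming ruleset references to that ruleset's registered name. The function names, the regex-based parsing, and the sample strings are assumptions made for illustration.

```javascript
// Lint KRL source before a ruleset is published. The regexes cover only the
// pragma forms shown on this page (comma-separated lists are an assumption).
function auditRuleset(src) {
  const rid = (src.match(/\bruleset\s+([\w.]+)\s*\{/) || [])[1] || null;
  const hasRules = /\brule\s+\w+\s*\{/.test(src);
  const keys = Object.create(null);
  // key <name> { "field": "value", ... }
  for (const m of src.matchAll(/\bkey\s+(\w+)\s*\{([^}]*)\}/g)) {
    const fields = [...m[2].matchAll(/"([^"]+)"\s*:/g)].map((f) => f[1]);
    keys[m[1]] = { fields, providedTo: [] };
  }
  // provides keys <name>[, <name>] to <rid>[, <rid>]
  const prov = /\bprovides\s+keys\s+(\w+(?:\s*,\s*\w+)*)\s+to\s+([\w.]+(?:\s*,\s*[\w.]+)*)/g;
  for (const m of src.matchAll(prov)) {
    for (const name of m[1].split(/\s*,\s*/)) {
      if (keys[name]) keys[name].providedTo.push(...m[2].split(/\s*,\s*/));
    }
  }
  // keys:<name>{...} references made by a ruleset that consumes keys
  const uses = [...new Set([...src.matchAll(/\bkeys:(\w+)\s*\{/g)].map((m) => m[1]))];
  const findings = [];
  for (const name of Object.keys(keys)) {
    findings.push(`${rid}: declares key "${name}", host this file privately`);
    if (hasRules) findings.push(`${rid}: key "${name}" sits beside rules, move it to a keys-only module`);
  }
  return { rid, hasRules, keys, uses, findings };
}
// Names of keys the consumer references that the keys module does not provide to its RID.
function missingProvisions(keysModuleSrc, consumerSrc) {
  const mod = auditRuleset(keysModuleSrc);
  const user = auditRuleset(consumerSrc);
  return user.uses.filter((n) => !(mod.keys[n] && mod.keys[n].providedTo.includes(user.rid)));
}
// Constructed sample input modeled on the rulesets above (placeholder values only).
const KEYS_MODULE = `ruleset io.picolabs.lesson_keys {
  meta {
    key twilio { "account_sid": "<sid>", "auth_token": "<token>" }
    provides keys twilio to io.picolabs.use_twilio_v2
  }
}`;
const CONSUMER = `ruleset io.picolabs.use_twilio_v2 {
  meta {
    use module io.picolabs.lesson_keys
    use module io.picolabs.twilio_v2 alias twilio
        with account_sid = keys:twilio{"account_sid"}
             auth_token = keys:twilio{"auth_token"}
  }
  rule test_send_sms { select when test new_message }
}`;
```

An empty result from missingProvisions(KEYS_MODULE, CONSUMER) means the registered names line up; a non-empty result lists the keys the consumer would not receive.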