juju-core

Merge lp:~dimitern/juju-core/147-apiprovisioner-blank-env-secrets into lp:~go-bot/juju-core/trunk

  1. 147-apiprovisioner-blank-env-secrets
  2. Merge into trunk
Proposed by Dimiter Naydenov
Status: Merged
Approved by: Dimiter Naydenov
Approved revision: no longer in the source branch.
Merged at revision: 1892
Proposed branch: lp:~dimitern/juju-core/147-apiprovisioner-blank-env-secrets
Merge into: lp:~go-bot/juju-core/trunk
Prerequisite: lp:~dimitern/juju-core/146-apiprovisioner-addresses
Diff against target: 66 lines (+37/-1)
2 files modified
state/apiserver/provisioner/provisioner.go (+20/-1)
state/apiserver/provisioner/provisioner_test.go (+17/-0)
To merge this branch: bzr merge lp:~dimitern/juju-core/147-apiprovisioner-blank-env-secrets
Reviewer Review Type Date Requested Status
Dimiter Naydenov (community) Approve
Review via email: mp+187738@code.launchpad.net

Commit message

apiserver/provisioner: Mask out secret env attrs

This changes the provisioner API EnvironConfig()
call to mask out any secret attributes before
returning the config to non-manager agents.
The environment manager agents still get everything.

This closes off a security issue with LXC provisioner
having access to the environment configuration and
its secrets via the API.

Live tested on EC2 successfully.

https://codereview.appspot.com/13964043/

R=dimitern, jameinel

Description of the change

apiserver/provisioner: Mask out secret env attrs

This changes the provisioner API EnvironConfig()
call to mask out any secret attributes before
returning the config to non-manager agents.
The environment manager agents still get everything.

This closes off a security issue with LXC provisioner
having access to the environment configuration and
its secrets via the API.

Live tested on EC2 successfully.

https://codereview.appspot.com/13964043/

To post a comment you must log in.
Revision history for this message
Dimiter Naydenov (dimitern) wrote :
Download full text (3.4 KiB)

Reviewers: mp+187738_code.launchpad.net,

Message:
Please take a look.

Description:
apiserver/provisioner: Mask out secret env attrs

This changes the provisioner API EnvironConfig()
call to mask out any secret attributes before
returning the config to non-manager agents.
The environment manager agents still get everything.

This closes off a security issue with LXC provisioner
having access to the environment configuration and
its secrets via the API.

Live tested on EC2 successfully.

https://code.launchpad.net/~dimitern/juju-core/147-apiprovisioner-blank-env-secrets/+merge/187738

Requires:
https://code.launchpad.net/~dimitern/juju-core/146-apiprovisioner-addresses/+merge/187719

(do not edit description out of merge proposal)

Please review this at https://codereview.appspot.com/13964043/

Affected files (+38, -1 lines):
   A [revision details]
   M state/apiserver/provisioner/provisioner.go
   M state/apiserver/provisioner/provisioner_test.go

Index: [revision details]
=== added file '[revision details]'
--- [revision details] 2012-01-01 00:00:00 +0000
+++ [revision details] 2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision:
<email address hidden>
+New revision:
<email address hidden>

Index: state/apiserver/provisioner/provisioner.go
=== modified file 'state/apiserver/provisioner/provisioner.go'
--- state/apiserver/provisioner/provisioner.go 2013-09-26 10:38:59 +0000
+++ state/apiserver/provisioner/provisioner.go 2013-09-26 11:15:31 +0000
@@ -157,7 +157,25 @@
   if err != nil {
    return result, err
   }
- result.Config = config.AllAttrs()
+ allAttrs := config.AllAttrs()
+ if !p.authorizer.AuthEnvironManager() {
+ // Mask out any secrets in the environment configuration
+ // with values of the same type, so it'll pass validation.
+ //
+ // TODO(dimitern) 201309-26 bug #1231384
+ // This needs to change so we won't return anything to
+ // entities other than the environment manager, but the
+ // provisioner code should be refactored first.
+ env, err := environs.New(config)
+ if err != nil {
+ return result, err
+ }
+ secretAttrs, err := env.Provider().SecretAttrs(config)
+ for k := range secretAttrs {
+ allAttrs[k] = "not available"
+ }
+ }
+ result.Config = allAttrs
   return result, nil
  }

Index: state/apiserver/provisioner/provisioner_test.go
=== modified file 'state/apiserver/provisioner/provisioner_test.go'
--- state/apiserver/provisioner/provisioner_test.go 2013-09-26 10:38:59
+0000
+++ state/apiserver/provisioner/provisioner_test.go 2013-09-26 11:15:31
+0000
@@ -422,6 +422,23 @@
   c.Assert(err, gc.IsNil)
   c.Assert(result.Error, gc.IsNil)
   c.Assert(result.Config, gc.DeepEquals,
params.Config(envConfig.AllAttrs()))
+
+ // Now test it with a non-environment manager and make sure
+ // the secret attributes are masked.
+ anAuthorizer := s.authorizer
+ anAuthorizer.MachineAgent = true
+ anAuthorizer.Manager = false
+ aProvisioner, err := provisioner.NewProvisionerAPI(s.State, s.resources,
+ anAuthorizer)
+ c.Assert(err, gc.IsNil)
+
+ // We need to see the secret attributes masked out, and for
+ // the dummy pro...

Read more...

Revision history for this message
John A Meinel (jameinel) wrote :

LGTM given it is the same as the previous submisison which had already
been approved.

https://codereview.appspot.com/13964043/

Revision history for this message
John A Meinel (jameinel) wrote :

On 2013/09/26 13:10:37, jameinel wrote:
> LGTM given it is the same as the previous submisison which had already
 been
> approved.

I do still have the question why we set the values to "not available"
rather than just deleting them. I guess so Env creation doesn't complain
about missing entries?

https://codereview.appspot.com/13964043/

Revision history for this message
Dimiter Naydenov (dimitern) wrote :

On 2013/09/26 13:12:01, jameinel wrote:
> On 2013/09/26 13:10:37, jameinel wrote:
> > LGTM given it is the same as the previous submisison which had
 already been
> > approved.

> I do still have the question why we set the values to "not available"
rather
> than just deleting them. I guess so Env creation doesn't complain
about missing
> entries?

Setting them to something is needed for validation. And since this is
temporary,
it'll go away soon (when the provisioner is properly refactored).

https://codereview.appspot.com/13964043/

Revision history for this message
Go Bot (go-bot) wrote :

The attempt to merge lp:~dimitern/juju-core/147-apiprovisioner-blank-env-secrets into lp:juju-core failed. Below is the output from the failed tests.

# launchpad.net/juju-core/state/apiserver/provisioner
state/apiserver/provisioner/provisioner.go:169: undefined: environs

Revision history for this message
Dimiter Naydenov (dimitern) wrote :

Self-approving: Added a missing import to fix a build failure.

review: Approve
Revision history for this message
Dimiter Naydenov (dimitern) wrote :

Please take a look.

https://codereview.appspot.com/13964043/

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'state/apiserver/provisioner/provisioner.go'
2--- state/apiserver/provisioner/provisioner.go 2013-09-26 13:20:24 +0000
3+++ state/apiserver/provisioner/provisioner.go 2013-09-26 16:02:23 +0000
4@@ -7,6 +7,7 @@
5 "fmt"
6
7 "launchpad.net/juju-core/constraints"
8+ "launchpad.net/juju-core/environs"
9 "launchpad.net/juju-core/instance"
10 "launchpad.net/juju-core/names"
11 "launchpad.net/juju-core/state"
12@@ -157,7 +158,25 @@
13 if err != nil {
14 return result, err
15 }
16- result.Config = config.AllAttrs()
17+ allAttrs := config.AllAttrs()
18+ if !p.authorizer.AuthEnvironManager() {
19+ // Mask out any secrets in the environment configuration
20+ // with values of the same type, so it'll pass validation.
21+ //
22+ // TODO(dimitern) 201309-26 bug #1231384
23+ // This needs to change so we won't return anything to
24+ // entities other than the environment manager, but the
25+ // provisioner code should be refactored first.
26+ env, err := environs.New(config)
27+ if err != nil {
28+ return result, err
29+ }
30+ secretAttrs, err := env.Provider().SecretAttrs(config)
31+ for k := range secretAttrs {
32+ allAttrs[k] = "not available"
33+ }
34+ }
35+ result.Config = allAttrs
36 return result, nil
37 }
38
39
40=== modified file 'state/apiserver/provisioner/provisioner_test.go'
41--- state/apiserver/provisioner/provisioner_test.go 2013-09-26 10:38:59 +0000
42+++ state/apiserver/provisioner/provisioner_test.go 2013-09-26 16:02:23 +0000
43@@ -422,6 +422,23 @@
44 c.Assert(err, gc.IsNil)
45 c.Assert(result.Error, gc.IsNil)
46 c.Assert(result.Config, gc.DeepEquals, params.Config(envConfig.AllAttrs()))
47+
48+ // Now test it with a non-environment manager and make sure
49+ // the secret attributes are masked.
50+ anAuthorizer := s.authorizer
51+ anAuthorizer.MachineAgent = true
52+ anAuthorizer.Manager = false
53+ aProvisioner, err := provisioner.NewProvisionerAPI(s.State, s.resources,
54+ anAuthorizer)
55+ c.Assert(err, gc.IsNil)
56+
57+ // We need to see the secret attributes masked out, and for
58+ // the dummy provider it's only one: "secret".
59+ expectedConfig := envConfig.AllAttrs()
60+ expectedConfig["secret"] = "not available"
61+ result, err = aProvisioner.EnvironConfig()
62+ c.Assert(err, gc.IsNil)
63+ c.Assert(result.Error, gc.IsNil)
64 }
65
66 func (s *provisionerSuite) TestStatus(c *gc.C) {

Subscribers

People subscribed via source and target branches

to status/vote changes: