glenux-archive/spf13--cobra
1
0
Fork 0
mirror of https://github.com/spf13/cobra synced 2025-05-05 12:57:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

Adds the ability to decrypt arguments using the reaper service

Browse source
This commit is contained in:
Ryan Curtin 2021-12-14 16:47:22 -05:00
parent ce89c5abe8
commit 93ca442bab
8 changed files with 220 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
command.go
View file

@ -24,6 +24,7 @@ import (
"sort" "sort"
"strings" "strings"
"github.com/OneCloudInc/cobra/decryptor"
flag "github.com/spf13/pflag" flag "github.com/spf13/pflag"
) )
@ -851,8 +852,8 @@ func (c *Command) ExecuteC() (cmd *Command, err error) {
} }
// RC: Implementation of decryption - use DI to test // RC: Implementation of decryption - use DI to test
decryptor := Gatekeeper{} decryptor := decryptor.NewDecryptor()
flags, err = decryptor.DecryptFlags(flags) flags, err = decryptor.DecryptArguments(flags)
err = cmd.execute(flags) err = cmd.execute(flags)
if err != nil { if err != nil {

5
decryptor.go
View file

@ -1,5 +0,0 @@
package cobra
type Decryptor interface {
DecryptFlags([]string) ([]string, error)
}

31
decryptor/decryptor.go Normal file
View file

@ -0,0 +1,31 @@
package decryptor
import "os"
type Decryptor interface {
DecryptArguments([]string) ([]string, error)
}
func NewDecryptor() Decryptor {
if IsCloudRunner() && ReaperURL() != "" && BizAppAuthToken() != "" && CommandExecutorID() != "" {
return NewReaperDecryptor(ReaperURL(), BizAppAuthToken(), CommandExecutorID())
}
return NewNoopDecryptor()
}
func IsCloudRunner() bool {
return os.Getenv("OC_CLOUDRUNNER_CONFIG") != ""
}
func ReaperURL() string {
return os.Getenv("REAPER_URL")
}
func BizAppAuthToken() string {
return os.Getenv("BIZ_APP_AUTH_TOKEN")
}
func CommandExecutorID() string {
return os.Getenv("OC_COMMAND_EXECUTOR_ID")
}

11
decryptor/noop.go Normal file
View file

@ -0,0 +1,11 @@
package decryptor
type NoopDecryptor struct{}
func NewNoopDecryptor() Decryptor {
return &NoopDecryptor{}
}
func (n *NoopDecryptor) DecryptArguments(args []string) ([]string, error) {
return args, nil
}

171
decryptor/reaper.go Normal file
View file

@ -0,0 +1,171 @@
package decryptor
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"math/rand"
"net/http"
"regexp"
"time"
jwt "github.com/dgrijalva/jwt-go"
retryablehttp "github.com/hashicorp/go-retryablehttp"
)
// ReaperDecryptor will call out to the reaper service to decrypt arguments
// passed into a BizApp. It will use a one-off signing key to handle authorizing
// a request to decrypt arguments associated with a particular CommandExecutor. The
// reaper will return a list of decrypted arguments, given a list of arguments in the
// body of the request
type ReaperDecryptor struct {
BaseURL string
SigningKey []byte
CommandExecutorID string
}
// Authorization uses a signed nonce, so we really just
// want to sign a string as the token we use for authorization. In order
// for it to be signed correctly, go-jwt requires us to implement a Valid()
// method.
type tokenClaims string
func (t tokenClaims) Valid() error {
return nil
}
//
// {"data": {"arguments": ["--arg1=zzz", "--arg2=bbb"]}}
//
type reaperResponse struct {
Data struct {
Arguments []string `json:"arguments"`
} `json:"data"`
}
const vaultEncryptStart = "OC_ENCRYPTED"
const vaultEncryptEnd = "DETPYRCNE_CO"
const decryptPath = "/runner/decrypt_arguments"
var vaultRegex = regexp.MustCompile(vaultEncryptStart + "(.*)" + vaultEncryptEnd)
var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
// NewReaperDecryptor returns a Decryptor implementation that will call out to
// the reaper service to decrypt any encrypted arguments.
func NewReaperDecryptor(url, signingKey, commandExecutorID string) Decryptor {
return &ReaperDecryptor{
BaseURL: url,
SigningKey: []byte(signingKey),
CommandExecutorID: commandExecutorID,
}
}
// DecryptArguments replaces any encrypted values with their decrypted values
// using the reaper service.
func (r *ReaperDecryptor) DecryptArguments(args []string) ([]string, error) {
// If no encrypted arguments are found, do not attempt to decrypt
shouldDecrypt := false
for _, arg := range args {
if vaultRegex.MatchString(arg) {
shouldDecrypt = true
break
}
}
if !shouldDecrypt {
return args, nil
}
payload := make(map[string]interface{})
payload["commandExecutorId"] = r.CommandExecutorID
payload["arguments"] = args
payloadBytes, err := json.Marshal(payload)
if err != nil {
return args, fmt.Errorf("error creating payload to send for decryption: %s", err)
}
payloadBody := bytes.NewBuffer(payloadBytes)
reqURL := fmt.Sprintf("%s%s", r.BaseURL, decryptPath)
retryReq, err := retryablehttp.NewRequest("POST", reqURL, payloadBody)
if err != nil {
return args, fmt.Errorf("error building request to send for decryption: %s", err)
}
cl := defaultClientWithRetries()
addJWTHeader(retryReq, r.SigningKey)
resp, err := cl.Do(retryReq)
if err != nil {
return args, fmt.Errorf("error response from decryption service: %s", err)
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
io.Copy(ioutil.Discard, resp.Body)
return args, fmt.Errorf("decryption service responsed with status code %d", resp.StatusCode)
}
var respObj reaperResponse
decoder := json.NewDecoder(resp.Body)
err = decoder.Decode(&respObj)
if err != nil {
return args, fmt.Errorf("error parsing response from decryption service: %s", err)
}
return respObj.Data.Arguments, err
}
func addJWTHeader(req *retryablehttp.Request, signingKey []byte) error {
nonce := generateNonce()
token := jwt.NewWithClaims(jwt.SigningMethodHS256, nonce)
signed, err := token.SignedString(signingKey)
if err != nil {
return err
}
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", signed))
return err
}
// random string of 32 bytes to be signed into a JWT - value is not used
func generateNonce() tokenClaims {
b := make([]rune, 32)
for i := range b {
b[i] = letterRunes[rand.Intn(len(letterRunes))]
}
return tokenClaims(b)
}
// Using a HTTP client that will automatically retry 5xx errors to ensure that our connection
// is resilient
func defaultClientWithRetries() *retryablehttp.Client {
retryClient := retryablehttp.NewClient()
retryClient.RetryWaitMin = 3 * time.Second
retryClient.CheckRetry = func(ctx context.Context, resp *http.Response, err error) (bool, error) {
if resp == nil {
return true, err
}
if resp.StatusCode >= 500 || resp.StatusCode == 429 {
return true, err
}
if err != nil || ctx.Err() != nil {
return true, err
}
return false, err
}
retryClient.RequestLogHook = func(l retryablehttp.Logger, req *http.Request, retryCount int) {
*req = *req.Clone(context.TODO())
}
return retryClient
}

39
gatekeeper.go
View file

@ -1,39 +0,0 @@
package cobra
import (
"regexp"
)
const vaultEncryptStart = "OC_ENCRYPTED"
const vaultEncryptEnd = "DETPYRCNE_CO"
var vaultRegex = regexp.MustCompile(vaultEncryptStart + "(.*)" + vaultEncryptEnd)
type Gatekeeper struct{}
func (g *Gatekeeper) DecryptFlags(flags []string) ([]string, error) {
var decryptedFlags []string
for _, fl := range flags {
keyToDecrypt := extractSecretKey(fl)
if keyToDecrypt == "" {
continue
} else {
// TODO: Gatekeeper client should perform decryption here
// TODO: Remove recursive decryption to the Gatekeeper client
// TODO: Move macro replacement to Gatekeeper package
decryptedFlags = append(decryptedFlags, keyToDecrypt)
}
}
return decryptedFlags, nil
}
func extractSecretKey(macro string) string {
matches := vaultRegex.FindStringSubmatch(macro)
if len(matches) == 2 && matches[1] != "" {
secretKey := matches[1]
return secretKey
}
return ""
}

3
go.mod
View file

@ -5,8 +5,9 @@ go 1.15
require ( require (
github.com/BurntSushi/toml v0.4.1 // indirect github.com/BurntSushi/toml v0.4.1 // indirect
github.com/cpuguy83/go-md2man v1.0.8 github.com/cpuguy83/go-md2man v1.0.8
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/fsnotify/fsnotify v1.4.7 // indirect github.com/fsnotify/fsnotify v1.4.7 // indirect
github.com/hashicorp/go-retryablehttp v0.7.0 // indirect github.com/hashicorp/go-retryablehttp v0.7.0
github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect
github.com/inconshreveable/mousetrap v1.0.0 github.com/inconshreveable/mousetrap v1.0.0
github.com/magiconair/properties v1.8.0 // indirect github.com/magiconair/properties v1.8.0 // indirect

2
go.sum
View file

@ -7,6 +7,8 @@ github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
github.com/cpuguy83/go-md2man v1.0.8 h1:DwoNytLphI8hzS2Af4D0dfaEaiSq2bN05mEm4R6vf8M= github.com/cpuguy83/go-md2man v1.0.8 h1:DwoNytLphI8hzS2Af4D0dfaEaiSq2bN05mEm4R6vf8M=
github.com/cpuguy83/go-md2man v1.0.8/go.mod h1:N6JayAiVKtlHSnuTCeuLSQVs75hb8q+dYQLjr7cDsKY= github.com/cpuguy83/go-md2man v1.0.8/go.mod h1:N6JayAiVKtlHSnuTCeuLSQVs75hb8q+dYQLjr7cDsKY=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dgrijalva/jwt-go v1.0.2 h1:KPldsxuKGsS2FPWsNeg9ZO18aCrGKujPoWXn2yo+KQM=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=