ceph-csi/internal/util/credentials.go

/*
Copyright 2018 The Ceph-CSI Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package util

import (
	"errors"
	"fmt"
	"io/ioutil"
	"os"
)

const (
	credUserID           = "userID"
	credUserKey          = "userKey"
	credAdminID          = "adminID"
	credAdminKey         = "adminKey"
	credMonitors         = "monitors"
	tmpKeyFileLocation   = "/tmp/csi/keys"
	tmpKeyFileNamePrefix = "keyfile-"
)

type Credentials struct {
	ID      string
	KeyFile string
}

func storeKey(key string) (string, error) {
	tmpfile, err := ioutil.TempFile(tmpKeyFileLocation, tmpKeyFileNamePrefix)
	if err != nil {
		return "", fmt.Errorf("error creating a temporary keyfile (%s)", err)
	}
	defer func() {
		if err != nil {
			// don't complain about unhandled error
			_ = os.Remove(tmpfile.Name())
		}
	}()

	if _, err = tmpfile.Write([]byte(key)); err != nil {
		return "", fmt.Errorf("error writing key to temporary keyfile (%s)", err)
	}

	keyFile := tmpfile.Name()
	if keyFile == "" {
		err = fmt.Errorf("error reading temporary filename for key (%s)", err)
		return "", err
	}

	if err = tmpfile.Close(); err != nil {
		return "", fmt.Errorf("error closing temporary filename (%s)", err)
	}

	return keyFile, nil
}

func newCredentialsFromSecret(idField, keyField string, secrets map[string]string) (*Credentials, error) {
	var (
		c  = &Credentials{}
		ok bool
	)

	if len(secrets) == 0 {
		return nil, errors.New("provided secret is empty")
	}
	if c.ID, ok = secrets[idField]; !ok {
		return nil, fmt.Errorf("missing ID field '%s' in secrets", idField)
	}

	key := secrets[keyField]
	if key == "" {
		return nil, fmt.Errorf("missing key field '%s' in secrets", keyField)
	}

	keyFile, err := storeKey(key)
	if err == nil {
		c.KeyFile = keyFile
	}

	return c, err
}

func (cr *Credentials) DeleteCredentials() {
	// don't complain about unhandled error
	_ = os.Remove(cr.KeyFile)
}

func NewUserCredentials(secrets map[string]string) (*Credentials, error) {
	return newCredentialsFromSecret(credUserID, credUserKey, secrets)
}

func NewAdminCredentials(secrets map[string]string) (*Credentials, error) {
	return newCredentialsFromSecret(credAdminID, credAdminKey, secrets)
}

func NewCredentials(id, key string) (*Credentials, error) {
	var c = &Credentials{}

	c.ID = id
	keyFile, err := storeKey(key)
	if err == nil {
		c.KeyFile = keyFile
	}

	return c, err
}

func GetMonValFromSecret(secrets map[string]string) (string, error) {
	if mons, ok := secrets[credMonitors]; ok {
		return mons, nil
	}
	return "", fmt.Errorf("missing %q", credMonitors)
}
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`/*`
Replaces the references to the Kubernete Authors with the Ceph-CSI authors 2019-04-03 08:46:15 +00:00			`Copyright 2018 The Ceph-CSI Authors.`
added cephfs/credentials 2018-04-13 12:31:03 +00:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`package util`
added cephfs/credentials 2018-04-13 12:31:03 +00:00
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`import (`
Add a check for nil secrets Improve the error message if secrets are not provided in request Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2019-09-25 14:45:19 +00:00			`"errors"`
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`"fmt"`
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`"io/ioutil"`
			`"os"`
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`)`
added cephfs/credentials 2018-04-13 12:31:03 +00:00
			`const (`
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`credUserID = "userID"`
			`credUserKey = "userKey"`
			`credAdminID = "adminID"`
			`credAdminKey = "adminKey"`
			`credMonitors = "monitors"`
			`tmpKeyFileLocation = "/tmp/csi/keys"`
			`tmpKeyFileNamePrefix = "keyfile-"`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`)`

Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`type Credentials struct {`
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`ID string`
			`KeyFile string`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`}`

Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`func storeKey(key string) (string, error) {`
			`tmpfile, err := ioutil.TempFile(tmpKeyFileLocation, tmpKeyFileNamePrefix)`
			`if err != nil {`
			`return "", fmt.Errorf("error creating a temporary keyfile (%s)", err)`
			`}`
			`defer func() {`
			`if err != nil {`
Address security concerns reported by 'gosec' gosec reports several issues, none of them looks very critical. With this change the following concerns have been addressed: [pkg/cephfs/nodeserver.go:229] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(targetPath, 0777) [pkg/cephfs/util.go:39] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/rbd/nodeserver.go:156] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(stagingTargetPath, 0777) [pkg/rbd/nodeserver.go:205] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.OpenFile(mountPath, os.O_CREATE\|os.O_RDWR, 0750) [pkg/rbd/rbd_util.go:797] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > ioutil.ReadFile(fPath) [pkg/util/cephcmds.go:35] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/util/credentials.go:47] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(tmpfile.Name()) [pkg/util/credentials.go:92] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(cr.KeyFile) [pkg/util/pidlimit.go:74] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > os.Open(pidsMax) URL: https://github.com/securego/gosec Signed-off-by: Niels de Vos <ndevos@redhat.com> 2019-08-30 10:23:10 +00:00			`// don't complain about unhandled error`
			`_ = os.Remove(tmpfile.Name())`
Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`}`
			`}()`

			`if _, err = tmpfile.Write([]byte(key)); err != nil {`
			`return "", fmt.Errorf("error writing key to temporary keyfile (%s)", err)`
			`}`

			`keyFile := tmpfile.Name()`
			`if keyFile == "" {`
			`err = fmt.Errorf("error reading temporary filename for key (%s)", err)`
			`return "", err`
			`}`

			`if err = tmpfile.Close(); err != nil {`
			`return "", fmt.Errorf("error closing temporary filename (%s)", err)`
			`}`

			`return keyFile, nil`
			`}`

			`func newCredentialsFromSecret(idField, keyField string, secrets map[string]string) (*Credentials, error) {`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`var (`
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`c = &Credentials{}`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`ok bool`
			`)`

Add a check for nil secrets Improve the error message if secrets are not provided in request Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2019-09-25 14:45:19 +00:00			`if len(secrets) == 0 {`
			`return nil, errors.New("provided secret is empty")`
			`}`
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`if c.ID, ok = secrets[idField]; !ok {`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`return nil, fmt.Errorf("missing ID field '%s' in secrets", idField)`
			`}`

Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`key := secrets[keyField]`
			`if key == "" {`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`return nil, fmt.Errorf("missing key field '%s' in secrets", keyField)`
			`}`

Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`keyFile, err := storeKey(key)`
			`if err == nil {`
			`c.KeyFile = keyFile`
			`}`

			`return c, err`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`}`

Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`func (cr *Credentials) DeleteCredentials() {`
Address security concerns reported by 'gosec' gosec reports several issues, none of them looks very critical. With this change the following concerns have been addressed: [pkg/cephfs/nodeserver.go:229] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(targetPath, 0777) [pkg/cephfs/util.go:39] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/rbd/nodeserver.go:156] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.Chmod(stagingTargetPath, 0777) [pkg/rbd/nodeserver.go:205] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM) > os.OpenFile(mountPath, os.O_CREATE\|os.O_RDWR, 0750) [pkg/rbd/rbd_util.go:797] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > ioutil.ReadFile(fPath) [pkg/util/cephcmds.go:35] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) > exec.Command(program, args...) [pkg/util/credentials.go:47] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(tmpfile.Name()) [pkg/util/credentials.go:92] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW) > os.Remove(cr.KeyFile) [pkg/util/pidlimit.go:74] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) > os.Open(pidsMax) URL: https://github.com/securego/gosec Signed-off-by: Niels de Vos <ndevos@redhat.com> 2019-08-30 10:23:10 +00:00			`// don't complain about unhandled error`
			`_ = os.Remove(cr.KeyFile)`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`}`

Use --keyfile option to pass keys to all Ceph CLIs Every Ceph CLI that is invoked at present passes the key via the --key option, and hence is exposed to key being displayed on the host using a ps command or such means. This commit addresses this issue by stashing the key in a tmp file, which is again created on a tmpfs (or empty dir backed by memory). Further using such tmp files as arguments to the --keyfile option for every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-25 19:29:17 +00:00			`func NewUserCredentials(secrets map[string]string) (*Credentials, error) {`
			`return newCredentialsFromSecret(credUserID, credUserKey, secrets)`
			`}`

			`func NewAdminCredentials(secrets map[string]string) (*Credentials, error) {`
			`return newCredentialsFromSecret(credAdminID, credAdminKey, secrets)`
			`}`

			`func NewCredentials(id, key string) (*Credentials, error) {`
			`var c = &Credentials{}`

			`c.ID = id`
			`keyFile, err := storeKey(key)`
			`if err == nil {`
			`c.KeyFile = keyFile`
			`}`

			`return c, err`
added cephfs/credentials 2018-04-13 12:31:03 +00:00			`}`
allow ceph mon stored in secret so when mon changes, cephfs driver can get latest mons and override old ones Signed-off-by: Huamin Chen <hchen@redhat.com> 2019-01-18 15:27:48 +00:00
Modify RBD plugin to use a single ID and move the id and key into the secret RBD plugin needs only a single ID to manage images and operations against a pool, mentioned in the storage class. The current scheme of 2 IDs is hence not needed and removed in this commit. Further, unlike CephFS plugin, the RBD plugin splits the user id and the key into the storage class and the secret respectively. Also the parameter name for the key in the secret is noted in the storageclass making it a variant and hampers usability/comprehension. This is also fixed by moving the id and the key to the secret and not retaining the same in the storage class, like CephFS. Fixes #270 Testing done: - Basic PVC creation and mounting Signed-off-by: ShyamsundarR <srangana@redhat.com> 2019-06-01 21:26:42 +00:00			`func GetMonValFromSecret(secrets map[string]string) (string, error) {`
allow ceph mon stored in secret so when mon changes, cephfs driver can get latest mons and override old ones Signed-off-by: Huamin Chen <hchen@redhat.com> 2019-01-18 15:27:48 +00:00			`if mons, ok := secrets[credMonitors]; ok {`
			`return mons, nil`
			`}`
			`return "", fmt.Errorf("missing %q", credMonitors)`
			`}`