Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a Secret Masking to Rule Enfocement API View Output #6170

Open
wants to merge 6 commits into
base: master
Choose a base branch
from

Conversation

philipphomberger
Copy link

Hi Community,

From My View of perspective Secrets should not show in cleartext in the Rule Enforcement View in the UI and the API. So I add a loop that auto mask the secret to *****.
I'am not 100% happy with the way I do it for get one function because of problem I had with access the keys of the object So I convert the Object to a str and than with eval to a dict.
Maybe someone here have a better Idea.

I wait for your feedback.
Thank you all.

Add a Secret Masking to the API Output.
@pull-request-size pull-request-size bot added the size/M PR that changes 30-99 lines. Good size to review. label Mar 25, 2024
@philipphomberger philipphomberger changed the title Add a Secret Masking to Reule Enfocement API View Output Add a Secret Masking to Rule Enfocement API View Output Mar 25, 2024
@nzlosh
Copy link
Contributor

nzlosh commented Mar 25, 2024

The idea seems good but the implementation needs a better architectural solution. Code already exists to handle masking secrets, would it be possible to call that?

def mask_secrets(self, value):

I've not tested this, but perhaps it can be called like below so secrets are masked?

        execution_dbs_by_id = {}
        for execution_db in execution_dbs:
            execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)

@philipphomberger
Copy link
Author

The idea seems good but the implementation needs a better architectural solution. Code already exists to handle masking secrets, would it be possible to call that?

def mask_secrets(self, value):

I've not tested this, but perhaps it can be called like below so secrets are masked?

        execution_dbs_by_id = {}
        for execution_db in execution_dbs:
            execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)

Thanks @nzlosh I will try it. :)

@philipphomberger
Copy link
Author

philipphomberger commented Mar 25, 2024

@nzlosh I have tryed it:
But the functions have a strange behavior than I use them like that:

for rule_enforcement_api in rule_enforcement_apis:
            if "parameters" in str(rule_enforcement_apis[i]):
                secrets = get_secret_parameters(rule_enforcement_api['execution']['action']['parameters'])
                print(f"Parameters before masking: {rule_enforcement_api['execution']['parameters']}")
                rule_enforcement_api['execution']['parameters'] = mask_secret_parameters(parameters=rule_enforcement_api['execution']['action']['parameters'], secret_parameters=secrets)
                print(f"Parameters after masking: {rule_enforcement_api['execution']['parameters']}")
                rule_enforcement_apis[i] = rule_enforcement_api
        return rule_enforcement_apis

Output:
2024-03-25 13:12:02 Parameters before masking: {'key1': 'test1234', 'key2': ’testsecret’}
2024-03-25 13:12:02 Parameters after masking: {'key1': {'type': 'string', 'default': '{{ st2kv.system.customer2_key1 }}'}, 'key2': '********'}

So Iooks like I can not 1:1 use that function. The Secret Masking it self working but the output for the none Secret Parameters get lost.

@philipphomberger
Copy link
Author

I tried your Idea as well:

2024-03-25 13:34:49 2024-03-25 12:34:49,799 ERROR [-] Failed to call controller function "get_all" for operation "st2api.controllers.v1.rule_enforcement_views:rule_enforcement_view_controller.get_all": 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:49 Traceback (most recent call last):
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 637, in __call__
2024-03-25 13:34:49     resp = func(**kw)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 75, in get_all
2024-03-25 13:34:49     rule_enforcement_apis.json = self._append_view_properties(
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 155, in _append_view_properties
2024-03-25 13:34:49     execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/db/execution.py", line 124, in mask_secrets
2024-03-25 13:34:49     parameters.update(value.get("action", {}).get("parameters", {}))
2024-03-25 13:34:49 AttributeError: 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:49 2024-03-25 12:34:49,803 ERROR [-] API call failed: 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:49 Traceback (most recent call last):
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/middleware/error_handling.py", line 49, in __call__
2024-03-25 13:34:49     return self.app(environ, start_response)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/middleware/streaming.py", line 46, in __call__
2024-03-25 13:34:49     return self.app(environ, start_response)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 751, in as_wsgi
2024-03-25 13:34:49     resp = self(req)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 649, in __call__
2024-03-25 13:34:49     raise e
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 637, in __call__
2024-03-25 13:34:49     resp = func(**kw)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 75, in get_all
2024-03-25 13:34:49     rule_enforcement_apis.json = self._append_view_properties(
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 155, in _append_view_properties
2024-03-25 13:34:49     execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/db/execution.py", line 124, in mask_secrets
2024-03-25 13:34:49     parameters.update(value.get("action", {}).get("parameters", {}))
2024-03-25 13:34:49 AttributeError: 'ActionExecutionDB' object has no attribute 'get' (_exception_class='AttributeError',_exception_message="'ActionExecutionDB' object has no attribute 'get'",_exception_data={})
2024-03-25 13:34:49 2024-03-25 12:34:49,807 INFO [-] fca048a4-5c3f-47df-90d3-49167f6999bd - 500 39 209.912ms (method='GET',path='/v1/ruleenforcements/views/',remote_addr='172.20.0.6',status=500,runtime=209.912,content_length=39,request_id='fca048a4-5c3f-47df-90d3-49167f6999bd')
2024-03-25 13:34:51 2024-03-25 12:34:51,157 INFO [-] c3358be3-66cc-41b0-ac3a-4826f3d1c6ad - GET /v1/ruleenforcements/views/ with query={} (method='GET',path='/v1/ruleenforcements/views/',remote_addr='172.20.0.6',query={},request_id='c3358be3-66cc-41b0-ac3a-4826f3d1c6ad')
2024-03-25 13:34:51 2024-03-25 12:34:51,321 ERROR [-] Failed to call controller function "get_all" for operation "st2api.controllers.v1.rule_enforcement_views:rule_enforcement_view_controller.get_all": 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:51 Traceback (most recent call last):
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 637, in __call__
2024-03-25 13:34:51     resp = func(**kw)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 75, in get_all
2024-03-25 13:34:51     rule_enforcement_apis.json = self._append_view_properties(
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 155, in _append_view_properties
2024-03-25 13:34:51     execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/db/execution.py", line 124, in mask_secrets
2024-03-25 13:34:51     parameters.update(value.get("action", {}).get("parameters", {}))
2024-03-25 13:34:51 AttributeError: 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:51 2024-03-25 12:34:51,322 ERROR [-] API call failed: 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:51 Traceback (most recent call last):
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/middleware/error_handling.py", line 49, in __call__
2024-03-25 13:34:51     return self.app(environ, start_response)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/middleware/streaming.py", line 46, in __call__
2024-03-25 13:34:51     return self.app(environ, start_response)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 751, in as_wsgi
2024-03-25 13:34:51     resp = self(req)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 649, in __call__
2024-03-25 13:34:51     raise e
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 637, in __call__
2024-03-25 13:34:51     resp = func(**kw)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 75, in get_all
2024-03-25 13:34:51     rule_enforcement_apis.json = self._append_view_properties(
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 155, in _append_view_properties
2024-03-25 13:34:51     execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)
2024-03-25 13:34:51   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/db/execution.py", line 124, in mask_secrets
2024-03-25 13:34:51     parameters.update(value.get("action", {}).get("parameters", {}))
2024-03-25 13:34:51 AttributeError: 'ActionExecutionDB' object has no attribute 'get' (_exception_class='AttributeError',_exception_message="'ActionExecutionDB' object has no attribute 'get'",_exception_data={})

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Philipp Homberger seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
size/M PR that changes 30-99 lines. Good size to review.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants