Old PAT patterns are not supported #42

Closed
gal-legit opened this issue Nov 11, 2022 · 13 comments
Labels: bug (Something isn't working)

Comments

gal-legit (Collaborator) commented Nov 11, 2022

TL;DR

As @carltonmason commented in #10, PATs generated for GHES instances might have a different pattern.
Remove the user-friendly checks (length & the ghp_ prefix) for GHES.

edit:
The issue is not with GHES but with old-style PATs (see comments for more info).
Instead of removing the check, we will just support the older pattern too.

Expected behavior

accept the custom PAT

Observed behavior

No response

Version

v0.1.5

On which operating system are you using legitify?

Linux

Relevant log output

No response

Additional information

No response

gal-legit added the "bug" label on Nov 11, 2022

gal-legit (Collaborator, Author) commented Nov 14, 2022

After some research, we found that:
https://github.blog/changelog/2021-03-04-authentication-token-format-updates/

That means that for backward compatibility, we need to support either:

  • 40 characters including the ghp_ prefix
  • 36 characters without any prefix

The other prefixes (gho_/ghu_/ghs_/ghr_) are irrelevant, as they cannot be used for legitify anyway.
@carltonmason can you please confirm that the rules defined above would work for your PAT?
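The two token shapes listed above, as an added example (not legitify's own code): a classifier that accepts either shape, rejects the gho_/ghu_/ghs_/ghr_ prefixes the comment rules out, and a redaction helper so a token can be quoted in error.log without leaking it. The [A-Za-z0-9] character class is an assumption; the comment gives only lengths and prefixes.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not legitify's own code. Accepted shapes follow the comment
// above: "ghp_" + 36 characters (40 total), or 36 characters with no prefix.
// The [A-Za-z0-9] character class is an assumption the comment does not state.
var (
	newStylePAT     = regexp.MustCompile(`^ghp_[A-Za-z0-9]{36}$`)
	oldStylePAT     = regexp.MustCompile(`^[A-Za-z0-9]{36}$`)
	ErrBadPAT       = errors.New("token does not match a known PAT shape")
	ErrNotUserToken = errors.New("gho_/ghu_/ghs_/ghr_ tokens cannot be used here")
)

// PATKind classifies a token as "new" or "old", or says why it is rejected.
func PATKind(token string) (string, error) {
	for _, p := range []string{"gho_", "ghu_", "ghs_", "ghr_"} {
		if strings.HasPrefix(token, p) {
			return "", ErrNotUserToken
		}
	}
	switch {
	case newStylePAT.MatchString(token):
		return "new", nil
	case oldStylePAT.MatchString(token):
		return "old", nil
	}
	return "", ErrBadPAT
}

// Redact keeps only the first and last four characters so a token can be
// quoted in error.log or an issue comment without leaking it.
func Redact(token string) string {
	if len(token) <= 8 {
		return "****"
	}
	return token[:4] + "..." + token[len(token)-4:]
}

func main() {
	sample := "ghp_" + strings.Repeat("A", 36) // constructed, not a real token
	kind, err := PATKind(sample)
	fmt.Println(Redact(sample), kind, err)
}
```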

gal-legit changed the title from "Custom PAT patterns do not work for GHES" to "Old PAT patterns do not work for GHES" on Nov 14, 2022
gal-legit changed the title from "Old PAT patterns do not work for GHES" to "Old PAT patterns are not supported" on Nov 14, 2022
gal-legit mentioned this issue on Nov 14, 2022

carltonmason commented

I believe they will @gal-legit . Thanks.

gal-legit (Collaborator, Author) commented

@carltonmason Great! I'm closing the issue for now.
Just note that in order to run the original command with your server you'd need to do either of the following:

 go run main.go analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository

Or:

export SERVER_URL=https://github.ibm.com/
 go run main.go analyze --org CICD-CPP-Ops --namespace repository

carltonmason commented Nov 16, 2022

@gal-legit thanks, I just tried and it doesn't complain about my GH token any more. I didn't get any output related to pass or fail though...

go run main.go analyze --org CICD-CPP-Ops --namespace repository
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

Gathering collection metadata...
repository 7 / 7 [==============================================================] 100 %

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+

noamd-legit (Contributor) commented

Hey @carltonmason,
The issue is fixed in the main branch. Could you check it out? We want to make sure it works as expected before we publish a release with GHES support.

carltonmason commented

@noamd-legit Sorry for the delay, I was out on vacation for a few days last week. I can't get it to build now.

go run main.go analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository
go: downloading github.com/google/go-github v17.0.0+incompatible
/Users/ckmason/.go/pkg/mod/github.com/ossf/scorecard/v4@v4.4.0/clients/githubrepo/branches.go:23:2: github.com/google/go-github@v17.0.0+incompatible: reading https://proxy.golang.org/github.com/google/go-github/@v/v17.0.0+incompatible.zip: 401 Unauthorized
/Users/ckmason/.go/pkg/mod/github.com/bradleyfalzon/ghinstallation/v2@v2.0.4/transport.go:15:2: github.com/google/go-github@v17.0.0+incompatible: reading https://proxy.golang.org/github.com/google/go-github/@v/v17.0.0+incompatible.zip: 401 Unauthorized
internal/collected/github/organization.go:7:2: github.com/google/go-github@v17.0.0+incompatible: reading https://proxy.golang.org/github.com/google/go-github/@v/v17.0.0+incompatible.zip: 401 Unauthorized

gal-legit (Collaborator, Author) commented Nov 28, 2022

@carltonmason
The unauthorized responses are weird; I tried reaching those addresses without credentials, and they work for me. Maybe you have a mirror in your internal network?
Anyway, I ran mod vendor locally and pushed it on branch gofri/mod_vendor.
Can you please use this branch and run the following commands to see if it works?

git fetch && git checkout gofri/mod_vendor
go build -mod vendor
./legitify analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository

p.s. as @noamd-legit mentioned, we plan on releasing an official release once we confirm that it works for you, so you'll be able to take the binaries off-the-shelf.

carltonmason commented

@gal-legit thanks, I was able to build everything but, not getting any output:

 ./legitify analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

Gathering collection metadata...

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+

I tried using a different GHE org and it at least shows "Gathering collection metadata"... but no real report.

./legitify analyze --server-url https://github.ibm.com/ --org Tron --namespace repository --scorecard yes
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Gathering collection metadata...
repository 135 / 135 [==============================================================] 100 %

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+

gal-legit (Collaborator, Author) commented

@carltonmason
That's weird. We tried to test it on several different instances and didn't get any problems.
Can you please share the error.log file you get?

p.s. feel free to contact us at gal@legitsecurity.com or noam@legitsecurity.com if the logs contain anything confidential.

carltonmason commented

OK, getting further now, the error.log was helpful.

2022/11/29 08:15:42 Using Github Enterprise Endpoint: https://github.ibm.com

2022/11/29 08:15:42 failed to collect organization User has no access to the requested organization: ckmason

I fixed my GITHUB_TOKEN value and can now re-run. Not getting any output to stdout, but the error.log contains some hopefully useful content:

./legitify analyze --server-url https://github.ibm.com/ --org CICD-CPP-Ops --namespace repository
 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

Gathering collection metadata...
repository 7 / 7 [==============================================================] 100 %

Findings summary:
+---+-----------+--------+----------+--------+--------+---------+
| # | Namespace | Policy | Severity | Passed | Failed | Skipped |
+---+-----------+--------+----------+--------+--------+---------+
ckmason@cartons-mbp:legitify (gofri/mod_vendor)$ cat error.log
2022/11/29 08:18:50 Using Github Enterprise Endpoint: https://github.ibm.com

2022/11/29 08:18:51 attempt 1/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 2/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 3/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 4/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 attempt 5/5 failed: collect repositories for CICD-CPP-Ops with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51 all 5 attempts failed (collect repositories for CICD-CPP-Ops) with err: Field 'blocksCreations' doesn't exist on type 'BranchProtectionRule'
2022/11/29 08:18:51

gal-legit (Collaborator, Author) commented Nov 29, 2022

@carltonmason thanks for sharing the logs.
Looks like you're using EE version <3.5 (v3.4 vs v3.5).
We'll add backward compatibility for that as well. Meanwhile, I pushed a commit that removes this field to gofri/mod_vendor; please pull and retry.

@noamd-legit FYI, I think we can omit it altogether for now since we don't have a policy for that anyway

carltonmason commented

Alright, it worked! Finally get to see a report. FYI, contents of error.log below. Note also that our version of GHE doesn't yet support GH Actions.

cat error.log
2022/11/29 08:58:48 Using Github Enterprise Endpoint: https://github.ibm.com

2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/docs: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/docs/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-ci: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-ci/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-issues: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-issues/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/argocd-install: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/argocd-install/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository actions settings for CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory: GET https://github.ibm.com/api/v3/repos/CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory/actions/permissions/workflow: 404 Not Found []
2022/11/29 08:58:50 error getting repository dependency manifests for CICD-CPP-Ops/docs: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-ci: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-ci: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-issues: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-evidence: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting repository dependency manifests for CICD-CPP-Ops/argocd-install: Field 'dependencyGraphManifests' doesn't exist on type 'Repository'
2022/11/29 08:58:51 error getting scorecard result for argocd-install: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting scorecard result for docs: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-issues: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 error getting scorecard result for scd-argocd-backup-and-restore-inventory: getting local directory client: error in IsValid: unsupported host: github.ibm.com
2022/11/29 08:58:51 missing permission: "repo" on:
    - repository:CICD-CPP-Ops/argocd-install [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/docs [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-ci [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-evidence [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-inventory [Cannot read repository actions settings]
    - repository:CICD-CPP-Ops/scd-argocd-backup-and-restore-issues [Cannot read repository actions settings]

gal-legit (Collaborator, Author) commented

@carltonmason, That's awesome! Thanks for the feedback! We hope that the report was helpful :)
We'll release a new official version shortly.

p.s. for security reasons, we recommend redacting the names of private repositories in your comment.
