Added ability to pass in encrypted key/values into the CLI and API

[nmaludy]

Closes #4545

This PR adds the ability to pass in encrypted key/value pairs on the CLI and via the API. The values remain encrypted and then are decrypted prior to being stored in the database.

To signify to the CLI that these values must be decrypted this adds a -d/--debug flag to st2 key set, example:

st2 key set -e -d myencryptedvalue ABC123

A new metadata parameter is now allowed in st2 key load data files called decrypt: true this signifies that the value for a given key is encrypted and needs to be decrypted before being processed.

- name: myencryptedvalue
  value: ABC123
  decrypt: true
  secret: true

Finally the API endpoint PUT /api/v1/keys/{name} accepts a new parameter decrypt that again signifies that the value is encrypted and must be decrypted:

PUT /api/v1/keys/myencryptedvalue
{
  "name": "myencryptedvalue",
  "value": "ABC123",
  "decrypt": true,
  "secret": true
}

The decrypting operation is handled within the API so that st2client doesn't rely on st2common. This also makes it a consistent experience from CLI and API.

TODO

• st2docs PR once this design is approved - Documentation on how to load pre-encrypted secrets into the datastore st2docs#869

[arm4b]

FYI this comes from the StackStorm/puppet-st2#250 PR where @nmaludy had no choice but to copy entire python cryptography code for st2 decrypt.

This PR solves it by adding new option to CLI/API.

[Kami]

Thanks for contributing this change.

Could we avoid the decrypt -> encrypt round-trip and simply tell API the value is encrypted and to store it as-is?

The limitation of course is that the value needs to be encrypted with the same key which is used by the StackStorm installation. But that's also the case with this approach.

I guess the only downside of that approach would be that there is no "integrity check" on write - user would only find out that encrypted value is corrupted or not encrypted with the same key which is used on this particular installation on access / read time.

[nmaludy]

@Kami right, i intentionally decrypt the value prior to saving to the datastore, so that the key validity is checked on write rather than read (at some point in the future).

[Kami]

Alright, in this case I'm find with this approach 👍

It's almost always better to do integrity checks early on, on write :)

[nmaludy]

I'm thinking about renaming the flag from --decrypt to --preencrypted

Does that seem more clear?

[Kami]

Yeah, --decrypt is a bit config. Perhaps encrypted which signals that a value is already encrypted?

[Kami]

Thanks for updating the PR.

How do you think this should tie into RBAC? It would probably be safer if only admins can pass pre-encrypted values to the PUT API to avoid potential secrets leakage?

In theory, we could allow every user to use this functionality since we only use decrypt on the API side to ensure encrypted value is encrypted with the correct key and not corrupted, but then we need to be careful that we never return plain-text decrypted version back to the user inside PUT response.

[Kami]

Per discussion with @nmaludy on Slack, I made the following changes:

1. Change option name from decrypt to pre_encrypted

After some more thought, pre_encrypted is much better name and doesn't cause any confusion with decrypt which does something totally different.

It signals the API that the value is already encrypted and should be used and stored as-is.

We do actually perform decryption on the API side, but that's an implementation detail and only done to ensure the integrity of the value (to ensure it has been encrypted with the correct key and that it's not corrupted).

Besides, that, we treat and store value as-is.

2. Make sure pre_encrypted always implies secret=True

If we didn't do that, any user could read / decrypt any pre-encrypted value which is a big no-no and a security issue.

3. Only allow RBAC admins to use pre_encrypted=True

This is an additional safe guard.

Primary use case for this feature is migration / restore of datastore values from one StackStorm instance which uses the same crypto key to another using st2 key load command.

I still need to work on the test coverage, especially around the security edge cases to ensure there is no accidental secrets leakage.

[Kami]

Added test cases, and made the changes so st2 key list -n 100 -j > data.json ; st2 key load data.json now also works out of the box for encrypted values without needing to manipulate the format in data.json.

I approved the PR, but since it's touches a security critical code, I also requested review from @m4dcoder.

[bigmstone]

👍

[m4dcoder]

Why not just simply name the argument --encrypted?

[Kami]

Yeah, I was thinking about it, but I thought it might be a bit confusing in combination with the existing --encrypt argument.

I'n fine either way though.

[m4dcoder]

Adding mutually exclusive to the args will minimize the confusion.

[m4dcoder]

Can we make the args --encrypt and --encrypted/--pre-encrypted mutually exclusive? Meaning these args cannot both be present at the same time.

[Kami]

Good point, will add it.

[m4dcoder]

This is a surprise. How come we are adding decrypt attribute in this API spec?

[Kami]

You are commenting on an old diff, attribute is now named pre_encrypted.

[Kami]

Made CLI flags mutually exclusive - 970b3eb and changed the argument and CLI flag name from --pre-encrypted to --encrypted - 88607e3.

[m4dcoder]

LGTM. Not going to nit pick on ya but I couldn't find a specific unit test case for failure of checking integrity of setting an encrypted value.

[m4dcoder]

I may have missed it but I don't see a unit test that shows failure in checking integrity.

[Kami]

Good catch - I did plan to add that one, but forgot to.

Will add it.

[Kami]

Added in 17427bf.