🔒 : avoid credentials leakage through Jobs API

gaia-app · Jul 12, 2020 · 9059bc5 · 9059bc5
1 parent 60ef68d
commit 9059bc5
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 21 deletions.
diff --git a/src/main/java/io/gaia_app/credentials/Credentials.kt b/src/main/java/io/gaia_app/credentials/Credentials.kt
@@ -8,6 +8,8 @@ import org.springframework.data.annotation.Id
 
 import com.fasterxml.jackson.annotation.JsonTypeInfo.As.PROPERTY
 import com.fasterxml.jackson.annotation.JsonTypeInfo.Id.NAME
+import com.fasterxml.jackson.annotation.JsonView
+import com.fasterxml.jackson.databind.annotation.JsonSerialize
 import io.gaia_app.teams.User
 import org.springframework.data.annotation.CreatedBy
 import org.springframework.data.mongodb.core.mapping.DBRef
@@ -31,24 +33,28 @@ abstract class Credentials {
     @DBRef
     lateinit var createdBy: User
 
+    var provider: String
+
+    constructor(provider: String) {
+        this.provider = provider
+    }
+
     abstract fun toEnv(): List<String>
-    abstract fun provider(): String
 }
 
 @Document
-data class AWSCredentials(val accessKey:String, val secretKey:String):Credentials() {
+data class AWSCredentials(val accessKey:String, val secretKey:String):Credentials("aws") {
     override fun toEnv() = listOf("AWS_ACCESS_KEY_ID=$accessKey", "AWS_SECRET_ACCESS_KEY=$secretKey")
-    override fun provider() = "aws"
 }
 
 @Document
-data class GoogleCredentials(val serviceAccountJSONContents:String):Credentials() {
+data class GoogleCredentials(val serviceAccountJSONContents:String):Credentials("google") {
     override fun toEnv() = listOf("GOOGLE_CREDENTIALS=$serviceAccountJSONContents")
-    override fun provider() = "google"
 }
 
 @Document
-data class AzureRMCredentials(val clientId:String, val clientSecret:String):Credentials() {
+data class AzureRMCredentials(val clientId:String, val clientSecret:String):Credentials("azurerm") {
     override fun toEnv() = listOf("ARM_CLIENT_ID=$clientId", "ARM_CLIENT_SECRET=$clientSecret")
-    override fun provider() = "azurerm"
 }
+
+data class EmptyCredentials(val id: String, val name: String, val provider: String)
diff --git a/src/main/java/io/gaia_app/credentials/CredentialsRepository.kt b/src/main/java/io/gaia_app/credentials/CredentialsRepository.kt
@@ -6,7 +6,7 @@ import java.util.*
 
 interface CredentialsRepository: MongoRepository<Credentials, String> {
 
-    fun findAllByCreatedBy(user: User): List<Credentials>
+    fun findAllByCreatedBy(user: User): List<EmptyCredentials>
 
     fun findByIdAndCreatedBy(id: String, createdBy: User): Optional<Credentials>
 }
diff --git a/src/main/java/io/gaia_app/credentials/CredentialsRestController.java b/src/main/java/io/gaia_app/credentials/CredentialsRestController.java
@@ -20,7 +20,7 @@ public CredentialsRestController(CredentialsRepository credentialsRepository) {
     }
 
     @GetMapping
-    public List<Credentials> getAllCredentials(User user) {
+    public List<EmptyCredentials> getAllCredentials(User user) {
         return this.credentialsRepository.findAllByCreatedBy(user);
     }
 

diff --git a/src/main/java/io/gaia_app/runner/StackRunner.java b/src/main/java/io/gaia_app/runner/StackRunner.java
@@ -1,5 +1,6 @@
 package io.gaia_app.runner;
 
+import io.gaia_app.credentials.CredentialsRepository;
 import io.gaia_app.modules.bo.TerraformModule;
 import io.gaia_app.stacks.bo.Job;
 import io.gaia_app.stacks.bo.JobType;
@@ -9,14 +10,6 @@
 import io.gaia_app.stacks.repository.StackRepository;
 import io.gaia_app.stacks.repository.StepRepository;
 import io.gaia_app.stacks.workflow.JobWorkflow;
-import io.gaia_app.modules.bo.TerraformModule;
-import io.gaia_app.stacks.bo.Job;
-import io.gaia_app.stacks.bo.JobType;
-import io.gaia_app.stacks.bo.Stack;
-import io.gaia_app.stacks.bo.StackState;
-import io.gaia_app.stacks.repository.StackRepository;
-import io.gaia_app.stacks.repository.StepRepository;
-import io.gaia_app.stacks.workflow.JobWorkflow;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.scheduling.annotation.Async;
 import org.springframework.stereotype.Service;
@@ -39,17 +32,19 @@ public class StackRunner {
     private StackRepository stackRepository;
     private JobRepository jobRepository;
     private StepRepository stepRepository;
+    private CredentialsRepository credentialsRepository;
 
     private Map<String, Job> jobs = new HashMap<>();
 
     @Autowired
     public StackRunner(DockerRunner dockerRunner, StackCommandBuilder stackCommandBuilder,
-                       StackRepository stackRepository, JobRepository jobRepository, StepRepository stepRepository) {
+                       StackRepository stackRepository, JobRepository jobRepository, StepRepository stepRepository, CredentialsRepository credentialsRepository) {
         this.dockerRunner = dockerRunner;
         this.stackCommandBuilder = stackCommandBuilder;
         this.stackRepository = stackRepository;
         this.jobRepository = jobRepository;
         this.stepRepository = stepRepository;
+        this.credentialsRepository = credentialsRepository;
     }
 
     private String managePlanScript(Job job, Stack stack, TerraformModule module) {
@@ -127,6 +122,9 @@ private void treatJob(JobWorkflow jobWorkflow, Consumer<JobWorkflow> jobActionFn
 
     @Async
     public void plan(JobWorkflow jobWorkflow, TerraformModule module, Stack stack) {
+        if(stack.getCredentialsId() != null){
+            jobWorkflow.getJob().setCredentials(this.credentialsRepository.findById(stack.getCredentialsId()).orElseThrow());
+        }
         treatJob(
             jobWorkflow,
             JobWorkflow::plan,
@@ -137,6 +135,9 @@ public void plan(JobWorkflow jobWorkflow, TerraformModule module, Stack stack) {
 
     @Async
     public void apply(JobWorkflow jobWorkflow, TerraformModule module, Stack stack) {
+        if(stack.getCredentialsId() != null){
+            jobWorkflow.getJob().setCredentials(this.credentialsRepository.findById(stack.getCredentialsId()).orElseThrow());
+        }
         treatJob(
             jobWorkflow,
             JobWorkflow::apply,
@@ -147,6 +148,9 @@ public void apply(JobWorkflow jobWorkflow, TerraformModule module, Stack stack)
 
     @Async
     public void retry(JobWorkflow jobWorkflow, TerraformModule module, Stack stack) {
+        if(stack.getCredentialsId() != null){
+            jobWorkflow.getJob().setCredentials(this.credentialsRepository.findById(stack.getCredentialsId()).orElseThrow());
+        }
         stepRepository.deleteByJobId(jobWorkflow.getJob().getId());
         treatJob(
             jobWorkflow,

diff --git a/src/main/java/io/gaia_app/stacks/bo/Job.java b/src/main/java/io/gaia_app/stacks/bo/Job.java
@@ -1,9 +1,11 @@
 package io.gaia_app.stacks.bo;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import io.gaia_app.credentials.Credentials;
 import io.gaia_app.modules.bo.TerraformImage;
 import io.gaia_app.teams.User;
 import io.gaia_app.modules.bo.TerraformImage;
+import org.springframework.data.annotation.Transient;
 import org.springframework.data.mongodb.core.mapping.DBRef;
 
 import java.time.Duration;
@@ -28,6 +30,9 @@ public class Job {
     private List<Step> steps = new ArrayList<>(2);
     @DBRef
     private User user;
+
+    @Transient
+    @JsonIgnore
     private Credentials credentials;
 
     public Job() {

diff --git a/src/test/java/io/gaia_app/credentials/CredentialsRestControllerIT.java b/src/test/java/io/gaia_app/credentials/CredentialsRestControllerIT.java
@@ -37,13 +37,21 @@ void setup() {
     @Test
     @WithMockUser("Darth Vader")
     void users_shouldBeAbleToViewTheirOwnCredentials_forListAccess() throws Exception {
+        mockMvc.perform(get("/api/credentials"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$", hasSize(1)))
+            .andExpect(jsonPath("$[0].provider", is("aws")));
+    }
+
+    @Test
+    @WithMockUser("Darth Vader")
+    void credentialsDetailsShouldNotLeak_forListAccess() throws Exception {
         mockMvc.perform(get("/api/credentials"))
             .andExpect(status().isOk())
             .andExpect(jsonPath("$", hasSize(1)))
             .andExpect(jsonPath("$[0].provider", is("aws")))
-            .andExpect(jsonPath("$[0].accessKey", is("DEATH_STAR_KEY")))
-            .andExpect(jsonPath("$[0].secretKey", is("DEATH_STAR_SECRET")))
-            .andExpect(jsonPath("$[0].createdBy.username", is("Darth Vader")));
+            .andExpect(jsonPath("$[0].accessKey").doesNotExist())
+            .andExpect(jsonPath("$[0].secretKey").doesNotExist());
     }
 
     @Test

diff --git a/src/test/java/io/gaia_app/runner/StackRunnerTest.java b/src/test/java/io/gaia_app/runner/StackRunnerTest.java
@@ -1,5 +1,8 @@
 package io.gaia_app.runner;
 
+import io.gaia_app.credentials.AWSCredentials;
+import io.gaia_app.credentials.CredentialsRepository;
+import io.gaia_app.credentials.EmptyCredentials;
 import io.gaia_app.modules.bo.TerraformModule;
 import io.gaia_app.stacks.bo.Job;
 import io.gaia_app.stacks.bo.JobType;
@@ -18,6 +21,7 @@
 
 import java.util.Optional;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.Mockito.*;
 
@@ -39,6 +43,9 @@ class StackRunnerTest {
     @Mock
     private StepRepository stepRepository;
 
+    @Mock
+    private CredentialsRepository credentialsRepository;
+
     @Mock
     private JobWorkflow jobWorkflow;
 
@@ -393,4 +400,52 @@ void retry_shouldSaveJobAndSteps() {
         verify(stepRepository, times(2)).saveAll(job.getSteps());
     }
 
+    @Test
+    void credentialsShouldBeInjected_whenRunningAPlan(){
+        // given
+        stack.setCredentialsId("dummy");
+        var credentials = new AWSCredentials("dummy","dummy");
+
+        when(credentialsRepository.findById("dummy")).thenReturn(Optional.of(credentials));
+
+        // when
+        stackRunner.plan(jobWorkflow, module, stack);
+
+        // then
+        verify(credentialsRepository).findById("dummy");
+        assertThat(job.getCredentials()).isEqualTo(credentials);
+    }
+
+    @Test
+    void credentialsShouldBeInjected_whenRunningAnApply(){
+        // given
+        stack.setCredentialsId("dummy");
+        var credentials = new AWSCredentials("dummy","dummy");
+
+        when(credentialsRepository.findById("dummy")).thenReturn(Optional.of(credentials));
+
+        // when
+        stackRunner.apply(jobWorkflow, module, stack);
+
+        // then
+        verify(credentialsRepository).findById("dummy");
+        assertThat(job.getCredentials()).isEqualTo(credentials);
+    }
+
+    @Test
+    void credentialsShouldBeInjected_whenRunningARetry(){
+        // given
+        stack.setCredentialsId("dummy");
+        var credentials = new AWSCredentials("dummy","dummy");
+
+        when(credentialsRepository.findById("dummy")).thenReturn(Optional.of(credentials));
+
+        // when
+        stackRunner.retry(jobWorkflow, module, stack);
+
+        // then
+        verify(credentialsRepository).findById("dummy");
+        assertThat(job.getCredentials()).isEqualTo(credentials);
+    }
+
 }