<img src="images/rh-logo.png" width="40%">

## Protecting Plaintext Secrets

# CASTELLAN DEEP DIVE DEMO

### Moisés Guimarães de Medeiros

# DISCLAIMER

This presentation is intended for the OpenStack IdM team to understand Castellan's capabilities using HashiCorp Vault as a backend and to discuss it's usage as an oslo.config.driver.

# CASTELLAN

### generic key manager interface

* Developed by the Barbican team.

* Enables the use of a deployment specific key manager.

* Supports OpenStack Barbican and HashiCorp Vault so far.


What is Castellan? Well...

...so basically, it gives you the capability to switch the key manager

without having to modify the source code of your service/application.

# HASHICORP VAULT

### secures, stores, and tightly controls access

* Tokens
* API keys
* Passwords
* Certificates
* Other secrets

And what is Vault...

...which is exactly what we need to protect

the plaintext secrets in configuration files.

# CASTELLAN + VAULT

## castellan.conf

In [6]:
from os import environ as env

config = """
[key_manager]
backend = vault
auth_type = token
token = {0}

[vault]
root_token_id = {0}
vault_url = {1}
""".format(env["VAULT_TEST_ROOT_TOKEN"], env["VAULT_TEST_VAULT_ADDR"])

with open("castellan.conf", "w") as config_file:
    config_file.write(config)

In [7]:
print(config)


[key_manager]
backend = vault
auth_type = token
token = 711bf33d-a88c-4216-b283-92b018638c17

[vault]
root_token_id = 711bf33d-a88c-4216-b283-92b018638c17
vault_url = http://127.0.0.1:8200



How can we make castellan talk to vault?

We need a configuration file for that...

... there are also two other options:

* use_ssl

* ssl_ca_crt_file

# KeyManager

In [21]:
from oslo_config import cfg
from castellan import key_manager
from castellan.common import utils

conf = cfg.ConfigOpts()

# args must be set to [] inside jupyter notebook
conf(args=[], default_config_files=["castellan.conf"])

mngr = key_manager.API(conf)

ctx = utils.credential_factory(conf)

In [22]:
type(mngr)

castellan.key_manager.vault_key_manager.VaultKeyManager

In [23]:
[attr for attr in dir(mngr) if not attr.startswith("_")]

['create_key', 'create_key_pair', 'delete', 'get', 'list', 'store']

In [24]:
type(ctx)

castellan.common.credentials.token.Token

In [25]:
[attr for attr in dir(ctx) if not attr.startswith("_")]

['token']

Using the configuration from the castellan.conf file

I can create a KeyManager using the key_manager.API()

factory method...

...it creates a key_manager according to the conf file

and we can see here what can this manager actually do.

# VaultKeyManager

## listing secrets

Right now there is a bug in the list() method

but I the fix is submitted for review @ gerrit

### listing secrets

In [20]:
mngr.list(ctx)

KeyManagerError: 'data'

When I try to list when there are no

secrets stored, it crashes!

Also, there is the need to pass a context object to the key manager (show ctx on code)

if missing, the manager will raise(Forbidden()),

but no further checks are actually done in the

context other than checking if it is not None.

# VaultKeyManager

## storing secrets

To store secrets we have three different methods

### asymmetric keys

In [26]:
secret_id_01 = mngr.create_key_pair(ctx, "RSA", 2048)
secret_id_01

('b49551b714c34070a9f2044333e347f1', '8d95e33377b74575b4d5118a25b72436')

### symmetric keys

In [27]:
secret_id_02 = mngr.create_key(ctx, "AES", int(256/8))
secret_id_02

'4ebb8fc800394cf3bf21273d9ad939e9'

### arbitrary data

In [28]:
from castellan.common.objects.opaque_data import OpaqueData

secret_id_03 = mngr.store(ctx, OpaqueData(b"super_secret_data"))
secret_id_03

'dcd69dec37064d258f62e1c6d6265d28'

Notice that the first one actually

returns a tuple with two secret_ids

and the last one, we need to wrap

the value in an OpaqueData object.

The data also has to be a byte string.

### listing secrets

In [30]:
secrets = mngr.list(ctx)

secrets

[<castellan.common.objects.symmetric_key.SymmetricKey at 0x7f8818ebb390>,
 <castellan.common.objects.public_key.PublicKey at 0x7f881826cc88>,
 <castellan.common.objects.private_key.PrivateKey at 0x7f88182772e8>,
 <castellan.common.objects.opaque_data.OpaqueData at 0x7f8818277278>]

In [31]:
[secret.id for secret in secrets]

['4ebb8fc800394cf3bf21273d9ad939e9',
 '8d95e33377b74575b4d5118a25b72436',
 'b49551b714c34070a9f2044333e347f1',
 'dcd69dec37064d258f62e1c6d6265d28']

Here we can see the secrets stored in

vault by the code in the previous slide.

# VaultKeyManager

## fetching secrets

### fetching secrets

In [32]:
secret = mngr.get(ctx, secret_id_01[0])

print(secret.get_encoded())

b'-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4cw55RupSL/rC\nyYFbIHITAwJnoF85M0E7DlV57rWdiG7v9k76ffKnjSE4gqCNB31oXKuIoMmXHCIW\n5fWcxn3C+zkWkKUVBKXr7QOFii2csD0rrfOdnGi+NCyKzHBorfNFk0VeElliVUSu\nJQhj9M5NpQU9JRnK9MZtJA3AHn24EIoipR6A68zYkktRE1Y1rEnU5R7aowh5hOkK\nUO47IGtwVFkYtknXBJJA8Yy0SxVGZiltxM9w7reAlwqe79H1YvcChnOSJ81Sre3l\nHoJ6wzJmLHENPHnbR/KyNWv6mYAqIMTpldM1ZhlK1bDSwcx8q4S3PMN77S/l6eTT\nK1xvYT1RAgMBAAECggEAf4NzPx5qgdUPm7foyJHeqwwKjo9NJWMstmILb5c6USTv\n5M63/O4zYefsTn/n9Hd4GDzwjSzzEJdvbbsemHqUmMZKyjHHHoevGTIqnBhRviAM\nufSxFYX613uES5RYJdYT90Z/zzAKQTPHnkiVy1yDfyQVQhczBJ9BylQBeY7axPLl\nYq71L4uS/d1YbRL+jEQXfp0hf4PsR2txrRbToD10tvmHFVvjzllnQvGBRvipbhQh\nwWWOmiA0KIp72a2ht6bVsF+92HI7TI/m4uUqTINh0xPaagA6jMk6WFo944hhLR5i\nJSsCHn+e509VMvY1Rt76dJiFrUbgzR7Ixw9jNYhtUQKBgQDkyo0z2Zjfgk3UR1CT\n4lvd65lRzqKfJISPIxMoTY49oStxsDbe6CWDd28jHZg9vBXHBZUq7XfQJYCyiilD\n9s4+sy1ItwY4wGGjTUTQktWLW0S1JyGmGHQ9tFslV9jPhEFlga965cxdV/YbRR3l\nsaYMswSrqy6ZUJQFeUqoDTCRdQKBgQDOYon5oq5DBw8eV

### fetching secrets

In [33]:
secret = mngr.get(ctx, secret_id_01[1])

print(secret.get_encoded())

b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuHMOeUbqUi/6wsmBWyBy\nEwMCZ6BfOTNBOw5Vee61nYhu7/ZO+n3yp40hOIKgjQd9aFyriKDJlxwiFuX1nMZ9\nwvs5FpClFQSl6+0DhYotnLA9K63znZxovjQsisxwaK3zRZNFXhJZYlVEriUIY/TO\nTaUFPSUZyvTGbSQNwB59uBCKIqUegOvM2JJLURNWNaxJ1OUe2qMIeYTpClDuOyBr\ncFRZGLZJ1wSSQPGMtEsVRmYpbcTPcO63gJcKnu/R9WL3AoZzkifNUq3t5R6CesMy\nZixxDTx520fysjVr+pmAKiDE6ZXTNWYZStWw0sHMfKuEtzzDe+0v5enk0ytcb2E9\nUQIDAQAB\n-----END PUBLIC KEY-----\n'


In [34]:
secret = mngr.get(ctx, secret_id_02)

print(secret.get_encoded())

b'\x8b:t\x90\xd5\xa3\xae\x8c\xbeN@\x81Ir9NU\tu\x82i\xc9\x14\xfc\x89\xe4\t)5\xfd=\x13'


In [35]:
secret = mngr.get(ctx, secret_id_03)

print(secret.get_encoded())

b'super_secret_data'


# VaultKeyManager

## deleting secrets

### deleting secrets

In [36]:
secrets = mngr.list(ctx)

for secret in secrets:
  mngr.delete(ctx, secret.id)

mngr.list(ctx)

KeyManagerError: 'data'

# OSLO CONFIG

Oslo Config is an OpenStack library

for parsing configuration options

from the command line and configuration

files so far, but we are adding more

capabilities to it. Here is a sample config...

## sample config file

[DEFAULT]

my_service_token = f125-2748-fc58-4e5e-dc54-4a16-64d3-1155

my_service_key = i8Jxdj+cQYP3n+gDxlmNFpDCBtjP3ObqFaGmZzlw=

[db]

username = node_xyz

password = Y6EK}WjyfnQTRyTV%pdD7XTw


## sample config as a dictionary

In [37]:
sample_conf = {
    "DEFAULT": {
        "my_service_token": "f125-2748-fc58-4e5e-dc54-4a16-64d3-1155",
        "my_service_key": "i8Jxdj+cQYP3n+gDxlmNFpDCBtjP3ObqFaGmZzlw=",
    },
    "db": {
        "username": "node_xyz",
        "password": "Y6EK}WjyfnQTRyTV%pdD7XTw",
    }
}

In [38]:
sample_conf['db']['username']

'node_xyz'

## exchanging values for secret ids

In [39]:
mapped_conf = {}

for group, options in sample_conf.items():
    mapped_conf[group] = {}
    
    for option, value in options.items():
        mapped_conf[group][option] = mngr.store(
            ctx, OpaqueData(value.encode()))
        
with open("option_mapping.conf", "w") as mapping_file:
    for group, options in mapped_conf.items():
        mapping_file.write("[{}]\n".format(group))

        for option, value in options.items():
            mapping_file.write("{} = {}\n".format(option, value))
        
        mapping_file.write("\n")

## sample mapping file

In [40]:
with open("option_mapping.conf", "r") as mapping_file:
    print(mapping_file.read())

[db]
username = 9afd11c7d9ce4de38c2f8ed36618f863
password = 8855dfc4d7ca4e83b3e65ab8db8f6c6e

[DEFAULT]
my_service_key = 18b198597b914968a2263e23468a01f3
my_service_token = b4b99d6d1e0549408d58f9b3a8bb0212




In [41]:
mapped_conf["db"]["username"]

'9afd11c7d9ce4de38c2f8ed36618f863'

In [42]:
mngr.get(ctx, mapped_conf["db"]["username"])

<castellan.common.objects.opaque_data.OpaqueData at 0x7f88182124e0>

In [43]:
mngr.get(ctx, mapped_conf["db"]["username"]).get_encoded()

b'node_xyz'

# POLICIES

Everything in Vault is path based, and policies are no exception.

Here is a very simple policy which grants read capabilities to the path "secret/foo":

```
path "secret/foo" {
  capabilities = ["read"]
}
```

In [44]:
policy_template = """
path secret/{} {{
  capabilities = ["read"]
}}
"""

with open("policy.conf", "w") as policy_file:
    for options in mapped_conf.values():
        for secret_id in options.values():
            policy_file.write(policy_template.format(secret_id))

# POLICIES

In [45]:
with open("policy.conf", "r") as policy_file:
    print(policy_file.read())


path secret/9afd11c7d9ce4de38c2f8ed36618f863 {
  capabilities = ["read"]
}

path secret/8855dfc4d7ca4e83b3e65ab8db8f6c6e {
  capabilities = ["read"]
}

path secret/18b198597b914968a2263e23468a01f3 {
  capabilities = ["read"]
}

path secret/b4b99d6d1e0549408d58f9b3a8bb0212 {
  capabilities = ["read"]
}



# CONCERNS

# CONCERN #1

### castellan can't update secrets

<img src="images/crud.png">

There is no way to update a secret through Castellan API.

The available options are:

* Keep the secret_id and update directly through Vault;
* Generate a new secret and update the mapping file with the new secret_id;
* Add an update method to Castellan.

# CONCERN #2

### no control over secret's path

```
path "secret/node-xzy/*" {
  capabilities = ["read"]
}


path "secret/node-xzy-*" {
  capabilities = ["read"]
}
```

There is no way to group one nodes' secrets

in a specific path to get make policies easier

or to get rid of them all without having to

go through each secret id.

# QUESTIONS?