
Add a Secret Masking to Rule Enfocement API View Output #6170

Open. philipphomberger wants to merge 6 commits into base: master
Conversation

philipphomberger

Hi Community,

From my point of view, secrets should not be shown in cleartext in the Rule Enforcement view in the UI and the API, so I added a loop that automatically masks the secret to *****.
I'm not 100% happy with the way I do it for the get-one function, because of a problem I had accessing the keys of the object, so I convert the object to a str and then with eval to a dict.
Maybe someone here has a better idea.

I await your feedback.
Thank you all.

Add a Secret Masking to the API Output.
@pull-request-size pull-request-size bot added the size/M PR that changes 30-99 lines. Good size to review. label Mar 25, 2024
@philipphomberger philipphomberger changed the title Add a Secret Masking to Reule Enfocement API View Output Add a Secret Masking to Rule Enfocement API View Output Mar 25, 2024
@nzlosh
Contributor

nzlosh commented Mar 25, 2024

The idea seems good but the implementation needs a better architectural solution. Code already exists to handle masking secrets, would it be possible to call that?

def mask_secrets(self, value):

I've not tested this, but perhaps it can be called like below so secrets are masked?

        execution_dbs_by_id = {}
        for execution_db in execution_dbs:
            execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)

@philipphomberger
Author

Thanks @nzlosh I will try it. :)

@philipphomberger
Author

philipphomberger commented Mar 25, 2024

@nzlosh I have tried it,
but the functions have a strange behavior when I use them like that:

        from st2common.util.secrets import get_secret_parameters, mask_secret_parameters

        # enumerate() supplies the index i that the loop below uses when writing back
        for i, rule_enforcement_api in enumerate(rule_enforcement_apis):
            if "parameters" in str(rule_enforcement_api):
                # the action parameter schema tells which keys are flagged secret
                secrets = get_secret_parameters(rule_enforcement_api['execution']['action']['parameters'])
                print(f"Parameters before masking: {rule_enforcement_api['execution']['parameters']}")
                # note: the schema dict (action.parameters), not the runtime values, is passed as parameters=
                rule_enforcement_api['execution']['parameters'] = mask_secret_parameters(parameters=rule_enforcement_api['execution']['action']['parameters'], secret_parameters=secrets)
                print(f"Parameters after masking: {rule_enforcement_api['execution']['parameters']}")
                rule_enforcement_apis[i] = rule_enforcement_api
        return rule_enforcement_apis

Output:
2024-03-25 13:12:02 Parameters before masking: {'key1': 'test1234', 'key2': 'testsecret'}
2024-03-25 13:12:02 Parameters after masking: {'key1': {'type': 'string', 'default': '{{ st2kv.system.customer2_key1 }}'}, 'key2': '********'}

So it looks like I cannot use that function 1:1. The secret masking itself works, but the output for the non-secret parameters gets lost.

@philipphomberger
Author

I tried your idea as well:

2024-03-25 13:34:49 2024-03-25 12:34:49,799 ERROR [-] Failed to call controller function "get_all" for operation "st2api.controllers.v1.rule_enforcement_views:rule_enforcement_view_controller.get_all": 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:49 Traceback (most recent call last):
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 637, in __call__
2024-03-25 13:34:49     resp = func(**kw)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 75, in get_all
2024-03-25 13:34:49     rule_enforcement_apis.json = self._append_view_properties(
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 155, in _append_view_properties
2024-03-25 13:34:49     execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/db/execution.py", line 124, in mask_secrets
2024-03-25 13:34:49     parameters.update(value.get("action", {}).get("parameters", {}))
2024-03-25 13:34:49 AttributeError: 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:49 2024-03-25 12:34:49,803 ERROR [-] API call failed: 'ActionExecutionDB' object has no attribute 'get'
2024-03-25 13:34:49 Traceback (most recent call last):
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/middleware/error_handling.py", line 49, in __call__
2024-03-25 13:34:49     return self.app(environ, start_response)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/middleware/streaming.py", line 46, in __call__
2024-03-25 13:34:49     return self.app(environ, start_response)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 751, in as_wsgi
2024-03-25 13:34:49     resp = self(req)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 649, in __call__
2024-03-25 13:34:49     raise e
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/router.py", line 637, in __call__
2024-03-25 13:34:49     resp = func(**kw)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 75, in get_all
2024-03-25 13:34:49     rule_enforcement_apis.json = self._append_view_properties(
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2api/controllers/v1/rule_enforcement_views.py", line 155, in _append_view_properties
2024-03-25 13:34:49     execution_dbs_by_id[str(execution_db.id)] = execution_db.mask_secrets(execution_db)
2024-03-25 13:34:49   File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/db/execution.py", line 124, in mask_secrets
2024-03-25 13:34:49     parameters.update(value.get("action", {}).get("parameters", {}))
2024-03-25 13:34:49 AttributeError: 'ActionExecutionDB' object has no attribute 'get' (_exception_class='AttributeError',_exception_message="'ActionExecutionDB' object has no attribute 'get'",_exception_data={})
2024-03-25 13:34:49 2024-03-25 12:34:49,807 INFO [-] fca048a4-5c3f-47df-90d3-49167f6999bd - 500 39 209.912ms (method='GET',path='/v1/ruleenforcements/views/',remote_addr='172.20.0.6',status=500,runtime=209.912,content_length=39,request_id='fca048a4-5c3f-47df-90d3-49167f6999bd')
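The two attempts above fail in complementary ways: the first passes the action parameter *schema* where the runtime values belong, so non-secret parameters come back as schema dicts, and the second hands a DB document to a masker that expects a serialized dict (hence `'ActionExecutionDB' object has no attribute 'get'`). The following is an added example, not StackStorm's code and not part of this PR, that keeps the two roles apart: the schema decides which keys are secret, the rewrite touches only the runtime values. `SAMPLE_EXECUTION`, `secret_parameter_names` and `mask_execution_secrets` are constructed names for illustration.

```python
import copy
from typing import Any, Dict, Mapping, Set

MASK = "********"

# Constructed sample (not a real st2 record): a serialized execution shaped like the
# dict in the debug output above, schema under action.parameters, values under parameters.
SAMPLE_EXECUTION: Dict[str, Any] = {
    "id": "000000000000000000000001",  # placeholder id
    "action": {
        "ref": "customer2.run",  # constructed action ref
        "parameters": {
            "key1": {"type": "string", "default": "{{ st2kv.system.customer2_key1 }}"},
            "key2": {"type": "string", "secret": True},
        },
    },
    "runner": {"runner_parameters": {"timeout": {"type": "integer"}}},
    "parameters": {"key1": "test1234", "key2": "testsecret", "timeout": 60},
}


def secret_parameter_names(execution: Mapping[str, Any]) -> Set[str]:
    """Names flagged ``secret: true`` in the action and runner parameter schemas."""
    schema: Dict[str, Any] = {}
    schema.update(execution.get("action", {}).get("parameters", {}))
    schema.update(execution.get("runner", {}).get("runner_parameters", {}))
    return {name for name, spec in schema.items() if isinstance(spec, dict) and spec.get("secret")}


def mask_execution_secrets(execution: Mapping[str, Any]) -> Dict[str, Any]:
    """Return a copy of the serialized execution with secret parameter values masked.

    The schema is consulted only to learn WHICH keys are secret; the rewrite is
    applied to the runtime values under ``parameters`` (and ``liveaction.parameters``
    if present), so non-secret values are kept instead of being replaced by schema.
    """
    if not isinstance(execution, Mapping):
        # Same failure mode as the traceback above: a DB document has no .get(),
        # so callers must serialize it to a dict first.
        raise TypeError("expected a serialized execution dict, got %s" % type(execution).__name__)
    secrets = secret_parameter_names(execution)
    masked = copy.deepcopy(dict(execution))
    for holder in (masked, masked.get("liveaction", {})):
        params = holder.get("parameters")
        if isinstance(params, dict):
            holder["parameters"] = {k: (MASK if k in secrets else v) for k, v in params.items()}
    return masked
```

The input is never mutated, so the unmasked record stays usable for the code paths that legitimately need it while the API view gets the masked copy.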

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Philipp Homberger seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.
