Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: New environment variable obfuscation functionality #355

Open
wants to merge 18 commits into
base: main
Choose a base branch
from

Conversation

matglas
Copy link
Contributor

@matglas matglas commented Sep 20, 2024

What this PR does / why we need it

Implementing obfuscation of environment variables. Capturing secret values like tokens and api keys is a security risk and attestation should not hold that information. Although it is important to know which values are used to adjust the behavior for scripts.

Which issue(s) this PR fixes (optional)

Fixes:

Acceptance Criteria Met

  • Docs changes if needed
  • Testing changes if needed
  • All workflow checks passing (automatically enforced)
  • All review conversations resolved (automatically enforced)
  • DCO Sign-off

Special notes for your reviewer:

The default list can be extended with more variable that should be hidden. This can be extended in the cli with flags that add more items to the list. I think that the default obfuscation list does not need to be 'overridden' but only needs extension.

It also obfuscates based on glob. So if an key would be added like REASON_* it will pick up all REASON_TEST etc. variables. There are a few glob keys that are added by default.

*_TOKEN
SECRET_*
*_API_KEY
*_PASSWORD
*_JWT

Final solution

New flags:

  • --env-filter-sensitive-vars
  • --env-disable-default-sensitive-vars
  • --env-add-sensitive-key can be repeated multiple times.
  • --env-exclude-sensitive-key can be repeated multiple times.

Blocklist is now filter list. It describes better what it does.
Obfuscation is the default behavior.
Variables can be obfuscated or filtered based on glob patterns e.g. *SECRET

There is a default list of globs which is quite restrictive by default allow users to explicitly use exclude-sensitive-key to exclude it from filtering or obfuscation.

*TOKEN*
*SECRET*
*API_KEY*
*PASSWORD*
*JWT*

@matglas matglas force-pushed the env-obfuscate branch 6 times, most recently from 39ceb12 to 790470e Compare September 20, 2024 12:38
@matglas
Copy link
Contributor Author

matglas commented Sep 20, 2024

@jkjell would you be able to do a review?

@kairoaraujo kairoaraujo self-requested a review September 20, 2024 15:20
attestation/environment/obfuscate.go Outdated Show resolved Hide resolved
attestation/environment/obfuscate.go Outdated Show resolved Hide resolved
@matglas
Copy link
Contributor Author

matglas commented Sep 27, 2024

With this latest change I go from default blocking behavior to default obfuscate behavior. And the default list
is the same for blocking and obfuscating. Also the blocking will also use glob patterns now.

Introducing several arguments:

--attestor-environment-block-sensitive-vars
Switch from obfuscate to blocking variables which removes them from the output completely.

--attestor-environment-disable-default-sensitive-vars
Disable the default list of sensitive vars and only use the items mentioned by --attestor-environment-sensitive-key.

--attestor-environment-sensitive-key can be repeated
Add keys to the list of sensitive environment keys.

I believe that as we are still in the v0.x.y versions it should not be a problem to change the default
behavior from blocking to obfuscating. The variables will still not be exposed and switching to blocking
is still possible.

@mikhailswift I need a bit of help on the --attestor-environment-sensitive-key and it looks like you worked on the registry.StringSliceConfigOption. But its not capturing the values correctly somehow. Are you able to help me a bit here?

@matglas
Copy link
Contributor Author

matglas commented Sep 27, 2024

Forget the part about the registry.StringSliceConfigOption. I had a misconfiguration in my debug setup. But I did found another missing part after that 😄 . The function works now properly. It only needs more work on the tests.

@matglas matglas force-pushed the env-obfuscate branch 2 times, most recently from da61a58 to b33029c Compare September 30, 2024 08:34
@matglas
Copy link
Contributor Author

matglas commented Sep 30, 2024

My last changes fixed the tests. I also renamed block to filter. Which seems to me that it is a much more logical.

@matglas matglas force-pushed the env-obfuscate branch 2 times, most recently from 7265fbb to aedf429 Compare September 30, 2024 12:38
@matglas
Copy link
Contributor Author

matglas commented Oct 2, 2024

It looks like we have a challenge with the linux tracing. It also contains all the env vars in the proc info when used. So the behavior needs to pass the same flags there too.

@matglas matglas force-pushed the env-obfuscate branch 2 times, most recently from f8bdde2 to ecacd4e Compare October 2, 2024 12:40
kairoaraujo
kairoaraujo previously approved these changes Oct 2, 2024
Copy link
Collaborator

@kairoaraujo kairoaraujo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
Waiting for others feedback

@matglas
Copy link
Contributor Author

matglas commented Oct 3, 2024

@ChaosInTheCRD and I had a conversation on Slack about the implementation because there is a 'hidden' use of Environment inside the commandrun attestor. It used to use the FilterEnvironmentArray but the behavior is completely changing because of the new flags. Because of this commandrun can not use it correctly anymore.

We discussed that is might be best to introduce the current new flags not on the environment attestor level, but move them to the global flags. This way the flags can be used both in Environment and Commandrun Attestor.

Also the filtering and obfuscation methods need to made generic for. So not specifically as part of the attestors.

@kairoaraujo @ChaosInTheCRD if we agree on this I'll implement the change that way. A 👍 is enough.

@axi92
Copy link

axi92 commented Oct 11, 2024

Nice to see that this gets implemented! 👍
I asked about that in a discussion in-toto/witness#510
I love to see the support for bamboo from Atlassian too.
Since the original list was from a separate repo I posted an issue there Puliczek/awesome-list-of-secrets-in-environment-variables#12. Maybe it could be implemented here as well?

(PS: Is that not more a feature than a chore pr?)

@matglas
Copy link
Contributor Author

matglas commented Oct 11, 2024

The purpose of the obfuscation is to have a general list of sensitive keys. And they cover the aspect of keys that are matched based on glob. The current that is captured by glob is already covering a lot. Also we do not want to obfuscate all bamboo values I believe.

With the additional flags you can anything that is not covered by these 'sane defaults'. If there is something that is really missing in the sane defaults we could of course add that. See the list here attestation/environment/sensitive_env_vars.go.

@axi92
Copy link

axi92 commented Oct 14, 2024

Yes, obfuscating all bamboo variables would not make sense. With the list https://github.com/matglas/go-witness/blob/ecacd4ec0ba7a4a12664d3e5d75eedbd433bb9f2/attestation/environment/sensitive_env_vars.go#L24-L28 of defaults are those case sensitive?

Secret and password are already covered right now.
But sshKey and passphrase is missing, if an env variable contains one of those two, they are obfuscated per default on bamboo.

@matglas
Copy link
Contributor Author

matglas commented Oct 14, 2024

... are those case sensitive?

Yes they are.

Secret and password are already covered right now. But sshKey and passphrase is missing, if an env variable contains one of those two, they are obfuscated per default on bamboo.

These are valuable additions indeed. I'll include them.

@matglas matglas force-pushed the env-obfuscate branch 4 times, most recently from 9c8284c to 8a69303 Compare October 14, 2024 11:35
matglas and others added 14 commits October 17, 2024 09:06
Co-authored-by: Kairo Araujo <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Adding flags to behave blocking or obfuscating and adding new keys.

Signed-off-by: Matthias Glastra <[email protected]>
Co-authored-by: Kairo Araujo <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
Signed-off-by: Matthias Glastra <[email protected]>
mainProgram: c.Path,
processes: make(map[int]*ProcessInfo),
hash: actx.Hashes(),
environmentBlockList: r.environmentBlockList,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just as a sanity check, we're ensuring backwards compatibility here right? Again, been out of the loop on this last week or two but just asking the questions to ensure that this was all considered 😄

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes backward compatibility on the tracing. But with the side note that we now do not filter anymore but use configuration of the EnvironmentCapturer

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you don't see a problem with that we can resolve this conversation.

@matglas matglas changed the title chore: New environment variable obfuscation functionality feat: New environment variable obfuscation functionality Nov 15, 2024
Signed-off-by: Matthias Glastra <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants