Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

47 HFT WinCred persistence bug #124

Merged
merged 3 commits into from
Jul 14, 2020
Merged

Conversation

sgnn7
Copy link
Contributor

@sgnn7 sgnn7 commented Jul 13, 2020

What does this PR do?

What ticket does this PR close?

Connected to #47
Connected to #112

Checklists

Change log

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

Documentation

  • Docs (e.g. READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or
  • This PR does not require updating any documentation

@izgeri
Copy link
Contributor

izgeri commented Jul 13, 2020

@sgnn7 before this wraps up, can you please file an issue to add tests for this and include it in the epic?

@sgnn7 sgnn7 marked this pull request as ready for review July 13, 2020 22:07
@sgnn7 sgnn7 requested a review from a team as a code owner July 13, 2020 22:07
@sgnn7
Copy link
Contributor Author

sgnn7 commented Jul 13, 2020

@izgeri Created: #125

Copy link
Contributor

@doodlesbykumbi doodlesbykumbi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good. Left some comments

c = reg.map { |name, _type, data| [name.gsub(/(.)([A-Z])/, '\1_\2').downcase, data] }.to_h
end
rescue
Puppet.notice "Agent's registry did not contain path #{REG_KEY_NAME}. This is normal " +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is always normal e.g. when this error is thrown when using HFTs for the (n+1)-th time

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure - that's why the disclaimer is there for "when using HFTs for the first time on a node" on the second line. I'm not sure we can improve this too much since it's an edge case where this condition is not a very suspicious state on the node.

Puppet.debug "Finding Conjur credentials in WinCred storage for uri: #{uri}"
matching_creds = WinCred.enumerate_credentials.select do |cred|
cred[:target].start_with?(uri.to_s) || \
cred[:target] == "#{uri.host}:#{uri.port}" || \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely an improvement!

  1. I worry that this is still brittle since the regex in init.pp isn't parsing the URL and might not get host or host+port.
  2. I'm not sure (right this second) why we need this criteria cred[:target].start_with?(uri.to_s)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I worry that this is still brittle since the regex in init.pp isn't parsing the URL and might not get host or host+port.

It's brittle for sure but keep in mind that for this we are explicitly just fixing the HFT usage which has a very predictable credential name pattern that it will save to the cred manager.

I'm not sure (right this second) why we need this criteria cred[:target].start_with?(uri.to_s)

I fully agree and I think it's effectively doing just a bad version of <scheme>://<host>:<port> comparison which is the pattern we use in README but I explicitly didn't want to possibly change the behavior for current users/setups.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should create an issue to make this more robust. It applies to any scenario where credentials are committed on the agent coming from the puppet server (including HFTs)

sgnn7 added 2 commits July 14, 2020 08:56
This code previously searched for windows credentials that did not match
saved ones when using host-factory tokens on windows (namely `<host>:<port>`),
causing Windows hosts to keep recreating their host identity with the
HF token. This would result in inability to fetch secrets once the HFT
token would expire but with this fix we find our host credentials in the
WinCred storage and can avoid recreating the host identity.
This warning will help troubleshoot machines with better error logging
for when we have a *nix `conjur.conf` file but the matching identity
cannot be found.
@sgnn7 sgnn7 force-pushed the 47-hft-wincred-persistence-bug branch from 57d1d6b to 7982925 Compare July 14, 2020 13:58
This situation is common when using HFTs where the registry will be
empty initially. Here we just ensure that errors result in no fatal
paths to make sure that HFTs can work properly.
@sgnn7 sgnn7 force-pushed the 47-hft-wincred-persistence-bug branch from 7982925 to 79554a2 Compare July 14, 2020 14:26
Copy link
Contributor

@doodlesbykumbi doodlesbykumbi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I feel like this fix is a bandaid for now, since it isn't a perfect alignment of wincred persistence (in the .pp files) and wincred retrieval (what we have here).

@sgnn7
Copy link
Contributor Author

sgnn7 commented Jul 14, 2020

I feel like this fix is a bandaid for now, since it isn't a perfect alignment of wincred persistence (in the .pp files) and wincred retrieval (what we have here).

Agreed! Created the improvements issue as a tracker for that under #127

@sgnn7 sgnn7 merged commit 04b5a56 into master Jul 14, 2020
@sgnn7 sgnn7 deleted the 47-hft-wincred-persistence-bug branch July 14, 2020 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants