Bosh trap refactor/security fix #11

Aug 29, 2019
11 changes: 8 additions & 3 deletions bosh/runner.go
Expand Up @@ -41,16 +41,18 @@ func (r Runner) Run(data environment.Config, dryRun bool, boshArgs ...string) er
fmt.Sprintf(`bosh_secret="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_CLIENT_SECRET=')"`),
fmt.Sprintf(`bosh_ca_cert="BOSH_CA_CERT=$bosh_ca_path"`),
fmt.Sprintf(`bosh_proxy="BOSH_ALL_PROXY=ssh+socks5://ubuntu@%s:22?private-key=${ssh_key_path}"`, data.OpsManager.IP.String()),
fmt.Sprintf(`bosh_gw_host="BOSH_GW_HOST=%s"`, data.OpsManager.IP.String()),
fmt.Sprintf(`bosh_gw_user="BOSH_GW_USER=ubuntu"`),
fmt.Sprintf(`bosh_gw_private_key="BOSH_GW_PRIVATE_KEY=${ssh_key_path}"`),
}

prereqs := []string{"jq", "om", "ssh"}

if len(boshArgs) > 0 {
lines = append(
lines,
fmt.Sprintf(`trap 'rm -f ${ssh_key_path}' EXIT`),
fmt.Sprintf(`trap 'rm -f ${bosh_ca_path}' EXIT`),
fmt.Sprintf(`/usr/bin/env $bosh_client $bosh_env $bosh_secret $bosh_ca_cert $bosh_proxy bosh %s`, strings.Join(boshArgs, " ")),
fmt.Sprintf(`trap 'rm -f ${ssh_key_path} ${bosh_ca_path}' EXIT`),
fmt.Sprintf(`/usr/bin/env $bosh_client $bosh_env $bosh_secret $bosh_ca_cert $bosh_proxy $bosh_gw_host $bosh_gw_user $bosh_gw_private_key bosh %s`, strings.Join(boshArgs, " ")),
)
prereqs = append(prereqs, "bosh")
} else {
Expand All @@ -62,6 +64,9 @@ func (r Runner) Run(data environment.Config, dryRun bool, boshArgs ...string) er
fmt.Sprintf(`echo "export $bosh_secret"`),
fmt.Sprintf(`echo "export $bosh_ca_cert"`),
fmt.Sprintf(`echo "export $bosh_proxy"`),
fmt.Sprintf(`echo "export $bosh_gw_host"`),
fmt.Sprintf(`echo "export $bosh_gw_user"`),
fmt.Sprintf(`echo "export $bosh_gw_private_key"`),
fmt.Sprintf(`echo "export CREDHUB_SERVER=\"\${BOSH_ENVIRONMENT}:8844\""`),
fmt.Sprintf(`echo "export CREDHUB_PROXY=\"\${BOSH_ALL_PROXY}\""`),
fmt.Sprintf(`echo "export CREDHUB_CLIENT=\"\${BOSH_CLIENT}\""`),
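Review bot: The new `trap 'rm -f ${ssh_key_path} ${bosh_ca_path}' EXIT` in the first hunk is still emitted as the second-to-last line of the script and only in the `len(boshArgs) > 0` branch, so any exit before that point (an earlier command failing, or the user interrupting the script) presumably leaves the SSH private key and CA file on disk; if the part of `Run` above this hunk is where those files are written, emitting the trap right after they are created would make the cleanup cover the whole script. The two paths in the trap are also expanded unquoted; `trap 'rm -f "${ssh_key_path}" "${bosh_ca_path}"' EXIT` keeps the cleanup correct for paths containing whitespace, and the same line appears in the `bosh/runner_test.go` and `integration/fixtures/bosh_cmd_script.sh` hunks. On that line and on the new `bosh_gw_*` lines in both hunks, `fmt.Sprintf` is called with no verbs and no arguments, which staticcheck reports as S1039; plain string literals would do. On the rewritten `/usr/bin/env ... bosh %s` line, `strings.Join(boshArgs, " ")` still splices the arguments unquoted into the shell command, so an argument containing whitespace or shell metacharacters is re-split or interpreted; single-quoting each argument (with embedded `'` written as `'\''`) before joining would preserve them as given. `Run` starts above the first hunk and ends below the second.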
14 changes: 11 additions & 3 deletions bosh/runner_test.go
Expand Up @@ -80,13 +80,19 @@ var _ = Describe("bosh runner", func() {
`bosh_secret="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_CLIENT_SECRET=')"`,
`bosh_ca_cert="BOSH_CA_CERT=$bosh_ca_path"`,
`bosh_proxy="BOSH_ALL_PROXY=ssh+socks5://[email protected]:22?private-key=${ssh_key_path}"`,
`bosh_gw_host="BOSH_GW_HOST=10.0.0.6"`,
`bosh_gw_user="BOSH_GW_USER=ubuntu"`,
`bosh_gw_private_key="BOSH_GW_PRIVATE_KEY=${ssh_key_path}"`,

`echo "export BOSH_ENV_NAME=env-name"`,
`echo "export $bosh_client"`,
`echo "export $bosh_env"`,
`echo "export $bosh_secret"`,
`echo "export $bosh_ca_cert"`,
`echo "export $bosh_proxy"`,
`echo "export $bosh_gw_host"`,
`echo "export $bosh_gw_user"`,
`echo "export $bosh_gw_private_key"`,
`echo "export CREDHUB_SERVER=\"\${BOSH_ENVIRONMENT}:8844\""`,
`echo "export CREDHUB_PROXY=\"\${BOSH_ALL_PROXY}\""`,
`echo "export CREDHUB_CLIENT=\"\${BOSH_CLIENT}\""`,
Expand Down Expand Up @@ -134,10 +140,12 @@ var _ = Describe("bosh runner", func() {
`bosh_secret="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_CLIENT_SECRET=')"`,
`bosh_ca_cert="BOSH_CA_CERT=$bosh_ca_path"`,
`bosh_proxy="BOSH_ALL_PROXY=ssh+socks5://[email protected]:22?private-key=${ssh_key_path}"`,
`bosh_gw_host="BOSH_GW_HOST=10.0.0.6"`,
`bosh_gw_user="BOSH_GW_USER=ubuntu"`,
`bosh_gw_private_key="BOSH_GW_PRIVATE_KEY=${ssh_key_path}"`,

`trap 'rm -f ${ssh_key_path}' EXIT`,
`trap 'rm -f ${bosh_ca_path}' EXIT`,
`/usr/bin/env $bosh_client $bosh_env $bosh_secret $bosh_ca_cert $bosh_proxy bosh arg1 arg2 arg3`,
`trap 'rm -f ${ssh_key_path} ${bosh_ca_path}' EXIT`,
`/usr/bin/env $bosh_client $bosh_env $bosh_secret $bosh_ca_cert $bosh_proxy $bosh_gw_host $bosh_gw_user $bosh_gw_private_key bosh arg1 arg2 arg3`,
}))

Expect(err).NotTo(HaveOccurred())
8 changes: 5 additions & 3 deletions integration/fixtures/bosh_cmd_script.sh
Expand Up @@ -62,6 +62,8 @@ bosh_env="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_ENVIRONMENT=')"
bosh_secret="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_CLIENT_SECRET=')"
bosh_ca_cert="BOSH_CA_CERT=$bosh_ca_path"
bosh_proxy="BOSH_ALL_PROXY=ssh+socks5://[email protected]:22?private-key=${ssh_key_path}"
trap 'rm -f ${ssh_key_path}' EXIT
trap 'rm -f ${bosh_ca_path}' EXIT
/usr/bin/env $bosh_client $bosh_env $bosh_secret $bosh_ca_cert $bosh_proxy bosh deployments
bosh_gw_host="BOSH_GW_HOST=35.225.148.133"
bosh_gw_user="BOSH_GW_USER=ubuntu"
bosh_gw_private_key="BOSH_GW_PRIVATE_KEY=${ssh_key_path}"
trap 'rm -f ${ssh_key_path} ${bosh_ca_path}' EXIT
/usr/bin/env $bosh_client $bosh_env $bosh_secret $bosh_ca_cert $bosh_proxy $bosh_gw_host $bosh_gw_user $bosh_gw_private_key bosh deployments
6 changes: 6 additions & 0 deletions integration/fixtures/bosh_creds_script.sh
Expand Up @@ -62,12 +62,18 @@ bosh_env="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_ENVIRONMENT=')"
bosh_secret="$(echo $bosh_all | tr ' ' '\n' | grep 'BOSH_CLIENT_SECRET=')"
bosh_ca_cert="BOSH_CA_CERT=$bosh_ca_path"
bosh_proxy="BOSH_ALL_PROXY=ssh+socks5://[email protected]:22?private-key=${ssh_key_path}"
bosh_gw_host="BOSH_GW_HOST=35.225.148.133"
bosh_gw_user="BOSH_GW_USER=ubuntu"
bosh_gw_private_key="BOSH_GW_PRIVATE_KEY=${ssh_key_path}"
echo "export BOSH_ENV_NAME=manatee"
echo "export $bosh_client"
echo "export $bosh_env"
echo "export $bosh_secret"
echo "export $bosh_ca_cert"
echo "export $bosh_proxy"
echo "export $bosh_gw_host"
echo "export $bosh_gw_user"
echo "export $bosh_gw_private_key"
echo "export CREDHUB_SERVER=\"\${BOSH_ENVIRONMENT}:8844\""
echo "export CREDHUB_PROXY=\"\${BOSH_ALL_PROXY}\""
echo "export CREDHUB_CLIENT=\"\${BOSH_CLIENT}\""