From eb71cc1be13f8ff4a6133b66733e12b4a9023152 Mon Sep 17 00:00:00 2001 From: Joe Shaw Date: Wed, 8 Feb 2023 15:15:20 -0500 Subject: [PATCH 1/4] use secret store client keys when creating secret store entries --- go.mod | 3 +- go.sum | 45 ++------------- pkg/api/interface.go | 3 + pkg/commands/secretstoreentry/create.go | 32 +++++++++++ .../secretstoreentry/secretstoreentry_test.go | 55 +++++++++++++++++-- pkg/mock/api.go | 14 +++++ 6 files changed, 104 insertions(+), 48 deletions(-) diff --git a/go.mod b/go.mod index 474e09969..7609f6f78 100644 --- a/go.mod +++ b/go.mod @@ -29,12 +29,13 @@ require ( ) require ( - github.com/fastly/go-fastly/v7 v7.1.0 + github.com/fastly/go-fastly/v7 v7.2.0 github.com/kennygrant/sanitize v1.2.4 github.com/mholt/archiver v3.1.1+incompatible github.com/otiai10/copy v1.9.0 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 github.com/tcnksm/go-gitconfig v0.1.2 + golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be ) require ( diff --git a/go.sum b/go.sum index c73c0c87f..4c2b8b628 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,3 @@ -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g= github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 h1:AUNCr9CiJuwrRYS3XieqF+Z9B9gNxo/eANAJCF2eiN4= 
@@ -14,14 +13,13 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= -github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 h1:iFaUwBSo5Svw6L7HYpRu/0lE3e0BaElwnNO1qkNQxBY= github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s= github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY= github.com/dustinkirkland/golang-petname v0.0.0-20191129215211-8e5a1ed0cff0 h1:90Ly+6UfUypEF6vvvW5rQIv9opIL8CbmW9FT20LDQoY= github.com/dustinkirkland/golang-petname v0.0.0-20191129215211-8e5a1ed0cff0/go.mod h1:V+Qd57rJe8gd4eiGzZyg4h54VLHmYVVw54iMnlAMrF8= -github.com/fastly/go-fastly/v7 v7.1.0 h1:Xrx4WvFEslI7Ry8KXgTk7OPKFe4VU2aDULSPlSmIzTU= -github.com/fastly/go-fastly/v7 v7.1.0/go.mod h1:WdssHSSIe41/a5juIJagw8MCTA9m7xQ1TVLRcBQQuS8= +github.com/fastly/go-fastly/v7 v7.2.0 h1:d2FlF2vwtXkCmp+hC5fmn6+wvrsZsC8ZhTfoaehQXzQ= +github.com/fastly/go-fastly/v7 v7.2.0/go.mod h1:K32VeBzD+RJikDMUSKPpYfno8YBMXmNWjgGAn6I/OU8= github.com/fastly/kingpin v2.1.12-0.20191105091915-95d230a53780+incompatible h1:FhrXlfhgGCS+uc6YwyiFUt04alnjpoX7vgDKJxS6Qbk= github.com/fastly/kingpin v2.1.12-0.20191105091915-95d230a53780+incompatible/go.mod h1:U8UynVoU1SQaqD2I4ZqgYd5lx3A1ipQYn4aSt2Y5h6c= github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= 
@@ -75,10 +73,8 @@ github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Cl github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= github.com/nicksnyder/go-i18n v1.10.1 h1:isfg77E/aCD7+0lD/D00ebR2MV5vgeQ276WYyDaCRQc= github.com/nicksnyder/go-i18n v1.10.1/go.mod h1:e4Di5xjP9oTVrC6y3C7C0HoSYXjSbhh/dU0eUV32nB4= github.com/nwaples/rardecode v1.1.0/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0= 
@@ -129,51 +125,20 @@ github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo= github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be h1:fmw3UbQh+nxngCAHrDCCztao/kbYFnWjoqop8dHx05A= +golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync 
v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18= golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg= golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod 
h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 
@@ -181,9 +146,7 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -honnef.co/go/tools v0.2.2/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY= diff --git a/pkg/api/interface.go b/pkg/api/interface.go index d20c674d3..6ed34a27e 100644 --- a/pkg/api/interface.go +++ b/pkg/api/interface.go @@ -1,6 +1,7 @@ package api import ( + "crypto/ed25519" "net/http" "github.com/fastly/go-fastly/v7/fastly" @@ -345,6 +346,8 @@ type Interface interface { GetSecret(i *fastly.GetSecretInput) (*fastly.Secret, error) DeleteSecret(i *fastly.DeleteSecretInput) error ListSecrets(i *fastly.ListSecretsInput) (*fastly.Secrets, error) + CreateClientKey() (*fastly.ClientKey, error) + GetSigningKey() (ed25519.PublicKey, error) CreateResource(i *fastly.CreateResourceInput) (*fastly.Resource, error) } diff --git a/pkg/commands/secretstoreentry/create.go b/pkg/commands/secretstoreentry/create.go index 6ea332d11..f2998bc6f 100644 --- a/pkg/commands/secretstoreentry/create.go +++ b/pkg/commands/secretstoreentry/create.go 
@@ -110,6 +110,38 @@ func (c *CreateCommand) Exec(in io.Reader, out io.Writer) error { return errMaxSecretLength } + ck, err := c.Globals.APIClient.CreateClientKey() + if err != nil { + c.Globals.ErrLog.Add(err) + return err + } + + // TODO(joeshaw): Don't pull the signing key from the API, ship it + // with the source. + // + // We could override that with a flag or envvar, but it's safest to + // distribute them separately. + sk, err := c.Globals.APIClient.GetSigningKey() + if err != nil { + c.Globals.ErrLog.Add(err) + return err + } + + if !ck.ValidateSignature(sk) { + err := fmt.Errorf("unable to validate signature of client key") + c.Globals.ErrLog.Add(err) + return err + } + + wrapped, err := ck.Encrypt(c.Input.Secret) + if err != nil { + c.Globals.ErrLog.Add(err) + return err + } + + c.Input.Secret = wrapped + c.Input.ClientKey = ck.PublicKey + o, err := c.Globals.APIClient.CreateSecret(&c.Input) if err != nil { c.Globals.ErrLog.Add(err) diff --git a/pkg/commands/secretstoreentry/secretstoreentry_test.go b/pkg/commands/secretstoreentry/secretstoreentry_test.go index e266d3006..5eaf2f53c 100644 --- a/pkg/commands/secretstoreentry/secretstoreentry_test.go +++ b/pkg/commands/secretstoreentry/secretstoreentry_test.go @@ -2,6 +2,8 @@ package secretstoreentry_test import ( "bytes" + "crypto/ed25519" + "crypto/rand" "encoding/hex" "errors" "fmt" @@ -9,6 +11,7 @@ import ( "path" "runtime" "testing" + "time" "github.com/fastly/cli/pkg/app" "github.com/fastly/cli/pkg/commands/secretstoreentry" @@ -16,6 +19,7 @@ import ( "github.com/fastly/cli/pkg/mock" "github.com/fastly/cli/pkg/testutil" "github.com/fastly/go-fastly/v7/fastly" + "golang.org/x/crypto/nacl/box" ) func TestCreateSecretCommand(t *testing.T) { 
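Review bot: Nothing in the added block checks `ck.ExpiresAt` before `ck.Encrypt(c.Input.Secret)` is called, so `ValidateSignature` is the only gate on the client key. The test fixture in this patch signs only the public key bytes (`ed25519.Sign(skPriv, ckPub[:])`), which suggests the signature proves provenance but not freshness; whether go-fastly checks expiry internally is not visible here. If it does not, a guard such as `if time.Now().After(ck.ExpiresAt) { return errors.New("client key has expired") }` ahead of the encrypt call would reject a stale or replayed key locally (it needs `time` and `errors` in scope). `Exec` starts before and continues past this hunk.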
@@ -33,6 +37,33 @@ func TestCreateSecretCommand(t *testing.T) { } doesNotExistFile := path.Join(tmpDir, "DOES-NOT-EXIST") + ckPub, ckPriv, err := box.GenerateKey(rand.Reader) + if err != nil { + t.Fatal(err) + } + + skPub, skPriv, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + t.Fatal(err) + } + + ck := &fastly.ClientKey{ + PublicKey: ckPub[:], + Signature: ed25519.Sign(skPriv, ckPub[:]), + ExpiresAt: time.Now().Add(time.Hour), + } + + mockCreateClientKey := func() (*fastly.ClientKey, error) { return ck, nil } + mockGetSigningKey := func() (ed25519.PublicKey, error) { return skPub, nil } + + decrypt := func(ciphertext []byte) (string, error) { + plaintext, ok := box.OpenAnonymous(nil, ciphertext, ckPub, ckPriv) + if !ok { + return "", errors.New("failed to decrypt") + } + return string(plaintext), nil + } + scenarios := []struct { args string stdin string @@ -67,9 +98,13 @@ func TestCreateSecretCommand(t *testing.T) { args: fmt.Sprintf("create --store-id %s --name %s --stdin", storeID, secretName), stdin: secretValue, api: mock.API{ + CreateClientKeyFn: mockCreateClientKey, + GetSigningKeyFn: mockGetSigningKey, CreateSecretFn: func(i *fastly.CreateSecretInput) (*fastly.Secret, error) { - if secret := string(i.Secret); secret != secretValue { - return nil, fmt.Errorf("invalid secret: %s", secret) + if got, err := decrypt(i.Secret); err != nil { + return nil, err + } else if got != secretValue { + return nil, fmt.Errorf("invalid secret: %s", got) } return &fastly.Secret{ Name: i.Name, 
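Review bot: The fixtures added here only build a client key whose signature verifies, so the `unable to validate signature of client key` branch in `Exec` has no test. Since that check is the security control this patch introduces, I would add a scenario whose `CreateClientKeyFn` returns a key with a mismatched `Signature` (for example, signed by a second throwaway ed25519 key) and `wantError: "unable to validate signature of client key"`. Asserting in that scenario that `CreateSecretFn` is never reached would also pin that no secret leaves the CLI after a failed validation. `TestCreateSecretCommand` starts before and continues past this hunk.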
@@ -84,9 +119,13 @@ func TestCreateSecretCommand(t *testing.T) { { args: fmt.Sprintf("create --store-id %s --name %s --file %s", storeID, secretName, secretFile), api: mock.API{ + CreateClientKeyFn: mockCreateClientKey, + GetSigningKeyFn: mockGetSigningKey, CreateSecretFn: func(i *fastly.CreateSecretInput) (*fastly.Secret, error) { - if secret := string(i.Secret); secret != secretValue { - return nil, fmt.Errorf("invalid secret: %s", secret) + if got, err := decrypt(i.Secret); err != nil { + return nil, err + } else if got != secretValue { + return nil, fmt.Errorf("invalid secret: %s", got) } return &fastly.Secret{ Name: i.Name, @@ -100,9 +139,13 @@ func TestCreateSecretCommand(t *testing.T) { { args: fmt.Sprintf("create --store-id %s --name %s --file %s --json", storeID, secretName, secretFile), api: mock.API{ + CreateClientKeyFn: mockCreateClientKey, + GetSigningKeyFn: mockGetSigningKey, CreateSecretFn: func(i *fastly.CreateSecretInput) (*fastly.Secret, error) { - if secret := string(i.Secret); secret != secretValue { - return nil, fmt.Errorf("invalid secret: %s", secret) + if got, err := decrypt(i.Secret); err != nil { + return nil, err + } else if got != secretValue { + return nil, fmt.Errorf("invalid secret: %s", got) } return &fastly.Secret{ Name: i.Name, diff --git a/pkg/mock/api.go b/pkg/mock/api.go index 5b11405fa..fecbd9426 100644 --- a/pkg/mock/api.go +++ b/pkg/mock/api.go @@ -1,6 +1,8 @@ package mock import ( + "crypto/ed25519" + "github.com/fastly/go-fastly/v7/fastly" ) @@ -336,6 +338,8 @@ type API struct { GetSecretFn func(i *fastly.GetSecretInput) (*fastly.Secret, error) DeleteSecretFn func(i *fastly.DeleteSecretInput) error ListSecretsFn func(i *fastly.ListSecretsInput) (*fastly.Secrets, error) + CreateClientKeyFn func() (*fastly.ClientKey, error) + GetSigningKeyFn func() (ed25519.PublicKey, error) CreateResourceFn func(i *fastly.CreateResourceInput) (*fastly.Resource, error) } 
@@ -1710,6 +1714,16 @@ func (m API) ListSecrets(i *fastly.ListSecretsInput) (*fastly.Secrets, error) { return m.ListSecretsFn(i) } +// CreateClientKey implements Interface. +func (m API) CreateClientKey() (*fastly.ClientKey, error) { + return m.CreateClientKeyFn() +} + +// GetSigningKey implements Interface. +func (m API) GetSigningKey() (ed25519.PublicKey, error) { + return m.GetSigningKeyFn() +} + // CreateResource implements Interface. func (m API) CreateResource(i *fastly.CreateResourceInput) (*fastly.Resource, error) { return m.CreateResourceFn(i) From 7ea675105be636fa58099e2e2a37afb8f8bead8b Mon Sep 17 00:00:00 2001 From: Joe Shaw Date: Mon, 13 Feb 2023 14:40:33 -0500 Subject: [PATCH 2/4] encode the signing key, and check it against the API --- pkg/commands/secretstoreentry/create.go | 31 ++++++++++++++++++++----- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/pkg/commands/secretstoreentry/create.go b/pkg/commands/secretstoreentry/create.go index 9df543e86..f7d27da93 100644 --- a/pkg/commands/secretstoreentry/create.go +++ b/pkg/commands/secretstoreentry/create.go @@ -2,6 +2,7 @@ package secretstoreentry import ( "bytes" + "encoding/base64" "encoding/hex" "fmt" "io" 
@@ -21,6 +22,24 @@ const ( maxSecretLen = maxSecretKiB * 1024 ) +// The signing key is a public key that is used to sign client keys. +// It's meant to be a long-lived key and infrequently (if ever) rotated. +// Hardcoding it in the CLI gives us the benefit of distributing it via +// a different channel from the client keys its signing. +// +// When we do rotate it, we will need to update this value and release a +// new version of the CLI. However, users can also override this with +// the FASTLY_USE_API_SIGNING_KEY environment variable. +var signingKey []byte = mustDecode("CrO/A92vkxEZjtTW7D/Sr+1EMf/q9BahC0sfLkWa+0k=") + +func mustDecode(s string) []byte { + b, err := base64.StdEncoding.DecodeString(s) + if err != nil { + panic(err) + } + return b +} + // NewCreateCommand returns a usable command registered under the parent. func NewCreateCommand(parent cmd.Registerer, g *global.Data, m manifest.Data) *CreateCommand { c := CreateCommand{ @@ -94,7 +113,6 @@ func (c *CreateCommand) Exec(in io.Reader, out io.Writer) error { case c.secretFile != "": var err error - // nosemgrep: trailofbits.go.questionable-assignment.questionable-assignment if c.Input.Secret, err = os.ReadFile(c.secretFile); err != nil { return err } @@ -117,17 +135,18 @@ func (c *CreateCommand) Exec(in io.Reader, out io.Writer) error { return err } - // TODO(joeshaw): Don't pull the signing key from the API, ship it - // with the source. - // - // We could override that with a flag or envvar, but it's safest to - // distribute them separately. sk, err := c.Globals.APIClient.GetSigningKey() if err != nil { c.Globals.ErrLog.Add(err) return err } + if !bytes.Equal(sk, signingKey) && os.Getenv("FASTLY_USE_API_SIGNING_KEY") == "" { + err := fmt.Errorf("API signing key does not match expected value") + c.Globals.ErrLog.Add(err) + return err + } + if !ck.ValidateSignature(sk) { err := fmt.Errorf("unable to validate signature of client key") c.Globals.ErrLog.Add(err) 
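Review bot: `mustDecode` accepts any valid base64 string, so a truncated or mis-pasted `signingKey` would only show up at run time as a permanent "does not match" failure. That would push users toward the override variable. Checking the length at init makes a bad constant fail immediately: `if len(b) != ed25519.PublicKeySize { panic("signing key has unexpected length") }` (needs the `crypto/ed25519` import). The comment on `signingKey` should also say that setting `FASTLY_USE_API_SIGNING_KEY` gives up the separate-channel benefit described in its first paragraph. `mustDecode` deserves a one-line comment saying it panics and is meant for package-level constants only.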
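Review bot: In the `@@ -117,17 +135,18 @@` hunk the pinned key is only compared with the API's answer, and any non-empty `FASTLY_USE_API_SIGNING_KEY` skips that comparison silently. With the variable set, the client key and the key that vouches for it come from the same channel again and the user gets no indication of it. I would verify against the pinned key directly and contact `GetSigningKey` only under the override, as sketched below, and emit a warning through the command's usual diagnostic path when the override is active. This also removes an API round trip and a failure mode from the default path; the sketch needs `crypto/ed25519` imported in create.go. `Exec` starts before and continues past the hunk.

```go
// … unchanged: CreateClientKey call and its error handling …

// Trust the pinned key by default; only an explicit override falls
// back to the key served by the API.
sk := ed25519.PublicKey(signingKey)
if os.Getenv("FASTLY_USE_API_SIGNING_KEY") != "" {
	sk, err = c.Globals.APIClient.GetSigningKey()
	if err != nil {
		c.Globals.ErrLog.Add(err)
		return err
	}
}

// … unchanged: ck.ValidateSignature(sk) check …
```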
From cfe4dfa0fcbba9845bfbc13cea0c02d1d19ab0b7 Mon Sep 17 00:00:00 2001 From: Joe Shaw Date: Mon, 13 Feb 2023 15:31:24 -0500 Subject: [PATCH 3/4] set env var for signing key checks in tests --- pkg/commands/secretstoreentry/secretstoreentry_test.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkg/commands/secretstoreentry/secretstoreentry_test.go b/pkg/commands/secretstoreentry/secretstoreentry_test.go index 5eaf2f53c..0d85afadd 100644 --- a/pkg/commands/secretstoreentry/secretstoreentry_test.go +++ b/pkg/commands/secretstoreentry/secretstoreentry_test.go @@ -181,6 +181,11 @@ func TestCreateSecretCommand(t *testing.T) { opts.APIClient = mock.APIClient(testcase.api) + // Tests generate their own signing keys, which won't match + // the hardcoded value. Loosen the validation checks. + os.Setenv("FASTLY_USE_API_SIGNING_KEY", "1") + defer os.Unsetenv("FASTLY_USE_API_SIGNING_KEY") + err := app.Run(opts) testutil.AssertErrorContains(t, err, testcase.wantError) From b530745a76bfe6d9127b62ee6597d76d163d7307 Mon Sep 17 00:00:00 2001 From: Joe Shaw Date: Tue, 14 Feb 2023 10:49:57 -0500 Subject: [PATCH 4/4] use testing.Setenv; fix a typo --- pkg/commands/secretstoreentry/create.go | 2 +- pkg/commands/secretstoreentry/secretstoreentry_test.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/commands/secretstoreentry/create.go b/pkg/commands/secretstoreentry/create.go index f7d27da93..3bac204ff 100644 --- a/pkg/commands/secretstoreentry/create.go +++ b/pkg/commands/secretstoreentry/create.go 
@@ -25,7 +25,7 @@ const ( // The signing key is a public key that is used to sign client keys. // It's meant to be a long-lived key and infrequently (if ever) rotated. // Hardcoding it in the CLI gives us the benefit of distributing it via -// a different channel from the client keys its signing. +// a different channel from the client keys it's signing. // // When we do rotate it, we will need to update this value and release a // new version of the CLI. However, users can also override this with diff --git a/pkg/commands/secretstoreentry/secretstoreentry_test.go b/pkg/commands/secretstoreentry/secretstoreentry_test.go index 0d85afadd..5530f43b8 100644 --- a/pkg/commands/secretstoreentry/secretstoreentry_test.go +++ b/pkg/commands/secretstoreentry/secretstoreentry_test.go @@ -182,9 +182,9 @@ func TestCreateSecretCommand(t *testing.T) { opts.APIClient = mock.APIClient(testcase.api) // Tests generate their own signing keys, which won't match - // the hardcoded value. Loosen the validation checks. - os.Setenv("FASTLY_USE_API_SIGNING_KEY", "1") - defer os.Unsetenv("FASTLY_USE_API_SIGNING_KEY") + // the hardcoded value. Disable the check against the + // hardcoded value. + t.Setenv("FASTLY_USE_API_SIGNING_KEY", "1") err := app.Run(opts)
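Review bot: In the test hunk, `t.Setenv("FASTLY_USE_API_SIGNING_KEY", "1")` now runs for every scenario, so the pinned-key rejection (`API signing key does not match expected value`) is never exercised. A regression that dropped the comparison would pass this suite. I would make the override per-scenario, for example a `useAPISigningKey bool` field on the scenario struct, and add one create case that leaves it unset and expects that error string in `wantError`. Also note that `t.Setenv` panics when the test or an ancestor has called `t.Parallel`; whether this loop runs inside parallel subtests is not visible in the hunk.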