SECRET_KEY is leaked in puppet output

Bug #1987015 reported by Takashi Kajinami
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| puppet-horizon | Fix Released | High | Takashi Kajinami | |

Bug Description

The local_settings file stores the SECRET_KEY parameter in a plain text format.
Because we don't disable diff, the key content is displayed in the puppet log during initial deployment or when the key is changed.

https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_35b/853178/5/check/puppet-openstack-integration-7-scenario003-tempest-centos-9-stream/35b383f/logs/puppet-20220819_004654.txt

```
2022-08-19 00:27:11 +0000 /Stage[main]/Horizon/Concat[/etc/openstack-dashboard/local_settings]/File[/etc/openstack-dashboard/local_settings]/content (notice):
--- /etc/openstack-dashboard/local_settings 2022-08-19 00:22:31.424520479 +0000
+++ /tmp/puppet-file20220819-98173-1ohu0iz 2022-08-19 00:27:11.319834990 +0000
@@ -1,54 +1,94 @@
-# -*- coding: utf-8 -*-
...

 # Set custom secret key:
 # You can either set it to a specific value or you can let horizon generate a
@@ -84,25 +134,31 @@
 # (usually behind a load-balancer). Either you have to make sure that a session
 # gets all requests routed to the same dashboard instance or you set the same
 # SECRET_KEY for all of them.
-SECRET_KEY='b7597ab43479af1ad712'
+#SECRET_KEY = secret_key.generate_or_read_from_file(
+# os.path.join(LOCAL_PATH, '.secret_key_store'))
+SECRET_KEY = 'big_secret'

...
```
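
Review bot: In the `@@ -84,25 +134,31 @@` hunk, the `-SECRET_KEY=` and `+SECRET_KEY =` lines write both the previous and the new key value into a notice-level log record for `File[/etc/openstack-dashboard/local_settings]`. Suppress the content diff for this resource (Puppet's `show_diff => false` on the file or concat resource) so that changes to the file are still reported without printing its contents, and rotate any key value that has already appeared in a stored log.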
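
To find stored Puppet logs that carry this kind of leak, the following added example (not part of the bug report or of puppet-horizon) scans log text for file-content diffs that print quoted secret values and returns a redacted copy. The setting-name pattern, the function name `scan_puppet_log` and the sample log are assumptions made for illustration.

```python
import re

# Log record opening a content diff: "<date> <time> <tz> <resource>/content (notice):"
HEADER_RE = re.compile(r"^\S+ \S+ \S+ (/Stage\[.*?)/content \(notice\):")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} ")
# Diff line (removed, added or context) assigning a quoted value to a
# sensitive-looking setting; the name list is an assumption, extend as needed.
SECRET_RE = re.compile(
    r"^(?P<mark>[-+ ])(?P<name>[A-Z_]*(?:SECRET|PASSWORD|TOKEN|KEY)[A-Z_]*)"
    r"\s*=\s*(?P<q>['\"])(?P<value>.*?)(?P=q)")
SIDES = {"-": "old", "+": "new", " ": "unchanged"}

# Constructed sample modelled on the excerpt above; the key values are made up.
SAMPLE_LOG = """\
2022-08-19 00:27:11 +0000 /Stage[main]/Horizon/Concat[/etc/openstack-dashboard/local_settings]/File[/etc/openstack-dashboard/local_settings]/content (notice):
--- /etc/openstack-dashboard/local_settings
+++ /tmp/puppet-file-example
@@ -84,25 +134,31 @@
 # SECRET_KEY for all of them.
-SECRET_KEY='old-example-key'
+#SECRET_KEY = secret_key.generate_or_read_from_file(
+SECRET_KEY = 'new-example-key'
2022-08-19 00:27:12 +0000 Puppet (notice): Applied catalog in 1.00 seconds
"""

def scan_puppet_log(text):
    """Return (findings, redacted_text) for secrets exposed in file diffs."""
    findings, out, resource = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if TIMESTAMP_RE.match(line):      # a new log record starts here
            header = HEADER_RE.match(line)
            resource = header.group(1) if header else None
        # Only lines inside a content diff are candidates.
        m = SECRET_RE.match(line) if resource else None
        if m:
            findings.append({"line": lineno, "resource": resource,
                             "setting": m["name"], "side": SIDES[m["mark"]]})
            # Replace only the quoted value, keep the rest of the line intact.
            line = line[:m.start("value")] + "[REDACTED]" + line[m.end("value"):]
        out.append(line)
    return findings, "\n".join(out)

if __name__ == "__main__":
    found, redacted = scan_puppet_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['setting']} ({f['side']} value) in {f['resource']}")
    print(redacted)
```

Both the removed and the added line count as findings: the old key stays valid until it is rotated, so either side of the diff is an exposure.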

Changed in puppet-horizon:
importance: Undecided → High
assignee: nobody → Takashi Kajinami (kajinamit)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (master)
Changed in puppet-horizon:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/853744
Committed: https://opendev.org/openstack/puppet-horizon/commit/a810ca2b4ef29eb166eb8f1041643a31262be49c
Submitter: "Zuul (22348)"
Branch: master

commit a810ca2b4ef29eb166eb8f1041643a31262be49c
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce

Changed in puppet-horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/853760

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/853760
Committed: https://opendev.org/openstack/puppet-horizon/commit/cf626d236763d9c739a41c06b6b891a0b6f6603f
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit cf626d236763d9c739a41c06b6b891a0b6f6603f
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce
    (cherry picked from commit a810ca2b4ef29eb166eb8f1041643a31262be49c)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/854018

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/854018
Committed: https://opendev.org/openstack/puppet-horizon/commit/06cb3015a33d14d23403371838d4270b6c3d1dbd
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 06cb3015a33d14d23403371838d4270b6c3d1dbd
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce
    (cherry picked from commit a810ca2b4ef29eb166eb8f1041643a31262be49c)
    (cherry picked from commit cf626d236763d9c739a41c06b6b891a0b6f6603f)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/854137

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/854137
Committed: https://opendev.org/openstack/puppet-horizon/commit/69539a2543c8e315231f1d0e0da894058329c065
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 69539a2543c8e315231f1d0e0da894058329c065
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce
    (cherry picked from commit a810ca2b4ef29eb166eb8f1041643a31262be49c)
    (cherry picked from commit cf626d236763d9c739a41c06b6b891a0b6f6603f)
    (cherry picked from commit 06cb3015a33d14d23403371838d4270b6c3d1dbd)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/854892

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/854892
Committed: https://opendev.org/openstack/puppet-horizon/commit/e10f6469ab7355970046c96738e630a07bbdf12b
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit e10f6469ab7355970046c96738e630a07bbdf12b
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce
    (cherry picked from commit a810ca2b4ef29eb166eb8f1041643a31262be49c)
    (cherry picked from commit cf626d236763d9c739a41c06b6b891a0b6f6603f)
    (cherry picked from commit 06cb3015a33d14d23403371838d4270b6c3d1dbd)
    (cherry picked from commit 69539a2543c8e315231f1d0e0da894058329c065)

tags: added: in-stable-victoria
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/855139

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/855139
Committed: https://opendev.org/openstack/puppet-horizon/commit/4d20a7aeb11e48e3df3443596a3c9efac87c137e
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 4d20a7aeb11e48e3df3443596a3c9efac87c137e
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce
    (cherry picked from commit a810ca2b4ef29eb166eb8f1041643a31262be49c)
    (cherry picked from commit cf626d236763d9c739a41c06b6b891a0b6f6603f)
    (cherry picked from commit 06cb3015a33d14d23403371838d4270b6c3d1dbd)
    (cherry picked from commit 69539a2543c8e315231f1d0e0da894058329c065)
    (cherry picked from commit e10f6469ab7355970046c96738e630a07bbdf12b)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-horizon (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-horizon/+/855536

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-horizon (stable/train)

Reviewed: https://review.opendev.org/c/openstack/puppet-horizon/+/855536
Committed: https://opendev.org/openstack/puppet-horizon/commit/b1f3b4f89e4f2c3bb226e0be892817934dcb284e
Submitter: "Zuul (22348)"
Branch: stable/train

commit b1f3b4f89e4f2c3bb226e0be892817934dcb284e
Author: Takashi Kajinami <email address hidden>
Date: Fri Aug 19 11:27:04 2022 +0900

    Do not show diff of local_settings(.py)

    ... because the file contains a few sensitive values like SECRET_KEY.

    Conflicts:
            spec/classes/horizon_init_spec.rb

    Resolved conflict caused by RHEL/CentOS 7 support which was removed
    during Ussuri cycle.

    Closes-Bug: #1987015
    Change-Id: Ie96eb626148214270c5a3a041087fcc679c127ce
    (cherry picked from commit a810ca2b4ef29eb166eb8f1041643a31262be49c)
    (cherry picked from commit cf626d236763d9c739a41c06b6b891a0b6f6603f)
    (cherry picked from commit 06cb3015a33d14d23403371838d4270b6c3d1dbd)
    (cherry picked from commit 69539a2543c8e315231f1d0e0da894058329c065)
    (cherry picked from commit e10f6469ab7355970046c96738e630a07bbdf12b)
    (cherry picked from commit 4d20a7aeb11e48e3df3443596a3c9efac87c137e)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon 21.0.0

This issue was fixed in the openstack/puppet-horizon 21.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon 18.6.0

This issue was fixed in the openstack/puppet-horizon 18.6.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon 19.5.0

This issue was fixed in the openstack/puppet-horizon 19.5.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon 20.4.0

This issue was fixed in the openstack/puppet-horizon 20.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon victoria-eol

This issue was fixed in the openstack/puppet-horizon victoria-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon ussuri-eol

This issue was fixed in the openstack/puppet-horizon ussuri-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-horizon train-eol

This issue was fixed in the openstack/puppet-horizon train-eol release.
