Obfuscate enroll secret in error (#16684)

When attempting to set an enroll secret that already exists in the DB, the
error message no longer contains the secret in cleartext.
#16621 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
This commit is contained in:
Victor Lyuboslavsky 2024-02-09 13:31:34 -06:00 committed by GitHub
parent d402f72c81
commit 6aedcf97be
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 10 additions and 1 deletions


@ -0,0 +1 @@
When attempting to set an enroll secret which already exists in DB, error message no longer contains the secret in cleartext.


@ -147,6 +147,10 @@ func applyEnrollSecretsDB(ctx context.Context, q sqlx.ExtContext, teamID *uint,
args = append(args, s.Secret, teamID, secretCreatedAt)
}
if _, err := q.ExecContext(ctx, sql, args...); err != nil {
if isDuplicate(err) {
// Obfuscate the secret in the error message
err = alreadyExists("secret", fleet.MaskedPassword)
}
return ctxerr.Wrap(ctx, err, "insert secrets")
}
}
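Review bot: The masking added on the isDuplicate branch covers only the duplicate-key case, while any other driver error from ExecContext is still wrapped verbatim on the `return ctxerr.Wrap(...)` line; whether those other error paths can echo a bound secret value is worth confirming, or at least stating as an assumption next to the check. Replacing err also discards the underlying driver error, so callers can no longer inspect it with errors.As; if that trade-off is intended, the comment should say so rather than just "obfuscate": `// Duplicate-key errors echo the offending value, so replace the driver error entirely; callers only ever see the masked alreadyExists error.` applyEnrollSecretsDB starts before this hunk.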


@ -3,7 +3,9 @@ package mysql
import (
"context"
"encoding/json"
"fmt"
"sort"
"strings"
"testing"
"time"
@ -319,8 +321,9 @@ func testAppConfigEnrollSecretUniqueness(t *testing.T, ds *Datastore) {
team1, err := ds.NewTeam(context.Background(), &fleet.Team{Name: "team1"})
require.NoError(t, err)
const secret = "one_secret"
expectedSecrets := []*fleet.EnrollSecret{
{Secret: "one_secret"},
{Secret: secret},
}
err = ds.ApplyEnrollSecrets(context.Background(), &team1.ID, expectedSecrets)
require.NoError(t, err)
@ -328,6 +331,7 @@ func testAppConfigEnrollSecretUniqueness(t *testing.T, ds *Datastore) {
// Same secret at global level should not be allowed
err = ds.ApplyEnrollSecrets(context.Background(), nil, expectedSecrets)
require.Error(t, err)
assert.False(t, strings.Contains(err.Error(), secret), fmt.Sprintf("error should not contain secret in plaintext: %s", err.Error()))
}
func testAppConfigDefaults(t *testing.T, ds *Datastore) {
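Review bot: The new assertion in the last hunk reads better as testify's dedicated matcher, which also prints both values on failure and makes the newly added fmt import unnecessary: `assert.NotContains(t, err.Error(), secret, "error should not contain secret in plaintext")`. The check is only exercised on the global-level duplicate; adding the same assertion after any other duplicate-secret call in this test would pin the masking for every path that reaches the isDuplicate branch. testAppConfigEnrollSecretUniqueness starts before this section's hunks.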