Prevent leaks of buildset registry credentials

Because buildset registries may be used by jobs that finish before other jobs are finished using the buildset registry we must be careful not to expose the registry credentials in the jobs that finish sooner. Otherwise logs for the earlier job runs could potentially be used to poison the registry for later jobs. This is likely currently incomplete. Other Zuulians should look over it carefully to ensure we're covering all the bases here. The cases I've identified so far are: * Setting facts that include passwords * Reading and writing to files that include passwords (as content may be logged) * Calling modules with passwords passed as arguments (the module invocation is logged) I've also set no_log on zuul_return that passes up credentials because while the logging for zuul_return is minimal today, I don't want to count on it remaining that way. We also use the yet to be merged secret_data attribute on zuul_return to ensure that zuul_return itself does not expose anything unwanted. Finally it would be great if others could check over the use of buildset_registry variables to make sure there aren't any that got missed. One thing I'm not sure of is whether or not when conditionals get logged and if we need to be careful about their use too. Temporarily remove some buildset-regitry jobs which are in a catch-22. Change-Id: I2dea683e27f00b99a7766bf830981bf91b925265
2020-11-24 15:33:56 -08:00
parent 9b7c1d0f73
commit 4c40b92950
11 changed files with 40 additions and 132 deletions
--- a/roles/build-container-image/tasks/main.yaml
+++ b/roles/build-container-image/tasks/main.yaml
@@ -1,18 +1,19 @@
 - name: Check for results.json
  stat:
-    path: "{{ zuul.executor.work_root }}/results.json"
+    path: "{{ zuul.executor.result_data_file }}"
  register: result_json_stat
  delegate_to: localhost

 # This can be removed if we add this functionality to Zuul directly
 - name: Load information from zuul_return
  set_fact:
-    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+    buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
  when:
    - buildset_registry is not defined
    - result_json_stat.stat.exists
    - result_json_stat.stat.size > 0
-    - "'buildset_registry' in (lookup('file', zuul.executor.work_root + '/results.json') | from_json)"
+    - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"
+  no_log: true

 - name: Build container images
  include_tasks: build.yaml
--- a/roles/build-docker-image/tasks/main.yaml
+++ b/roles/build-docker-image/tasks/main.yaml
@@ -7,12 +7,13 @@
 # This can be removed if we add this functionality to Zuul directly
 - name: Load information from zuul_return
  set_fact:
-    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+    buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
  when:
    - buildset_registry is not defined
    - result_json_stat.stat.exists
    - result_json_stat.stat.size > 0
-    - "'buildset_registry' in (lookup('file', zuul.executor.work_root + '/results.json') | from_json)"
+    - "'buildset_registry' in (lookup('file', zuul.executor.result_data_file) | from_json).get('secret_data')"
+  no_log: true

 # Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
 # so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
--- a/roles/pull-from-intermediate-registry/tasks/main.yaml
+++ b/roles/pull-from-intermediate-registry/tasks/main.yaml
@@ -2,7 +2,8 @@
 - name: Load information from zuul_return
  when: buildset_registry is not defined
  set_fact:
-    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+    buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
+  no_log: true

 # Start a socat tunnel to the buildset registry to work around the
 # fact that docker does not correctly parse ipv6 addresses.  The socat
@@ -47,10 +48,12 @@
  slurp:
    path: "~/.docker/config.json"
  register: docker_config
+  no_log: true
 - name: Parse docker user configuration
  when: docker_config_stat.stat.exists
  set_fact:
    docker_config: "{{ docker_config.content | b64decode | from_json }}"
+  no_log: true
 - name: Set default docker user configuration
  when: not docker_config_stat.stat.exists
  set_fact:
@@ -74,6 +77,7 @@
    content: "{{ new_docker_config | to_nice_json }}"
    dest: "~/.docker/config.json"
    mode: 0600
+  no_log: true

 # Pull the images

@@ -92,7 +96,7 @@
      register: result
      until: result is success
      when: "'metadata' in zj_zuul_artifact and zj_zuul_artifact.metadata.type | default('') == 'container_image'"
-      loop: "{{ zuul.artifacts | default([]) }}"
+      loop: "{{ zuul_artifacts | default([]) }}"
      loop_control:
        loop_var: zj_zuul_artifact
  always:
@@ -103,3 +107,4 @@
        content: "{{ docker_config | to_nice_json }}"
        dest: "~/.docker/config.json"
        mode: 0600
+      no_log: true
--- a/roles/pull-from-intermediate-registry/vars/main.yaml
+++ b/roles/pull-from-intermediate-registry/vars/main.yaml
@@ -0,0 +1,3 @@
+# The tests override this variable, which is why we don't use
+# zuul.artifacts directly.
+zuul_artifacts: "{{ zuul.artifacts }}"
--- a/roles/push-to-intermediate-registry/tasks/push.yaml
+++ b/roles/push-to-intermediate-registry/tasks/push.yaml
@@ -2,7 +2,8 @@
 - name: Load information from zuul_return
  when: buildset_registry is not defined
  set_fact:
-    buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}"
+    buildset_registry: "{{ (lookup('file', zuul.executor.result_data_file) | from_json)['secret_data']['buildset_registry'] }}"
+  no_log: true

 # Start a socat tunnel to the buildset registry to work around the
 # fact that docker does not correctly parse ipv6 addresses.  The socat
@@ -47,10 +48,12 @@
  slurp:
    path: "~/.docker/config.json"
  register: docker_config
+  no_log: true
 - name: Parse docker user configuration
  when: docker_config_stat.stat.exists
  set_fact:
    docker_config: "{{ docker_config.content | b64decode | from_json }}"
+  no_log: true
 - name: Set default docker user configuration
  when: not docker_config_stat.stat.exists
  set_fact:
@@ -74,6 +77,7 @@
    content: "{{ new_docker_config | to_nice_json }}"
    dest: "~/.docker/config.json"
    mode: 0600
+  no_log: true

 # Push the images
 - name: Push images to intermediate registry
@@ -91,3 +95,4 @@
        content: "{{ docker_config | to_nice_json }}"
        dest: "~/.docker/config.json"
        mode: 0600
+      no_log: true
--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -31,6 +31,7 @@
  set_fact:
    registry_password: "{{ lookup('password', '/dev/null') }}"
    registry_secret: "{{ lookup('password', '/dev/null') }}"
+  no_log: true

 - name: Write registry config
  template:
@@ -74,8 +75,13 @@
      username: zuul
      password: "{{ registry_password }}"
      cert: "{{ certificate }}"
+  no_log: true

 - name: Return registry information to Zuul
  zuul_return:
-    data:
+    secret_data:
      buildset_registry: "{{ buildset_registry }}"
+  # This isn't strictly necessary with the current implemenation of
+  # zuul_return but we set no_log: true in case the verbosity
+  # changes.
+  no_log: true
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -100,6 +100,7 @@
    buildset_registry: "{{ buildset_registry }}"
    buildset_registry_alias: "{{ buildset_registry_alias }}"
    namespaces: "{{ buildset_registry_namespaces }}"
+  no_log: true

 - name: Ensure buildkit directory exists
  become: yes
@@ -114,6 +115,7 @@
    buildset_registry: "{{ buildset_registry }}"
    buildset_registry_alias: "{{ buildset_registry_alias }}"
    namespaces: "{{ buildset_registry_namespaces }}"
+  no_log: true

 # We use 'block' here to cause the become to apply to all the tasks
 # (which does not automatically happen with include_tasks).
--- a/roles/use-buildset-registry/tasks/user-config.yaml
+++ b/roles/use-buildset-registry/tasks/user-config.yaml
@@ -32,11 +32,13 @@
        }
  set_fact:
    docker_config: "{{ docker_config | combine(new_config, recursive=True) }}"
+  no_log: true
 - name: Save docker user configuration
  copy:
    content: "{{ docker_config | to_nice_json }}"
    dest: "~/.docker/config.json"
    mode: 0600
+  no_log: true
 # The next two tasks are for supporting the "containers" tools (ie,
 # not docker); this directory doesn't exist on Xenial.
 - name: Check if /run/user exists
@@ -49,6 +51,7 @@
    content: "{{ docker_config | to_nice_json }}"
    dest: "/run/user/{{ ansible_user_uid }}/auth.json"
    mode: 0600
+  no_log: true
 # The next two tasks are for supporting k8s
 - name: Check if /var/lib/kubelet exists
  stat: