#1640 Provide for passing credentials to SRPMfromSCM
Merged 2 years ago by tkopecek. Opened 2 years ago by electronghost.

file modified
@@ -4764,6 +4764,10 @@ 

          rootopts = {'install_group': 'srpm-build',

                      'setup_dns': True,

                      'repo_id': repo_id}

+         if self.options.scm_credentials_dir is not None and os.path.isdir(self.options.scm_credentials_dir):

+             rootopts['bind_opts'] = {'dirs' : {self.options.scm_credentials_dir : '/credentials',}}

+             ## Force internal_dev_setup back to true because bind_opts is used to turn it off

+             rootopts['internal_dev_setup'] = True

          br_arch = self.find_arch('noarch', self.session.host.getHost(), self.session.getBuildConfig(build_tag['id'], event=event_id))

          broot = BuildRoot(self.session, self.options, build_tag['id'], br_arch, self.id, **rootopts)

          broot.workdir = self.workdir
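Review bot: The `os.path.isdir()` guard on the first added line skips the bind mount silently when `scm_credentials_dir` is set but the path is missing or not a directory, so the build carries on without `/credentials` and the failure only surfaces later inside the source command. Add an else branch for the case where the option is not None but the check fails, and log a warning or fail the task there. Style: the added comment starts with `##`, and the literal `{'dirs' : {... : '/credentials',}}` has spaces before the colons and a trailing comma, unlike the `rootopts` literal just above it.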
@@ -6156,6 +6160,7 @@ 

                  'createrepo_update': True,

                  'pkgurl': None,

                  'allowed_scms': '',

+                 'scm_credentials_dir': None,

                  'support_rpm_source_layout': True,

                  'yum_proxy': None,

                  'maven_repo_ignore': '*.md5 *.sha1 maven-metadata*.xml _maven.repositories '

file modified
@@ -69,6 +69,20 @@ 

  ; is run by default.

  allowed_scms=scm.example.com:/cvs/example git.example.org:/example svn.example.org:/users/*:no


+ ; A directory to bind mount into Source RPM creation so that some

+ ; credentials can be supplied when required to fetch sources, e.g.

+ ; when the place the sources are fetched from requires all accesses to

+ ; be authenticated in order to satisfy auditing requirements.

+ ;

+ ; The directory specified here will turn up in the SRPMfromSCM chroot

+ ; as /credentials. It is up to whatever implements "make_source_cmd"

+ ; to make appropriate use of any credentials supplied.

+ ;

+ ; Be aware that this means "make_source_cmd" has access to these

+ ; credentials and could steal them; any credentials supplied

+ ; should be easily disabled, and not used for other purposes.

+ ; scm_credentials_dir = /etc/kojid/scmcredentials


  ; The mail host to use for sending email notifications
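Review bot: The warning paragraph covers theft by "make_source_cmd" but does not say that, once the option is set, the directory is mounted into every SRPMfromSCM build root on this builder (the code hunk applies it with no per-tag or per-SCM condition), nor that a path that is not a directory is ignored. Add both to the comment, and mention the save-failed-tree exposure raised in the review discussion so that an administrator reading only the config file sees it.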



Some places force every access to their systems to be authenticated for
audit purposes, which means even an https fetch of a source tarball
needs access to some sort of credential.

Provide for a directory intended to contain credentials to be
bind-mounted into the BuildRoot for the BuildSRPMFromSCM task as
"/credentials". Whatever runs as a result of the source_cmd ("make
sources") is responsible for doing something useful with the contents.

rebased onto 4b1246cdd9e1fab229a1edf86c1fe7070f93d17f

2 years ago

I'm worried about exposing credentials in such a way (It can even be downloaded via save-failed-tree task by anyone - with proper config it should work anyway). On the other hand, I've no better idea now, so if there is some other +1, I'm ok with merging it.

@mikem @breilly @julian8628

There are a variety of ways that credentials could be exfiltrated even if you don't allow save-failed-tree. However, the alternative is to provide credential-free access to anything "make sources" is allowed to see, which won't fly.

I considered more elaborate means of handling this, but it essentially boils down to the same thing; "make sources" has access to the credentials.

(Unless and until we can have SELinux inside the mock environment, at which point combining that with enforcing gpg signatures when installing packages to generate the mock environment with appropriate policies would allow the credentials to be accessed only by known "safe" utilities, but save-failed-tree probably doesn't work so well any more then)

Ultimately the purpose of these credentials is to satisfy an auditing requirement, and I'm expecting them to be changed regularly by an automated process.
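A host-side audit of the directory named by `scm_credentials_dir`, as an added example that is not part of this pull request or of Koji: it reports the case the merged `os.path.isdir()` check skips silently, loose write permissions, symlinks, and files that have not been rotated. The function name, the finding strings and the 30-day rotation threshold are assumptions made for this example.

```python
import os
import stat
import sys
import time

def audit_credentials_dir(path, max_age_days=30, now=None):
    """Return findings for the host directory named by scm_credentials_dir."""
    now = time.time() if now is None else now
    if not os.path.isdir(path):
        # The merged check is os.path.isdir(); when it fails, no bind mount
        # is added and the build root has no /credentials.
        return ["%s is not a directory: no /credentials in the chroot" % path]
    findings = []
    if os.path.islink(path):
        findings.append("%s is a symlink; bind a real directory" % path)
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is group- or world-writable" % path)
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                # A link target outside the directory is not part of the mount.
                findings.append("%s is a symlink" % full)
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("%s is group- or world-writable" % full)
            elif now - st.st_mtime > max_age_days * 86400:
                # 30 days is an assumed default, not a Koji setting.
                findings.append("%s not rotated in %d days" % (full, max_age_days))
    return findings

if __name__ == "__main__":
    # Default path is the commented example from the config hunk above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/kojid/scmcredentials"
    problems = audit_credentials_dir(target)
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```
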

rebased onto 5c7a3b816217dd2fff2d49cf388e5a642080917c

2 years ago

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 years ago

Can we have some warning in docs to indicate the potential risks?

It is also possible to expose the credentials by some aforethought make_source_cmd

rebased onto 6bf476b34edbad6d7be526d61d83bb4463d88942

2 years ago

rebased onto 7edd560

2 years ago

Commit 160780c fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago

Metadata Update from @jcupova:
- Pull-request tagged with: testing-done

2 years ago