Bug 1691602

Summary: should encode password when configure default pull secret for project
Product: OpenShift Container Platform Reporter: Yadan Pei <yapei>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED CURRENTRELEASE QA Contact: Yadan Pei <yapei>
Severity: low Docs Contact:
Priority: medium    
Version: 4.1.0CC: aos-bugs, jhadvig, jokerman, mmccomas, spadgett, yapei
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-28 13:30:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yadan Pei 2019-03-22 02:55:10 UTC 
Description of problem:
in Default Pull Secret modal, password is not encoded

Version-Release number of selected component (if applicable):
console commit: io.openshift.build.commit.url=https://github.com/openshift/console/commit/bddf50c90ba2c2ed12658af993bdc30763866723
cluster version: 4.0.0-0.nightly-2019-03-20-153904

How reproducible:
Always

Steps to Reproduce:
1. user login to console, create a project and goes to Home -> Status -> choose your project -> Dashboard view
2. In project Details, we try to add default pull secret for our project
3. Set Secret Name, Method, Registry Address, Username, Password

Actual results:
3. We could find the password is not encoded

Expected results:
3. We should encode the password for security concerns

Additional info:
Comment 1 Jakub Hadvig 2019-03-22 10:01:37 UTC 
Tried to reproduce the issue but without luck.

I've created the Pull Image Secret, entering Name, Method, Registry Address, Username and Password and I could see
that all the data where encoded properly.
Note that the Username and Password are encoded into the 'auth' field in following format 'Username:Password'

So when creating secret with:
Name: secret1
RegistryAdd: secret.k8s.com
Username: foo
Password: bar

the created secret looks like:
------
$ oc get secret secret1 -o yaml
kind: Secret
apiVersion: v1
metadata:
  name: secret1
  namespace: default
  selfLink: /api/v1/namespaces/default/secrets/secret1
  uid: beb1f74e-4c88-11e9-a631-0a79fc8e9920
  resourceVersion: '735952'
  creationTimestamp: '2019-03-22T09:56:21Z'
data:
  .dockerconfigjson: >-
    eyJhdXRocyI6eyJzZWNyZXQuazhzLmNvbSI6eyJhdXRoIjoiWm05dk9tSmhjZz09IiwiZW1haWwiOiIifX19
type: kubernetes.io/dockerconfigjson
------

if you base64 decode the data['.dockerconfigjson'] string you will get following json string:

{"auths":{"secret.k8s.com":{"auth":"Zm9vOmJhcg==","email":""}}}

You can notice the nested 'auth' field which if you base64 decode once again you will get: 'foo:bar' which is the Username:Password I mentioned.
Not sure if I missed something though, can you provide please more info ?
Comment 2 Yadan Pei 2019-03-25 02:16:55 UTC 
This issue only happens in configuring default pull secret modal, which should be located at https://github.com/openshift/console/blob/master/frontend/public/components/modals/configure-ns-pull-secret-modal.jsx#L259

Here's a recording of the screen http://g.recordit.co/QFaWXoshv7.gif

The secret created has encoded data but in the form, password is shown 'redhat' which should be '******'

Let me know if it's still not clear
Comment 3 Jakub Hadvig 2019-03-25 09:19:36 UTC 
Oh, got it, you mean the the password should be hidden to the user.

PR: https://github.com/openshift/console/pull/1333
Comment 4 Yadan Pei 2019-03-26 02:56:19 UTC 
fixed PR not included in commit 7bf984f9acae7f687d7488b3e928c959b0d18862 built with 4.0.0-0.nightly-2019-03-25-180911

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-03-25-180911   True        False         3h49m   Cluster version is 4.0.0-0.nightly-2019-03-25-180911

$ oc get pods -n openshift-console -o yaml | grep console.openshift.io/image
      console.openshift.io/image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c5be6a7d00d5f3d268b2e4f751bf5cad09809845c55be5e0069fda4b17729c5f
$ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c5be6a7d00d5f3d268b2e4f751bf5cad09809845c55be5e0069fda4b17729c5f | grep commit.url
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/7bf984f9acae7f687d7488b3e928c959b0d18862
$ git log 7bf984f9acae7f687d7488b3e928c959b0d18862 | grep '#1333'     // fixed PR not included in 
    Merge pull request #1333 from kyoto/remove-unused-angulars
Comment 6 Yadan Pei 2019-03-28 06:39:58 UTC 
When open Default Pull Secret modal, send string "redhat" to password field, it's invisible to users


Verified on 4.0.0-0.nightly-2019-03-27-213938

$ oc get pods console-59fc497b7c-7dzjv -n openshift-console -o yaml | grep -i image
    console.openshift.io/image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ba886bff6154f33a1c579203c69c8bedd1770fb44026c84767488efec893c88
$ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ba886bff6154f33a1c579203c69c8bedd1770fb44026c84767488efec893c88 | grep commit
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/625390cdcceea0654c7cde1a44c2ce42cb9b0567
$ git log 625390cdcceea0654c7cde1a44c2ce42cb9b0567 | grep '#1333'
    Merge pull request #1333 from jhadvig/BZ1691602