Bug 1691602 - should encode password when configure default pull secret for project
Summary: should encode password when configure default pull secret for project
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.1.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-22 02:55 UTC by Yadan Pei
Modified: 2019-05-06 13:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-28 13:30:55 UTC
Target Upstream Version:



Description Yadan Pei 2019-03-22 02:55:10 UTC
Description of problem:
in Default Pull Secret modal, password is not encoded

Version-Release number of selected component (if applicable):
console commit: io.openshift.build.commit.url=https://github.com/openshift/console/commit/bddf50c90ba2c2ed12658af993bdc30763866723
cluster version: 4.0.0-0.nightly-2019-03-20-153904

How reproducible:
Always

Steps to Reproduce:
1. User logs in to the console, creates a project and goes to Home -> Status -> choose your project -> Dashboard view
2. In project Details, we try to add a default pull secret for our project
3. Set Secret Name, Method, Registry Address, Username, Password

Actual results:
3. We can see that the password is not encoded

Expected results:
3. We should encode the password for security concerns

Additional info:

Comment 1 Jakub Hadvig 2019-03-22 10:01:37 UTC
Tried to reproduce the issue but without luck.

I've created the Pull Image Secret, entering Name, Method, Registry Address, Username and Password, and I could see
that all the data were encoded properly.
Note that the Username and Password are encoded into the 'auth' field in the following format: 'Username:Password'

So when creating a secret with:
Name: secret1
RegistryAdd: secret.k8s.com
Username: foo
Password: bar

the created secret looks like:
------
$ oc get secret secret1 -o yaml
kind: Secret
apiVersion: v1
metadata:
  name: secret1
  namespace: default
  selfLink: /api/v1/namespaces/default/secrets/secret1
  uid: beb1f74e-4c88-11e9-a631-0a79fc8e9920
  resourceVersion: '735952'
  creationTimestamp: '2019-03-22T09:56:21Z'
data:
  .dockerconfigjson: >-
    eyJhdXRocyI6eyJzZWNyZXQuazhzLmNvbSI6eyJhdXRoIjoiWm05dk9tSmhjZz09IiwiZW1haWwiOiIifX19
type: kubernetes.io/dockerconfigjson
------

If you base64 decode the data['.dockerconfigjson'] string you will get the following JSON string:

{"auths":{"secret.k8s.com":{"auth":"Zm9vOmJhcg==","email":""}}}

You can notice the nested 'auth' field which, if you base64 decode it once again, gives 'foo:bar', which is the Username:Password I mentioned.
Not sure if I missed something though; can you please provide more info?
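
An added example, not code from the openshift/console project or from this comment, that builds and decodes the `.dockerconfigjson` payload described above in Node.js. The registry, username, password and encoded string are the ones quoted in the comment; the function names are my own, and the manifest omits the server-populated metadata (uid, resourceVersion, selfLink):

```javascript
// Added example (not the OpenShift console's own code): builds and decodes the
// kubernetes.io/dockerconfigjson payload that a registry pull secret carries,
// using the values quoted in the bug comment (registry secret.k8s.com, user foo,
// password bar). Buffer is a Node.js global, so no imports are needed.

// Encode one registry credential the way Docker's config.json expects it:
// "auth" is base64("username:password"); "email" is carried through (empty here).
function buildDockerConfigJson(registry, username, password, email = "") {
  const auth = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
  const config = { auths: { [registry]: { auth, email } } };
  // The Secret's data map stores values base64-encoded, so the JSON document is
  // encoded a second time. Both layers are encoding, not encryption.
  return Buffer.from(JSON.stringify(config), "utf8").toString("base64");
}

// Reverse both layers. The auth field is split on its first colon only, so a
// password that itself contains ':' is preserved.
function decodeDockerConfigJson(encoded) {
  const config = JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
  const creds = {};
  for (const [registry, entry] of Object.entries(config.auths)) {
    const userPass = Buffer.from(entry.auth, "base64").toString("utf8");
    const sep = userPass.indexOf(":");
    creds[registry] = {
      username: sep === -1 ? userPass : userPass.slice(0, sep),
      password: sep === -1 ? "" : userPass.slice(sep + 1),
      email: entry.email,
    };
  }
  return creds;
}

// Wrap the payload in the Secret shape shown by `oc get secret -o yaml`
// (server-populated metadata such as uid and resourceVersion omitted).
function buildPullSecret(name, namespace, registry, username, password) {
  return {
    apiVersion: "v1",
    kind: "Secret",
    metadata: { name, namespace },
    type: "kubernetes.io/dockerconfigjson",
    data: { ".dockerconfigjson": buildDockerConfigJson(registry, username, password) },
  };
}

// The encoded string quoted in the comment, used here to confirm the round trip.
const ENCODED_FROM_COMMENT =
  "eyJhdXRocyI6eyJzZWNyZXQuazhzLmNvbSI6eyJhdXRoIjoiWm05dk9tSmhjZz09IiwiZW1haWwiOiIifX19";

const secret = buildPullSecret("secret1", "default", "secret.k8s.com", "foo", "bar");
console.log(secret.data[".dockerconfigjson"] === ENCODED_FROM_COMMENT); // true
console.log(decodeDockerConfigJson(ENCODED_FROM_COMMENT));
```

Running the block prints `true` and the decoded credential `{ 'secret.k8s.com': { username: 'foo', password: 'bar', email: '' } }`, which shows why the two base64 layers provide no confidentiality: anyone who can read the Secret object (via `oc get secret` or the API) recovers the registry credential, so read access to Secrets should be limited by RBAC. Masking the field in the console form only protects against someone looking at the screen, which is the behaviour the report asks for.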

Comment 2 Yadan Pei 2019-03-25 02:16:55 UTC
This issue only happens in configuring default pull secret modal, which should be located at https://github.com/openshift/console/blob/master/frontend/public/components/modals/configure-ns-pull-secret-modal.jsx#L259

Here's a recording of the screen http://g.recordit.co/QFaWXoshv7.gif

The secret created has encoded data, but in the form the password is shown as 'redhat', which should be '******'

Let me know if it's still not clear

Comment 3 Jakub Hadvig 2019-03-25 09:19:36 UTC
Oh, got it, you mean the password should be hidden from the user.

PR: https://github.com/openshift/console/pull/1333

Comment 4 Yadan Pei 2019-03-26 02:56:19 UTC
Fixed PR not included in commit 7bf984f9acae7f687d7488b3e928c959b0d18862 built with 4.0.0-0.nightly-2019-03-25-180911

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-03-25-180911   True        False         3h49m   Cluster version is 4.0.0-0.nightly-2019-03-25-180911

$ oc get pods -n openshift-console -o yaml | grep console.openshift.io/image
      console.openshift.io/image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c5be6a7d00d5f3d268b2e4f751bf5cad09809845c55be5e0069fda4b17729c5f
$ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c5be6a7d00d5f3d268b2e4f751bf5cad09809845c55be5e0069fda4b17729c5f | grep commit.url
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/7bf984f9acae7f687d7488b3e928c959b0d18862
$ git log 7bf984f9acae7f687d7488b3e928c959b0d18862 | grep '#1333'     // fixed PR not included in 
    Merge pull request #1333 from kyoto/remove-unused-angulars

Comment 6 Yadan Pei 2019-03-28 06:39:58 UTC
When opening the Default Pull Secret modal and sending the string "redhat" to the password field, it is invisible to users


Verified on 4.0.0-0.nightly-2019-03-27-213938

$ oc get pods console-59fc497b7c-7dzjv -n openshift-console -o yaml | grep -i image
    console.openshift.io/image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ba886bff6154f33a1c579203c69c8bedd1770fb44026c84767488efec893c88
$ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3ba886bff6154f33a1c579203c69c8bedd1770fb44026c84767488efec893c88 | grep commit
             io.openshift.build.commit.url=https://github.com/openshift/console/commit/625390cdcceea0654c7cde1a44c2ce42cb9b0567
$ git log 625390cdcceea0654c7cde1a44c2ce42cb9b0567 | grep '#1333'
    Merge pull request #1333 from jhadvig/BZ1691602

