Posted to commits@brooklyn.apache.org by he...@apache.org on 2021/09/15 14:49:06 UTC
[brooklyn-ui] branch master updated (a82bb1b -> 02e9d17)
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-ui.git.
from a82bb1b do a docker logout as part of jenkins build
new c989341 use scroll for error (otherwise overflows) and
new db4cb5a fix typo re sensitive config warning
new 175df2b remove hard-coded regex for sensitive fields, take from server
new d4650ad display warning in composer when writing plaintext values
new 02e9d17 This closes #287
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../config-sensor-table.directive.js | 6 ++---
.../main/inspect/summary/summary.controller.js | 4 ++--
.../components/catalog-saver/catalog-saver.less | 6 +++++
.../catalog-saver.modal.template.html | 4 ++--
.../providers/blueprint-service.provider.js | 28 ++++++++++++++++++++++
.../spec-editor/spec-editor.directive.js | 4 ++--
.../utils/sensitive-field/sensitive-field.js | 23 ++++++++++++++++--
ui-modules/utils/server-status/server-status.js | 6 +++++
8 files changed, 70 insertions(+), 11 deletions(-)
[brooklyn-ui] 02/05: fix typo re sensitive config warning
Posted by he...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-ui.git
commit db4cb5a7097ff9d3a0135651df98d67fcf192443
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Wed Sep 15 12:10:19 2021 +0100
fix typo re sensitive config warning
---
.../app/components/config-sensor-table/config-sensor-table.directive.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js b/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js
index 00ba0dd..5e6f486 100644
--- a/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js
+++ b/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js
@@ -44,7 +44,7 @@ export function configSensorTableDirective(brSnackbar) {
function link(scope) {
scope.items = [];
scope.mapInfo = {};
- scope.WARNING_TEXT = 'This value is identified as potentially sensitive based on the name and so it ' +
+ scope.WARNING_TEXT = 'This value is identified as potentially sensitive based on the name and so is ' +
'blurred here by default. However it is supplied in the blueprint as plaintext which is not secure. An ' +
'external provider should be used to store this value with a DSL expression supplied in the blueprint to ' +
'retrieve the value.';
[brooklyn-ui] 01/05: use scroll for error (otherwise overflows) and
Posted by he...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-ui.git
commit c989341c22abd4bbaa6693e98e4c8d8894c2f1a6
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Wed Sep 15 12:09:45 2021 +0100
use scroll for error (otherwise overflows) and
don't auto-dismiss (not enough time to read it); user can manually dismiss by pressing the X
---
.../app/components/catalog-saver/catalog-saver.less | 6 ++++++
.../app/components/catalog-saver/catalog-saver.modal.template.html | 4 ++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.less b/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.less
index a7faa18..a313b9c 100644
--- a/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.less
+++ b/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.less
@@ -25,3 +25,9 @@
width: 400px;
}
}
+
+.add-to-catalog-modal {
+ .error-scroll {
+ overflow: scroll;
+ }
+}
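Review bot: `overflow: scroll` on `.error-scroll` draws both scrollbars permanently, even when the message fits; `overflow: auto` would show them only when the text overflows. Without a bounded height on the paragraph, a long multi-line error can still stretch the modal vertically, so a `max-height` may also be needed, depending on modal styles outside this hunk.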
diff --git a/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.modal.template.html b/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.modal.template.html
index 4f82358..71a9c63 100644
--- a/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.modal.template.html
+++ b/ui-modules/blueprint-composer/app/components/catalog-saver/catalog-saver.modal.template.html
@@ -127,9 +127,9 @@
</div>
</div>
- <div uib-alert class="alert-danger" ng-if="state.error" dismiss-on-timeout="10000" close="state.error = undefined">
+ <div uib-alert class="alert-danger" ng-if="state.error" close="state.error = undefined">
<h4>Failed to save</h4>
- <p>{{state.error}}</p>
+ <p class="error-scroll">{{state.error}}</p>
</div>
</div>
[brooklyn-ui] 03/05: remove hard-coded regex for sensitive fields,
take from server
Posted by he...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-ui.git
commit 175df2bd3da952cface4526a0be1719699d0b1d6
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Wed Sep 15 12:24:17 2021 +0100
remove hard-coded regex for sensitive fields, take from server
---
.../config-sensor-table.directive.js | 4 ++--
.../main/inspect/summary/summary.controller.js | 4 ++--
.../spec-editor/spec-editor.directive.js | 4 ++--
.../utils/sensitive-field/sensitive-field.js | 23 ++++++++++++++++++++--
ui-modules/utils/server-status/server-status.js | 6 ++++++
5 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js b/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js
index 5e6f486..043fb68 100644
--- a/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js
+++ b/ui-modules/app-inspector/app/components/config-sensor-table/config-sensor-table.directive.js
@@ -20,7 +20,7 @@ import angular from "angular";
import ngSanitize from "angular-sanitize";
import ngClipboard from "ngclipboard";
import template from "./config-sensor-table.template.html";
-import { SENSITIVE_FIELD_REGEX } from "brooklyn-ui-utils/sensitive-field/sensitive-field";
+import { isSensitiveFieldName } from "brooklyn-ui-utils/sensitive-field/sensitive-field";
const MODULE_NAME = 'inspector.config-sensor.table';
@@ -85,7 +85,7 @@ export function brLinkyFilter($filter, $state, $sanitize) {
} else if (!angular.isString(input)) {
return angular.toJson(input);
} else if (angular.isObject(key) && angular.isString(key.name)
- && (key.name.indexOf('ssh') > -1 || SENSITIVE_FIELD_REGEX.test(key.name))) {
+ && (key.name.indexOf('ssh') > -1 || isSensitiveFieldName(key.name))) {
return input;
} else if (angular.isObject(key) && key.links && key.links.hasOwnProperty('action:open')) {
let matches = key.links['action:open'].match(/\#\/v1\/applications\/([^\/]+)\/entities\/([^\/]+)/i);
diff --git a/ui-modules/app-inspector/app/views/main/inspect/summary/summary.controller.js b/ui-modules/app-inspector/app/views/main/inspect/summary/summary.controller.js
index e2eecb3..c7895af 100644
--- a/ui-modules/app-inspector/app/views/main/inspect/summary/summary.controller.js
+++ b/ui-modules/app-inspector/app/views/main/inspect/summary/summary.controller.js
@@ -20,7 +20,7 @@ import angular from "angular";
import map from "lodash/map";
import {HIDE_INTERSTITIAL_SPINNER_EVENT} from 'brooklyn-ui-utils/interstitial-spinner/interstitial-spinner';
import template from "./summary.template.html";
-import { SENSITIVE_FIELD_REGEX } from 'brooklyn-ui-utils/sensitive-field/sensitive-field';
+import { isSensitiveFieldName } from 'brooklyn-ui-utils/sensitive-field/sensitive-field';
export const summaryState = {
name: 'main.inspect.summary',
@@ -106,7 +106,7 @@ export function summaryController($scope, $state, $stateParams, $q, $http, $http
value,
// marking as unsafe if the field name looks sensitive
// and the unresolved value does *not* come from a secure external source
- isUnsafe: SENSITIVE_FIELD_REGEX.test(key.trim()) &&
+ isUnsafe: isSensitiveFieldName(key.trim()) &&
!vm.config[key].toString().startsWith('$brooklyn:'),
}));
}
diff --git a/ui-modules/blueprint-composer/app/components/spec-editor/spec-editor.directive.js b/ui-modules/blueprint-composer/app/components/spec-editor/spec-editor.directive.js
index 86eccba..23a59f2 100644
--- a/ui-modules/blueprint-composer/app/components/spec-editor/spec-editor.directive.js
+++ b/ui-modules/blueprint-composer/app/components/spec-editor/spec-editor.directive.js
@@ -28,7 +28,7 @@ import brooklynDslEditor from '../dsl-editor/dsl-editor';
import brooklynDslViewer from '../dsl-viewer/dsl-viewer';
import template from './spec-editor.template.html';
import {graphicalState} from '../../views/main/graphical/graphical.state';
-import {SENSITIVE_FIELD_REGEX} from 'brooklyn-ui-utils/sensitive-field/sensitive-field';
+import {isSensitiveFieldName} from 'brooklyn-ui-utils/sensitive-field/sensitive-field';
import {computeQuickFixesForIssue} from '../quick-fix/quick-fix';
import scriptTagDecorator from 'brooklyn-ui-utils/script-tag-non-overwrite/script-tag-non-overwrite';
@@ -772,7 +772,7 @@ export function specEditorDirective($rootScope, $templateCache, $injector, $sani
};
specEditor.isSensitiveField = (item) => {
// should the field support masking
- return SENSITIVE_FIELD_REGEX.test(item.name);
+ return isSensitiveFieldName(item.name);
};
specEditor.isHiddenSensitiveField = (item) => {
// is the field currently in a masked state
diff --git a/ui-modules/utils/sensitive-field/sensitive-field.js b/ui-modules/utils/sensitive-field/sensitive-field.js
index d964bc2..64c164a 100644
--- a/ui-modules/utils/sensitive-field/sensitive-field.js
+++ b/ui-modules/utils/sensitive-field/sensitive-field.js
@@ -19,7 +19,6 @@
import angular from 'angular';
const MODULE_NAME = 'brooklyn.component.sensitive-field';
-export const SENSITIVE_FIELD_REGEX = /^.*(passw(or)?d|credentials?|secret|private|access\.certs?|access\.keys?).*$/i;
const CLASS_NAME = 'sensitive-field';
const CLASS_NAME_SHOW = 'sensitive-field-show';
@@ -28,6 +27,26 @@ angular.module(MODULE_NAME, [])
export default MODULE_NAME;
+var SENSITIVE_FIELDS = ['password','passwd','credential','secret','private','access.certs','access.keys'];
+var SENSITIVE_FIELDS_BLOCKED = false;
+
+export function isSensitiveFieldPlaintextValueBlocked() {
+ return SENSITIVE_FIELDS_BLOCKED;
+}
+export function isSensitiveFieldName(name) {
+ if (!name && !name.toLowerCase) return false;
+ let ln = name.toLowerCase();
+ return !! SENSITIVE_FIELDS.find(f => ln.indexOf(f)>=0);
+}
+export function setSensitiveFields(list, blocked) {
+ let old = SENSITIVE_FIELDS;
+ if (blocked === true || blocked === false) {
+ SENSITIVE_FIELDS_BLOCKED = blocked;
+ }
+ if (list) SENSITIVE_FIELDS = list;
+ return old;
+}
+
export function SensitiveFieldDirective() {
return {
restrict: 'A',
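Review bot: The guard in `isSensitiveFieldName` uses `&&` where `||` is needed: for `null`/`undefined` the second operand `!name.toLowerCase` throws a TypeError, and a truthy non-string such as a number passes the guard and then fails on `name.toLowerCase()`. The default list is also narrower than the removed regex: `access\.certs?` and `access\.keys?` accepted `access.cert` and `access.key`, but the entries `'access.certs'` and `'access.keys'` do not, so those names lose masking unless the server supplies them. `setSensitiveFields` stores whatever it receives, and the server-status hunk of this commit passes `sensitiveFields.tokens` straight in: a non-array makes `.find` throw in every caller, a mixed-case token can never match the lower-cased name, and an empty-string token marks every field as sensitive. The sketch below tolerates such input and keeps the exported signatures.

```javascript
var SENSITIVE_FIELDS = ['password','passwd','credential','secret','private','access.cert','access.key'];

export function isSensitiveFieldName(name) {
    if (typeof name !== 'string') return false;
    const ln = name.toLowerCase();
    return SENSITIVE_FIELDS.some(f => ln.indexOf(f) >= 0);
}
export function setSensitiveFields(list, blocked) {
    const old = SENSITIVE_FIELDS;
    // … unchanged: SENSITIVE_FIELDS_BLOCKED update …
    if (Array.isArray(list)) {
        // keep only non-empty string tokens, lower-cased to match isSensitiveFieldName
        SENSITIVE_FIELDS = list
            .filter(f => typeof f === 'string' && f.length > 0)
            .map(f => f.toLowerCase());
    }
    return old;
}
```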
@@ -35,7 +54,7 @@ export function SensitiveFieldDirective() {
link: link
};
function link($scope, $element) {
- if (SENSITIVE_FIELD_REGEX.test($scope.fieldName.trim()) || $scope.hideValue) {
+ if (isSensitiveFieldName($scope.fieldName.trim()) || $scope.hideValue) {
$element.addClass(CLASS_NAME);
$element.bind('click', clickEventHandler);
} else {
diff --git a/ui-modules/utils/server-status/server-status.js b/ui-modules/utils/server-status/server-status.js
index ca483b1..0f15b32 100644
--- a/ui-modules/utils/server-status/server-status.js
+++ b/ui-modules/utils/server-status/server-status.js
@@ -21,6 +21,7 @@ import './server-status.less';
import angular from 'angular';
import uibModal from 'angular-ui-bootstrap/src/modal/index-nocss';
import modalTemplate from './server-status.template.html';
+import {setSensitiveFields} from "../sensitive-field/sensitive-field";
const MODULE_NAME = 'br.utils.server-status';
const COOKIE_KEY = "br-server-status";
@@ -95,6 +96,11 @@ export function BrServerStatusDirective() {
} else if (!stateData.healthy) {
state = BrServerStatusModalController.STATES.UNHEALTHY;
}
+
+ let sensitiveFields = stateData['brooklyn.security.sensitive.fields'];
+ if (sensitiveFields) {
+ setSensitiveFields(sensitiveFields.tokens, sensitiveFields['plaintext.blocked']);
+ }
}
previousState = state;
$rootScope.$broadcast('br-server-state-update', {state: state, stateData: stateData});
[brooklyn-ui] 04/05: display warning in composer when writing
plaintext values
Posted by he...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-ui.git
commit d4650adfc5f7aff7804e0095af672e2e9c5d96ed
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Wed Sep 15 12:41:29 2021 +0100
display warning in composer when writing plaintext values
---
.../providers/blueprint-service.provider.js | 28 ++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/ui-modules/blueprint-composer/app/components/providers/blueprint-service.provider.js b/ui-modules/blueprint-composer/app/components/providers/blueprint-service.provider.js
index e2d0aa4..acb9c4a 100644
--- a/ui-modules/blueprint-composer/app/components/providers/blueprint-service.provider.js
+++ b/ui-modules/blueprint-composer/app/components/providers/blueprint-service.provider.js
@@ -22,6 +22,7 @@ import {Issue, ISSUE_LEVEL} from '../util/model/issue.model';
import {Dsl} from "../util/model/dsl.model";
import jsYaml from "js-yaml";
import typeNotFoundIcon from "../../img/icon-not-found.svg";
+import {isSensitiveFieldName, isSensitiveFieldPlaintextValueBlocked} from 'brooklyn-ui-utils/sensitive-field/sensitive-field';
const MODULE_NAME = 'brooklyn.composer.service.blueprint-service';
const TAG = 'SERVICE :: BLUEPRINT :: ';
@@ -427,6 +428,30 @@ function BlueprintService($log, $q, $sce, paletteApi, iconGenerator, dslService,
}
function refreshConfigConstraints(entity) {
+ function checkSensitiveFields(config) {
+ if (isSensitiveFieldPlaintextValueBlocked() && isSensitiveFieldName(config.name)) {
+ let v = entity.config.get(config.name);
+ if (!v) return;
+ let t = typeof v;
+ if (t === 'object') return;
+ let invalid = false;
+ if (t === 'string') {
+ if (t.length) {
+ if (t.startsWith("$brooklyn:")) {
+ invalid = false;
+ } else {
+ invalid = true;
+ }
+ }
+ } else if (t === 'number') {
+ invalid = true;
+ }
+ if (invalid) {
+ let message = `Plaintext values are not permitted for <samp>${config.name}</samp>. <br/>Use DSL with externalized configuration.`;
+ entity.addIssue(Issue.builder().group('config').ref(config.name).message($sce.trustAsHtml(message)).build());
+ }
+ }
+ }
function checkConstraints(config) {
for (let constraintO of config.constraints) {
let message = null;
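Review bot: In `checkSensitiveFields` the string branch tests `t`, which holds the result of `typeof v` (the literal `'string'`), not the value itself: `t.length` is always 6 and `t.startsWith("$brooklyn:")` is always false. Every string value that reaches this branch is therefore reported as plaintext, including a `$brooklyn:` DSL reference. The two tests should read `if (v.length) {` and `if (v.startsWith("$brooklyn:")) {`. Separately, `config.name` is interpolated into markup that is passed to `$sce.trustAsHtml`; if config names can come from user-authored catalog items or blueprints, the name should be HTML-escaped before the message is marked trusted. `refreshConfigConstraints` continues beyond this hunk.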
@@ -506,6 +531,9 @@ function BlueprintService($log, $q, $sce, paletteApi, iconGenerator, dslService,
return $q((resolve) => {
if (entity.miscData.has('config')) {
entity.miscData.get('config')
+ .forEach(checkSensitiveFields);
+
+ entity.miscData.get('config')
.filter(config => config.constraints && config.constraints.length > 0)
.forEach(checkConstraints);
}
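Review bot: `checkSensitiveFields` is driven by `entity.miscData.get('config')` and looks each name up with `entity.config.get(config.name)`, so only names present in that list are ever checked. If that list holds just the type's declared config definitions (not visible here), a sensitive-looking key set directly on the entity would not raise the issue; iterating the keys actually set on `entity.config` would close that gap. The surrounding promise callback starts and ends outside this hunk.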
[brooklyn-ui] 05/05: This closes #287
Posted by he...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-ui.git
commit 02e9d17dcdb286e7b671a840406de4cdedc3a189
Merge: a82bb1b d4650ad
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Wed Sep 15 15:48:48 2021 +0100
This closes #287
.../config-sensor-table.directive.js | 6 ++---
.../main/inspect/summary/summary.controller.js | 4 ++--
.../components/catalog-saver/catalog-saver.less | 6 +++++
.../catalog-saver.modal.template.html | 4 ++--
.../providers/blueprint-service.provider.js | 28 ++++++++++++++++++++++
.../spec-editor/spec-editor.directive.js | 4 ++--
.../utils/sensitive-field/sensitive-field.js | 23 ++++++++++++++++--
ui-modules/utils/server-status/server-status.js | 6 +++++
8 files changed, 70 insertions(+), 11 deletions(-)