add template func encrypteAesWithVault and strengthen security for senstive secrets

Author: stephencheng

biz/impl/runtime.go

@@ -8,10 +8,12 @@
 package impl
 
 import (
+	"github.com/mohae/deepcopy"
 	"github.com/upcmd/up/model/core"
 	"github.com/upcmd/up/model/stack"
 	"github.com/upcmd/up/utils"
 	u "github.com/upcmd/up/utils"
+	"strings"
 )
 
 var (
@@ -114,6 +116,20 @@ func ConfigRuntime() *utils.UpConfig {
 	return TaskerRuntime().Tasker.Config
 }
 
+func debugVault() {
+	u.Ppmsg("Vault", GetVault())
+}
+
+func secureCache(cache *core.Cache) *core.Cache {
+	tmpCache := deepcopy.Copy(*cache).(core.Cache)
+	for k, _ := range tmpCache {
+		if strings.HasPrefix(k, "secure_") {
+			tmpCache.Delete(k)
+		}
+	}
+	return &tmpCache
+}
+
 func debugVars() {
 	u.PlnBlue("-debug vars-")
 

biz/impl/step.go

@@ -112,7 +112,7 @@ func (step *Step) getRuntimeExecVars(fromBlock bool) *core.Cache {
 		}
 	}
 	u.Pfvvvv("current exec runtime vars:")
-	u.Ppmsgvvvv(resultVars)
+	u.Ppmsgvvvv(secureCache(resultVars))
 
 	StepRuntime().ContextVars = resultVars
 	//so far the execvars includes: scope vars + scope dvars + global runtime vars + task vars
@@ -123,7 +123,7 @@ func (step *Step) getRuntimeExecVars(fromBlock bool) *core.Cache {
 	mergo.Merge(resultVars, varsWithDvars, mergo.WithOverride)
 
 	//so far the resultVars includes: the local vars + dvars rendered using execvars
-	u.Ppmsgvvvhint(u.Spf("%s: final context exec vars:", ConfigRuntime().ModuleName), resultVars)
+	u.Ppmsgvvvhint(u.Spf("%s: final context exec vars:", ConfigRuntime().ModuleName), secureCache(resultVars))
 	//debugVars()
 	return resultVars
 }

biz/impl/tasker.go

@@ -193,7 +193,7 @@ func (t *Tasker) loadInstancesContext() {
 	func() {
 		u.Pvvvv("---------group vars----------")
 		for k, v := range t.ExpandedContext {
-			u.Pfvvvv("%s: %s", k, u.Sppmsg(*v))
+			u.Pfvvvv("%s: %s", k, u.Sppmsg(secureCache(v)))
 		}
 		u.Pfvvvv("groups members:%s\n", t.GroupMembersList)
 
@@ -212,7 +212,7 @@ func (t *Tasker) MergeRuntimeGlobalDvars() {
 	}
 
 	t.RuntimeVarsAndDvarsMerged = &mergedVars
-	u.Ppmsgvvvvhint("-------runtime global final merged with dvars-------", mergedVars)
+	u.Ppmsgvvvvhint("-------runtime global final merged with dvars-------", secureCache(&mergedVars))
 }
 
 func (t *Tasker) loadExecProfileEnvVars() {
@@ -377,8 +377,8 @@ func (t *Tasker) MergeUptoRuntimeGlobalVars() {
 	mergo.Merge(&runtimevars, *t.RuntimeGlobalVars, mergo.WithOverride)
 
 	u.Pfvvvv("merged[ %s ] runtime vars:", t.InstanceName)
-	u.Ppmsgvvvv(runtimevars)
-	u.Dvvvvv(runtimevars)
+	u.Ppmsgvvvv(secureCache(&runtimevars))
+	u.Dvvvvv(secureCache(&runtimevars))
 
 	t.RuntimeVarsMerged = &runtimevars
 }

biz/impl/template.go

@@ -80,6 +80,22 @@ func FuncMapInit() {
 			u.PpmsgvvvvvHigh("ymlToObj", obj)
 			return obj
 		},
+		//use the encryption key stored in vault instead of plain value in general cache
+		"encrypteAesWithVault": func(enckeyName string, plain string) string {
+			var encryptionkey string
+			if enckeyName != "" {
+				//use vault as first priority
+				opt := GetVault().Get(enckeyName)
+				if opt == nil {
+					opt = (StepRuntime().ContextVars).Get(enckeyName)
+				}
+				encryptionkey = opt.(string)
+			}
+
+			encrypted := Render(u.Spf(`{{encryptAES "%s" "%s"}}`, encryptionkey, plain), "")
+
+			return encrypted
+		},
 		//regObj will keep the golang object intact and register it to cache
 		//same effect of: '{{ func_return_a_obj arg | objToYml|ymlToObj|reg "instances" }}'
 		"regObj": func(varname string, obj interface{}) interface{} {

tests/functests/c0202.yml

@@ -0,0 +1,57 @@
+doc_meta: |
+  folder: security
+  title: encrypteAesWithVault template func to retrieve and encrypt
+  head: |
+    Add a template func encrypteAesWithVault to retrieve the encryption key stored in vault and encypt based on the key
+
+  sections:
+    - title: Demo
+      log: yes
+
+scopes:
+
+  - name: nonprod
+    members:
+      - dev
+    dvars:
+      - name: enc_key
+        value: my_enc_key
+        flags:
+          - secret
+
+tasks:
+  -
+    name: task
+    task:
+      -
+        func: cmd
+        dvars:
+
+          - name: value_encrypted
+            desc: |
+              encrypteAesWithVault will use the encryption key named enc_key stored in vault to encrypt
+              it falls back to the normal cached store to get the enc_key if it does not exist
+            value: '{{ "ENV_AAA" | encrypteAesWithVault "enc_key" }}'
+            flags:
+              - vvvv
+              - taskScope
+
+          - name: ENV_AAA
+            value: '{{.value_encrypted}}'
+            flags:
+              - secure
+
+        do:
+          - name: print
+            cmd: |
+              var: {{.ENV_AAA}}
+              decrypted secure var: {{.secure_ENV_AAA}}
+          -
+            name: inspect
+            desc: the vars in caller after invoking module task
+            cmd:
+              - exec_vars
+              - exec_base_vars
+              - exec_base_env_vars_configured
+              - exec_env_vars_configured
+              - debug_vars