2018-02-05 16:05:59 -05:00
|
|
|
package middleware // import "github.com/docker/docker/api/server/middleware"
|
2016-02-24 13:17:43 -05:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bufio"
|
2018-04-19 15:30:59 -07:00
|
|
|
"context"
|
2016-02-24 13:17:43 -05:00
|
|
|
"encoding/json"
|
|
|
|
|
"io"
|
|
|
|
|
"net/http"
|
2016-06-30 13:15:43 -07:00
|
|
|
"strings"
|
2016-02-24 13:17:43 -05:00
|
|
|
|
|
|
|
|
"github.com/docker/docker/api/server/httputils"
|
|
|
|
|
"github.com/docker/docker/pkg/ioutils"
|
2017-07-26 14:42:13 -07:00
|
|
|
"github.com/sirupsen/logrus"
|
2016-02-24 13:17:43 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// DebugRequestMiddleware dumps the request to logger
|
2016-04-08 16:22:39 -07:00
|
|
|
func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
2016-02-24 13:17:43 -05:00
|
|
|
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
2016-03-07 08:59:48 +01:00
|
|
|
logrus.Debugf("Calling %s %s", r.Method, r.RequestURI)
|
2016-02-24 13:17:43 -05:00
|
|
|
|
2019-10-12 20:40:19 +02:00
|
|
|
if r.Method != http.MethodPost {
|
2016-02-24 13:17:43 -05:00
|
|
|
return handler(ctx, w, r, vars)
|
|
|
|
|
}
|
|
|
|
|
if err := httputils.CheckForJSON(r); err != nil {
|
|
|
|
|
return handler(ctx, w, r, vars)
|
|
|
|
|
}
|
|
|
|
|
maxBodySize := 4096 // 4KB
|
|
|
|
|
if r.ContentLength > int64(maxBodySize) {
|
|
|
|
|
return handler(ctx, w, r, vars)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
body := r.Body
|
|
|
|
|
bufReader := bufio.NewReaderSize(body, maxBodySize)
|
|
|
|
|
r.Body = ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
|
|
|
|
|
|
|
|
|
|
b, err := bufReader.Peek(maxBodySize)
|
|
|
|
|
if err != io.EOF {
|
|
|
|
|
// either there was an error reading, or the buffer is full (in which case the request is too large)
|
|
|
|
|
return handler(ctx, w, r, vars)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var postForm map[string]interface{}
|
|
|
|
|
if err := json.Unmarshal(b, &postForm); err == nil {
|
2019-07-03 16:16:22 +02:00
|
|
|
maskSecretKeys(postForm)
|
2016-02-24 13:17:43 -05:00
|
|
|
formStr, errMarshal := json.Marshal(postForm)
|
|
|
|
|
if errMarshal == nil {
|
|
|
|
|
logrus.Debugf("form data: %s", string(formStr))
|
|
|
|
|
} else {
|
|
|
|
|
logrus.Debugf("form data: %q", postForm)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return handler(ctx, w, r, vars)
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-06-30 13:15:43 -07:00
|
|
|
|
2019-07-03 16:16:22 +02:00
|
|
|
func maskSecretKeys(inp interface{}) {
|
2016-06-30 13:15:43 -07:00
|
|
|
if arr, ok := inp.([]interface{}); ok {
|
|
|
|
|
for _, f := range arr {
|
2019-07-03 16:16:22 +02:00
|
|
|
maskSecretKeys(f)
|
2016-06-30 13:15:43 -07:00
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-06-29 16:04:47 -07:00
|
|
|
|
2016-06-30 13:15:43 -07:00
|
|
|
if form, ok := inp.(map[string]interface{}); ok {
|
DebugRequestMiddleware: unconditionally scrub data field
Commit 77b8465d7e68ca102d7aae839c7b3fe0ecd28398 added a secret update
endpoint to allow updating labels on existing secrets. However, when
implementing the endpoint, the DebugRequestMiddleware was not updated
to scrub the Data field (as is being done when creating a secret).
When updating a secret (to set labels), the Data field should be either
`nil` (not set), or contain the same value as the existing secret. In
situations where the Data field is set, and the `dockerd` daemon is
running with debugging enabled / log-level debug, the base64-encoded
value of the secret is printed to the daemon logs.
The docker cli does not have a `docker secret update` command, but
when using `docker stack deploy`, the docker cli sends the secret
data both when _creating_ a stack, and when _updating_ a stack, thus
leaking the secret data if the daemon runs with debug enabled:
1. Start the daemon in debug-mode
dockerd --debug
2. Initialize swarm
docker swarm init
3. Create a file containing a secret
echo secret > my_secret.txt
4. Create a docker-compose file using that secret
cat > docker-compose.yml <<'EOF'
version: "3.3"
services:
web:
image: nginx:alpine
secrets:
- my_secret
secrets:
my_secret:
file: ./my_secret.txt
EOF
5. Deploy the stack
docker stack deploy -c docker-compose.yml test
6. Verify that the secret is scrubbed in the daemon logs
DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create
DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}
7. Re-deploy the stack to trigger an "update"
docker stack deploy -c docker-compose.yml test
8. Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged
DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34
DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}
This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields.
Currently, only the `secrets` and `configs` endpoints use a field with this
name, and no other POST API endpoints use a data field, so scrubbing this
field unconditionally will only scrub requests for those endpoints.
If a new endpoint is added in future where this field should not be scrubbed,
we can re-introduce more fine-grained (path-specific) handling.
This patch introduces some change in behavior:
- In addition to secrets, requests to create or update _configs_ will
now have their `Data` field scrubbed. Generally, the actual data should
not be interesting for debugging, so likely will not be problematic.
In addition, scrubbing this data for configs may actually be desirable,
because (even though they are not explicitely designed for this purpose)
configs may contain sensitive data (credentials inside a configuration
file, e.g.).
- Requests that send key/value pairs as a "map" and that contain a
key named "data", will see the value of that field scrubbed. This
means that (e.g.) setting a `label` named `data` on a config, will
scrub/mask the value of that label.
- Note that this is already the case for any label named `jointoken`,
`password`, `secret`, `signingcakey`, or `unlockkey`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7ce4be93ae8edd2da62a588e01c67313a4aba0c)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-02 14:21:03 +02:00
|
|
|
scrub := []string{
|
|
|
|
|
// Note: The Data field contains the base64-encoded secret in 'secret'
|
|
|
|
|
// and 'config' create and update requests. Currently, no other POST
|
|
|
|
|
// API endpoints use a data field, so we scrub this field unconditionally.
|
|
|
|
|
// Change this handling to be conditional if a new endpoint is added
|
|
|
|
|
// in future where this field should not be scrubbed.
|
|
|
|
|
"data",
|
|
|
|
|
"jointoken",
|
|
|
|
|
"password",
|
|
|
|
|
"secret",
|
|
|
|
|
"signingcakey",
|
|
|
|
|
"unlockkey",
|
|
|
|
|
}
|
2016-06-30 13:15:43 -07:00
|
|
|
loop0:
|
|
|
|
|
for k, v := range form {
|
DebugRequestMiddleware: unconditionally scrub data field
Commit 77b8465d7e68ca102d7aae839c7b3fe0ecd28398 added a secret update
endpoint to allow updating labels on existing secrets. However, when
implementing the endpoint, the DebugRequestMiddleware was not updated
to scrub the Data field (as is being done when creating a secret).
When updating a secret (to set labels), the Data field should be either
`nil` (not set), or contain the same value as the existing secret. In
situations where the Data field is set, and the `dockerd` daemon is
running with debugging enabled / log-level debug, the base64-encoded
value of the secret is printed to the daemon logs.
The docker cli does not have a `docker secret update` command, but
when using `docker stack deploy`, the docker cli sends the secret
data both when _creating_ a stack, and when _updating_ a stack, thus
leaking the secret data if the daemon runs with debug enabled:
1. Start the daemon in debug-mode
dockerd --debug
2. Initialize swarm
docker swarm init
3. Create a file containing a secret
echo secret > my_secret.txt
4. Create a docker-compose file using that secret
cat > docker-compose.yml <<'EOF'
version: "3.3"
services:
web:
image: nginx:alpine
secrets:
- my_secret
secrets:
my_secret:
file: ./my_secret.txt
EOF
5. Deploy the stack
docker stack deploy -c docker-compose.yml test
6. Verify that the secret is scrubbed in the daemon logs
DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create
DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}
7. Re-deploy the stack to trigger an "update"
docker stack deploy -c docker-compose.yml test
8. Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged
DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34
DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}
This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields.
Currently, only the `secrets` and `configs` endpoints use a field with this
name, and no other POST API endpoints use a data field, so scrubbing this
field unconditionally will only scrub requests for those endpoints.
If a new endpoint is added in future where this field should not be scrubbed,
we can re-introduce more fine-grained (path-specific) handling.
This patch introduces some change in behavior:
- In addition to secrets, requests to create or update _configs_ will
now have their `Data` field scrubbed. Generally, the actual data should
not be interesting for debugging, so likely will not be problematic.
In addition, scrubbing this data for configs may actually be desirable,
because (even though they are not explicitely designed for this purpose)
configs may contain sensitive data (credentials inside a configuration
file, e.g.).
- Requests that send key/value pairs as a "map" and that contain a
key named "data", will see the value of that field scrubbed. This
means that (e.g.) setting a `label` named `data` on a config, will
scrub/mask the value of that label.
- Note that this is already the case for any label named `jointoken`,
`password`, `secret`, `signingcakey`, or `unlockkey`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7ce4be93ae8edd2da62a588e01c67313a4aba0c)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-02 14:21:03 +02:00
|
|
|
for _, m := range scrub {
|
2016-06-30 13:15:43 -07:00
|
|
|
if strings.EqualFold(m, k) {
|
|
|
|
|
form[k] = "*****"
|
|
|
|
|
continue loop0
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-07-03 16:16:22 +02:00
|
|
|
maskSecretKeys(v)
|
2017-06-29 16:04:47 -07:00
|
|
|
}
|
2016-06-30 13:15:43 -07:00
|
|
|
}
|
|
|
|
|
}
|