
Add secret survey var type, for passwords #1846

Open. Wants to merge 1 commit into base: develop

Conversation

tothakos-code

Adding a new survey var type Secret so you can prompt for passwords and such on a task run.
Secret type vars are passed to ansible as extra vars, but not saved to the database for security reasons and not returned by the API.
Rerunning a task with a secret survey var will always show an empty field.

This solves issue #1373 and partly #904.

This PR is an improved version of PR #1598.

@fiftin (Collaborator)

fiftin commented Mar 20, 2024

Thank you @tothakos-code
Will review soon.

@fiftin (Collaborator)

fiftin commented Apr 29, 2024

I'm sorry I don't like this solution because it's a bit misleading: If you run playbook in DEBUG mode you will see the secrets.

@fiftin (Collaborator)

fiftin commented Apr 29, 2024

It is not secrets, it is masked variables. So I don't see reason to add separate field for this.

@tothakos-code (Author)

The need for this feature is that you can type passwords at the start of a playbook run and you don't need to store them in a vault committed to a git repo. The secret type is meant for variables that need to be masked for security reasons. In Ansible there is currently no way to mark a variable as no_log, so sadly it will always be printed when debug mode is enabled.

I think the problem is with DEBUG mode then. With debug mode enabled, all variables are printed to the screen, even vaulted ones. I don't think we can do anything about this (at this time). Semaphore saves this output in plain text, so all vaulted variables (usually passwords, API keys, etc.) would also be visible. I think this is an encryption-at-rest problem and is a critical security vulnerability.

I had another idea: put these variables in a vault and pass the vault file to Ansible as an argument, but it still prints them in debug mode, so we can't get around that. But I think we should do everything to keep secrets secret.

Maybe limit debug mode to project owners by default, and let project owners grant rights to this feature? Encrypt the debug output, or even better, don't save it at all because of this, and only print it to the user who ran the task? Adding a warning to debug mode that every variable will be printed in clear text is the minimum. But these are ideas to solve the vulnerability, which would also solve the printing problem. Let me know what you think.
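The behaviour the PR description lays out (secret survey vars passed to Ansible as extra vars, never written to the database, empty field on rerun) together with the author's point above that the only remaining exposure is the captured output, as an added illustration in Go. This is example code written for this page, not Semaphore's code and not the code in this PR; the type name "secret", the SurveyVar/TaskRun shapes, the `--extra-vars @file` hand-off and the Redactor are all assumptions made for the example. Sample input and the sample Ansible output line are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SurveyVar is an assumed shape for a survey variable: its name, its type and
// the value the user typed on the task-run form. "secret" is the assumed type name.
type SurveyVar struct {
	Name  string `json:"name"`
	Type  string `json:"type"` // "string", "int", "secret" (assumed)
	Value string `json:"value"`
}

// TaskRun is an assumed stand-in for what gets persisted for a task.
// Secret values never reach this struct.
type TaskRun struct {
	PlaybookArgs []string    `json:"args"`
	SurveyVars   []SurveyVar `json:"survey_vars"`
}

// SplitSecrets partitions survey vars into the vars that may be persisted and the
// secret values, which are returned separately so the caller can hand them to
// ansible-playbook and then drop them. A secret var is persisted with an empty
// value, which is why a rerun shows an empty field.
func SplitSecrets(vars []SurveyVar) (persist []SurveyVar, secrets map[string]string) {
	secrets = map[string]string{}
	for _, v := range vars {
		if v.Type == "secret" {
			if v.Value != "" {
				secrets[v.Name] = v.Value
			}
			persist = append(persist, SurveyVar{Name: v.Name, Type: v.Type, Value: ""})
			continue
		}
		persist = append(persist, v)
	}
	return persist, secrets
}

// ExtraVarsJSON renders all vars, secret and not, as the JSON document that would be
// passed via `--extra-vars @file`. Passing a file rather than an inline argument keeps
// the secret out of the process argv (and so out of `ps` and shell history).
func ExtraVarsJSON(persist []SurveyVar, secrets map[string]string) ([]byte, error) {
	all := map[string]string{}
	for _, v := range persist {
		if v.Type == "secret" {
			continue // the persisted copy is empty by design; use the live value below
		}
		all[v.Name] = v.Value
	}
	for k, v := range secrets {
		all[k] = v
	}
	return json.Marshal(all) // map keys are emitted sorted, so output is deterministic
}

// Redactor masks secret values in captured output before it is stored. It does not
// stop Ansible from printing them in debug mode; it only keeps the literal values
// out of the persisted log. Longer values are replaced first so that a secret that
// is a prefix of another is not partially masked.
type Redactor struct{ values []string }

func NewRedactor(secrets map[string]string) *Redactor {
	r := &Redactor{}
	for _, v := range secrets {
		if v != "" {
			r.values = append(r.values, v)
		}
	}
	sort.Slice(r.values, func(i, j int) bool { return len(r.values[i]) > len(r.values[j]) })
	return r
}

func (r *Redactor) Redact(line string) string {
	for _, v := range r.values {
		line = strings.ReplaceAll(line, v, "********")
	}
	return line
}

func main() {
	// Constructed sample input: what a user might submit on the task-run form.
	submitted := []SurveyVar{
		{Name: "target_env", Type: "string", Value: "staging"},
		{Name: "db_password", Type: "secret", Value: "s3cr3t-pass"},
	}
	persist, secrets := SplitSecrets(submitted)

	extra, _ := ExtraVarsJSON(persist, secrets)
	fmt.Println("extra vars handed to ansible:", string(extra))

	// Constructed line resembling what a debug-mode run could print.
	r := NewRedactor(secrets)
	fmt.Println("stored log line:", r.Redact(`ok: [host1] => {"db_password": "s3cr3t-pass"}`))

	stored, _ := json.Marshal(TaskRun{PlaybookArgs: []string{"site.yml"}, SurveyVars: persist})
	fmt.Println("persisted task:", string(stored))
}
```

The redaction step is a mitigation for the persisted log only: a literal-match redactor misses values that Ansible prints escaped or split across lines, and a very short secret would over-redact unrelated text, so it complements rather than replaces restricting who can enable debug mode.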
