Allow user to locally obfuscate secret in a keystore

[ph]

This PR allow users to define sensitive information into an obfuscated data store on disk instead of having them defined in plaintext in the yaml configuration.

This add a few users facing commands:

# create new keystore to disk 
beat keystore create

# add a new key to the store.
beat keystore add output.elasticsearch.password

# remove a key from the store
beat keystore remove output.elasticsearch.password

# list the configured keys without the sensitive information
beat keystore list

The current implementation doesn't allow user to configure the secret with a custom password, this will come in future improvements of this feature.

How to use it

You can reference keys from the keystore using the same syntax that we use for the environment variables.

password: "${output.elasticsearch.password}"

When we unpack the configuration we will resolve the variables using the following priority:

• Keystore
• Environment variable
• variable expansion

TODO before review

• Fix the checker that prevent the tests from passing on travis :D
• Manual testing
• Split the library update vs this PR, update of the library was needed for a few encryption and terminal improvement.
• fix the suite, the make testsuite fails locally for me.
• movee the CLI test into libbeat
• [ ] raise an error if we try override a config defined in the yaml file. (Another PR)
• add testing around the merging of configs
• Add doc (Done in another PR)
• implement templating

This is the initial version, I don't expect it to be pluggable with every system, but some of the things are in place to make it pluggable.(ie: interface/factory)

closes: #3982

[ph]

Self note: Add test for bad or corrupt keystore.

[ph]

self note: remove this line, thank you vim.

[andrewkroh]

Nice job figuring out the AES-GCM stuff.

[andrewkroh]

s/GenKeystoreCmd/genKeystoreCmd/ (probably you haven't linted yet since it's not marked for review and I'm jumping the gun)

[ph]

I have the linter on as I code, It used to be called GenKeystoreCmd, but I've renamed it since it doesn't need to be exported in any way. Not sure why my linter didn't catch it.

I run:

  Enabled Linters: ['gofmt', 'golint', 'go vet']

[andrewkroh]

How about Failed to create the secret: no key provided?

[andrewkroh]

Since these comments are rendered in our godoc pages can you please add a period to the end of the sentence. https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences

[andrewkroh]

I would only register a defer like this after you have "os.Create()ed" or "os.OpenFile()ed". But based on the code you have I think you could add a single os.Remove() call to the error handling for the failed os.Rename().

[andrewkroh]

You should do this check before adding the above defer or else the file you're asking them to delete will be cleaned up already.

[ph]

I've removed the defer, so this will also fix this.

[andrewkroh]

What about GoString()? Do we need to implement that too to cover %#v or does String() cover that case too? https://golang.org/pkg/fmt/#GoStringer

[ph]

I believe we also need to cover that, I will add a test case for it.

[andrewkroh]

os.Stat is going to return a nil error if the file exists. So should the logic be if err == nil && !override?

[ph]

I've changed the logic, it should if the File exist and we don't want to override.

	if os.IsExist(err) && !override {
		return ErrAlreadyExists
	}

[andrewkroh]

Using os.IsExists() is for checking the error and a nil error will be returned if the file exists. See the implementation for a better understanding.

[andrewkroh]

Based on this description maybe the method should be IsPersisted(). And then the implementation would take into account the dirty flag.

[andrewkroh]

Use filepath.Join().

[andrewkroh]

Use a lower cased error message. https://github.com/golang/go/wiki/CodeReviewComments#error-strings

[ruflin]

Could you update the revision of the dependencies in an separate PR? This would make sure the version change does not break other things and it would make this PR much smaller.

[ph]

Agree, I've marked as a TODO in the PR description.

[ph]

@ruflin @andrewkroh @urso I have updated this PR with the following:

• Support templating in the configuration
• Created commits for the update of the vendored libraries and a corresponding PR at Update Go vendored library for the keystore feature #5735
• Extracted the code I've created to check if a settings was already set by another config into a PR to the ucfg repo Allow to diff two configurations and return the difference in the keys. go-ucfg#93
• removed the progress and the wip in the title.

If you review #5735 I will rebase this PR this will make it easier to review.

Thanks

[ph]

@joshbressers This is the PR for the keystore implementation in filebeat, its closer to the kibana implementation than the LS version.

[ph]

jenkins test this please

[ph]

Rebased with master, the vendored files are now gone! :)

[ruflin]

Skimmed through the code more on a high level. Looks good to me so far, I think it will be also helpful to play around with this feature. And we should do some follow up PR's which also touch other projects but would be overkill to be added to this PR.

[ruflin]

I suggest you check the error before overwriting the config?

[ruflin]

I initially wanted to comment on why you exit here instead of returning an error and handling it up stream. But I saw that this kind of a common pattern now in cmd package. @exekias Do we need to exit here or could we also return and error? In the past we tried to reduce the places of Exit to 1 place to make testing easier.

[ph]

Most of theses cmd are tested using the python framework, no? In this case exiting early with os.Exit(1) make sense? There is an [helper in cobra](https://github.com/spf13/cobra/blob/e5f66de850af3302fbe378c8acded2b0fa55472c/cobra/cmd/helpers.go#L63 to do that.

[andrewkroh]

We should some helpers like Fatalf and Fatal that log and do os.Exit(1).

[urso]

btw. the log.Fatal(f) methods do print the message + do os.Exit(1). It's common practice to use this one in main function on simple tools.

[urso]

+1 for returning errors and having top-level do the exit handling :)

As cobra requires a Run function one can wrap it like this:

func runWith(fn func (args []string) error) func(*cobra.Command, []string) {
  return func(_ *cobra.Command, args []string) {
    if err := fn(args); err != nil {
      fmt.Error(err)
      os.Exit(1)
    }
  }
}

...

  Run: runWith(func(args []string) error {
    return errors.New("TODO")
  })

[andrewkroh]

yeah, and doing this through the logger has the benefit that the logger can flush and sync before exiting.

[ph]

@urso @andrewkroh I can make the changes on the keystore cmd, we can create another issue to refactor the other command to have the same flow or execution, sound like plan?

[ph]

Actually, lets do a PR with the runWith change and slowly refactor commands, I think its better to split concerns in multiple PR.

[exekias]

Sorry, I missed the notification here, but I totally agree with @urso, those run wrappers are +:100:

[ruflin]

using assert.NotEqual(t, string(v1[:]), string(v2[:])) would probably give a nicer error message.

[ruflin]

A bit scary that we now have interactive terminal support :-D

[ph]

Yes, but all the command can be used without requiring interactive calls, so we are still friendly for orchestration.

[ruflin]

I assume @andrewkroh is not going to like these newlines even thought it's not after a { ;-) Often the err check is directly after without a newline.

[ruflin]

As there are potentially coming more key stores in the future, I'm thinking if we should put each in it's own package. keystore/file/... for this one, so this would be just New. BTW that is refactoring that could also be done in a second step.

[ph]

Agree with that, since the pluggable part of the keystore is not complete, I think we should do it when we add more.

[ruflin]

We should really abstract out on how we write files from the filebeat registry and winlobeat registry: https://github.com/elastic/beats/blob/master/filebeat/registrar/registrar.go#L230 There are strange issues that can happen on shutdown and I remember @andrewkroh fixed on of those in winlogbeat. Having the logic on one place would make sure fixes are applied everywhere.

Also see the safeFileRotate helper: https://github.com/elastic/beats/blob/master/filebeat/registrar/registrar.go#L251

@ph Could we create a follow up meta issue to track such things we should cleanup after getting this PR in. Happy to help with abstracting out this logic.

[ph]

@ruflin I have created #5755 for a specific follow up.

[ph]

@ruflin Also create this meta issue #5757 to do a bit more work.

[urso]

another option to decouple the cobra.Command from the function:

func genCreateKeystoreCmd(name, version string) *cobra.Command {
  var force bool
  cmd := &cobra.Command{
    Use: ...
    Short: ...
    Run: func(cmd *cobra.Command, args []string) {
      if err := runCreateKeystore(name, version, force); err != nil {
        fmt.Error(err)
      }
    }
  }
  cmd.Flags().BoolVar(&force, "force", false, "...")

  return cmd
}

Common options can be added to the parent-command by using PersistentFlags().

[urso]

Wonder if we want a 'secure' Input. One that doesn't echo.

[ph]

Yes its provided by "golang.org/x/crypto/ssh/terminal" which take care of the different implementation

[ph]

There is one that I use in the add key is provided by a ssh related lib

On Wed, Nov 29, 2017 at 5:41 PM Steffen Siering ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In libbeat/common/terminal/terminal.go <#5687 (comment)>: > @@ -0,0 +1,57 @@ +package terminal + +import ( + "bufio" + "fmt" + "os" + "strings" +) + +// ReadInput Capture user input for a question +func ReadInput() (string, error) { Wonder if we want a 'secure' Input. One that doesn't echo. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5687 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAACgIJDaO2KRdKueKtkI5DkZBsvY2mUks5s7d2egaJpZM4Qnuc3> .

-- ph

[urso]

Why do we need to export this? common.Config type fully wraps go-ucfg, such that no other component has to deal with passing the options.

[ph]

I've removed the export of this field.

[urso]

A minor style one on newline usage :) :

• no newlines between calls + if-block for error handling.
• no newline when using loops to collect into map/array.

[ph]

@tsg I am taking a look, I did most of my tests using filebeat, I will revisit path expansion I have probably miss something when we define a new resolver on the configuration.

[ph]

@tsg The string replacement is working on my side when you are defining it in the configuration yml, I will do a bit more investigation. I also added system env test for filebeat, I will push the changes soon. I will test metricbeat/packetbeat maybe something is different for them.

Concerning the -E, this bug is already present in master, we don't have a condition to stop looking, we have never experienced that errors before because bash variables can't have a "." dot defined in them.

 ⚙  ph@sashimi  ~/go/src/github.com/elastic/beats/filebeat   master  ./filebeat -v -e -E 'cloud.id=${cloud.id}'
runtime: goroutine stack exceeds 1000000000-byte limit
fatal error: stack overflow

runtime stack:
runtime.throw(0x1bb9a8c, 0xe)
        /Users/ph/.gvm/versions/go1.9.2.darwin.amd64/src/runtime/panic.go:605 +0x95

✘ ⚙  ph@sashimi  ~/go/src/github.com/elastic/beats/filebeat   master  ./filebeat -v -e -E 'output.elasticsearch.hosts.0=${output.elasticsearch.hosts.0}'
runtime: goroutine stack exceeds 1000000000-byte limit
fatal error: stack overflow

runtime stack:
runtime.throw(0x1bb9a8c, 0xe)
        /Users/ph/.gvm/versions/go1.9.2.darwin.amd64/src/runtime/panic.go:605 +0x95
runtime.newstack(0x0)
        /Users/ph/.gvm/versions/go1.9.2.darwin.amd64/src/runtime/stack.go:1050 +0x6e1
runtime.morestack()

[ph]

For the -E, seems we don't configure the keystore resolver at the right time.

[ph]

@tsg The problem is ./metricbeat -e -E 'cloud.id=${cloud.id}' is a cyclic reference (same problem in the configuration yaml) and well u-cfg doesn't deal well with that, the problem is we need varExp to correctly get the path to the keystore so we can create the variable resolver for the secrets.

In short, ucfg, try to make the configuration concrete when we merge.

I think we need to implement a PartialyConcrete concept in our configuration, still trying to figure out how to do it.

[exekias]

I stumbled upon the cyclic issue with autodiscover too, ended up namespacing everything with data. prefix. Perhaps we can modify ucfg to ignore cyclic errors as unresolved, and let next resolvers in the chain fill that variable (in this case, the key store)

[ph]

I stumbled upon the cyclic issue with autodiscover too, ended up namespacing everything with data. prefix. Perhaps we can modify ucfg to ignore cyclic errors as unresolved, and let next resolvers in the chain fill that variable (in this case, the key store)

I am looking into that, going in the rabbit hole :)

[houndci-bot]

exported function GetKeystorePath should have comment or be unexported

[ph]

@tsg @exekias I went deep into the rabbit hole on this one but I don't have the fix for it, to not waste any more time I need to sync with @urso on that because I think this will need internal changes on ucfg to correctly fixes our uses cases. I've experimented with a lot of different ways to fix it, and it ends all the same. I had the prior discussion with @urso concerning improvements that we wanted to make on the config, I think we should take this one our priority.

Concerning the cyclic reference, I have applied a fix to detect when a cyclic reference happens an error should be returned, the problem is theses errors are not bubbled up in the stack they are just ignored and this happen before reaching the stack. Also, I was expecting my changes to break the test suite which was not the case.

Like @exekias said I think the following would solve the problem, we load or merges configuration we should be able (via a flag?) to retain Reference as a type of the configuration.

This would allow us to do work with partially resolved options:

• Load defaults (unresolved references can exist)
• Merge Configuration files (unresolved references can exist)
• Merge Flags overrides. (unresolved reference can exist)
• Configure and initialize the keystore. (Can resolve a subset of reference, needed to bootstrap the keystore)
• Call a resolve function on the configuration (Force every unresolved reference to be resolved, can fail)
• Cyclic references are marked as unresolved and will make the resolve function fails.
• Unpack should also force a resolve this will make the code maintain his old behavior.

The configuration is a chicken/egg problem, and without supporting partially resolved configuration, I don't think we can support Option keys that can exist in the configuration for template tags. (ie -E 'cloud.id=${cloud.id}'), to work around these issues, @exekias has prefixed his options with data.*.

Also, another thing I've tried in my local experimentations is to make sure resolverEnv which is used by both the keystore and the environment variables need to be applied before any internal key reference; this fixes some cyclic reference issues but not all. Also no tests breaks with that changes..

[ph]

After discussing with @monicasarbu we think we can move it forward without fixing the cyclic reference in that PR and do it in another PR.

@tsg I will double check everything with my lastest changes and ping you for another real world testing.

[ph]

@tsg Ready for another round of testing!

[tsg]

I wonder if path.data (typically /usr/share/beatname/data is the right place for the keystore. Alternatively we could consider path.config (typically /etc/beatname)?

We should probably follow what ES/KB did, do you know?

Also, I guess we'd want to check the permissions on the file like we do with the YAML config files.

[ph]

Right, /etc/beatname make more sense, I haven't checked ES/KB I will verify that and make the change if needed.

We do check for permission https://github.com/elastic/beats/pull/5687/files#diff-33a534765f797732e272dc741db414f4R233 if StrictPerm(0600) is True.

[tsg]

@ph did you do any tests of the commands on Windows? Just very slightly worried about the terminal.Prompt calls and how they are implemented on Windows.

[ph]

@tsg Concerning windows, I've tested it early and it was OK, but I will do another complete run just to be on the safe side.

[ph]

@tsg small issue on windows powershell, will get a fix for that. Good point, I am still assuming more compatibility than I should coming from the jvm.

[ph]

@tsg Windows is all good and happy now with the exact same behavior as unix. ssh/terminal for readPassword handle windows gracefully

[ph]

@tsg I've addressed your concerns, adding log debug when successfully resolving keys from the keystore and where the keystore is loaded. Also I've changed the default path of the keystore to ${path.config}/${beatname}.keystore instead of ${path.data}/keystore to reflect Elasticsearch installation.

[ph]

jenkins test this please

[tsg]

@ph The last Jenkins run is almost green, but there's a failure on Windows that looks related to the PR:

16:50:16 System testing filebeat
16:55:25 S..S.........S.............................................FSSSSSS..................................S............S......SS......S...............
16:55:25 ======================================================================
16:55:25 FAIL: Test that we correctly do string replacement with values from the keystore
16:55:25 ----------------------------------------------------------------------
16:55:25 Traceback (most recent call last):
16:55:25   File "C:\Users\jenkins\workspace\elastic+beats+pull-request+multijob-windows\beat\filebeat\label\windows\src\github.com\elastic\beats\filebeat\tests\system\test_keystore.py", line 36, in test_keystore_with_present_key
16:55:25     proc.check_kill_and_wait(1)
16:55:25   File "C:\Users\jenkins\workspace\elastic+beats+pull-request+multijob-windows\beat\filebeat\label\windows\src\github.com\elastic\beats\filebeat\tests\system\../../../libbeat/tests/system\beat\beat.py", line 91, in check_kill_and_wait
16:55:25     return self.check_wait(exit_code=exit_code)
16:55:25   File "C:\Users\jenkins\workspace\elastic+beats+pull-request+multijob-windows\beat\filebeat\label\windows\src\github.com\elastic\beats\filebeat\tests\system\../../../libbeat/tests/system\beat\beat.py", line 80, in check_wait
16:55:25     exit_code, actual_exit_code)
16:55:25 AssertionError: Expected exit code to be 1, but it was 2
16:55:25 

I triggered another Travis run on Filebeat as well.

[tsg]

LGTM, if the test failure is solved.

[ph]

@tsg I've pushed a new commit for the test on windows, I will monitor the greeness of it. The Appveyor tests are also failing for winlogbeat, but this should not be related to anything this PR touch,.

[dol]

Consider replacing pbkdf2 with a never key derivation function like scrypt or even Argon2. Argon2 was very recently merged into golang.org/x/crypto/ .
Some resources about the topic:
https://www.linkedin.com/pulse/top-password-hashing-schemes-employ-today-chintan-jain-mba-cissp
https://download.libsodium.org/doc/password_hashing/
https://core.trac.wordpress.org/ticket/39499
https://gitlab.com/cryptsetup/cryptsetup/issues/119

In addition I would recommend to store the key derivation function and the iteration along side with the VERSION|SALT|IV|PAYLOAD.
If you decide to change the iteration count or the key derivation function you don't need to increase the file format version.
This is kind of similar to the https://secure.php.net/manual/en/function.password-hash.php. In your case the the key would be left out.

With this implementation it's possible to increase the key derivation parameters to prevent faster CPU/GPU's. To achieve this the maintainer needs to alter the key derivation parameters from time to time and if a change is detected from the key derivation parameters stored in the storage file the encrypted payload needs to be decrypted and encrypted with the new parameters.
Similar to https://secure.php.net/manual/en/function.password-needs-rehash.php

To reduce code duplication I would extract the passwordBytes generation passwordBytes := pbkdf2.Key(password, salt, iterationsCount, keyLength, sha512.New) to it own private function.

Btw: The rest of the encryption part looks good to me.

[ph]

@dol I've created the following issues:

#6015
#6016

I will do the change right away to add the function in the format and check for argon2.

[ph]

Good suggestion I will do a follow up on that.

On Fri, Jan 5, 2018 at 6:29 PM Dominic ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In libbeat/keystore/file_keystore.go <#5687 (comment)>: > + // randomly generate the salt and the initialization vector, this information will be saved + // on disk in the file as part of the header + iv, err := common.RandomBytes(iVLength) + + if err != nil { + return nil, err + } + + salt, err := common.RandomBytes(saltLength) + if err != nil { + return nil, err + } + + // Stretch the user provided key + password, _ := k.password.Get() + passwordBytes := pbkdf2.Key(password, salt, iterationsCount, keyLength, sha512.New) Consider replacing pbkdf2 with a never key derivation function like scrypt or even Argon2. Argon2 was very recently merged into golang.org/x/crypto/ . Some resources about the topic: https://www.linkedin.com/pulse/top-password-hashing-schemes-employ-today-chintan-jain-mba-cissp https://download.libsodium.org/doc/password_hashing/ https://core.trac.wordpress.org/ticket/39499 https://gitlab.com/cryptsetup/cryptsetup/issues/119 In addition I would recommend to store the key derivation function and the iteration along side with the VERSION|SALT|IV|PAYLOAD. If you decide to change the iteration count or the key derivation function you don't need to increase the file format version. This is kind of similar to the https://secure.php.net/manual/en/function.password-hash.php. In your case the the key would be left out. With this implementation it's possible to increase the key derivation parameters to prevent faster CPU/GPU's. To achieve this the maintainer needs to alter the key derivation parameters from time to time and if a change is detected from the key derivation parameters stored in the storage file the encrypted payload needs to be decrypted and encrypted with the new parameters. Similar to https://secure.php.net/manual/en/function.password-needs-rehash.php To reduce code duplication I would extract the passwordBytes generation passwordBytes := pbkdf2.Key(password, salt, iterationsCount, keyLength, sha512.New) to it own private function. Btw: The rest of the encryption part looks good to me. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#5687 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAACgIZqPS5LnJi_-FzjyI2BdzmSYzG7ks5tHrBHgaJpZM4Qnuc3> .

-- ph