`getSecretKey` template function shouldn't exist

[budimanjojo]

Is your feature request related to a problem? Please describe.

getSecretKey template function (https://external-secrets.io/latest/guides/templating/#rsa-decryption-data-from-provider) introduced by this PR is likely to be problematic for security reasons.
It opens a door to do something like this:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: test
spec:
  # THIS IS NOT USED AT ALL, CAN BE ANY STORE YOU HAVE
  secretStoreRef:
    name: a-secret-store
    kind: SecretStore
  target:
    template:
      data:
        password: '{{ getSecretKey "a-secret-name" "another-namespace" "a-key" }}'
  # THIS IS NOT USED TOO; it's just a requirement for the validating webhook
  dataFrom:
    - extract:
        key: something

As seen above, I created an ExternalSecret just to get value of a secret key from another namespace.
Normally, I should setup the Kubernetes provider with appropriate RBAC to do something like this.

Describe the solution you'd like

I don't have any solution to offer, but I think this function shouldn't be available for the users. The appropriate way to get a secret from a Kubernetes cluster should be to use the already available Kubernetes provider.
This feature was not even introduced for Kubernetes provider in the first place.

I'm also guilty because I'm using this right now to make external-secrets as an easy "secret replicator" as it is convenient not to setup RBAC and Kubernetes secret store but I feel bad not telling people about the security issue that might be exploited by a bad actor.

Another solution is to make this feature exclusive for Senhasegura Devops Secrets Management (DSM) or to have a switch to turn this feature off completely, I really don't know.

I'm also tagging @felipeosantos as they're the feature implementer.

Thanks before!

[Skarlso]

That's a good find. Thanks! We should definitely do something around this.

[felipeosantos]

I suggest removing this function and implementing getSecretsKey directly in the main functionality where it was originally created - rsaDecrypt. However, I’m not fully aware of the impact of removing this function. Still, I agree that it represents a significant issue in terms of security context.

Another alternative to reduce the impact, I believe, would be to limit the scope to the namespace where the External Secrets are applied, since RBAC is normally enforced at the namespace level.

Thanks very much for the feedback about this problem @budimanjojo.

[budimanjojo]

For me, the better approach in the long run is to have something like Decoding Strategies but for decryption. Where you provide a secret that has private key to it (ExternalSecret requires the secret to be in the same namespace and ClusterExternalSecret has a field to define namespace of the secret). But that should be the future aim as this requires apiVersion bumping I guess?

For current situation, where you might only use this feature only for Senhasegura, maybe implement this only for the provider specifically, not sure if this require apiVersion bump, I think not?

[budimanjojo]

But on the second thought, I think currently there's no other provider other than Senhasegura has this feature? Maybe adding it only for providers that can do this is enough even in the long run.

[Skarlso]

Yeah, making it provider specific might limit the impact.

[felipeosantos]

@budimanjojo if you look at the PR, you’ll see that the first version was implemented this way, similar to the decoding strategy. Considering the functionality, in my opinion, the best approach would be to create a rsaDecryptWithSecret, essentially combining rsaDecrypt with getSecretKey.
It sounds strange for a provider to reference a secret containing a private key to decrypt data and then rely on a templating function to perform that decryption.

[budimanjojo]

Yeah that would work too for a quick workaround.

[budimanjojo]

I read some docs and found out that you can actually use multiple secret stores in one ES with data[].sourceRef. Not sure why not suggest using two secret stores to achieve this? You'll need to setup Kubernetes provider (or any other provider tbh) as the source of the private key like so:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: test
spec:
  secretStoreRef:
    kind: SecretStore # or ClusterSecretStore
    name: senhasegura
  target:
    name: test
    template:
      data:
        password: '{{ rsaDecrypt "RSA-OAEP" "SHA1" .password_encrypted_binary .privatekey }}'
  data:
    - secretKey: privatekey
      remoteRef:
        key: a-secretname-in-cluster
        property: privatekey
      sourceRef:
        storeRef:
          kind: SecretStore # or ClusterSecretStore
          name: kubernetes # name of the k8s provider
    - secretKey: password_encrypted_binary
      remoteRef:
        key: the-key-name-from-senhaseguara

Wouldn't this be a better solution? You simply replace the getSecretKey function with any supported provider (I use fake provider to test this out).

[felipeosantos]

I would like to proceed with removing the templating function getSecretKey, keep rsaDecrypt for the scenario illustrated below, and introduce a new function called rsaDecryptSecretRef.
The main reason is that returning the private key in the same response that provides the encrypted data does not make much sense from a security perspective.

When I initially implemented rsaDecrypt, my goal was to simplify the functionality by splitting it into two methods: rsaDecrypt and getSecretKey. However, this approach fell short in meeting the security requirements.
I’d like to make these adjustments as soon as possible, since exposing the getSecretKey function allows privileged access to the cluster with relatively little effort.

[felipeosantos]

Looking at the example, I noticed the following property:

sourceRef:
  storeRef:
    kind: SecretStore # or ClusterSecretStore
    name: kubernetes # name of the k8s provider

I’ll interpret and understand the usage in this way, but if it refers to a different SecretStore, that would be a good approach as well.

[budimanjojo]

I’ll interpret and understand the usage in this way, but if it refers to a different SecretStore, that would be a good approach as well.

Yes, the secret store can be any supported provider, meaning you have a dedicated SecretStore or ClusterSecretStore that has the private key to decrypt secrets pulled from Senhasegura. It's more powerful than getSecretKey that can only be a secret from local cluster.

[Skarlso]

@felipeosantos sounds like a plan. Can I assign you to this issue in that case?