feat: add support for decryption scheme from properties in senhasegura Devops Secrets Management (DSM) provider

[felipeosantos]

Problem Statement

The Senhasegura provider has a feature to encrypt sensitive data when returning information. However, External Secrets does not decrypt this sensitive data when creating a secret in Kubernetes.

Related Issue

Feature #3582

Proposed Changes

Implemented a feature to decrypt sensitive data in External Secrets using a private key, designed in a way that allows other providers to also use this feature. Modified the External Secrets type to accept the configuration of a private key (specific to each provider), options such as encryption scheme, private key type, and hash algorithm.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[felipeosantos]

For testing, mock the attached files on Postman and apply the YAML configuration below. However, make sure to change the URL to your Postman mock first.
senhasegura-mock.postman_collection.json

---
apiVersion: v1
kind: Secret
metadata:
  name: senhasegura-dsm-auth
stringData:
  CLIENT_SECRET: "CHANGEME"
  # Optional, used only when sensitive data has been encrypted in senhasegura
  PRIVATE_KEY: |
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQChzs1R+jA3Goqi
    ropPzF4Ehpbi6VklbeZWP+RoU3rJshONJO6w9tPhbp0YIXrPSM9P5a9xaaNxDR9e
    u84O05+vq3C4P9I0jb5GSjiuznrmsprFWGaGdd4Vr7Fir1oqfeVc+znQFUCvkq7B
    EWobOonl6ktQ2OHBK0bEzXB7qY7P4ETI6owDUL+pkAwHzdnwk4sXMDKBLT3WZVRn
    xPppIJ4VAEph1fJOCIIskxVBh8cAT4QRxsdu8oB7cAuYJLBBKiS/GGIA7vh9sQrb
    +0BAgLqvy+kiQeQhYgF/Y/uVwkgAphFzSjSjoSFQ50nNE2VJA5J6o7QZ413DlIWr
    VJKNZJDbAgMBAAECggEAemklU5te1pExyJka8fu+NNZNWCUI2BQoaZ+0gGiHQAeE
    WwdRvHc/HBC+r/7EFgUTMXKmI7qzd1diIB0caoMXD6M3h2xg7nk9NZf5AeYbfGQq
    SpnyFk8dUHK2U94s7HCKEKnOtukdIrZplo5CI49Ju7JggC1TvPuscj6pliRUclYY
    Pc6pTVaG+bludDR8YkQ1mGi04wMQHpnisegRpMSjt9uZc1jKM7SSaHggu4/vuewo
    CFdra50/MjidIOXd5T5iVYY28J+gR8oCCKySTogNJ3JpNMNAW4FHfime5B+uS0IA
    YI/N8yjT/BPgRt4lQpR+6zi3fpguWNIM71xye1/R4QKBgQDNZNGFOntbFM2NTPYu
    4APRVu4a0gM+JEA/ozuxTigkgaj6dNeJvaNTxcKG0MmGxQLEcvgCDaWIoM6Qrj1K
    YVwdiv1MddRDdSHQjGjNM6n7jNfYVQ2gP+1wDwTMN+eyAW8KoZByaQimmjyBj/Ps
    C8VWPxyrw/UeHqzTazyEIZ2fHQKBgQDJrM2/xx7F63C6GaW+5gMeColxkdYb29Aw
    R3xb2rn5lVPLW0BORQQuepZuaI+ZLTb4Op7V4yAC/S9femFXpgkZa56aacwy1jxb
    R9WO0CWP3QCUCcIBF/4lbJDZ6gQLr51oahXhhjbgGMrlguC/j4R9n3i58EaeukeE
    +Hsu/hMWVwKBgETsWALFJS/jQzbvZI1GTwGoki4d20i3EXhJZnaRK5dUi0fAfbOT
    F4O9ERH8biPzaIJTsjW+LpYyoB6c2aRkF20yft1xjNE2NSquc1yowZnQIX5OzEvC
    KAM6hvmgqPdq08BVhwtdg7GkgDlZ/Rhwur++XfilwVNiJ8yqZ5xPS31hAoGBALnu
    hB5MMPXd86bPoHyYSMV4h3DaOGCkzpLERUXWKOGOp5tzfJzsikdjo68U3VcmVWiT
    ev7MkCXRUMyg4n/RRtBV5PqNkcJIu4qYdq5c/lRdN3xEZsVlXl0Yc49EbghsFx49
    uACdIZiHov/oItbZNRgwXzhl6mXKbceM4tzXR7evAoGBALug2beVoVAl2nAB2RkQ
    Jy3viDKO+C6Z82gsS5x9Wif9cJTppIarZC+t7w33f4WHJiYT1VDxse08dohC5Nn7
    7WWKdtLMSyUaXE46s37Kl5tkTkROj3wBzSIzwLYAwsthcpQVubwDAMsig8EUAdr/
    0IwaauEPX9lBYMZDMYuSAR5n
    -----END PRIVATE KEY-----
    
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: senhasegura
  namespace: default
spec:
  provider:
    senhasegura:
      auth:
        clientId: CHANGEME
        clientSecretSecretRef:
          key: CLIENT_SECRET
          name: senhasegura-dsm-auth
      ignoreSslCertificate: false
      module: DSM
      privateKeySecretRef:
        key: PRIVATE_KEY
        name: senhasegura-dsm-auth
      url: https://fe5d01a9-e201-4006-acd3-68e39030a70a.mock.pstmn.io
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: busybox-nexus-ms2
  namespace: default
spec:
  data:
    - remoteRef:
        key: dip_app-cripto_dev
        property: USER_01
      secretKey: OAM_APIGW_INT_USERNAME
    - remoteRef:
        decodingStrategy: Base64
        decryptingStrategy:
          scheme: RSA-OAEP
        key: dip_app-cripto_dev
        property: PASS_01
      secretKey: OAM_APIGW_INT_CLIENTID
  refreshInterval: 120s
  secretStoreRef:
    kind: SecretStore
    name: senhasegura
  target:
    name: busybox-nexus-ms2

[Skarlso]

Hmmm... So I can see the appeal of extending ExternalSecrets to use a decryption scheme, but honestly, I find this a premature optimization kind of approach? Like, NONE of the other providers have anything NEAR such a feature so extending the base type to do this seems overkill.

I would suggest expanding only the Senhasegura provider's type. We follow the least friction path here. Don't add if it's not needed. :) Meaning, we keep changes localised to providers. For example, even CAProvider additions was refactored only after several more providers where using it. Than it was standardised. If we see more than one provider needing decryption we'll add something for that. For now, please keep the changes local to Senhasegura. Thanks 🙇

[felipeosantos]

Ok, thanks for your feedback. I just wanted to explain my reasoning: changing the external secrets type to a decryption schema will impact other providers, even if they are not currently in use. However, this change will make it easier to implement similar functionality if other providers need it in the future. As a matter of fact, I will develop it in such a way that only senhasegura will have this feature. Regarding this change - decryptingStrategy: - remoteRef: conversionStrategy: Default decodingStrategy: Base64 decryptingStrategy: hash: SHA1 privateKeyType: PKCS8 scheme: RSA-OAEP key: dip_app-cripto_dev property: PASS_01 Do you have any considerations? I need to check if the property must be decrypted. Considering that only senhasegura has this feature, how could we define the type?

[Skarlso]

Considering that only senhasegura has this feature, how could we define the type?

These could be defined in the metadata section of the external secret object. And use a Key to define which key you are targeting with this setting.

So like, you could have a section as such:

metadata:
  decryption:
    keyname:
        decryptingStrategy:
          hash: SHA1
          privateKeyType: PKCS8
          scheme: RSA-OAEP
    anotherKeyName:
        decryptingStrategy:
          hash: SHA1
          privateKeyType: PKCS8
          scheme: RSA-OAEP

Doing this, the key would be the map key so you could lookup quickly if a decoding strategy is defined for a specific key.

This way, there is no need to change the ref type.

[felipeosantos]

Actually, there is a section in external secret types, wouldn't it be that?

How could I implement this in this case without the properties existing in the object? Is there already an example in the project for me to check?

[Skarlso]

ah, I honestly though that ES would have a metadata field similar to what PushSecret has. But I can see that it doesn't.

Okay, how about this. You could create a template method that can have certain arguments that let's you decode the given value?

And if you do that, that would be something that EVERY provider could use. :) WDYT?

[Skarlso]

Talked it over with the rest of the team, and the Template idea can be a really nice one to allow this feature for the other providers as well. :) 👍

[felipeosantos]

I implemented a new solution without the need to refactor other providers. I created a new interface that "extends" the v1beta1.SecretsClient interface. This way, only those who implement the new interface will have the feature to decrypt sensitive data. I will conduct new tests with another provider to see the behavior. WDYT?

[Skarlso]

But you are still extending remoteRef with a capability that is only supported by a single provider. 🤔

[felipeosantos]

The idea is to have it work like the base64 feature. In this process, I need this feature too. I honestly don't see any problem with this format; the only difference between these features is how the private key is retrieved by the provider. I will still need to understand how the template works to try implementing your suggestion

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[Skarlso]

@felipeosantos Are you doing the template stuff then? :)

[felipeosantos]

Sorry, @Skarlso, but I still haven't had time to implement the template. However, in my company, we are already using many microservices with this format. I need to think about how to migrate to the template format as well. That's why I'm maintaining this fork. In fact, I intend to implement the template format ASAP. Do you prefer to close this PR, and I’ll open a new one when I implement the feature this way?

[Skarlso]

It's fine, you can leave this open and go from here I think.

[github-actions]

This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[felipeosantos]

Hello @Skarlso, I will start an implementation with the template. Could you please remove the Stale tag?

[Skarlso]

Sure!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
2 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[Skarlso]

This looks okay now, I'm waiting for @felipeosantos to put that back that test with a different name and some explanation that it's not an exploit. :D

[gusfcarvalho]

IMO if this is an encrypted file only, it should be created as part of the test setup, and available only in memory.

[felipeosantos]

IMO if this is an encrypted file only, it should be created as part of the test setup, and available only in memory.

About the rsaDecrypt function unit test - it was implemented. But for the template function unit test, I used a similar approach that involved complex data (e.g., a PFX file), and in my case, purely encrypted data. However, if you prefer that I generate the data dynamically, I can do that without any problem - though it will involve writing some helper functions, which might make the template test more complex.

[Skarlso]

Hmmm, I don't know. I don't want an entire encryption suit in the tests just to test decryption. But I also don't really want a file that could potentially be flagged as insecure or malicious data just because it's unreadable and looks like garbage.

Argh. How much code would be involved with the encryption library? Because I also don't really want to " just test it in production " :D

[gusfcarvalho]

Hmmm, I don't know. I don't want an entire encryption suit in the tests just to test decryption. But I also don't really want a file that could potentially be flagged as insecure or malicious data just because it's unreadable and looks like garbage.

Argh. How much code would be involved with the encryption library? Because I also don't really want to " just test it in production " :D

counter argument to implement the helper functions needed - if something breaks / a user complain its not working, we have a contract test to refer to. It will be easier to simulate with "their data"

[felipeosantos]

Hmmm, I don't know. I don't want an entire encryption suit in the tests just to test decryption. But I also don't really want a file that could potentially be flagged as insecure or malicious data just because it's unreadable and looks like garbage.
Argh. How much code would be involved with the encryption library? Because I also don't really want to " just test it in production " :D

counter argument to implement the helper functions needed - if something breaks / a user complain its not working, we have a contract test to refer to. It will be easier to simulate with "their data"

I will adjust this point.

[Skarlso]

@felipeosantos Please ping me when I can continue.

[felipeosantos]

@felipeosantos Please ping me when I can continue.

Done!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Skarlso]

Thank you so much for all the effort you've put into this!