Add an IV to the codefresh-token secret (#205)

* Added IV to codefresh-token secret

* naming fixes

* encode bytes to base64

* fixes

* bump

* bump

Author: danielm-codefresh

Makefile

@@ -1,4 +1,4 @@
-VERSION=v0.0.191
+VERSION=v0.0.192
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")

cmd/commands/runtime.go

@@ -30,7 +30,10 @@ package commands
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/hex"
 	"fmt"
+	"io"
 	"os"
 	"strconv"
 	"strings"
@@ -81,6 +84,7 @@ type (
 	RuntimeInstallOptions struct {
 		RuntimeName          string
 		RuntimeToken         string
+		RuntimeStoreIV       string
 		IngressHost          string
 		Insecure             bool
 		InstallDemoResources bool
@@ -118,16 +122,16 @@ type (
 	}
 
 	summaryLogLevels string
-	summaryLog struct {
+	summaryLog       struct {
 		message string
-		level 	summaryLogLevels
+		level   summaryLogLevels
 	}
 )
 
 const (
 	Success summaryLogLevels = "Success"
-	Failed summaryLogLevels = "Failed"
-	Info summaryLogLevels = "Info"
+	Failed  summaryLogLevels = "Failed"
+	Info    summaryLogLevels = "Info"
 )
 
 var summaryArr []summaryLog
@@ -313,14 +317,20 @@ func getComponents(rt *runtime.Runtime, opts *RuntimeInstallOptions) []string {
 	return componentNames
 }
 
-func createRuntimeOnPlatform(ctx context.Context, opts *model.RuntimeInstallationArgs) (string, error) {
+func createRuntimeOnPlatform(ctx context.Context, opts *model.RuntimeInstallationArgs) (string, string, error) {
 	runtimeCreationResponse, err := cfConfig.NewClient().V2().Runtime().Create(ctx, opts)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create a new runtime: %s. Error: %w", opts.RuntimeName, err)
+	}
 
+	const IV_LENGTH = 16
+	iv := make([]byte, IV_LENGTH)
+	_, err = io.ReadFull(rand.Reader, iv)
 	if err != nil {
-		return "", fmt.Errorf("failed to create a new runtime: %s. Error: %w", opts.RuntimeName, err)
+		return "", "", fmt.Errorf("failed to create an initialization vector: %s. Error: %w", opts.RuntimeName, err)
 	}
 
-	return runtimeCreationResponse.NewAccessToken, nil
+	return runtimeCreationResponse.NewAccessToken, hex.EncodeToString(iv), nil
 }
 
 func RunRuntimeInstall(ctx context.Context, opts *RuntimeInstallOptions) error {
@@ -353,7 +363,7 @@ func RunRuntimeInstall(ctx context.Context, opts *RuntimeInstallOptions) error {
 
 	defer postInstallationHandler(ctx, opts, &err)
 
-	token, err := createRuntimeOnPlatform(ctx, &model.RuntimeInstallationArgs{
+	token, iv, err := createRuntimeOnPlatform(ctx, &model.RuntimeInstallationArgs{
 		RuntimeName:    opts.RuntimeName,
 		Cluster:        server,
 		RuntimeVersion: runtimeVersion,
@@ -367,6 +377,7 @@ func RunRuntimeInstall(ctx context.Context, opts *RuntimeInstallOptions) error {
 	}
 
 	opts.RuntimeToken = token
+	opts.RuntimeStoreIV = iv
 	rt.Spec.Cluster = server
 	rt.Spec.IngressHost = opts.IngressHost
 	rt.Spec.Repo = opts.InsCloneOpts.Repo
@@ -1155,7 +1166,7 @@ func configureAppProxy(ctx context.Context, opts *RuntimeInstallOptions, rt *run
 }
 
 func createEventsReporter(ctx context.Context, cloneOpts *git.CloneOptions, opts *RuntimeInstallOptions, rt *runtime.Runtime) error {
-	runtimeTokenSecret, err := getRuntimeTokenSecret(opts.RuntimeName, opts.RuntimeToken)
+	runtimeTokenSecret, err := getRuntimeTokenSecret(opts.RuntimeName, opts.RuntimeToken, opts.RuntimeStoreIV)
 	if err != nil {
 		return fmt.Errorf("failed to create codefresh token secret: %w", err)
 	}
@@ -1289,7 +1300,7 @@ var getProjectInfoFromFile = func(repofs fs.FS, name string) (*argocdv1alpha1.Ap
 	return proj, appSet, nil
 }
 
-func getRuntimeTokenSecret(namespace string, token string) ([]byte, error) {
+func getRuntimeTokenSecret(namespace string, token string, iv string) ([]byte, error) {
 	return yaml.Marshal(&v1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
@@ -1300,7 +1311,8 @@ func getRuntimeTokenSecret(namespace string, token string) ([]byte, error) {
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
-			store.Get().CFTokenSecretKey: []byte(token),
+			store.Get().CFTokenSecretKey:   []byte(token),
+			store.Get().CFStoreIVSecretKey: []byte(iv),
 		},
 	})
 }
@@ -1514,12 +1526,12 @@ func postInstallationHandler(ctx context.Context, opts *RuntimeInstallOptions, e
 		log.G(ctx).Warn("installation failed, performing installation rollback")
 		err := RunRuntimeUninstall(ctx, &RuntimeUninstallOptions{
 			RuntimeName: opts.RuntimeName,
-			Timeout: store.Get().WaitTimeout,
-			CloneOpts: opts.InsCloneOpts,
+			Timeout:     store.Get().WaitTimeout,
+			CloneOpts:   opts.InsCloneOpts,
 			KubeFactory: opts.KubeFactory,
-			SkipChecks: true,
-			Force: true,
-			FastExit: false,
+			SkipChecks:  true,
+			Force:       true,
+			FastExit:    false,
 		})
 		if err != nil {
 			log.G(ctx).Errorf("installation rollback failed: %w", err)
@@ -1529,7 +1541,7 @@ func postInstallationHandler(ctx context.Context, opts *RuntimeInstallOptions, e
 	printSummaryToUser()
 }
 
-func appendLogToSummary(message string, err error){
+func appendLogToSummary(message string, err error) {
 	if err != nil {
 		summaryArr = append(summaryArr, summaryLog{message, Failed})
 	} else {
@@ -1546,7 +1558,7 @@ func printSummaryToUser() {
 		} else {
 			fmt.Printf("%s\n", summaryArr[i].message)
 		}
-    }
+	}
 	//clear array to avoid double printing
 	summaryArr = []summaryLog{}
 }

docs/releases/release_notes.md

@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.191/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.192/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.191/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.192/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf

manifests/app-proxy/app-proxy.deploy.yaml

@@ -86,6 +86,11 @@ spec:
                 secretKeyRef:
                   name: codefresh-token
                   key: token
+            - name: RUNTIME_STORE_IV
+              valueFrom:
+                secretKeyRef:
+                  name: codefresh-token
+                  key: encryptionIV
             - name: STORE_BACKEND
               valueFrom:
                 configMapKeyRef:

manifests/app-proxy/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Kustomization
 images:
   - name: quay.io/codefresh/cap-app-proxy
     newName: quay.io/codefresh/cap-app-proxy
-    newTag: v0.0.19
+    newTag: v0.0.20
 resources:
   - app-proxy.deploy.yaml
   - app-proxy.svc.yaml

manifests/runtime.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: "{{ namespace }}"
 spec:
   defVersion: 1.0.0
-  version: 0.0.191
+  version: 0.0.192
   bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
   components:
     - name: events

pkg/store/store.go

@@ -75,6 +75,7 @@ type Store struct {
 	CFRuntimeType                        string
 	CFTokenSecret                        string
 	CFTokenSecretKey                     string
+	CFStoreIVSecretKey                   string
 	CodefreshCM                          string
 	CodefreshSA                          string
 	ComponentsReporterName               string
@@ -163,6 +164,7 @@ func init() {
 	s.ArgoCDAgentReporterName = "argocd-agent"
 	s.ArgoCDAgentSA = "argocd-agent"
 	s.CFTokenSecretKey = "token"
+	s.CFStoreIVSecretKey = "encryptionIV"
 	s.CodefreshCM = "codefresh-cm"
 	s.CodefreshSA = "codefresh-sa"
 	s.ComponentsReporterName = "components-reporter"