From bcd2511a7269ceb72c5c4a255fa760de85dea1e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Han?= Date: Tue, 22 Jun 2021 15:00:45 +0200 Subject: [PATCH] ceph: do not leak key encryption key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When evaluating the potential "warning" key from the json output we were not hiding stdout (1) from the output, so the key was leaked. Also the warning check for the key was not perfect, it only checked for the command to succeed, but we should introspect it since the "warning" key is always present unlike the "error" one. We now only print the warning or the error is present. Signed-off-by: Sébastien Han
---
 pkg/operator/ceph/cluster/osd/spec.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/pkg/operator/ceph/cluster/osd/spec.go b/pkg/operator/ceph/cluster/osd/spec.go
index 56c9d8e88cd3..642dc8cf9d17 100644
--- a/pkg/operator/ceph/cluster/osd/spec.go
+++ b/pkg/operator/ceph/cluster/osd/spec.go
@@ -246,15 +246,20 @@ fi
 curl "${ARGS[@]}" "$VAULT_ADDR"/v1/"$VAULT_BACKEND_PATH"/"$KEK_NAME" > "$CURL_PAYLOAD"
 # Check for warnings in the payload
-if python3 -c "import sys, json; print(json.load(sys.stdin)[\"warnings\"], end='')" 2> /dev/null < "$CURL_PAYLOAD"; then
- # We could get a warning but it is not necessary an issue, so if there is no key we exit
- if ! python3 -c "import sys, json; print(json.load(sys.stdin)${PYTHON_DATA_PARSE}[\"$KEK_NAME\"], end='')" 2> /dev/null < "$CURL_PAYLOAD"; then
- exit 1
+if warning=$(python3 -c "import sys, json; print(json.load(sys.stdin)[\"warnings\"], end='')" 2> /dev/null < "$CURL_PAYLOAD"); then
+ if [[ "$warning" != None ]]; then
+ # We could get a warning but it is not necessary an issue, so if there is no key we exit
+ if ! python3 -c "import sys, json; print(json.load(sys.stdin)${PYTHON_DATA_PARSE}[\"$KEK_NAME\"], end='')" &> /dev/null < "$CURL_PAYLOAD"; then
+ echo "no encryption key $KEK_NAME present in vault"
+ echo "$warning"
+ exit 1
+ fi
 fi
 fi
 # Check for errors in the payload
-if python3 -c "import sys, json; print(json.load(sys.stdin)[\"errors\"], end='')" 2> /dev/null < "$CURL_PAYLOAD"; then
+if error=$(python3 -c "import sys, json; print(json.load(sys.stdin)[\"errors\"], end='')" 2> /dev/null < "$CURL_PAYLOAD"); then
+ echo "$error"
 exit 1
 fi
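Review bot: The key-presence check on the new side is only reached inside `if [[ "$warning" != None ]]`, so a payload whose `warnings` is null, that carries no `errors` key, and that lacks `$KEK_NAME` under `${PYTHON_DATA_PARSE}` now passes both checks and the script carries on, whereas the removed lines exited 1 for a missing key whenever the `warnings` key was present (always, per the commit message). The stdout hiding itself is right — `warning=$(...)` captures the first probe and `&> /dev/null` silences the key probe — but the presence check should not be gated on a warning being raised; hoist it out of the warning branch and run it after the error check so an error payload still reports the error first. While here, `$CURL_PAYLOAD` still holds the KEK on disk after these checks; its file mode and removal are outside this hunk and worth confirming. The enclosing shell script (a string inside spec.go) continues past both ends of the hunk.

```bash
# Check for warnings in the payload (captured, never echoed together with the key)
if warning=$(python3 -c "import sys, json; print(json.load(sys.stdin)[\"warnings\"], end='')" 2> /dev/null < "$CURL_PAYLOAD"); then
  if [[ "$warning" != None ]]; then
    echo "$warning"
  fi
fi

# … unchanged: errors check …

# Exit if the key is absent, regardless of any warning; all output is discarded so the KEK never reaches stdout/stderr
if ! python3 -c "import sys, json; print(json.load(sys.stdin)${PYTHON_DATA_PARSE}[\"$KEK_NAME\"], end='')" &> /dev/null < "$CURL_PAYLOAD"; then
  echo "no encryption key $KEK_NAME present in vault"
  exit 1
fi
```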