
From:
Omar Polo <op@omarpolo.com>
Subject:
Re: RFC: secrets for gotd
To:
Stefan Sperling <stsp@stsp.name>
Cc:
gameoftrees@openbsd.org
Date:
Sun, 25 Aug 2024 23:19:20 +0200

On 2024/08/25 20:31:37 +0200, Stefan Sperling <stsp@stsp.name> wrote:
> On Sun, Aug 25, 2024 at 07:46:01PM +0200, Omar Polo wrote:
> > Currently gotd.conf holds some sensitive data for http notifications in
> > plain.  Furthermore gotd.conf has to be world-readable to not break
> > gotsh(1).
> 
> gitwrapper, not gotsh

Whoops, right!

> > So, here's a proposal to break out the secrets in a separate config file
> > which can (and must) be owned by root and not world-readable.  When
> > parsing the files for gotsh(1) or similar purpose we can skip the
> > "include".
> > 
> > It's mostly about syntax and taste, hence an RFC instead of a diff.
> > Let's bikeshed a bit and once we reach a consensus I'll start working on
> > it.
> > 
> > While here I couldn't help but also try to move "insecure" before "url",
> > because otherwise I would read it as "insecure auth", which could also be
> > fine, or "insecure hmac" which is... curious :)
> 
> I agree that moving the insecure keyword to the front makes sense.
>  
> > # /etc/gotd.secrets.conf
> > auth "xyz" {
> > 	username "flan"
> > 	password "flan123!"
> > }
> > 
> > hmac "abc" {
> > 	secret "o0wgEB5QyRRKUwHlobeVX1JguCvkTBBohhQnINbxaOs="
> > }
> > 
> > 
> > # /etc/gotd.conf
> > include secret "/etc/gotd.secrets.conf"  # root-owned; skipped by gotsh
> 
> I would prefer "include secrets" since the file can contain multiple
> secrets.

yeah, it reads better.

> > repository "src.git" {
> > 	path "/var/git/src.git"
> > 	permit rw :developers
> > 	permit ro anonymous
> > 
> > 	notify {
> > 		branch "main"
> > 
> > 		insecure url "http://some.other.host:8080/foo" auth "xyz"
> > 		# or
> > 		insecure url "http://..." hmac "abc"
> > 		# or even both
> > 	}
> > }
> > 
> > 
> > Using for `url "..." auth' an undefined label or an hmac value will
> > produce an error.  Likewise for `url "..." hmac'.
> > 
> > 
> > Opinions?
> 
> I like this proposal. I don't see a problem with implementing this.
> 
> Is there any specific reason you didn't copy the smtpd table-based design?
> I was thinking we could probably just steal code from there.

My first idea was something table-like, but then I realized it wouldn't
fit well here.

smtpd tables work by attaching a table to a rule, as in:

	listen on all auth <foo>

Then, at runtime, smtpd will look up the table foo for some key (username
in this case).  With gotd we don't have this kind of query at runtime.
We have to specify the key in the configuration too.  The config would
look like:

	url "..." auth <foo> "flan"

at which point we might just give `auth "flan"`.

At that point, why not also use a {}-style syntax for the secret file
too?  It helps to visually distinguish the entries that are used for
hmac and HTTP auth.

But also something more smtpd-table-like could work for me.

	# /etc/gotd.secrets.conf
	flan		s3cr3tp4ssw0rd
	secret1		<hmac-secret>
	...
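To make the cross-checks in the proposal concrete (a `url ... auth`/`hmac` reference must name a defined label of the matching kind, and a label of the other kind or an undefined one is an error), here is an added Python sketch of a checker for the {}-style secrets file. It is not code from got/gotd or from this thread; the regex grammar, function names, required fields and sample values are assumptions.

```python
import re
# Constructed sample of the proposed /etc/gotd.secrets.conf (not a real file).
SECRETS = '''
auth "xyz" {
    username "flan"
    password "flan123!"
}
hmac "abc" {
    secret "<hmac-secret>"
}
'''
REQUIRED = {"auth": {"username", "password"}, "hmac": {"secret"}}  # assumed
BLOCK = re.compile(r'^(auth|hmac)\s+"([^"]+)"\s*\{$')
FIELD = re.compile(r'^(\w+)\s+"([^"]*)"$')
URL = re.compile(r'^(?:insecure\s+)?url\s+"[^"]*"((?:\s+(?:auth|hmac)\s+"[^"]+")+)$')
REF = re.compile(r'(auth|hmac)\s+"([^"]+)"')
def load_secrets(text):
    """Parse the {}-style secrets file into {'auth': {...}, 'hmac': {...}}."""
    secrets = {"auth": {}, "hmac": {}}
    kind = label = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if kind is None and (m := BLOCK.match(line)):
            kind, label = m.groups()
            secrets[kind][label] = {}
        elif kind is not None and line == "}":
            missing = REQUIRED[kind] - set(secrets[kind][label])
            if missing:
                raise ValueError(f'{kind} "{label}" lacks {sorted(missing)}')
            kind = label = None
        elif kind is not None and (m := FIELD.match(line)):
            secrets[kind][label][m.group(1)] = m.group(2)
        else:
            raise ValueError(f"syntax error: {line}")
    return secrets
def check_url_refs(secrets, url_line):
    """Errors for one notify `url "..." auth/hmac "label"` line, [] if OK."""
    m = URL.match(url_line.strip())
    if not m:
        return [f"syntax error: {url_line.strip()}"]
    errors = []
    for kind, label in REF.findall(m.group(1)):
        other = "hmac" if kind == "auth" else "auth"
        if label in secrets[other] and label not in secrets[kind]:
            errors.append(f'{kind} "{label}" names an {other} secret')
        elif label not in secrets[kind]:
            errors.append(f'undefined {kind} "{label}"')
    return errors
```

A privilege-separated parser (the gotsh/gitwrapper case) would simply never call `load_secrets` and treat every `auth`/`hmac` reference as opaque.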