PASS-11: Fix git push vulnerability (#90)

* PASS-11: Fix git push vulnerability
premiscale · Feb 13, 2024 · 70d3d40 · 70d3d40
1 parent 2e3428f
commit 70d3d40
Show file tree

Hide file tree

Showing 11 changed files with 38 additions and 16 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -5,7 +5,7 @@ setup: true
 
 orbs:
   dynamic: bjd2385/[email protected]
-  general: premiscale/general@1.1.2
+  general: premiscale/general@1.2.0
   slack: circleci/[email protected]
 
 

diff --git a/.circleci/helm.operator-crds.yml b/.circleci/helm.operator-crds.yml
@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.1.2
+  general: premiscale/general@1.2.0
 
 
 workflows:

diff --git a/.circleci/helm.yml b/.circleci/helm.yml
@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.1.2
+  general: premiscale/general@1.2.0
 
 
 workflows:

diff --git a/.circleci/src.yml b/.circleci/src.yml
@@ -2,7 +2,7 @@ version: 2.1
 
 
 orbs:
-  general: premiscale/general@1.1.2
+  general: premiscale/general@1.2.0
   slack: circleci/[email protected]
 
 

diff --git a/.circleci/tests.yml b/.circleci/tests.yml
@@ -8,7 +8,7 @@ executors:
 
 
 orbs:
-  general: premiscale/general@1.1.2
+  general: premiscale/general@1.2.0
 
 
 jobs:

diff --git a/Dockerfile b/Dockerfile
@@ -29,7 +29,11 @@ RUN useradd -rm -d /opt/pass-operator -s /bin/bash -g operator -u 10001 operator
 
 WORKDIR /opt/pass-operator
 
-RUN chown -R operator:operator .
+RUN chown -R operator:operator . \
+    && mkdir /hooks \
+    && printf "[pull]\\n    rebase = true\\n[core]\\n    hooksPath = /hooks" > /etc/gitconfig
+COPY --chown=root:root --chmod=555 bin/pre-push.sh /hooks/pre-push
+
 USER 10001
 
 ARG PYTHON_USERNAME
@@ -43,7 +47,6 @@ ENV PATH=${PATH}:/opt/pass-operator/.local/bin
 
 # Set up SSH and install the pass-operator package from my private registry.
 RUN mkdir -p "$HOME"/.local/bin "$HOME"/.ssh "$HOME"/.gnupg \
-    && printf "[pull]\\n    rebase = true" > "$HOME"/.gitconfig \
     && chmod 700 "$HOME"/.gnupg \
     && pip install --upgrade pip \
     && pip install --no-cache-dir --no-input --extra-index-url="${PYTHON_INDEX}" pass-operator=="${PYTHON_PACKAGE_VERSION}"
@@ -61,6 +64,6 @@ ENV OPERATOR_INTERVAL=60 \
     PASS_GIT_BRANCH=main \
     PASS_SSH_PRIVATE_KEY=""
 
-COPY bin/entrypoint.sh /entrypoint.sh
+COPY --chown=operator:operator --chmod=550 bin/entrypoint.sh /entrypoint.sh
 
 ENTRYPOINT [ "/tini", "--", "/entrypoint.sh" ]
diff --git a/bin/pre-push.sh b/bin/pre-push.sh
@@ -0,0 +1,4 @@
+#! /usr/bin/env bash
+# Prevent pushing to any remotes.
+
+/usr/bin/false
diff --git a/helm/operator-crds/values.yaml b/helm/operator-crds/values.yaml
@@ -0,0 +1 @@
+
diff --git a/img/pass-operator-flow.png b/img/pass-operator-flow.png
diff --git a/src/operator/daemon.py b/src/operator/daemon.py
@@ -10,6 +10,7 @@
 from kubernetes import client, config
 from http import HTTPStatus
 from concurrent.futures import ThreadPoolExecutor
+from functools import partial
 from src.operator.git import pull, clone
 from src.operator.utils import LogLevel
 from src.operator.secret import PassSecret, ManagedSecret
@@ -48,6 +49,9 @@ def reconciliation(body: kopf.Body, **_: Any) -> None:
     Reconcile state of a managed secret against the pass store. Update secrets' data if a mismatch
     is found. Kopf timers are triggered on an object-by-object basis, so this method will
     automatically revisit every PassSecret, iff it resides in the same namespace as the operator.
+
+    Args:
+        body [kopf.Body]: raw body of the PassSecret.
     """
 
     # Ensure the GPG key ID in ~/.password-store/${PASS_DIRECTORY}/.gpg-id did not change with the git update.
@@ -293,7 +297,7 @@ def main() -> int:
 
     config.load_incluster_config()
 
-    if not env['PASS_GIT_URL'] :
+    if not env['PASS_GIT_URL']:
         log.error('Must provide a valid git URL (PASS_GIT_URL)')
         sys.exit(1)
 
@@ -345,7 +349,10 @@ def main() -> int:
                 )
             ),
             executor.submit(
-                pull
+                partial(
+                    pull,
+                    daemon=True
+                )
             )
         ]
 

diff --git a/src/operator/git.py b/src/operator/git.py
@@ -8,7 +8,6 @@
 from src.operator import env
 
 import logging
-# import sys
 
 
 log = logging.getLogger(__name__)
@@ -33,12 +32,20 @@ def clone() -> None:
     log.info(f'Successfully cloned repo {env["PASS_GIT_URL"]} to password store {env["PASS_DIRECTORY"]}')
 
 
-def pull() -> None:
+def pull(daemon: bool =False) -> None:
     """
-    Blocking function that runs 'git pull' in the cloned repository, repeatedly.
+    Blocking function that optionally runs 'git pull' in the cloned repository, repeatedly.
+
+    Args:
+        daemon (bool): whether or not to loop on the user-specified OPERATOR_INTERVAL (default: False).
     """
-    while True:
+    if daemon:
+        while True:
+            log.info(f'Updating local password store at "{env["PASS_DIRECTORY"]}"')
+            repo = Repo(env['PASS_DIRECTORY'])
+            repo.remotes.origin.pull()
+            sleep(float(env['OPERATOR_INTERVAL']))
+    else:
         log.info(f'Updating local password store at "{env["PASS_DIRECTORY"]}"')
         repo = Repo(env['PASS_DIRECTORY'])
-        repo.remotes.origin.pull()
-        sleep(float(env['OPERATOR_INTERVAL']))
+        repo.remotes.origin.pull()