Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(authx): SOPS integration #5841

Open
wants to merge 4 commits into
base: dev
Choose a base branch
from

Conversation

dwisiswant0
Copy link
Member

@dwisiswant0 dwisiswant0 commented Nov 20, 2024

Proposed changes

Close #5840

Note

github.com/getsops/sops/v3 requires go >= 1.22.

How has this been tested?

1. Build

gh pr checkout 5841
make build

2. Test

$ gpg --import pkg/authprovider/authx/testData/private.asc
$ go test -v -race -run ^TestSecretsUnmarshal$ github.com/projectdiscovery/nuclei/v3/pkg/authprovider/authx
=== RUN   TestSecretsUnmarshal
=== RUN   TestSecretsUnmarshal/encrypted
--- PASS: TestSecretsUnmarshal (0.02s)
    --- PASS: TestSecretsUnmarshal/encrypted (0.01s)
PASS
ok  	github.com/projectdiscovery/nuclei/v3/pkg/authprovider/authx	1.191s

3. Proof

With encrypted values:

$ ./bin/nuclei -secret-file pkg/authprovider/authx/testData/example-auth.enc.yaml -t test.yaml -u http://scanme.sh -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.6

		projectdiscovery.io

[INF] Current nuclei version: v3.3.6 (latest)
[INF] Current nuclei-templates version: v10.0.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 74
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [test] Dumped HTTP request for http://scanme.sh/

GET / HTTP/1.1
Host: scanme.sh
User-Agent: Mozilla/5.0 (Knoppix; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/********* Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic dGVzdDp0ZXN0
Cookie: PHPSESSID=1a2b3c4d5e6f7g8h9i0j
Accept-Encoding: gzip

[INF] No results found. Better luck next time!

Regular secret file (non-encrypted):

$ ./bin/nuclei -secret-file pkg/authprovider/authx/testData/example-auth.yaml -t test.yaml -u http://scanme.sh -debug-req

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.6

		projectdiscovery.io

[INF] Current nuclei version: v3.3.6 (latest)
[INF] Current nuclei-templates version: v10.0.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 74
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [test] Dumped HTTP request for http://scanme.sh/

GET / HTTP/1.1
Host: scanme.sh
User-Agent: Mozilla/5.0 (Fedora; Linux i686; rv:127.0) Gecko/20100101 Firefox/127.0
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic dGVzdDp0ZXN0
Cookie: PHPSESSID=1a2b3c4d5e6f7g8h9i0j
Accept-Encoding: gzip

[INF] No results found. Better luck next time!

4. Cleanup

gpg --delete-secret-keys C6C11FC4DA74DC979109CBD48EB7405A1F8D1930
gpg --delete-key C6C11FC4DA74DC979109CBD48EB7405A1F8D1930

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Copy link
Member

@tarunKoyalwar tarunKoyalwar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm !

suggesting minor changes

  • fix gh workflows ( probably because we need to bump go version in workflows)
  • update version in dockerfile and docs
  • add documentation related to entire lifecycle ( creating secrets file -> encrypting it -> passing it to nuclei ) [update at docs.projectdiscovery.io ]
  • (optional) remove json supports from secrets file ( while there is no real reason behind not supporting it , its just that we have sticked to using yaml and we haven't seen a requirements from user about requiring json )

@dwisiswant0
Copy link
Member Author

dwisiswant0 commented Nov 21, 2024

  • fix gh workflows ( probably because we need to bump go version in workflows)

nah, this is likely because we’re using a deprecated package (ast.Package). On the workflow side, nothing needs to be changed since it automatically follows the go.mod version. This package is used in bindgen. Can you help handle this?

Signed-off-by: Dwi Siswanto <git@dw1.io>
Signed-off-by: Dwi Siswanto <git@dw1.io>
Signed-off-by: Dwi Siswanto <git@dw1.io>
Signed-off-by: Dwi Siswanto <git@dw1.io>
@dwisiswant0 dwisiswant0 force-pushed the dwisiswant0/feat/authx/sops-integration branch from e5bf3ff to 5e2d140 Compare November 21, 2024 17:10
Copy link
Member

@dogancanbakir dogancanbakir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - a follow up ticket is needed in pd/docs to add examples for other supported methods like aws kms, azure key vault, hashicorp vault, so on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[FEATURE] Integrate Secret File with SOPS
3 participants