cyberark / secretless-broker Goto Github PK

View Code? Open in Web Editor NEW

230.0 28.0 42.0 10.55 MB

Secure your apps by making them Secretless

License: Apache License 2.0

Shell 10.31% Go 87.93% Dockerfile 1.22% C++ 0.05% Python 0.49%

secret-management proxy golang kubernetes conjbot-notify conjur-community-team

secretless-broker's Introduction

Secretless Broker
- Supported services
Quick Start
Additional demos
Using Secretless
- Using This Project With Conjur-OSS
- About our releases
Community
Performance
Development
License

Secretless Broker™

Secretless Broker is a connection broker which relieves client applications of the need to directly handle secrets to target services such as databases, web services, SSH connections, or any other TCP-based service.

Secretless is designed to solve two problems. The first is loss or theft of credentials from applications and services, which can occur by:

Accidental credential leakage (e.g. credential checked into source control, etc)
An attack on a privileged user (e.g. phishing, developer machine compromises, etc)
A vulnerability in an application (e.g. remote code execution, environment variable dump, etc)

The second is downtime caused when applications or services do not respond to credential rotation and crash or get locked out of target services as a result.

When the client connects to a target service through the Secretless Broker:

The client is not part of the threat surface

The client/app no longer has direct access to the password, and therefore cannot reveal it.

The client doesn’t have to know how to properly manage secrets

Handling secrets safely involves some complexities, and when every application needs to know how to handle secrets, accidents happen. The Secretless Broker centralizes the client-side management of secrets into one code base, making it easier for developers to focus on delivering features.
The client doesn’t have to manage secret rotation

Secretless is responsible for establishing connections to the backend, and can handle secret rotation in a way that’s transparent to the client.

To provide Secretless access to a target service, a Service Connector implements the protocol of the service, replacing the authentication handshake. The client does not need to know or use a real password to the service. Instead, it proxies its connection to the service through a local connection to Secretless. Secretless obtains credentials to the target service from a secrets vault (such as Conjur, a keychain service, text files, or other sources) via a Credential Provider. The credentials are used to establish a connection to the actual service, and Secretless then rapidly shuttles data back and forth between the client and the service.

Secretless Broker is currently licensed under ASL 2.0

Currently supported services

Secretless supports several target services out of the box, and these include:

MySQL (Socket and TCP)
PostgreSQL (Socket and TCP)
SSH / SSH-Agent (Beta)
HTTP with Basic auth, Conjur, and AWS authorization strategies (Beta)

Support for these services is provided via internal plugins (also referred to as "Service Connectors") that are part of the Secretless binary distribution.

If you want to use Secretless with a target service that is not currently supported, you can use the Secretless Plugin Interface to create Connector Plugins to extend Secretless to support virtually any target service. These external plugins can be integrated in environments using a standard Secretless Broker implementation.

For more information on building a Secretless Connector Plugin please see our documentation, which will walk you through creating a new Connector Plugin using our templates.

Are we missing an internal service connector that you think is important? Are you curious if anyone else has thought of building the service connector you're interested in? Please open a GitHub issue with more information on the connector you'd like, and start the conversation.

For specific guidelines about using a particular service, please see our documentation.

Quick Start

Running the quick start demo requires Docker.

To see the Secretless Broker in action, pull the quick start image:

docker pull cyberark/secretless-broker-quickstart

The quick start image runs the Secretless Broker binary and a few sample target services. The Secretless Broker is configured to retrieve the credentials required to access the services from the process environment. All services are configured to require authentication to access, but we don't know what those credentials are. We can try to access the services, but since we don't know the password our access attempts will fail. But when we try to connect via the Secretless Broker, we will be granted access.

Let's try this with the PostgreSQL server running in the quick start image. We know that the server has been configured with a quickstart database, so let's try to access it.

You can run the Secretless Broker quick start as a Docker container:

$ docker run \
  --rm \
  -p 5432:5432 \
  -p 5454:5454 \
  secretless-broker-quickstart:latest

In a new window, if we try to connect to PostgreSQL directly via port 5432 (guessing at the postgres username), our attempt will fail:

$ psql "host=localhost port=5432 user=postgres dbname=quickstart sslmode=disable"
Password for user postgres:
psql: FATAL:  password authentication failed for user "postgres"

But the Secretless Broker is listening on port 5454, and will add authentication credentials (both username and password) to our connection request and proxy our connection to the PostgreSQL server:

$ psql "host=localhost port=5454 user=postgres dbname=quickstart sslmode=disable"
psql (10.3, server 9.6.9)
Type "help" for help.

quickstart=> \d
                List of relations
 Schema |      Name       |   Type   |   Owner    
--------+-----------------+----------+------------
 public | counties        | table    | secretless
 public | counties_id_seq | sequence | secretless
(2 rows)

quickstart=> select * from counties limit 1;
 id |   name    
----+-----------
  1 | Middlesex
(1 row)

quickstart=>

Success! Smile and grab a 🍪 because it was too easy!

You have just delegated responsibility for managing credentials to a secure process isolated from your app!

Run more Secretless Broker demos

If the PostgreSQL quick start demo piqued your interest, please check out our additional demos where you can try the Secretless Broker with SSH and HTTP Basic Auth.

For an even more in-depth demo, check out our Deploying to Kubernetes demo, which walks you through deploying a sample app to Kubernetes with the Secretless Broker.

Using Secretless

For complete documentation on using Secretless, please see our documentation. The documentation includes comprehensive guides for how to get up and running with Secretless.

Using secretless-broker with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.

About our releases

Docker images

The primary source of Secretless Broker releases is our DockerHub.

Every new GitHub tag (x.y.z) added to the project produces a set of Docker images in DockerHub: (x.y.z, x.y, x, latest). The latest image tag therefore always corresponds to the latest GitHub tag, and the x.y and x tags alway correspond to the latest matching x.y.z image.

GitHub releases

Post-1.0, GitHub releases are created for GitHub tagged versions that have undergone additional quality activities to ensure that Secretless continues to meet its stability requirements. When a GitHub release is created (indicating a new stable Secretless version), an additional Docker image is pushed to DockerHub with the stable tag.

At any given time there is only one Docker image with the stable tag - that of the latest stable release. Older stable versions (v1.0+) can be found on the official GitHub releases page.

Note: the GitHub releases page will also show pre-releases, which have not yet been promoted to stable.

GitHub repository

The code on main in the project's GitHub repository represents the development work done since the previous GitHub tag. It is possible to build Secretless from source (see our contributing guidelines for more info), but for regular use we recommend using the stable Docker image from DockerHub or an official GitHub release.

Stable release definition

Stable components (eg service connectors, credential providers, etc.) of Secretless meet the core acceptance criteria:

The component should perform its functionality transparently to the underlying application
The component must guard against threats from all parts of the STRIDE threat model
Documentation exists that clearly explains how to set up and use the component as well as providing troubleshooting information for anticipated common failure cases
A suite of automated tests that exercise the component exists and provides excellent code coverage

In addition, the following must be true for any stable release:

Secretless has had security review (including static code analysis), and all known high and critical issues have been addressed. Any low or medium issues that have not been addressed have been logged in the GitHub issue backlog with a label of the form security/X
Secretless has undergone STRIDE threat modeling
For use cases involving stable components of Secretless (eg service connectors, credential providers, etc.):
- Secretless is stable while running
  - It does not drop connections while running
  - It can run without failure (eg it can consistently open connections, it maintains existing open connections, etc) for an extended period of time (~4 days)
  - When the Secretless process dies in Kubernetes / OpenShift, the pod is destroyed and rescheduled
- Secretless has minimal impact on connection speeds
  - Request throughput is within 20% of direct-to-DB speed
- Secretless performs under load in a realistic environment (eg deployed to the same pod as an application in Kubernetes or OpenShift)
- Secretless handles connections transparently, so that requests from the client are appropriately transmitted to the server and messages from the server are propagated back to the client
Secretless is easy to set up, and adding the configured Secretless Broker sidecar to your application takes less than 30 minutes
Secretless is clear about known limitations

Community

Our primary channel for support is through our Secretless Broker Discourse. More info here: community support

Performance

Using the Secretless Broker reduces the transaction throughput by about 25% on Postgresql. Once the connection to the backend database is established, the Secretless Broker runs 2 goroutines - one reads from the client and writes to the server, the other reads from the server and writes to the client. It's as simple as this:

    go stream(self.Client, self.Backend)
    go stream(self.Backend, self.Client)

Here is some performance data created by running pgbench with the client, the Secretless Broker and database running on a single machine (2017 MacBook Pro with 2.3 GHz Intel Core i5) where the database is running in Docker.

Directly to the database:

$ PGPASSWORD=mysecretpassword PGSSLMODE=disable pgbench -h localhost -U postgres -p 5432 -T 10 -c 12 -j 12 postgres
starting vacuum...end.
transaction type: <builtin: TPC-B (sort of)>
scaling factor: 1
query mode: simple
number of clients: 12
number of threads: 12
duration: 10 s
number of transactions actually processed: 2733
latency average = 44.167 ms
tps = 271.696057 (including connections establishing)
tps = 272.924176 (excluding connections establishing)

Through the secretless-broker proxy:

$ PGSSLMODE=disable pgbench -h localhost -U postgres -p 4321 -T 10 -c 12 -j 12 postgres
starting vacuum...end.
transaction type: <builtin: TPC-B (sort of)>
scaling factor: 1
query mode: simple
number of clients: 12
number of threads: 12
duration: 10 s
number of transactions actually processed: 2459
latency average = 49.034 ms
tps = 244.727719 (including connections establishing)
tps = 248.327635 (excluding connections establishing)

From the results above, you can see 9% fewer tps (even including establishing connections) via the Secretless Broker.

To run this test yourself, you can start PostgreSQL by running

docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d -p 5432:5432 postgres:9.3

Write a secretless.yml file that includes:

version: "2"
services:
  pg-db:
    connector: pg
    listenOn: tcp://0.0.0.0:4321
    credentials:
      host: localhost
      username: postgres
      password: mysecretpassword
      sslmode: disable

and run Secretless:

$ ./bin/build_darwin # to build the OSX binary
$ ./dist/darwin/amd64/secretless-broker -f secretless.yml

Initialize pgbench by running

PGPASSWORD=mysecretpassword pgbench -i -h localhost -U postgres -p 5432

and run the tests as above.

Development

We welcome contributions of all kinds to Secretless Broker. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide. This document includes guidelines for writing plugins to extend the functionality of Secretless Broker.

License

The Secretless Broker is licensed under Apache License 2.0 - see LICENSE for more details.

secretless-broker's People

Contributors

Stargazers

Watchers

secretless-broker's Issues

Use a dot foo.bar scheme to access nested data from HashiCorp Vault

For example, suppose there is a secret called aws/credentials which returns a JSON object:

{
  "access_key_id": <val1>,
  "secret_access_key": <val2>
}

The access key would be referenced as aws/credentials#access_key_id

Manager plugins can manipulate the secretless configuration

GIVEN the secretless manager plugin receives a configuration from the server
THEN the plugin can pass the configuration to secretless
AND the remote configuration is used
AND the -f argument need not be supplied

Add unit tests for temp_factory.go

It would be good to have some test coverage of this package.

Provider returns a []byte or map[string]interface{}

To support plucking data out of a secret map (e.g. HashiCorp Vault secret), a provider may return either a byte array or a map.

Move Variable data access implementations to Providers

Currently, Secretless variables such as handler configuration and provider credentials can be obtained from Variables or Providers. Variables and Providers serve a similar purpose and should be consolidated, so that there is just one way to access external data from within the Secretless code base.

startup hiccups

error on dep ensure in ./build/build_darwin.sh, need to doc as dependency
"brew install dep" remediates
GOPATH error
$ ./build/build_darwin.sh
- dep ensure
  /Users/josephhunt/Conjur/secretless is not within a known GOPATH/src
GOROOT also needs to be set?
$ go build ./cmd/secretless
cmd/secretless/main.go:8:2: cannot find package "github.com/conjurinc/secretless/internal/app/secretless" in any of:
/usr/local/Cellar/go/1.9.3/libexec/src/github.com/conjurinc/secretless/internal/app/secretless (from $GOROOT)
/Users/josephhunt/Conjur/secretless/src/github.com/conjurinc/secretless/internal/app/secretless (from $GOPATH)
cmd/secretless/main.go:7:2: cannot find package "github.com/conjurinc/secretless/pkg/secretless/config" in any of:
/usr/local/Cellar/go/1.9.3/libexec/src/github.com/conjurinc/secretless/pkg/secretless/config (from $GOROOT)
/Users/josephhunt/Conjur/secretless/src/github.com/conjurinc/secretless/pkg/secretless/config (from $GOPATH)

Update README to include more details

The README should be updated to define more clearly the purpose of the project and the definitions of key terms (handler, listener, provider, etc). It should include an architectural diagram and links to sources of other relevant information (license, website (when avail.), contributing info (when avail.), etc).

Fix broken test logic on Jenkins

Occasionally, Jenkins tests fail but they proceed like there was no failures (see here).

AC:

If tests on Jenkins fail, fail the whole test suite

Listener/handler has an easy way to interface with plugins

and ideally forced.

Add contribution guide

Update the project to include a contribution guide. May use the Conjur contribution guide as a model.

Secretless has CI pipeline

Run config_test.go as part of build/test.sh

MySQL Handler accepts random username

GIVEN I connect to MySQL via Secretless via a MySQL client
AND I give the client and incorrect username / password
AND I have configured Secretless to inject the correct credentials
THEN the MySQL client connects to the MySQL server via Secretless

secrets.yml should not require full Conjur ids

The short-form variable names (e.g. db/password) should be valid in Summon's secrets.yml.

Short-form variable names should be automatically converted to <org-account>:variable:<variable-id>.

The `.sh` suffix is removed from the bash scripts

All bash scripts in the repo that currently end with .sh should be updated to remove the suffix, as per the Google shell style guide. This will require updating scripts that reference other scripts and updating relevant documentation.

Plugin interface receives config

Plugins need access to the secretless config. It may be easiest to pass through a config.Config object and add a String() method which returns the original yaml.

MySQL Handler has protocol test suite

MySQL Handler returns useful error messages

GIVEN I try to connect to MySQL with Secretless configured with an invalid username / password
THEN the connection should fail
AND the error code should be Error: 1045 SQLSTATE: 28000 (ER_ACCESS_DENIED_ERROR)

GIVEN I try to connect to MySQL with Secretless configured with an invalid MySQL host / port
THEN the connection should fail
AND the error code should be Error: 2005 SQLSTATE: HY000 (CR_UNKNOWN_HOST)

Handlers and listeners loaded via plugin are able to be used

GIVEN a plugin containing a listener and handler
AND a secretless.yml references the plugins listener/handler
THEN secretless is able to serve the configuration

Depends on #64.

MySQL Handler supports TCP connections

config.yaml is optional for Summon2

AWS handler has test suite with documentation

The AWS handler test directory is updated to include basic tests, a README, and a script to run a dev environment.

Config file parsing provides better errors and feedback

Unrecognized hash keys are no longer silently ignored.
A set of test cases verify the parse errors.

Provide a global Debug setting

Setting debug: true in the config file should result in all debug info being printed.

Add license info

Update the project to include license information.

Resolve providers on-demand

Providers should not have to be declared in the config file.

For example, if a handler config references the conjur provider, then instantiate the provider and let it configure automatically from the environment and Conjur config files.

define and create new Summon format (post secretsyml)

an extensible syntax is required to support new use cases for providers.

create a comprehensive list of enhancements
define the new format
implement it

notes:

see https://docs.google.com/document/d/1MC8moUq8JrAEupKFURRxEq2FHiO1vqT_uN5a51_rJzY/edit

kevin -
We need to think about whether we will update secrets.yml in a backwards compatible way, or design a new format. There are now a lot more YAML formats out there, such as docker-compose and Kubernetes, in addition to Ansible. secrets.yml is looking kind of non-standard and we may want to think about changing the way it works in a fairly fundamental way so that it feels more familiar to users of other tools. For example, dropping the special behavior of tags.

Instructions are available for using Secretless on Mac for SSH and Conjur proxy

On a Mac, a developer has simple instructions for running Secretless in such a way that:

SSH key and Conjur API key are stored in the Keychain.
SSH access uses Secretless.
Conjur CLI commands are proxied through Secretless.

Client plugin retries Connect RPC on request timeout

use viper for standardised configuration (12 factor)

consider using https://github.com/spf13/cobra for the CLI and https://github.com/spf13/viper.

viper would DRY out some of the 12-factor configuration implementation

Build script currently not working for darwin or windows

The ./build/build.sh is failing to build new binaries for Darwin or Windows. It does successfully build binaries for linux/386 and linux/amd64.

Running ./build/build_darwin.sh successfully builds the darwin/amd64 binaries, but since the goal was to have a single script that built all of the binaries, it would be great to get build.sh working.

Optimize building process(es) in secretless

Some optimizations can be done on various parts of the build process here

AC:

Faster builds for secretless project

Fix build scripts of secretless

Currently builds of secretless are silently failing when building so we need to fix this up so that at least we get errors bubbling up

AC:

Build errors stop the build
(Optional) Build errors are listed in a grouping at the end of build.

Database handlers close connections cleanly

GIVEN that I am connecting to a MySQL or pg server via Secretless
WHEN the Secretless process is stopped
THEN the DB client should be notified that the connection has closed

Add Bootstrap4 to the pet store demo

Current UI needs snazzing up. Bootstrap4 will give us that with minimal effort.

AC:

UI in the demo is reworked to use Bootstrap4

Database handlers connect to backend servers via SSL

Overview

GIVEN I connect to pg or MySQL via Secretless over TCP or Unix socket
THEN Secretless connects with the pg or MySQL backend by sending an an SSL request before sending the handshake response packet (for MySQL, as described in the MySQL protocol docs)

As part of this update, the disclaimer on the pg/MySQL handler pages on the website should be removed.

Story Breakdown

Parent of #460 - A plan exists for updating the database handlers to use SSL for the backend connections
Parent of #533 - Postgres Handler supports TLS defaulting to sslmode=require
Parent of #534 - MySQL Handler supports TLS defaulting to sslmode=require
Parent of #543 - Modify demos to accommodate default TLS requirements for database handlers
Parent of #538 - MySql docs explain TLS options clearly
Parent of #537 - Postgres docs explain all TLS options clearly
Parent of #536 - Mysql handler supports sslrootcert and sslmode up to verify-ca
Parent of #535 - Postgres handler supports sslrootcert and sslmode up to verify-ca

Planned future work:

#548 - pg / mysql handler supports sslmode=verify-full
#549 - pg / mysql handler supports private-key pair as sslkey and sslcert

Plan

Downstream TLS Support for Database Handlers

MySQL Handler allows client to skip password

GIVEN that a MySQL client tries to connect to a MySQL server via Secretless
AND the MySQL client does not require a password
AND the connection request is made without including a password
THEN Secretless can successfully open the connection

Provide a more flexible way to access specific data from Vault secrets

The datatype returned by Vault is interface{}, which makes it somewhat complex to obtain a specific data item from a Vault secret. Currently, the secret data in Vault is required to be a Map which contains a "password" entry.

Relax this restriction by providing a configurable way to specify what data from the Vault secret will be returned by the Provider.

Summon provider option is required

Summon2 requires the -provider, -p option, or the SUMMON_PROVIDER env var.

Application instances listed in application view

GIVEN an instance running a particular application
AND I view the page for that application
THEN the instance is listed for that application

Secretless has documentation on handlers

Instructions are available for using Secretless on a Jenkins executor for SSH and AWS proxy

On a Jenkins executor, a CI admin has simple instructions for running Secretless in such a way that:

SSH key and Conjur API key are stored in files accessible only to root.
SSH access uses Secretless.
AWS CLI commands are proxied through Secretless.

Optimize secretless test builds

Current test runs could be faster if we use Docker in a bit of a more optimized fashion.

AC:

Tests for Secretless are optimized for Docker

There is a guide to contributing a provider or handler

There exists documentation which clearly describes how to contribute a provider or handler, including the "definitive guide" to the interfaces

UI does not show indications of failure to connect to backend service

Currently, when UI is started, it gives no indication that the connection to the backend server could be failing but the dev console shows the failing attempts.

AC:

UI shows some sort of indication that the backend connection to the server is failing if it cannot reach it.

Review and update the RDS demo

The syntax of some of the files in the RDS demo is out of date. Review and update them.

Change and standardize the location of the config file

Secretless is currently picking up configuration from ./config.yaml.

This is too generic of a file name, and having the config file be found in the working directory is non-standard.

Have it use something like ~/.conjur/secretless.yml, /etc/conjur/secretless.yml, overridden with SECRETLESSRC.

Similarly, Summon can default to ~/.conjur/secrets.yml, /etc/conjur/secrets.yml. The provider name would be passed as a CLI flag or picked up from SUMMON_PROVIDER env var.