
credentials-obfuscation's Introduction

Credential Obfuscator

This is a small library OTP application that acts as a helper. It encrypts and decrypts sensitive data typically stored in process state with a one-off key (key material must be provided on node start). One example of such sensitive data is credentials used to access remote services.

This is necessary to avoid sensitive values being logged when process state is dumped by the Erlang runtime (error_logger).

Note that this application cannot protect against heap dumping attacks and only helps avoid sensitive data appearing in log files.

Supported Erlang/OTP Versions

This library uses the modern crypto API and requires Erlang 23.2 or a later version.

Usage

First, make the credentials_obfuscation application a dependency of your project.

Then, during the start-up of your application, and after the credentials_obfuscation application starts, provide the secret value:

CookieBin = atom_to_binary(erlang:get_cookie(), latin1),
credentials_obfuscation:set_secret(CookieBin)

To use a random value, do the following:

Bytes = crypto:strong_rand_bytes(128),
credentials_obfuscation:set_secret(Bytes)

To encrypt and decrypt a binary or list value:

Encrypted = credentials_obfuscation:encrypt(<<"abc">>).
% => {encrypted,<<"KdH0bP4CYasbA3X79nKShEJhajQ7D7wz1G4yqJmDS4d7zRuuUhAPuQKxdDVgxQtO">>}

credentials_obfuscation:decrypt(Encrypted).
% => <<"abc">>

Lists (char lists in Elixir) will be converted to binaries before encryption. This means that decrypted values will always be returned as binaries.

Lists here mean "byte lists", that is, Unicode characters are not supported. This should still be sufficient for encryption of URIs, generated credentials, and many kinds of sensitive identifiers.
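The start-up sequence and the encrypt/decrypt round trip above, put together as an added example (not code from the library's README): an application callback that provides the secret once, and a worker whose state keeps a remote-service URI only as an {encrypted, _} term, so a crash report or state dump of that process shows ciphertext. The module names my_app and remote_client and the sample URI are assumptions constructed for this example.

```erlang
%% Added example (not credentials_obfuscation's own code): provide the
%% secret at start-up, then keep only ciphertext in process state.

%% ---- file: my_app.erl (assumed application module) ----
-module(my_app).
-behaviour(application).
-export([start/2, stop/1]).

start(_Type, _Args) ->
    %% credentials_obfuscation is listed under applications in my_app.app,
    %% so it is already running here; hand it the key material before
    %% anything calls encrypt/1. crypto:strong_rand_bytes(128) is the
    %% alternative the README shows.
    credentials_obfuscation:set_secret(
        atom_to_binary(erlang:get_cookie(), latin1)),
    remote_client:start_link().

stop(_State) ->
    ok.

%% ---- file: remote_client.erl (assumed worker) ----
-module(remote_client).
-behaviour(gen_server).
-export([start_link/0, uri/0, init/1, handle_call/3, handle_cast/2]).

start_link() ->
    %% Constructed sample credential; in practice read it from config.
    Uri = "amqp://app:s3cret@broker.example.internal:5672/vhost",
    gen_server:start_link({local, ?MODULE}, ?MODULE, Uri, []).

init(Uri) ->
    %% The list is converted to a binary and encrypted; after init/1
    %% returns, the state references only the {encrypted, Bin} term.
    {ok, #{uri => credentials_obfuscation:encrypt(Uri)}}.

%% Callers get the plaintext only for the duration of their own use.
uri() ->
    gen_server:call(?MODULE, uri).

handle_call(uri, _From, #{uri := Enc} = State) ->
    %% decrypt/1 returns a binary even though a list was encrypted.
    {reply, credentials_obfuscation:decrypt(Enc), State}.

handle_cast(_Msg, State) ->
    {noreply, State}.
```

With this layout, sys:get_state(remote_client) and the process's crash reports contain the {encrypted, ...} term rather than the URI with its password.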

License and Copyright

See LICENSE.

(c) 2019-2022 VMware, Inc or its affiliates.


credentials-obfuscation's Issues

Secret is lost when svc process crashes and is restarted

When credentials_obfuscation_svc crashes and is restarted with a fresh state it will have the initial pending-secret. If no caller calls set_secret again (and how would the caller know it should?) it will stay in this state going forward. It can result in:

  • from this point on no data encrypted before the crash can be decrypted
  • exposing this bug #17

What if the secret (and probably other state as well) were stored in persistent_term? encrypt/decrypt could be executed in the calling process, and the gen_server would only be kept for serialising state updates.

This would also prevent the secrets being logged at gen_server crash. Would this hurt observability?

Any feedback is appreciated.

Crash when running application built with OTP 24.0

Hello.
When I'm running my application, which uses credentials_obfuscation, built with OTP 24.0, I get the following error:
16:48:25.658 [error] Supervisor credentials_obfuscation_sup had child credentials_obfuscaton_svc started with credentials_obfuscation_svc:start_link() at undefined exit with reason call to undefined function crypto:hmac(sha256, <<81,199,27,16,7,18,221,254,2,216,92,143,103,242,11,83,157,56,144,201,125,68,144,87,110,238,253,...>>, [<<247,134,149,166,201,240,114,137,102,151,74,75,201,76,117,199>>,<<0,0,0,1>>], 32) in context start_error
In OTP 24.0 the function crypto:hmac was replaced with crypto:mac*: https://github.com/erlang/otp/blob/3a8e65972ac1d0c4ae1412eae2dc2b3e5b3d758d/lib/crypto/src/crypto.erl#L54
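An added example (not credentials_obfuscation's own code) of the replacement the report points to: the failing call crypto:hmac(sha256, Key, [Salt, <<0,0,0,1>>], 32) has the shape of a PBKDF2 block computation, so the same HMAC and a full PBKDF2 derivation are written here against crypto:mac/4 and crypto:macN/5, which exist since OTP 22.1 and are the only HMAC API left in OTP 24. The hash, iteration count and lengths are the caller's choice, not values taken from the library.

```erlang
%% Added example (not credentials_obfuscation's own code): HMAC and PBKDF2
%% written against the crypto:mac API that replaces crypto:hmac in OTP 24.
-module(pbkdf2_mac_example).
-export([hmac_n/4, pbkdf2/5]).

%% Same argument shape as the removed crypto:hmac(Hash, Key, Data, MacLen):
%% the MAC sub-type (hmac) comes first, MacLen is still in bytes.
hmac_n(Hash, Key, Data, MacLen) ->
    crypto:macN(hmac, Hash, Key, Data, MacLen).

%% PBKDF2 (RFC 8018) with HMAC-<Hash>: derive DkLen bytes from Password
%% and Salt using Iterations rounds.
pbkdf2(Hash, Password, Salt, Iterations, DkLen) when Iterations >= 1 ->
    HLen = maps:get(size, crypto:hash_info(Hash)),
    Blocks = (DkLen + HLen - 1) div HLen,
    Derived = << <<(block(Hash, Password, Salt, Iterations, I))/binary>>
                 || I <- lists:seq(1, Blocks) >>,
    binary:part(Derived, 0, DkLen).

%% T_i = U_1 xor U_2 xor ... xor U_c, with U_1 = HMAC(P, S || INT(i)).
%% For i = 1 this U_1 is exactly the call shown in the crash report above.
block(Hash, Password, Salt, Iterations, I) ->
    U1 = crypto:mac(hmac, Hash, Password, [Salt, <<I:32/big>>]),
    xor_rounds(Hash, Password, U1, U1, Iterations - 1).

xor_rounds(_Hash, _Password, _U, Acc, 0) ->
    Acc;
xor_rounds(Hash, Password, U, Acc, N) ->
    Un = crypto:mac(hmac, Hash, Password, U),
    xor_rounds(Hash, Password, Un, crypto:exor(Acc, Un), N - 1).
```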

Add cuttlefish schema

Is your feature request related to a problem? Please describe.

I would like to add a cuttlefish schema file for the credentials_obfuscation application env (enabled, cipher, hash, iterations) so it would be easier to set that config in, say, rabbitmq without using advanced config.

Describe the solution you'd like

Just add the schema file under priv/schema and leave it at that, and let whatever app uses it look there (such as rabbitmq).

Describe alternatives you've considered

No response

Additional context

No response

Remove rebar3_hex plugin from rebar.config

rebar3_hex should not be included as a plugin in rebar.config. See documentation:

NOTE: Be sure not to add rebar3_hex to the plugins section within a project's rebar3 config as this will become a dependency for others downloading your package from hex.pm

Perhaps it should be in project_plugins instead.

ct_run fails to run tests

Describe the bug

Common Test v1.24 starting (cwd is /home/matwey/temp/credentials-obfuscation)

(ct@localhost)1> ct_run -dir /home/matwey/temp/credentials-obfuscation

(ct@localhost)1> 
Common Test: Running make in test directories...
(ct@localhost)1> 
CWD set to: "/home/matwey/temp/credentials-obfuscation/[email protected]_13.38.05"
(ct@localhost)1> 
TEST INFO: 1 test(s), 16 case(s) in 2 suite(s)

(ct@localhost)1> Testing temp.credentials-obfuscation: Starting test, 16 test cases
(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.047973 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.077433 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.106457 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.136398 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
credentials_obfuscation_SUITE:use_cookie_as_secret failed on line 123
Reason: {assertEqual,[{module,...},{...}|...]}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(ct@localhost)1> Testing temp.credentials-obfuscation: *** FAILED test case 5 of 16 ***
(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.194583 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.219100 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
credentials_obfuscation_SUITE:encryption_happens_only_when_secret_available failed on line 171
Reason: {assertEqual,[{module,...},{...}|...]}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.244427 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> Testing temp.credentials-obfuscation: *** FAILED test case 8 of 16 ***
(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.270671 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.297430 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.323089 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.348205 ===
    application: credentials_obfuscation
    exited: stopped
    type: temporary

(ct@localhost)1> =SUPERVISOR REPORT==== 23-Jul-2023::13:38:06.372693 ===
    supervisor: {local,credentials_obfuscation_sup}
    errorContext: start_error
    reason: {badarg,
                [{crypto,cipher_info,1,[{file,"crypto.erl"},{line,831}]},
                 {credentials_obfuscation_pbe,iv_length,1,
                     [{file,"src/credentials_obfuscation_pbe.erl"},
                      {line,126}]},
                 {credentials_obfuscation_pbe,encrypt,5,
                     [{file,"src/credentials_obfuscation_pbe.erl"},{line,76}]},
                 {credentials_obfuscation_svc,check,3,
                     [{file,"src/credentials_obfuscation_svc.erl"},
                      {line,198}]},
                 {credentials_obfuscation_svc,init_state,0,
                     [{file,"src/credentials_obfuscation_svc.erl"},
                      {line,169}]},
                 {gen_server,init_it,2,[{file,"gen_server.erl"},{line,851}]},
                 {gen_server,init_it,6,[{file,"gen_server.erl"},{line,814}]},
                 {proc_lib,init_p_do_apply,3,
                     [{file,"proc_lib.erl"},{line,240}]}]}
    offender: [{pid,undefined},
               {id,credentials_obfuscaton_svc},
               {mfargs,{credentials_obfuscation_svc,start_link,[]}},
               {restart_type,permanent},
               {significant,false},
               {shutdown,5000},
               {child_type,worker}]

(ct@localhost)1> =CRASH REPORT==== 23-Jul-2023::13:38:06.373071 ===
  crasher:
    initial call: application_master:init/4
    pid: <0.295.0>
    registered_name: []
    exception exit: {{shutdown,
                      {failed_to_start_child,credentials_obfuscaton_svc,
                       {badarg,
                        [{crypto,cipher_info,1,
                          [{file,"crypto.erl"},{line,831}]},
                         {credentials_obfuscation_pbe,iv_length,1,
                          [{file,"src/credentials_obfuscation_pbe.erl"},
                           {line,126}]},
                         {credentials_obfuscation_pbe,encrypt,5,
                          [{file,"src/credentials_obfuscation_pbe.erl"},
                           {line,76}]},
                         {credentials_obfuscation_svc,check,3,
                          [{file,"src/credentials_obfuscation_svc.erl"},
                           {line,198}]},
                         {credentials_obfuscation_svc,init_state,0,
                          [{file,"src/credentials_obfuscation_svc.erl"},
                           {line,169}]},
                         {gen_server,init_it,2,
                          [{file,"gen_server.erl"},{line,851}]},
                         {gen_server,init_it,6,
                          [{file,"gen_server.erl"},{line,814}]},
                         {proc_lib,init_p_do_apply,3,
                          [{file,"proc_lib.erl"},{line,240}]}]}}},
                     {credentials_obfuscation_app,start,[normal,[]]}}
      in function  application_master:init/4 (application_master.erl, line 142)
    ancestors: [<0.294.0>]
    message_queue_len: 1
    messages: [{'EXIT',<0.296.0>,normal}]
    links: [<0.294.0>,<0.44.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 610
    stack_size: 28
    reductions: 200
  neighbours:

(ct@localhost)1> =INFO REPORT==== 23-Jul-2023::13:38:06.373718 ===
    application: credentials_obfuscation
    exited: {{shutdown,
                 {failed_to_start_child,credentials_obfuscaton_svc,
                     {badarg,
                         [{crypto,cipher_info,1,
                              [{file,"crypto.erl"},{line,831}]},
                          {credentials_obfuscation_pbe,iv_length,1,
                              [{file,"src/credentials_obfuscation_pbe.erl"},
                               {line,126}]},
                          {credentials_obfuscation_pbe,encrypt,5,
                              [{file,"src/credentials_obfuscation_pbe.erl"},
                               {line,76}]},
                          {credentials_obfuscation_svc,check,3,
                              [{file,"src/credentials_obfuscation_svc.erl"},
                               {line,198}]},
                          {credentials_obfuscation_svc,init_state,0,
                              [{file,"src/credentials_obfuscation_svc.erl"},
                               {line,169}]},
                          {gen_server,init_it,2,
                              [{file,"gen_server.erl"},{line,851}]},
                          {gen_server,init_it,6,
                              [{file,"gen_server.erl"},{line,814}]},
                          {proc_lib,init_p_do_apply,3,
                              [{file,"proc_lib.erl"},{line,240}]}]}}},
             {credentials_obfuscation_app,start,[normal,[]]}}
    type: temporary

(ct@localhost)1> Testing temp.credentials-obfuscation: TEST COMPLETE, 14 ok, 2 failed of 16 test cases

(ct@localhost)1> Updating /home/matwey/temp/credentials-obfuscation/index.html ... (ct@localhost)1> done
(ct@localhost)1> Updating /home/matwey/temp/credentials-obfuscation/all_runs.html ... (ct@localhost)1> done
(ct@localhost)1> 
(ct@localhost)1> 

Reproduction steps

  1. Build the app
  2. Run ct_run -pa path/to/ebin

Expected behavior

Tests pass successfully.

Additional context

No response

(Mix) Could not compile dependency :credentials_obfuscation, "escript.exe

While compiling my project, I am getting this error:

(Mix) Could not compile dependency :credentials_obfuscation, "escript.exe "c:/Users/Syed Muzamil/.mix/rebar3" bare compile --paths="f:/projects_startup/dogehouse/kousa/_build/dev/lib/*/ebin"" command failed. You can recompile this dependency with "mix deps.compile credentials_obfuscation", update it with "mix deps.update credentials_obfuscation" or clean it with "mix deps.clean credentials_obfuscation"
