chef-boneyard / chef-client

Development repository for Chef Client cookbook
http://supermarket.chef.io/cookbooks/chef-client
Apache License 2.0

rubygem_url attribute needs a way to pass credential securely #696

Closed haidangwa closed 3 years ago

haidangwa commented 4 years ago

We have a requirement for a private Gems repository. This repository requires authentication be passed. node['chef_client']['config']['rubygems_url'] is the only way to set the rubygems URL. It appears that the only way to embed credentials to access the gems repo is to include it as part of the URL. However, we also can't save the credentials in node attributes for security purposes. The current mechanism we have would require us to write a routine to scrub the node attribute at the end of the chef run to ensure it doesn't get persisted when node.save is executed.

antima-gupta commented 3 years ago

@haidangwa I am not able to understand how this rubygems_url works in this chef-client repo. Could you please give me the steps to reproduce the issue?

I have tried the following steps:

As per the issue description, we should pass the private Gems repository credential securely. I am not sure, but I guess we need to set the credential in such a way that, if rubygems_url has the credential as part of the gems repo URL, it is not displayed in the logs.

Please correct me if it is wrong.

antima-gupta commented 3 years ago

@haidangwa Could you please get back to me on this?

antima-gupta commented 3 years ago

@haidangwa Could you please revert back to me on this?

haidangwa commented 3 years ago

@antima-gupta

The setting is regarding the rubygems_url property that is documented by Chef regarding the client.rb:

rubygems_url: The location to source rubygems. It can be set to a string or array of strings for URIs to set as rubygems sources. This allows individuals to set up an internal mirror of rubygems for “airgapped” environments. Default value: https://www.rubygems.org. If a source is specified in either gem_package or chef_gem resources it will be added to the values provided here.

This cookbook allows for setting this property in a Chef Infra Client's client.rb, but only via a cookbook attribute. A node/cookbook attribute is stored on the chef server in plain text; thus, it is a security issue if we need to provide login credentials to the Rubygems repo. For example, if said rubygems repo is a private mirror, which is the case that I'm in, this value is stored as something like https://myuser:mypass@private.rubygems.repo. Today, we have a wrapper that scrubs the node attributes before the node data is uploaded back to the chef server at the end of the chef run.

Blacklisting the attribute is an option, but I tend to think this cookbook could use an encrypted data bag to securely store the value instead.

tas50 commented 3 years ago

For this you'll really want to use the chef_client_config resource in newer versions of Chef Infra Client 16. Since this is a resource, you can source the values you pass into the properties from anywhere, including secure storage locations like Vault.

dheerajd-msys commented 3 years ago

Hi @haidangwa, please use the chef_client_config resource as mentioned in the above comment. Based on this, closing this issue for now.

haidangwa commented 3 years ago

chef_client_config is only available for Chef Infra 16.6 and newer. We have Chef 15 clients that will not be able to use this. Also, the root of the issue (maybe it's a different issue), is that the credentials have to be embedded in the client.rb.

haidangwa commented 3 years ago

This is a related issue in Chef infra core: https://github.com/chef/chef/issues/10985