heroku / roadmap

This is the public roadmap for Salesforce Heroku services.

Deploy permissions should not give access to addons #105

Open joshuacullenlux opened 1 year ago

joshuacullenlux commented 1 year ago

Required Terms

What service(s) is this request for?

Security, Postgres, Addons

Tell us about what you're trying to solve. What challenges are you facing?

There is a major security issue with deploy permissions and addons. The best example is PostgreSQL addons. 

If you give a user deploy access then they get full access to the addon. They are able to connect to the database with full read/write permissions. 

We should be able to give a user deploy permissions but restrict access to sensitive addons like private databases.
afawcett commented 1 year ago

Thanks for raising this @joshuacullenlux - @andre5oto is working on understanding the design for this and thus the effort involved in the future roadmap.

andre5oto commented 1 year ago

Appreciate all the 👍’s. @joshuacullenlux and community, we are putting together a requirements doc and use cases like this are very helpful. We have identified and are considering focal points in our approach to delineate these capabilities for the deploy and operate app permissions:

  1. Separate capabilities to push code and read/write config vars

  2. Separate capabilities to push code and manage non-paid Add-ons

  3. Separate capabilities to view/manage logs and read/write config vars

Please tell us what you think about this approach. Let us know if there are other use cases we should consider.

chillu commented 1 year ago

We're also quite worried about this, in a context of API tokens stored in CI - see my comment on Access Tokens v2.

A limited deployer role also shouldn't be able to read config vars, otherwise they can just get database access through the DATABASE_URL provided by Postgres addon. And of course they shouldn't be allowed heroku exec (since the app execution context naturally has access to all of these).

We're doing container deploys (heroku container:push), can you please ensure that's accounted for under the "release" use case?

I would consider this a baseline feature for Heroku users, rather than having essential security locked away in Heroku Enterprise.

andre5oto commented 1 year ago

Update: we have begun internal testing on a feature to mask sensitive config var values for Heroku PG and Redis add-ons. We will be introducing a pilot soon where customers can participate and test this feature.
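
The masking described in this update, and the DATABASE_URL exposure chillu raises above, can be illustrated with a small added example. This is not Heroku's code and not part of the thread: it takes a plain dict of config var names to values (for instance the output of `heroku config --json`, which is assumed here to produce a flat JSON object) and hides the user:password part of add-on connection strings before they are printed or logged, so a CI job or a deploy-only operator sees where a database lives without seeing its credentials. The rule for which var names count as sensitive is a constructed heuristic, not Heroku's own list.

```python
"""Mask credentials embedded in add-on connection-string config vars.

Added example, not Heroku's code. Assumes config vars arrive as a flat
dict of name -> string value; the sensitivity heuristic below is constructed.
"""
import json
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed heuristic: names that match exactly, or end in one of these
# suffixes, are treated as connection strings that may embed credentials.
SENSITIVE_EXACT = {"DATABASE_URL", "REDIS_URL", "REDIS_TLS_URL"}
SENSITIVE_SUFFIXES = ("_URL", "_URI", "_DSN")
REDACTED = "<redacted>"

# Constructed sample values; none of these are real hosts or passwords.
SAMPLE_CONFIG = {
    "DATABASE_URL": "postgres://u1abc:s3cretpass@ec2-1-2-3-4.compute-1.amazonaws.com:5432/d9xyz",
    "REDIS_URL": "redis://:p4ssw0rd@ec2-5-6-7-8.compute-1.amazonaws.com:6379",
    "API_BASE_URL": "https://api.example.com/v1",
    "SECRET_API_DSN": "tok_constructed_123",
    "LOG_LEVEL": "info",
}


def is_sensitive_name(name: str) -> bool:
    """True if the var name looks like it holds a connection string or secret."""
    upper = name.upper()
    return upper in SENSITIVE_EXACT or upper.endswith(SENSITIVE_SUFFIXES)


def mask_value(value: str) -> str:
    """Hide the userinfo of a URL; fully redact values that are not URLs.

    A URL that carries no embedded credential (e.g. an https API base URL)
    is returned unchanged, because the host and path are not secrets.
    """
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return REDACTED  # opaque token rather than a URL: nothing safe to show
    if parts.username is None and parts.password is None:
        return value  # URL without credentials: safe to show as-is
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return REDACTED  # do not try to rebuild a malformed URL
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"***:***@{host}" + (f":{port}" if port is not None else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def mask_config(config: dict) -> dict:
    """Return a copy of the config with sensitive values masked; others untouched."""
    return {
        name: mask_value(value) if is_sensitive_name(name) else value
        for name, value in config.items()
    }


if __name__ == "__main__":
    # Usage: python mask_config.py < config.json   (or run with no stdin to use the sample)
    config = SAMPLE_CONFIG if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(mask_config(config), indent=2, sort_keys=True))
```

Masking at display time is a mitigation for log and CI exposure only; it does not change who can read the raw value through the API, which is the access-control separation the rest of the thread asks for.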

andre5oto commented 7 months ago

Latest update: https://github.com/heroku/roadmap/issues/24#issuecomment-1899359710

andre5oto commented 3 months ago

Limited pilot announced in #24 for Write-Only Config Vars to solve for this issue. Sign up form included.