iterative / terraform-provider-iterative

☁️ Terraform plugin for machine learning workloads: spot instance recovery & auto-termination | AWS, GCP, Azure, Kubernetes
https://registry.terraform.io/providers/iterative/iterative/latest/docs
Apache License 2.0

Encrypt credentials with sealed box #721

Closed 0x2b3bfa0 closed 1 year ago

0x2b3bfa0 commented 1 year ago

Client-side example

<!DOCTYPE html>
<html>
  <head>
    <title>Credentials</title>
    <script
      src="https://cdnjs.cloudflare.com/ajax/libs/libsodium-wrappers/0.5.4/sodium.min.js"
      referrerpolicy="no-referrer"
    ></script>
    <script>
      async function doSomething() {
        const credentials = window.localStorage.getItem("leo-credentials");
        const response = await fetch("/something", { headers: { credentials } });
        alert(await response.json());
      }

      async function getServerPublicKey() {
        const { key } = await fetch("/key").then((response) => response.json());
        return key;
      }

      async function encryptAndSave(form) {
        const fields = { aws: Object.fromEntries(new FormData(form)) };
        form.reset();

        // libsodium-wrappers loads asynchronously; wait until it is usable.
        await sodium.ready;

        const message = JSON.stringify(fields);
        const recipient = sodium.from_base64(await getServerPublicKey());
        // Sealed box: only the holder of the server's private key can open it.
        const encrypted = sodium.crypto_box_seal(message, recipient);
        const encoded = sodium.to_base64(encrypted);

        window.localStorage.setItem("leo-credentials", encoded);
      }
    </script>
  </head>
  <body>
    <form onsubmit="event.preventDefault(); encryptAndSave(this);">
      <input name="access-key-id" placeholder="AWS_ACCESS_KEY_ID" />
      <input name="secret-access-key" placeholder="AWS_SECRET_ACCESS_KEY" />
      <input name="session-token" placeholder="AWS_SESSION_TOKEN" />
      <input type="submit" value="Save" />
      <input type="button" value="Run" onclick="doSomething();" />
    </form>
  </body>
</html>
0x2b3bfa0 commented 1 year ago

Outdated comment: after watching the recording of the #studio backend meeting, this pull request is absolutely required.

@tasdomas, wrote this ~out of sheer boredom~ to address https://github.com/iterative/terraform-provider-iterative/pull/708#issuecomment-1303654847; feel free to take a look if you deem it useful

dacbd commented 1 year ago

@0x2b3bfa0 can you save me some googling and share a cli example of wrapping the credentials?

0x2b3bfa0 commented 1 year ago

@dacbd, I'm afraid there is no easy command-line tool to do that; even GitHub documentation points users to sesquipedalian code snippets. Here's a code-golfed version:

$ pip install pynacl
$ <credentials.json>credentials.b64 python -c 'import base64,sys,nacl.public,nacl.encoding;print(base64.b64encode(nacl.public.SealedBox(nacl.public.PublicKey(sys.argv[1],nacl.encoding.Base64Encoder)).encrypt(sys.stdin.buffer.read())).decode())' $(curl -s localhost:8080/key|jq -r .key)
$ http POST localhost:8080/tasks -A bearer -a $(cat credentials.b64) < request.json
0x2b3bfa0 commented 1 year ago

Moved permanently to https://github.com/iterative/leo-server/pull/9