Do not expose cluster token

This commit: - Removes Copy and Show buttons from the Kubernetes cluster details page - Still allows to set a new token

Do not expose cluster token
This commit: - Removes Copy and Show buttons from the Kubernetes cluster details page - Still allows to set a new token
5fd90b97 · Mikhail Mazurskiy · 796a4f4c · 5fd90b97 · 5fd90b97 · 5fd90b97
Commit 5fd90b97 authored May 06, 2020 by Mikhail Mazurskiy
9 changed files
--- a/app/assets/javascripts/clusters/clusters_bundle.js
+++ b/app/assets/javascripts/clusters/clusters_bundle.js
@@ -108,7 +108,6 @@ export default class Clusters {
    });

    this.installApplication = this.installApplication.bind(this);
-    this.showToken = this.showToken.bind(this);

    this.errorContainer = document.querySelector('.js-cluster-error');
    this.successContainer = document.querySelector('.js-cluster-success');
@@ -119,7 +118,6 @@ export default class Clusters {
    );
    this.errorReasonContainer = this.errorContainer.querySelector('.js-error-reason');
    this.successApplicationContainer = document.querySelector('.js-cluster-application-notice');
-    this.showTokenButton = document.querySelector('.js-show-cluster-token');
    this.tokenField = document.querySelector('.js-cluster-token');
    this.ingressDomainHelpText = document.querySelector('.js-ingress-domain-help-text');
    this.ingressDomainSnippet =
@@ -258,7 +256,6 @@ export default class Clusters {
  }

  addListeners() {
-    if (this.showTokenButton) this.showTokenButton.addEventListener('click', this.showToken);
    eventHub.$on('installApplication', this.installApplication);
    eventHub.$on('updateApplication', data => this.updateApplication(data));
    eventHub.$on('saveKnativeDomain', data => this.saveKnativeDomain(data));
@@ -275,7 +272,6 @@ export default class Clusters {
  }

  removeListeners() {
-    if (this.showTokenButton) this.showTokenButton.removeEventListener('click', this.showToken);
    eventHub.$off('installApplication', this.installApplication);
    eventHub.$off('updateApplication', this.updateApplication);
    eventHub.$off('saveKnativeDomain');
@@ -344,18 +340,6 @@ export default class Clusters {
    }
  }

-  showToken() {
-    const type = this.tokenField.getAttribute('type');
-
-    if (type === 'password') {
-      this.tokenField.setAttribute('type', 'text');
-      this.showTokenButton.textContent = s__('ClusterIntegration|Hide');
-    } else {
-      this.tokenField.setAttribute('type', 'password');
-      this.showTokenButton.textContent = s__('ClusterIntegration|Show');
-    }
-  }
-
  hideAll() {
    this.errorContainer.classList.add('hidden');
    this.successContainer.classList.add('hidden');

--- a/app/services/clusters/update_service.rb
+++ b/app/services/clusters/update_service.rb
@@ -10,6 +10,12 @@ module Clusters

    def execute(cluster)
      if validate_params(cluster)
+        token = params.dig(:platform_kubernetes_attributes, :token)
+
+        if token.blank?
+          params[:platform_kubernetes_attributes]&.delete(:token)
+        end
+
        cluster.update(params)
      else
        false

--- a/app/views/clusters/clusters/_provider_details_form.html.haml
+++ b/app/views/clusters/clusters/_provider_details_form.html.haml
@@ -25,16 +25,10 @@
    label: s_('ClusterIntegration|CA Certificate'), label_class: 'label-bold',
    input_group_class: 'gl-field-error-anchor', append: copy_ca_cert_btn

-    - show_token_btn = (platform_field.button s_('ClusterIntegration|Show'),
-      type: 'button', class: 'js-show-cluster-token btn btn-default')
-    - copy_token_btn = clipboard_button(text: platform.token, title: s_('ClusterIntegration|Copy Service Token'),
-      class: 'input-group-text btn-default') if cluster.read_only_kubernetes_platform_fields?
-
-    = platform_field.text_field :token, type: 'password', class: 'js-select-on-focus js-cluster-token',
-    required: true, title: s_('ClusterIntegration|Service token is required.'),
-    readonly: cluster.read_only_kubernetes_platform_fields?,
-    label: s_('ClusterIntegration|Service Token'), label_class: 'label-bold',
-    input_group_class: 'gl-field-error-anchor', append: show_token_btn + copy_token_btn
+    = platform_field.password_field :token, type: 'password', class: 'js-select-on-focus js-cluster-token',
+    readonly: cluster.read_only_kubernetes_platform_fields?, autocomplete: 'new-password',
+    label: s_('ClusterIntegration|Enter new Service Token'), label_class: 'label-bold',
+    input_group_class: 'gl-field-error-anchor'

    = platform_field.form_group :authorization_type do
      = platform_field.check_box :authorization_type, { disabled: true, label: s_('ClusterIntegration|RBAC-enabled cluster'),

--- a/changelogs/unreleased/security-do-not-expose-kubernetes-token.yml
+++ b/changelogs/unreleased/security-do-not-expose-kubernetes-token.yml
+---
+title: Kubernetes cluster details page no longer exposes Service Token
+merge_request:
+author:
+type: security
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -4592,9 +4592,6 @@ msgstr ""
 msgid "ClusterIntegration|Copy Kubernetes cluster name"
 msgstr ""

-msgid "ClusterIntegration|Copy Service Token"
-msgstr ""
-
 msgid "ClusterIntegration|Could not load IAM roles"
 msgstr ""

@@ -4673,6 +4670,9 @@ msgstr ""
 msgid "ClusterIntegration|Enabled stack"
 msgstr ""

+msgid "ClusterIntegration|Enter new Service Token"
+msgstr ""
+
 msgid "ClusterIntegration|Enter the details for your Amazon EKS Kubernetes cluster"
 msgstr ""

@@ -4754,9 +4754,6 @@ msgstr ""
 msgid "ClusterIntegration|Helm streamlines installing and managing Kubernetes applications. Tiller runs inside of your Kubernetes Cluster, and manages releases of your charts."
 msgstr ""

-msgid "ClusterIntegration|Hide"
-msgstr ""
-
 msgid "ClusterIntegration|If you are setting up multiple clusters and are using Auto DevOps, %{help_link_start}read this first%{help_link_end}."
 msgstr ""

@@ -5147,9 +5144,6 @@ msgstr ""
 msgid "ClusterIntegration|Set the global mode for the WAF in this cluster. This can be overridden at the environmental level."
 msgstr ""

-msgid "ClusterIntegration|Show"
-msgstr ""
-
 msgid "ClusterIntegration|Something went wrong on our end."
 msgstr ""


--- a/spec/features/groups/clusters/user_spec.rb
+++ b/spec/features/groups/clusters/user_spec.rb
@@ -39,7 +39,7 @@ describe 'User Cluster', :js do
          expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
            .to have_content('http://example.com')
          expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
-            .to have_content('my-token')
+            .to be_empty
        end
      end


--- a/spec/features/projects/clusters/user_spec.rb
+++ b/spec/features/projects/clusters/user_spec.rb
@@ -46,7 +46,7 @@ describe 'User Cluster', :js do
        expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
          .to have_content('http://example.com')
        expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
-          .to have_content('my-token')
+          .to be_empty
      end

      it 'user sees RBAC is enabled by default' do

--- a/spec/frontend/clusters/clusters_bundle_spec.js
+++ b/spec/frontend/clusters/clusters_bundle_spec.js
@@ -82,28 +82,6 @@ describe('Clusters', () => {
    });
  });

-  describe('showToken', () => {
-    it('should update token field type', () => {
-      cluster.showTokenButton.click();
-
-      expect(cluster.tokenField.getAttribute('type')).toEqual('text');
-
-      cluster.showTokenButton.click();
-
-      expect(cluster.tokenField.getAttribute('type')).toEqual('password');
-    });
-
-    it('should update show token button text', () => {
-      cluster.showTokenButton.click();
-
-      expect(cluster.showTokenButton.textContent).toEqual('Hide');
-
-      cluster.showTokenButton.click();
-
-      expect(cluster.showTokenButton.textContent).toEqual('Show');
-    });
-  });
-
  describe('checkForNewInstalls', () => {
    const INITIAL_APP_MAP = {
      helm: { status: null, title: 'Helm Tiller' },

--- a/spec/services/clusters/update_service_spec.rb
+++ b/spec/services/clusters/update_service_spec.rb
@@ -47,6 +47,39 @@ describe Clusters::UpdateService do
          expect(cluster.platform.namespace).to eq('custom-namespace')
        end
      end
+
+      context 'when service token is empty' do
+        let(:params) do
+          {
+              platform_kubernetes_attributes: {
+                  token: ''
+              }
+          }
+        end
+
+        it 'does not update the token' do
+          current_token = cluster.platform.token
+          is_expected.to eq(true)
+          cluster.platform.reload
+
+          expect(cluster.platform.token).to eq(current_token)
+        end
+      end
+
+      context 'when service token is not empty' do
+        let(:params) do
+          {
+              platform_kubernetes_attributes: {
+                  token: 'new secret token'
+              }
+          }
+        end
+
+        it 'updates the token' do
+          is_expected.to eq(true)
+          expect(cluster.platform.token).to eq('new secret token')
+        end
+      end
    end

    context 'when invalid params' do