
Leaking API Token Secret on Auth Failure #99

Open

mcgarebear opened this issue Oct 27, 2020 · 2 comments

Comments

@mcgarebear

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.20 - but I suspect this will affect any Terraform version.

$> ./terraform version
Terraform v0.12.20

Your version of Terraform is out of date! The latest version
is 0.13.5. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • N/A - this appears to be a provider issue or an issue with the github.com/atlassian/go-artifactory/v2/artifactory client implementation when the provider invokes its configure function and attempts to ping Artifactory

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file.

terraform {
  required_version = "~> 0.12.20"
}

provider "artifactory" {
  url      = "https://<artifactory URL>/artifactory"
  api_key  = "this-is-a-secret-key"
}

data "artifactory_fileinfo" "test" {
  repository = "terraform"
  path       = "modules/foreman-subnet/foreman-subnet_v1.0.0.tar.gz"
}

Debug Output

Panic Output

Expected Behavior

If the provider encounters an authentication failure, I expect the provider to fail and cause a halt in Terraform execution. However, the API token should not be dumped back to console - the token should remain hidden and the provider only displays an indication of a bad token (possibly masking token details if it absolutely must be dumped?). Something like this:

GET https://<artifactory URL>/artifactory/api/system/ping: 403 [{Status:403 Message:Bad props auth token}]
  on .terraform/modules/docker-terraform-test/providers.tf line 7, in provider "artifactory":
   7: provider "artifactory" {

Actual Behavior

The provider fails and dumps the token in plaintext to the console. This is a huge security issue causing us to pull/revoke this provider from our internal registry and redo compromised credentials.

GET https://<artifactory URL>/artifactory/api/system/ping: 403 [{Status:403 Message:Bad props auth token: apiKey=<BLATANT TOKEN IN PLAINTEXT HERE>}]
  on .terraform/modules/docker-terraform-test/providers.tf line 7, in provider "artifactory":
   7: provider "artifactory" {

Steps to Reproduce

  1. Copy configuration from Terraform Configuration Files - give it a nonsensical token for your instance
$> ls
terraform.tf

$> cat terraform.tf
terraform {
  required_version = "~> 0.12.20"
}

provider "artifactory" {
  url      = "https://<artifactory URL>/artifactory"
  api_key  = "this-is-a-secret-key"
}

data "artifactory_fileinfo" "test" {
  repository = "terraform"
  path       = "modules/foreman-subnet/foreman-subnet_v1.0.0.tar.gz"
}
  2. initialize Terraform
$> terraform init

Initializing the backend...

Initializing provider plugins...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
  3. attempt to plan the project
$> terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
Error: GET https://<artifactory URL>/artifactory/api/system/ping: 403 [{Status:403 Message:Bad props auth token: apiKey=this-is-a-secret-key}]

  on terraform.tf line 5, in provider "artifactory":
   5: provider "artifactory" {

Important Factoids

This issue does not occur when using username/password auth. It appears to only occur on API key. It does not matter if this API key is specified via env vars or statically configured.

GET https://<artifactory URL>/artifactory/api/system/ping: 401 [{Status:401 Message:Bad credentials}]
  on .terraform/modules/docker-terraform-test/providers.tf line 88, in provider "artifactory":
  88: provider "artifactory" {

References

  • #0000
@peters95

migrated -> jfrog/terraform-provider-artifactory#16

@chb0github

@mcgarebear You're saying that, when you give it a bad token, it echoes it back and that's bad?

mmmm... the token is bad - by definition, this can't be a problem as a useless secret is being exposed. Pulling it from your own registry is your business. However, if you're a paying customer you can file a support ticket to see about getting some traction on the matter as this has nothing to do with terraform: this is the message coming straight from RT

I will be closing the ticket in the new repo. I can only suggest to the admins of this one to do the same
