You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v0.12.20 - but I suspect this will affect any Terraform version.
$> ./terraform version
Terraform v0.12.20
Your version of Terraform is out of date! The latest version
is 0.13.5. You can update by downloading from https://www.terraform.io/downloads.html
Affected Resource(s)
N/A - this appears to be a provider issue or an issue with the github.com/atlassian/go-artifactory/v2/artifactory client implementation when the provider invokes its configure function and attempts to ping Artifactory
Terraform Configuration Files
# Copy-paste your Terraform configurations here - for large Terraform configs,# please use a service like Dropbox and share a link to the ZIP file.terraform {
required_version ="~> 0.12.20"
}
provider"artifactory" {
url ="https://<artifactory URL>/artifactory"
api_key ="this-is-a-secret-key"
}
data"artifactory_fileinfo""test" {
repository ="terraform"
path ="modules/foreman-subnet/foreman-subnet_v1.0.0.tar.gz"
}
Debug Output
Panic Output
Expected Behavior
If the provider encounters an authentication failure, I expect the provider to fail and cause a halt in Terraform execution. However, the API token should not be dumped back to console - the token should remain hidden and the provider only displays an indication of a bad token (possibly masking token details if it absolutely must be dumped?). Something like this:
GET https://<artifactory URL>/artifactory/api/system/ping: 403 [{Status:403 Message:Bad props auth token}]
on .terraform/modules/docker-terraform-test/providers.tf line 7, in provider "artifactory":
7: provider "artifactory" {
Actual Behavior
The provider fails and dumps the token in plaintext to the console. This is a huge security issue causing us to pull/revoke this provider from our internal registry and redo compromised credentials.
GET https://<artifactory URL>/artifactory/api/system/ping: 403 [{Status:403 Message:Bad props auth token: apiKey=<BLATANT TOKEN IN PLAINTEXT HERE>}]
on .terraform/modules/docker-terraform-test/providers.tf line 7, in provider "artifactory":
7: provider "artifactory" {
Steps to Reproduce
Copy configuration from Terraform Configuration Files - give it a nonsensical token for your instance
$> terraform init
Initializing the backend...
Initializing provider plugins...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
attempt to plan the project
$> terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
Error: GET https://<artifactory URL>/artifactory/api/system/ping: 403 [{Status:403 Message:Bad props auth token: apiKey=this-is-a-secret-key}]
on terraform.tf line 5, in provider "artifactory":
5: provider "artifactory" {
Important Factoids
This issue does not occur when using username/password auth. It appears to only occur on API key. It does not matter if this API key is specified via env vars or statically configured.
GET https://<artifactory URL>/artifactory/api/system/ping: 401 [{Status:401 Message:Bad credentials}]
on .terraform/modules/docker-terraform-test/providers.tf line 88, in provider "artifactory":
88: provider "artifactory" {
References
#0000
The text was updated successfully, but these errors were encountered:
@mcgarebear You're saying that, when you give it a bad token, it echos it back and that's bad?
mmmm... the token is bad - by definition, this can't be a problem as a useless secret is being exposed. Pulling it from your own registry is your business. However, if you're a paying customer you can file a support ticket to see about getting some traction on the matter as this has nothing to do with terraform: this is the message coming straight from RT
I will be closing the ticket in the new repo. I can only suggest to the admins of this one to do the same
Community Note
Terraform Version
Terraform
v0.12.20
- but I suspect this will affect any Terraform version.Affected Resource(s)
github.com/atlassian/go-artifactory/v2/artifactory
client implementation when the provider invokes its configure function and attempts to ping ArtifactoryTerraform Configuration Files
Debug Output
Panic Output
Expected Behavior
If the provider encounters an authentication failure, I expect the provider to fail and cause a halt in Terraform execution. However, the API token should not be dumped back to console - the token should remain hidden and the provider only displays an indication of a bad token (possibly masking token details if it absolutely must be dumped?). Something like this:
Actual Behavior
The provider fails and dumps the token in plaintext to the console. This is a huge security issue causing us to pull/revoke this provider from our internal registry and redo compromised credentials.
Steps to Reproduce
Terraform Configuration Files
- give it a nonsensical token for your instanceImportant Factoids
This issue does not occur when using username/password auth. It appears to only occur on API key. It does not matter if this API key is specified via env vars or statically configured.
References
The text was updated successfully, but these errors were encountered: