
Secret handling of Redmine API key #42

Open
uwefladrich opened this issue Feb 4, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@uwefladrich
Owner

The Redmine presentation task reads the API key as a normal Task argument (i.e. expects it in the YAML script), but this leads to the situation that this secret is likely to be stored in a visible file and easily checked into version control systems by mistake.
We need to think how to solve this situation in a user friendly way. It may not be entirely an issue of the Redmine task, maybe it is better solved on the user side, i.e. in the ECE scripts?

@uwefladrich uwefladrich added the bug Something isn't working label Feb 4, 2022
@valentinaschueller
Collaborator

I'm not sure if this is an issue for us, to be honest. The used YAML script is not part of this code but would of course be part of the user's EC-Earth code environment (but wouldn't that only contain a sample script?). For a more secure way of dealing with this, the user should either store the API key in an extra script for their general SE context (main.api_key) and just insert it in the Redmine task or parse it in some other way – but if anything, that's a ScriptEngine question and not one for these tasks, I think?

@uwefladrich
Owner Author

Whether this is an issue here or for the ECE4 runtime environment depends on the way we solve it. Right, the immediate problem is at the ECE4 RTE, because that is where the secret may accidentally be checked in, but the reason that it could be accidentally stored is that the Redmine presentation task requires the API key as a direct argument input. So if we decided to read the key in a safer way, then it is an issue here. For example, we could decide to interpret the argument not directly as the key but as a file name to find the key. That file would never be stored in any version control system then.

Maybe this would even open up for further features, if this file was of some well supported file format, like INI? Then even other connection details could be stored there.

But I'm not sure yet how to best do this.

@valentinaschueller
Collaborator

Another option might be to store the API key in an environment variable. This could be read in directly in the YAML script or in the task itself:

```yaml
api_key: ${REDMINE_API_KEY}
```

```python
import os

# Read the key from the environment instead of the YAML script; fail loudly if unset
api_key = os.getenv('REDMINE_API_KEY', None)
if api_key is None:
    raise ScriptEngineRuntimeError("Environment variable REDMINE_API_KEY does not exist")
```

@valentinaschueller
Collaborator

Or one could look into using .env files somewhere in this whole process
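The three options raised in this thread (a key file, possibly INI-formatted; an environment variable; a .env file) can be combined in one resolver so that the YAML script never carries the key itself. The block below is an added example written for this discussion, not code from the scriptengine Redmine task or from ScriptEngine; the `[redmine]` INI section, the `MissingSecretError` exception, the `resolve_api_key` and `parse_dotenv` names, the lookup order, and the assumption that a Redmine API key is 40 lowercase hex characters are all choices made here. The sample files it writes contain constructed placeholder values, not real keys.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Assumption: Redmine API keys are 40 lowercase hex characters
HEX40 = re.compile(r"^[0-9a-f]{40}$")


class MissingSecretError(RuntimeError):
    """Hypothetical error type; ScriptEngine has its own exception classes."""


def looks_like_literal_key(value):
    """True if a task argument looks like a pasted key rather than a reference
    (use this to warn when a key is sitting in the YAML script)."""
    return bool(HEX40.match(str(value).strip()))


def parse_dotenv(path):
    """Minimal KEY=VALUE parser for a .env file: skips blank lines and '#' comments,
    strips one layer of matching quotes, and never executes shell syntax."""
    values = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def resolve_api_key(key_file=None, env_var="REDMINE_API_KEY", dotenv_file=None, environ=None):
    """Resolve the Redmine API key from, in order: a key file (INI with
    [redmine] api_key=..., or a single-line file), the environment, a .env file.
    `environ` can be passed explicitly so the lookup is testable offline."""
    environ = os.environ if environ is None else environ
    if key_file is not None:
        p = Path(key_file)
        if not p.is_file():
            raise MissingSecretError(f"API key file {p} does not exist")
        # Refuse a key file that other users on a shared (HPC) system can read
        if os.name == "posix" and p.stat().st_mode & 0o077:
            raise MissingSecretError(f"API key file {p} is group/world readable; chmod 600 it")
        text = p.read_text(encoding="utf-8")
        if text.lstrip().startswith("["):
            cfg = configparser.ConfigParser()
            cfg.read_string(text)
            key = cfg.get("redmine", "api_key", fallback="").strip()
        else:
            key = text.strip()
        if key:
            return key
        raise MissingSecretError(f"API key file {p} contains no key")
    key = environ.get(env_var, "").strip()
    if key:
        return key
    if dotenv_file is not None and Path(dotenv_file).is_file():
        key = parse_dotenv(dotenv_file).get(env_var, "").strip()
        if key:
            return key
    raise MissingSecretError(f"No API key: set {env_var}, pass a key file, or provide a .env file")


def demo():
    """Exercise all three sources on constructed sample files (placeholder keys)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ini = Path(d) / "redmine.ini"
        ini.write_text("[redmine]\nurl = https://redmine.example.org\n"
                       "api_key = 0123456789abcdef0123456789abcdef01234567\n")
        os.chmod(ini, 0o600)
        results["ini"] = resolve_api_key(key_file=ini, environ={})
        dotenv = Path(d) / ".env"
        dotenv.write_text("# constructed sample, not a real key\n"
                          "REDMINE_API_KEY='cafebabe0123456789abcdef0123456789abcdef'\n")
        results["dotenv"] = resolve_api_key(dotenv_file=dotenv, environ={})
        results["env"] = resolve_api_key(environ={"REDMINE_API_KEY": " fromenv "})
        try:
            resolve_api_key(environ={})
            results["missing"] = False
        except MissingSecretError:
            results["missing"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is what makes the key-file option safer than a YAML argument on a shared machine: a `${REDMINE_API_KEY}` reference keeps the secret out of version control, but a key file with default 644 permissions leaks it to every other user on the node. `looks_like_literal_key` is the complementary guard for the current behaviour, letting the task warn when a 40-hex-character value has been passed directly.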

No branches or pull requests

2 participants