docs: ADR-0004: authentication types and encrypted secrets by jhoward-lm · Pull Request #104 · bomctl/bomctl · GitHub

docs: ADR-0004: authentication types and encrypted secrets #104


Merged
merged 3 commits into from
Nov 25, 2024

Conversation

jhoward-lm
Contributor

4. Authentication types and secrets encryption

Date: 2024-07-11

Status

Proposed

Context

Additional authentication mechanisms and secure secrets storage should be supported.

Decision

Add support for additional authentication mechanisms:

  • OAuth
  • Bearer token
  • Basic

Secrets provided as plain text will be encrypted with a user-provided or auto-generated key pair.

Add a config file mapping of URLs or bare hostnames to associated user credentials.

  • If credentials are specified by the user or encountered in the config file as plain text:
    • If no private key is provided by user or already exists in the config directory,
      auto-generate a new key pair
    • Encrypt secrets inline in the config file using the private key

Either leverage the SOPS tool as a library to perform the encryption/decryption,
or use its encrypted string expression form.

Example of proposed config file additions:

auths:
  github.com: ENC[AES256_GCM,data:Tr7o=,iv:1=,aad:No=,tag:k=]
  gitlab.com:
    user: ENC[AES256_GCM,data:CwE4O1s=,iv:2k=,aad:o=,tag:w==]
    password: ENC[AES256_GCM,data:p673w==,iv:YY=,aad:UQ=,tag:A=]

Consequences

These changes will increase flexibility for users by allowing fetching from and pushing to additional
remote endpoints that may have limited or strict options for authentication. They will also provide
enhanced security options for local storage and transmission of secrets.

Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
@jhoward-lm jhoward-lm added the documentation Improvements or additions to documentation label Jul 11, 2024
@jhoward-lm jhoward-lm self-assigned this Jul 11, 2024
@jhoward-lm jhoward-lm requested a review from a team as a code owner July 11, 2024 20:51
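
The decision above turns on whether a credential under auths is still plain text. As an added example (not bomctl's code and not part of this pull request), the Go program below recognises the `ENC[AES256_GCM,...]` string form from the proposed config and lists the entries that are not yet in that form. The function names, the `/` path separator and the `registry.example` host are assumptions made for illustration, and the check covers form only, not whether the ciphertext decrypts.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseEnc splits the ADR's ENC[AES256_GCM,key:value,...] form into fields; ok is false for plain text.
func parseEnc(v string) (fields map[string]string, ok bool) {
	const prefix = "ENC[AES256_GCM,"
	if !strings.HasPrefix(v, prefix) || !strings.HasSuffix(v, "]") {
		return nil, false
	}
	fields = map[string]string{}
	for _, part := range strings.Split(v[len(prefix):len(v)-1], ",") {
		key, val, found := strings.Cut(part, ":")
		if !found || val == "" {
			return nil, false
		}
		fields[key] = val
	}
	return fields, fields["data"] != "" && fields["iv"] != "" && fields["tag"] != ""
}

// plaintextPaths returns the sorted host or host/field paths whose values are not encrypted.
func plaintextPaths(path string, node any) []string {
	var out []string
	switch n := node.(type) {
	case string:
		if _, ok := parseEnc(n); !ok {
			out = append(out, path)
		}
	case map[string]any:
		for key, child := range n {
			out = append(out, plaintextPaths(strings.TrimPrefix(path+"/"+key, "/"), child)...)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed input: github.com copies the ADR example; registry.example is hypothetical.
	auths := map[string]any{
		"github.com":       "ENC[AES256_GCM,data:Tr7o=,iv:1=,aad:No=,tag:k=]",
		"registry.example": map[string]any{"user": "ci-bot", "password": "not-a-real-secret"},
	}
	fmt.Println(plaintextPaths("", auths)) // paths that still need encrypting
}
```
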
@idunbarh
Member

Can you talk to what the user experience would be? Are you thinking that if an encrypted password is accessed, the user would be prompted for a decrypt key?

I see the benefits of SOPS to encrypt secrets that are stored in version control or other configuration files stored outside of a deployed environment. If the intent would be for the keypair or master key to be stored on the same system as the bomctl config, I think the security benefits would be negated.

@eddiezane @ashearin what are your thoughts?

@ashearin
Member
ashearin commented Aug 5, 2024

Per working group session 8/5/24. For now leave as proposed, to be reevaluated for a future release.

@idunbarh idunbarh added the adr Architecture Decision Records use to decide architecture or implementation details of `bomctl` label Aug 26, 2024
@jhoward-lm jhoward-lm requested a review from lmphil November 25, 2024 16:57
@jhoward-lm jhoward-lm merged commit 794ff83 into main Nov 25, 2024
9 checks passed
@jhoward-lm jhoward-lm deleted the adr/secrets-encryption branch November 25, 2024 18:17
Labels
adr Architecture Decision Records use to decide architecture or implementation details of `bomctl` documentation Improvements or additions to documentation
Projects
Status: Done
4 participants