Merge branch 'master' into #44-JavaScript_library_with_key_obfuscated

.github/FUNDING.yml

@@ -1 +1 @@
-custom: https://www.icrc.org/en/donate/ukraine
+custom: https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets

.github/scripts/docker-create-and-push.sh

@@ -81,8 +81,13 @@ echo "restoring temporal change"
 git restore js/index.js
 
 echo "tagging version"
-#git tag -a $tag -m "${message}"
-#git push --tags
+git tag -a $tag -m "${message}"
+git push --tags
+
+echo "Updating testbed with the latest release"
+git checkout experiment-bed
+git merge master --no-edit
+git push
 
 #staging (https://arcane-scrubland-42646.herokuapp.com/)
 echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login' 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku' and 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release both (heroku container:release web --app=wrongsecrets)"

Dockerfile.web

@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:heroku-tst-6-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.3.11-no-vault
 
-ARG argBasedVersion="1.3.10"
+ARG argBasedVersion="1.3.11"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)

README.md

@@ -25,7 +25,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.3.10-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.3.11-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:
@@ -169,6 +169,7 @@ Top contributors:
 - [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
 - [Filip Chyla @fchyla](https://github.com/fchyla)
 - [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
+- [Josh Grossman @tghosth](https://github.com/tghosth)
 - [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
 - [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx)
 - [Marcin Nowak @MarcinNowak-codes](https://github.com/MarcinNowak-codes)

aws/k8s-aws-alb-script.sh

@@ -24,7 +24,7 @@ fi
 ACCOUNT_ID=$(aws sts get-caller-identity | jq '.Account' -r)
 echo "ACCOUNT_ID=${ACCOUNT_ID}"
 
-LBC_VERSION="v2.4.0"
+LBC_VERSION="v2.4.1"
 echo "LBC_VERSION=$LBC_VERSION"
 
 # echo "executing eksctl utils associate-iam-oidc-provider"
@@ -63,6 +63,7 @@ kubectl get crd
 
 echo "do helm eks application"
 helm repo add eks https://aws.github.io/eks-charts
+helm repo update
 
 echo "upgrade alb controller with helm"
 helm upgrade -i aws-load-balancer-controller \
@@ -88,6 +89,8 @@ echo "apply -f k8s/secret-challenge-vault-ingress.yml in 10 s"
 sleep 10
 kubectl apply -f k8s/secret-challenge-vault-ingress.yml
 
-echo "http://$(kubectl get ingress wrongsecrets -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
+echo "waiting 10 s for loadBalancer"
+sleep 10
+echo "https://$(kubectl get ingress wrongsecrets -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
 
 echo "Do not forget to cleanup afterwards! Run k8s-aws-alb-script-cleanup.sh"

aws/k8s-vault-aws-start.sh

@@ -5,7 +5,7 @@
 
 source ../scripts/check-available-commands.sh
 
-checkCommandsAvailable helm jq vault sed grep docker grep cat aws
+checkCommandsAvailable helm jq vault sed grep cat aws
 
 AWS_REGION="eu-west-1"
 

aws/k8s/secret-challenge-vault-deployment.yml

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.3.10-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.3.11-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

azure/README.md

@@ -23,8 +23,32 @@ Make sure you have an active subscription at Azure for which you have configured
 
 **Note-II**: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally.
 
+### (Optional) Multi-user setup: shared state
+
+If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using an Azure storage container.
+
+First, enable the `Microsoft.Storage` API (if it isn't already) using:
+
+```bash
+az provider register --namespace Microsoft.Storage
+```
+
+Then, apply the terraform (optionally add `-var="region=YOUR_DESIRED_REGION"` to the apply to use a region other than the default `East US`):
+
+```bash
+cd shared-state
+terraform init
+terraform apply
+```
+
+The storage account name should be in the output. Please use that to configure the terraform backend in `main.tf` by uncommenting the part on the `backend "azurerm"`.
+
+**Note**: You'll need to follow the description below for the "existing resource group" i.e., use the `data.azurerm_resource_group.default` resource.
+
+### WrongSecrets
+
 1. Set either a new resource group or use an existing resource group in `main.tf` (it defaults to the existing `OWASP-Projects` resource group). Note that you'll need to find/replace references to "data.azurerm_resource_group.default" to "arurerm_resource_group.default" if you want to create a new one.
-2. check whether you have the right project by doing `az account show` (after `az login`).
+2. check whether you have the right project by doing `az account show` (after `az login`). Want to set the project as your default? Use `az account set --subscription  <.id here>`.
 3. If not yet enabled, register the required services for the subscription, run:
     - `az provider register --namespace Microsoft.ContainerService`
     - `az provider register --namespace Microsoft.KeyVault`
@@ -33,6 +57,7 @@ Make sure you have an active subscription at Azure for which you have configured
 5. Run `terraform plan` to see what will be created (optional).
 6. Run `terraform apply`. Note: the apply will take 5 to 20 minutes depending on the speed of the Azure backplane.
 7. Run `./k8s-vault-azure-start.sh`. Your kubeconfig file will automatically be updated.
+8. (Optional) To make the app available over a load balancer, run `kubectl apply -f ./k8s/lb.yml`, then  look for the public IP using `kubectl describe service wrongsecrets-lb`. The app should be available on HTTP port 80 within a few minutes.
 
 Your AKS cluster should be visible in your resource group. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
@@ -43,15 +68,17 @@ Are you done playing? Please run `terraform destroy` twice to clean up.
 Run `./k8s-vault-azure-start.sh` and connect to [http://localhost:8080](http://localhost:8080) when it's ready to accept connections (you'll read the line `Forwarding from 127.0.0.1:8080 -> 8080` in your console). Now challenge 9 and 10 should be available as well.
 
 ### Resume it
+
 When you stopped the `k8s-vault-azure-start.sh` script and want to resume the port forward run: `k8s-vault-azure-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
 
 ### Clean it up
 
 When you're done:
 
 1. Kill the port forward.
-2. Run `terraform destroy` to clean up the infrastructure.
-3. Run `rm terraform.ts*` to remove local state files.
+2. Run `terraform destroy` to clean up the infrastructure. Note that you may need to repeat the destroy to fully clean up.
+3. If you've used the shared state, `cd` to the `shared-state` folder and run `terraform destroy` there too.
+4. Run `rm terraform.ts*` to remove local state files.
 
 ### A few things to consider
 

azure/k8s-vault-azure-start.sh

@@ -5,9 +5,9 @@
 
 source ../scripts/check-available-commands.sh
 
-checkCommandsAvailable helm minikube jq vault sed grep docker grep cat az envsubst
+checkCommandsAvailable helm vault jq sed grep cat az envsubst
 
-echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, jq, vault, grep, cat, sed, envsubst, and azure cli, and is only tested on mac, Debian and Ubuntu"
+echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, vault, grep, cat, sed, envsubst, and azure cli, and is only tested on mac, Debian and Ubuntu"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"
 
 # Most of the variables below are used in envsubst later.

azure/k8s/lb.yml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: wrongsecrets-lb
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 80
+      targetPort: 8080
+  selector:
+    app: secret-challenge

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.3.10-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.3.11-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

azure/main.tf

@@ -1,3 +1,23 @@
+terraform {
+  required_version = ">= 0.14.0"
+
+  required_providers {
+    random  = "~> 3.0"
+    azurerm = "~> 3.0"
+    http    = "~> 2.1"
+  }
+
+  # For shared state:
+  # Set the resource group in the backend configuration below, then uncomment and apply!
+  # Note that you probably already create a resource group. Don't forget to set that correctly in this file.
+  # backend "azurerm" {
+  #   resource_group_name  = "owasp-wrongsecrets"
+  #   storage_account_name = "YOUR_ACCOUNT_NAME_HERE"
+  #   container_name       = "tfstate"
+  #   key                  = "terraform.tfstate"
+  # }
+}
+
 provider "http" {}
 
 data "http" "ip" {
@@ -14,11 +34,11 @@ data "azurerm_client_config" "current" {}
 
 # If you're using an existing resource group, modify this part.
 # Note that you'll need to find/replace references to "arurerm_resource_group.default" to "data.azurerm_resource_group.default"
-#data "azurerm_resource_group" "default" {
-#  name = "OWASP-Projects"
-#}
+# data "azurerm_resource_group" "default" {
+#   name = "owasp-wrongsecrets"
+# }
 
-# If you're creating a new resource group, modify this.
+# If you're using an existing resource group, comment this.
 resource "azurerm_resource_group" "default" {
   name     = "owasp-wrongsecrets"
   location = var.region
@@ -49,7 +69,5 @@ resource "azurerm_kubernetes_cluster" "cluster" {
     type = "SystemAssigned"
   }
 
-  role_based_access_control {
-    enabled = true
-  }
+  role_based_access_control_enabled = true
 }

azure/secrets.tf

@@ -32,7 +32,7 @@ resource "azurerm_key_vault_access_policy" "user" {
   object_id    = data.azurerm_client_config.current.object_id
 
   secret_permissions = [
-    "get", "list", "set", "delete"
+    "Get", "List", "Set", "Delete"
   ]
 }
 
@@ -42,7 +42,7 @@ resource "azurerm_key_vault_access_policy" "identity_access" {
   object_id    = azurerm_user_assigned_identity.aks_pod_identity.principal_id
 
   secret_permissions = [
-    "get", "list"
+    "Get", "List"
   ]
 }
 
@@ -110,6 +110,6 @@ resource "azurerm_key_vault_access_policy" "extra_identity_access" {
   object_id    = azurerm_user_assigned_identity.aks_extra_pod_identity.principal_id
 
   secret_permissions = [
-    "get", "list"
+    "Get", "List"
   ]
 }

azure/shared-state/main.tf

@@ -0,0 +1,65 @@
+terraform {
+  required_providers {
+    azurerm = "~> 3.0"
+    random  = "~> 3.0"
+  }
+}
+
+variable "region" {
+  description = "The Azure region to use"
+  type        = string
+  default     = "East US"
+}
+
+
+provider "azurerm" {
+  features {}
+  skip_provider_registration = true
+}
+
+# If you're using an existing resource group, modify this part. That'll definitely be the case if you're using shared state!
+# Note that you'll need to find/replace references to "arurerm_resource_group.default" to "data.azurerm_resource_group.default"
+#data "azurerm_resource_group" "default" {
+#  name = "owasp-wrongsecrets"
+#}
+
+# If you're creating a new resource group, modify this.
+resource "azurerm_resource_group" "default" {
+  name     = "owasp-wrongsecrets"
+  location = var.region
+}
+
+
+resource "random_integer" "suffix" {
+  min = 00000
+  max = 99999
+}
+
+resource "random_string" "suffix" {
+  length  = 5
+  special = false
+  upper   = false
+  number  = true
+}
+
+
+resource "azurerm_storage_account" "account" {
+  name                     = format("wrongsecrets%s%s", random_string.suffix.result, random_integer.suffix.result)
+  resource_group_name      = azurerm_resource_group.default.name
+  location                 = azurerm_resource_group.default.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+
+
+resource "azurerm_storage_container" "blob" {
+  name                  = "tfstate"
+  storage_account_name  = azurerm_storage_account.account.name
+  container_access_type = "private"
+}
+
+output "storage_account_name" {
+  description = "The generated storage account name"
+  value       = azurerm_storage_account.account.name
+}

gcp/k8s-vault-gcp-ingress-start.sh

@@ -5,7 +5,7 @@
 
 source ../scripts/check-available-commands.sh
 
-checkCommandsAvailable helm minikube jq vault sed grep docker grep cat gcloud envsubst
+checkCommandsAvailable helm jq vault sed grep cat gcloud envsubst
 
 echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, jq, vault, grep, cat, sed, envsubst, and google cloud cli, and is only tested on mac, Debian and Ubuntu"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"

gcp/k8s-vault-gcp-start.sh

@@ -5,7 +5,7 @@
 
 source ../scripts/check-available-commands.sh
 
-checkCommandsAvailable helm minikube jq vault sed grep docker grep cat gcloud envsubst
+checkCommandsAvailable helm jq vault sed grep cat gcloud envsubst
 
 echo "This is a script to bootstrap the configuration. You need to have installed: helm, kubectl, jq, vault, grep, cat, sed, envsubst, and google cloud cli, and is only tested on mac, Debian and Ubuntu"
 echo "This script is based on the steps defined in https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube. Vault is awesome!"

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.3.10-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.3.11-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.3.10-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.3.11-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-vault-deployment.yml

@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.3.10-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.3.11-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

pom.xml

@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>heroku-tst-6-SNAPSHOT</version>
+    <version>1.3.11-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>