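--- a/README.md
+++ b/README.md
@@ -226,7 +226,8 @@
 
 - [Madhu Akula @madhuakula](https://github.com/madhuakula)
 - [Björn Kimminich @bkimminich](https://github.com/bkimminich)
-- [Avinash Pancham @avinashpancham](https://github.com/avinashpancham)
+- [Xiaolu Dai @saragluna](https://github.com/saragluna)
+- [Jonathan Giles @jonathanGiles](https://github.com/JonathanGiles)
 
 
 ### Sponsorships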
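--- a/azure/k8s/secret-challenge-vault-deployment.yml.tpl
+++ b/azure/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -41,7 +41,7 @@
  volumeAttributes:
  secretProviderClass: "azure-wrongsecrets-vault"
  containers:
- - image: jeroenwillemsen/wrongsecrets:1.5.11-k8s-vault
+ - image: jeroenwillemsen/wrongsecrets:azure-490-9-k8s-vault
  imagePullPolicy: IfNotPresent
  name: secret-challenge
  securityContext:
@@ -81,11 +81,15 @@
  env:
  - name: K8S_ENV
  value: azure
- - name: azure_keyvault_enabled
+ - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCEENABLED
  value: "true"
- - name: azure_keyvault_uri
+ - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_NAME
+ value: wrongsecret-3
+ - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_ENDPOINT
  value: ${AZ_VAULT_URI}
- - name: management.health.azure-key-vault.enabled
+ - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_CREDENTIAL_CLIENTID
+ value: ${AZ_POD_CLIENT_ID}
+ - name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_CREDENTIAL_MANAGEDIDENTITYENABLED
  value: "true"
  - name: SPECIAL_K8S_SECRET
  valueFrom: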
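Review bot: `SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_NAME=wrongsecret-3` at new lines 86-87 reads as if it selects which secret is loaded, but in Spring Cloud Azure 4.x `property-sources[0].name` is only the label of the property source; every secret in the vault is imported as a Spring property unless `secret-keys` is set — worth verifying against the starter's reference before relying on it. If only `wrongsecret-3` is needed, restricting the import keeps the pod's environment to the one secret it is entitled to, e.g. `- name: SPRING_CLOUD_AZURE_KEYVAULT_SECRET_PROPERTYSOURCES_0_SECRETKEYS_0` followed by `value: wrongsecret-3`. Separately, the image at new line 44 is referenced by tag only and pulled with `IfNotPresent`; pinning the digest (`image: jeroenwillemsen/wrongsecrets@sha256:…`) would make the deployed challenge image reproducible.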
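--- a/azure/k8s-vault-azure-start.sh
+++ b/azure/k8s-vault-azure-start.sh
@@ -60,7 +60,7 @@
  echo "CSI driver is already installed"
 else
  echo "Installing CSI driver"
- helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
+ helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
 fi
 
 echo "Add Azure pod identity to repo"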
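Review bot: The `helm install` at new line 63 still installs whatever chart version the repository currently serves; pin it with `--version <chart version>` so the CSI provider placed into kube-system is the one this script was tested against, rather than a moving target in the supply chain. The `if` test that decides between "already installed" and this branch is outside the hunk; if it looks for the `csi` release in the default namespace, an existing release there would no longer be matched after this namespace change — worth confirming.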
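--- a/azure/main.tf
+++ b/azure/main.tf
@@ -52,7 +52,7 @@
  default_node_pool {
  name = "default"
  node_count = 1
- vm_size = "Standard_A2_v2"
+ vm_size = "Standard_A2m_v2"
  }
 
  identity {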
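--- a/pom.xml
+++ b/pom.xml
@@ -1,11 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>2.7.5</version>
- <relativePath /> <!-- lookup parent from repository -->
+ <relativePath/> <!-- lookup parent from repository -->
  </parent>
  <groupId>org.owasp</groupId>
  <artifactId>wrongsecrets</artifactId>
@@ -43,9 +44,9 @@
  <maven.compiler.target>19</maven.compiler.target>
  <spring.cloud-version>2021.0.4</spring.cloud-version>
  <lombok.version>1.18.24</lombok.version>
- <aws.sdk.version>2.18.24</aws.sdk.version>
+ <aws.sdk.version>2.18.28</aws.sdk.version>
  <asciidoctorj.version>2.5.7</asciidoctorj.version>
- <jruby.version>9.3.9.0</jruby.version>
+ <jruby.version>9.4.0.0</jruby.version>
  <bootstrap.version>5.2.2</bootstrap.version>
  <github.button.version>2.14.1</github.button.version>
  <gcp.sdk.version>3.4.0</gcp.sdk.version>
@@ -55,10 +56,8 @@
  <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
  <thymeleaf.layout>3.1.0</thymeleaf.layout>
  <asciidoctor.maven.plugin.version>2.2.2</asciidoctor.maven.plugin.version>
- <azure.keyvault.version>4.5.2</azure.keyvault.version>
- <azure.identity.version>1.7.0</azure.identity.version>
- <azure.keyvault.spring.version>2.3.5</azure.keyvault.spring.version>
  <spring.security.version>5.7.5</spring.security.version>
+ <com.azure.spring.version>4.4.1</com.azure.spring.version>
  <cyclonedx.core.version>7.2.0</cyclonedx.core.version>
  <KeePassJava2.version>2.1.4</KeePassJava2.version>
  <system-stubs-jupiter.version>2.0.1</system-stubs-jupiter.version>
@@ -179,21 +178,8 @@
  </dependency>
 
  <dependency>
- <groupId>com.azure</groupId>
- <artifactId>azure-security-keyvault-secrets</artifactId>
- <version>${azure.keyvault.version}</version>
- </dependency>
-
- <dependency>
- <groupId>com.azure</groupId>
- <artifactId>azure-identity</artifactId>
- <version>${azure.identity.version}</version>
- </dependency>
-
- <dependency>
- <groupId>com.microsoft.azure</groupId>
- <artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>
- <version>${azure.keyvault.spring.version}</version>
+ <groupId>com.azure.spring</groupId>
+ <artifactId>spring-cloud-azure-starter-keyvault-secrets</artifactId>
  </dependency>
 
  <dependency>
@@ -221,11 +207,11 @@
  <version>${dependency-check-maven.version}</version>
  <type>maven-plugin</type>
  </dependency>
- <dependency>
- <groupId>com.h2database</groupId>
- <artifactId>h2</artifactId>
- <version>2.1.214</version>
- </dependency>
+<!-- <dependency>-->
+<!-- <groupId>com.h2database</groupId>-->
+<!-- <artifactId>h2</artifactId>-->
+<!-- <version>2.1.214</version>-->
+<!-- </dependency>-->
  </dependencies>
 
  <dependencyManagement>
@@ -244,6 +230,13 @@
  <type>pom</type>
  <scope>import</scope>
  </dependency>
+ <dependency>
+ <groupId>com.azure.spring</groupId>
+ <artifactId>spring-cloud-azure-dependencies</artifactId>
+ <version>${com.azure.spring.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
  </dependencies>
  </dependencyManagement>
 
@@ -268,7 +261,7 @@
  </os>
  </activation>
  <properties>
- <script.extension />
+ <script.extension/>
  </properties>
  </profile>
  </profiles>
@@ -284,7 +277,7 @@
  <dependency>
  <groupId>com.puppycrawl.tools</groupId>
  <artifactId>checkstyle</artifactId>
- <version>10.4</version>
+ <version>10.5.0</version>
  </dependency>
  </dependencies>
  </plugin>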
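Review bot: The h2 dependency at new lines 210-214 is commented out rather than removed, which leaves a pinned version string (`2.1.214`) in the file that neither the build nor `dependency-check-maven` will ever evaluate, so it silently goes stale. Delete the five lines — git history keeps them — or, if h2 is expected to come back, replace them with a one-line `<!-- h2 dropped: not needed at runtime; re-add under dependencyManagement if a test needs it -->` stating why. The new `spring-cloud-azure-starter-keyvault-secrets` entry at lines 181-182 correctly takes its version from the imported `spring-cloud-azure-dependencies` BOM added at lines 233-239, so no explicit version is needed there.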
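--- a/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java
+++ b/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java
@@ -19,7 +19,7 @@
  @Bean
  @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
  public InMemoryScoreCard scoreCard() {
- return new InMemoryScoreCard(22);
+ return new InMemoryScoreCard(27);
  }
 
 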
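Review bot: `new InMemoryScoreCard(27)` at new line 22 hard-codes what appears to be the total challenge count, and this commit shows it has to be bumped by hand whenever challenges are added. A named constant with a comment would at least make the intent visible, e.g. `private static final int TOTAL_CHALLENGES = 27; // keep in sync with the registered Challenge beans`, and deriving the number from the injected list of Challenge beans would remove the manual step entirely if such a list is available here. The enclosing class starts outside the hunk.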
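--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
@@ -58,7 +58,7 @@
  @Value("${default_gcp_value}") String gcpDefaultValue,
  @Value("${default_aws_value}") String awsDefaultValue,
  @Value("${default_azure_value}") String azureDefaultValue,
- @Value("${azure.keyvault.uri}") String azureVaultUri,
+ @Value("${spring.cloud.azure.keyvault.secret.property-sources[0].endpoint}") String azureVaultUri,
  @Value("${wrongsecret-3}") String azureWrongSecret3, // Exclusively auto-wired for Azure
  @Value("${GOOGLE_CLOUD_PROJECT}") String projectId,
  @Value("${default_aws_value_challenge_11}") String ctfValue,
@@ -123,6 +123,7 @@
  }
 
  private String getAWSChallenge11Value() {
+ log.info("pre-checking AWS data");
  if (!"if_you_see_this_please_use_AWS_Setup".equals(awsRoleArn)) {
  log.info("Getting credentials from AWS");
  try { //based on https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/sts/src/main/java/com/example/sts
@@ -167,6 +168,7 @@
  }
 
  private String getGCPChallenge11Value() {
+ log.info("pre-checking GCP data");
  if (isGCP()) {
  log.info("Getting credentials from GCP");
  // Based on https://cloud.google.com/secret-manager/docs/reference/libraries
@@ -187,8 +189,9 @@
  }
 
  private String getAzureChallenge11Value() {
+ log.info("pre-checking Azure data");
  if (isAzure()) {
- //log.debug(String.format("Using Azure Key Vault URI: %s", azureVaultUri));
+ log.info(String.format("Using Azure Key Vault URI: %s", azureVaultUri));
  return azureWrongSecret3;
  }
  log.error("Fetching secret from Azure did not work, returning default");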
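Review bot: The Key Vault endpoint is now written to the log at INFO on every call of `getAzureChallenge11Value()` (new line 194), where it used to be a commented-out DEBUG line; the endpoint is not a secret, but it is infrastructure detail that ends up in shared log pipelines, so `log.debug("Using Azure Key Vault URI: {}", azureVaultUri);` keeps it reachable without shipping it by default. The parameterized form also avoids the eager `String.format` when the level is disabled. The three added `pre-checking … data` INFO lines (new lines 126, 171, 192) say nothing the following `Getting credentials from …` lines do not; consider dropping them or lowering them to DEBUG. The bodies of `getAWSChallenge11Value` and `getGCPChallenge11Value` continue outside their hunks.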
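--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -17,10 +17,12 @@
 AWS_WEB_IDENTITY_TOKEN_FILE=if_you_see_this_please_use_AWS_Setup
 FILENAME_CHALLENGE9=wrongsecret
 FILENAME_CHALLENGE10=wrongsecret-2
-azure.keyvault.enabled=false
-management.health.azure-key-vault.enabled=false
-azure.keyvault.uri=https://default.vault.localhost
+
+spring.cloud.azure.keyvault.secret.property-source-enabled=false
+spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://default.placeholder.overriddenink8s.vars.localhost
+spring.cloud.azure.keyvault.secret.property-sources[0].name=wrongsecret-3
 wrongsecret-3=if_you_see_this_please_use_Azure_Setup
+
 secretmountpath=/mnt/secrets-store
 challengedockermtpath=/var/tmp/helpers
 AWS_REGION=if_you_see_this_please_use_AWS_Setup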
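Review bot: The removed `management.health.azure-key-vault.enabled=false` at old line 21 has no counterpart in the new block, so if the Spring Cloud Azure actuator integration is on the classpath the Key Vault health indicator may now be active and would probe `https://default.placeholder.overriddenink8s.vars.localhost` outside Azure; in the 4.x reference the indicator is controlled by a differently named property (`management.health.azure-key-vault-secret.enabled`, to be verified), which is the line to add back if that applies. If the line was deliberately dropped because no indicator is registered without the actuator starter, a short comment above the new block would save the next reader the same check, e.g. `# Azure Key Vault is only wired up in the Azure k8s deployment; endpoint and name below are placeholders overridden by env vars`.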
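--- a/src/main/resources/explanations/challenge11_hint-azure.adoc
+++ b/src/main/resources/explanations/challenge11_hint-azure.adoc
@@ -13,11 +13,15 @@
  aadpodidbinding: separate-workload-pod-id
 spec:
  template:
+ metadata:
+ name: wrongsecret3job
+ labels:
+ aadpodidbinding: separate-workload-pod-id
  spec:
  containers:
- - name: az
- image: mcr.microsoft.com/azure-cli:latest
- command:
+ - name: az
+ image: mcr.microsoft.com/azure-cli:latest
+ command:
  [
  "sleep", "7200"
  ]
@@ -25,5 +29,5 @@
 ```
 - Apply the job with `kubectl apply -f job.yaml`
 
-You can now exec into the pod, and execute something like `az login --identity --allow-no-subscriptions && az keyvault secret show --name wrongsecret-3 --vault-name wrongsecrets-vault-00000`. Since the job can access the same vault as the secret challenge pod, it has access to its secrets.
+You can now exec into the pod, and execute something like `az login --identity --allow-no-subscriptions && az keyvault secret show --name wrongsecret-3 --vault-name wrongsecrets-vault-00000` . Note that you can find the actual value of `wrongsecrets-vault-00000` in the terraform state. Since the job can access the same vault as the secret challenge pod, it has access to its secrets.
 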
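--- a/src/main/resources/templates/welcome.html
+++ b/src/main/resources/templates/welcome.html
@@ -113,6 +113,8 @@
  <ul>
  <li><a href="https://github.com/madhuakula">Madhu Akula @madhuakula</a></li>
  <li><a href="https://github.com/bkimminich">Björn Kimminich @bkimminich</a></li>
+ <li><a href="https://github.com/saragluna">Xiaolu Dai @saragluna</a></li>
+ <li><a href="https://github.com/JonathanGiles">Jonathan Giles @jonathanGiles</a></li>
  </ul>
  </div>
  </div>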
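--- a/wrongsecret-desktop-resources/startwm.sh
+++ b/wrongsecret-desktop-resources/startwm.sh
@@ -2,5 +2,6 @@
 
 /startpulse.sh &
 cp -r /var/tmp/wrongsecrets /config/Desktop
+cp -r /var/tmp/wrongsecrets/welcome.md /config/Desktop
 /usr/bin/startxfce4 > /dev/null 2>&1
 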
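Review bot: The new `cp -r` at line 5 copies a single file, so `-r` does nothing, and that file already lands on the Desktop as `/config/Desktop/wrongsecrets/welcome.md` through the recursive copy on the line above; presumably the intent is to surface it at the Desktop root as well. `cp /var/tmp/wrongsecrets/welcome.md /config/Desktop/ # also show the welcome page directly on the desktop` says that in one line. Neither copy is checked, so a missing file is silently skipped before the window manager starts; if that is the intended best-effort behaviour, a comment stating so would help.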