Merge pull request #66 from commjoen/gcp-2

WIP @ GCP setup test

Dockerfile.web

@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/addo-example:ENV-test3-no-vault
+FROM jeroenwillemsen/addo-example:ENV-test4-no-vault
 
-ARG argBasedVersion="1.0.2B"
+ARG argBasedVersion="1.0.2C"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)
 CMD java -jar -Dserver.port=$PORT -Dspring.profiles.active=without-vault application.jar

aws/k8s/secret-challenge-vault-deployment.yml

@@ -33,7 +33,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/addo-example:1.0.2-k8s-vault
+        - image: jeroenwillemsen/addo-example:ENV-test4-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

gcp/README.md

@@ -24,7 +24,7 @@ Make sure you have an active account at GCP for which you have configured the cr
 
 **Note-III**: The cluster you create has its access bound to the public IP of the creator. In other words: the cluster you create with this code has its access bound to your public IP-address if you apply it locally.
 
-1. check whether you have the right project by doing `gcloud config list`.
+1. check whether you have the right project by doing `gcloud config list`. Otherwise configure it by doing `gcloud init`.
 2. Run `gcloud auth application-default login` to be able to use your account credentials for terraform.
 3. Enable the required gcloud services using `gcloud services enable compute.googleapis.com container.googleapis.com`
 4. Run `terraform init` (if required, use tfenv to select TF 0.14.0 or higher )

gcp/iam.tf

@@ -7,17 +7,24 @@ resource "google_service_account" "wrongsecrets_workload" {
   display_name = "WrongSecrets Workload Service Account"
 }
 
+resource "random_integer" "int" {
+  min = 10000
+  max = 99999
+}
+
+
 resource "google_iam_workload_identity_pool" "pool" {
   provider                  = google-beta
-  workload_identity_pool_id = var.project_id
+  workload_identity_pool_id = "${var.project_id}-${random_integer.int.result}"
   project                   = var.project_id
+  display_name              = "WrongSecrets"
 }
 
 resource "google_service_account_iam_member" "wrongsecret_pod_sa" {
   service_account_id = google_service_account.wrongsecrets_workload.id
   role               = "roles/iam.workloadIdentityUser"
   member             = "serviceAccount:${var.project_id}.svc.id.goog[default/vault]"
-  depends_on = [
+  depends_on         = [
     google_iam_workload_identity_pool.pool,
     google_container_cluster.gke
   ]
@@ -28,7 +35,7 @@ resource "google_service_account_iam_member" "wrongsecret_wrong_pod_sa" {
   service_account_id = google_service_account.wrongsecrets_workload.id
   role               = "roles/iam.workloadIdentityUser"
   member             = "serviceAccount:${var.project_id}.svc.id.goog[default/default]"
-  depends_on = [
+  depends_on         = [
     google_iam_workload_identity_pool.pool,
     google_container_cluster.gke
   ]

gcp/k8s/secret-challenge-vault-deployment.yml

@@ -33,7 +33,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/addo-example:1.0.0-k8s-vault
+        - image: jeroenwillemsen/addo-example:ENV-test4-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

src/main/java/com/example/secrettextprinter/SecretLeakageController.java

@@ -21,7 +21,6 @@
 import software.amazon.awssdk.services.sts.model.StsException;
 
 import javax.servlet.http.HttpSession;
-import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -42,28 +41,28 @@ public SecretLeakageController(Vaultpassword vaultpassword) {
     }
 
     @Value("${password}")
-    String hardcodedPassword;
+    private String hardcodedPassword;
 
     @Value("${ARG_BASED_PASSWORD}")
-    String argBasedPassword;
+    private String argBasedPassword;
 
     @Value("${DOCKER_ENV_PASSWORD}")
-    String hardcodedEnvPassword;
+    private String hardcodedEnvPassword;
 
     @Value("${SPECIAL_K8S_SECRET}")
-    String configmapK8sSecret;
+    private String configmapK8sSecret;
 
     @Value("${SPECIAL_SPECIAL_K8S_SECRET}")
-    String secretK8sSecret;
+    private String secretK8sSecret;
 
     @Value("${vaultpassword}")
-    String vaultPasswordString;
+    private String vaultPasswordString;
 
     @Value("${default_aws_value}")
-    String awsDefaultValue;
+    private String awsDefaultValue;
 
     @Value("${secretmountpath}")
-    String filePath;
+    private String filePath;
 
     @Value("${K8S_ENV}")
     private String k8sEnvironment;
@@ -85,12 +84,6 @@ public String getHardcodedSecret(Model model) {
         return getSpoil(model, hardcodedPassword);
     }
 
-    private String getSpoil(Model model, String password) {
-        model.addAttribute("spoil", new Spoil());
-        model.addAttribute("solution", password);
-        return "spoil";
-    }
-
     @GetMapping("/spoil-2")
     public String getEnvArgBasedSecret(Model model) {
         return getSpoil(model, argBasedPassword);
@@ -130,20 +123,26 @@ public String getRandCode(Model model) {
     }
 
     @GetMapping("/spoil-9")
-    public String getAWSChanngelenge1(Model model) {
-        return getSpoil(model, getAWSChallenge9and10Value("wrongsecret"));
+    public String getCloudChallenge1(Model model) {
+        return getSpoil(model, getCloudChallenge9and10Value("wrongsecret"));
     }
 
     @GetMapping("/spoil-10")
-    public String getAWSChanngelenge2(Model model) {
-        return getSpoil(model, getAWSChallenge9and10Value("wrongsecret-2"));
+    public String getCloudChallenge2(Model model) {
+        return getSpoil(model, getCloudChallenge9and10Value("wrongsecret-2"));
     }
 
     @GetMapping("/spoil-11")
-    public String getAWSChanngelenge3(Model model) {
+    public String getCloudChallenge3(Model model) {
         return getSpoil(model, getAWSChallenge11Value());
     }
 
+    private String getSpoil(Model model, String password) {
+        model.addAttribute("spoil", new Spoil());
+        model.addAttribute("solution", password);
+        return "spoil";
+    }
+
     @GetMapping("/")
     public String rootPage(Model model, HttpSession session) {
         model.addAttribute("version", version);
@@ -165,8 +164,21 @@ public String challengeForm(@PathVariable String id, Model model, HttpSession se
         model.addAttribute("answerCorrect", null);
         model.addAttribute("answerIncorrect", null);
         model.addAttribute("solution", null);
-        includeScoringStatus(newScore, Integer.parseInt(id), model);
-        addWarning(Integer.parseInt(id), model);
+        model.addAttribute("environment", k8sEnvironment);
+        int challengeNumber = 0;
+        try {
+            challengeNumber = Integer.parseInt(id);
+        } catch (NumberFormatException e) {
+            challengeNumber = 12;
+        }
+        if (challengeNumber > 11) {
+            challengeNumber = 1;
+            model.addAttribute("runtimeWarning", "There are only 11 challenges, please navigate to another one");
+        }
+        model.addAttribute("challengeNumberNumber", challengeNumber);
+
+        includeScoringStatus(newScore, challengeNumber, model);
+        addWarning(challengeNumber, model);
         return "challenge";
     }
 
@@ -249,14 +261,14 @@ public String postController8(@ModelAttribute ChallengeForm challengeForm, Model
     public String postController9(@ModelAttribute ChallengeForm challengeForm, Model model, HttpSession session) {
         log.info("POST received at 9 - serializing form: solution: " + challengeForm.getSolution());
         model.addAttribute("challengeNumber", 9);
-        return handleModel(session, getAWSChallenge9and10Value("wrongsecret"), challengeForm.getSolution(), model, 8);
+        return handleModel(session, getCloudChallenge9and10Value("wrongsecret"), challengeForm.getSolution(), model, 8);
     }
 
     @PostMapping("/challenge/10")
     public String postController10(@ModelAttribute ChallengeForm challengeForm, Model model, HttpSession session) {
         log.info("POST received at 10 - serializing form: solution: " + challengeForm.getSolution());
         model.addAttribute("challengeNumber", 10);
-        return handleModel(session, getAWSChallenge9and10Value("wrongsecret-2"), challengeForm.getSolution(), model, 9);
+        return handleModel(session, getCloudChallenge9and10Value("wrongsecret-2"), challengeForm.getSolution(), model, 9);
     }
 
     @PostMapping("/challenge/11")
@@ -281,7 +293,7 @@ private String handleModel(HttpSession session, String targetPassword, String gi
     }
 
     private void addWarning(int id, Model model) {
-        if ("if_you_see_this_please_use_docker_instead".equals(argBasedPassword) && (id < 5 || 8 == id)) {
+        if ("if_you_see_this_please_use_docker_instead".equals(argBasedPassword) && ((1 < id && id < 5) || 8 == id)) {
             model.addAttribute("runtimeWarning", "We are running outside of a docker container. Please run this in a container as explained in the README.md.");
         }
         if ((5 == id || 6 == id) && "if_you_see_this_please_use_k8s".equals(configmapK8sSecret)) {
@@ -290,8 +302,11 @@ private void addWarning(int id, Model model) {
         if (7 == id && vaultPassword.getPasssword() == null) {
             model.addAttribute("runtimeWarning", "We are running outside of a K8s cluster with Vault. Please run this in the K8s cluster as explained in the README.md.");
         }
-        if ((9 == id || 10 == id || 11 == id) && "if_you_see_this_please_use_AWS_Setup".equals(awsRoleArn)) {
-            model.addAttribute("runtimeWarning", "We are running outside of a properly configured AWS environment. Please run this in an AWS environment as explained in the README.md.");
+        if ((9 == id || 10 == id) && (!"gcp".equals(k8sEnvironment)) && (!"aws".equals(k8sEnvironment))) {
+            model.addAttribute("runtimeWarning", "We are running outside of a properly configured AWS or GCP environment. Please run this in an AWS or GCP environment as explained in the README.md.");
+        }
+        if ((11 == id) && (!"aws".equals(k8sEnvironment))) {
+            model.addAttribute("runtimeWarning", "We are running outside of a properly configured AWS environment. Please run this in an AWS environment as explained in the README.md. GCP is not done yet");
         }
     }
 
@@ -304,7 +319,7 @@ private void includeScoringStatus(InMemoryScoring scoring, int id, Model model)
         }
     }
 
-    private String getAWSChallenge9and10Value(String fileName) {
+    private String getCloudChallenge9and10Value(String fileName) {
         try {
             Path filePath = Paths.get(this.filePath, fileName);
             return Files.readString(filePath);

src/main/resources/explanations/challenge10-gcp.adoc

@@ -0,0 +1,3 @@
+=== Challenge 10: GCP Secret Manager part 2
+
+The secret is now randomized and stored directly in the cloud's Secret(s) manager. We're still mounting it to the K8s pod via the https://secrets-store-csi-driver.sigs.k8s.io[CSI driver] for https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp[GCP] though... Can you access it?

src/main/resources/explanations/challenge10.adoc

@@ -1,3 +1,3 @@
-=== Challenge 10: AWS Secrets Manager / GCP Secret Manager part 2
+=== Challenge 10: AWS Secrets Manager
 
-The secret is now randomized and stored directly in the cloud's Secret(s) manager. We're still mounting it to the K8s pod via the https://secrets-store-csi-driver.sigs.k8s.io[CSI driver] for https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html[AWS] or https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp[GCP] though... Can you access it?
+The secret is now randomized and stored directly in the cloud's Secret(s) manager. We're still mounting it to the K8s pod via the https://secrets-store-csi-driver.sigs.k8s.io[CSI driver] for https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html[AWS] though... Can you access it?

src/main/resources/explanations/challenge12.adoc → src/main/resources/explanations/challenge11-gcp.adoc

@@ -1,4 +1,4 @@
-=== Challenge 12: GCP Secret Manager part 3
+=== Challenge 11: GCP Secret Manager part 3
 
 In our GKE cluster, there's a service account for workloads, which maps to a service account in kubernetes. 
 

src/main/resources/explanations/challenge9-gcp.adoc

@@ -0,0 +1,5 @@
+=== Challenge 9: GCP Secret Manager part 1
+
+Okay, now we're generating a secret through Terraform and storing that with our Cloud Provider. What happens in the Terraform state?
+
+You can try to find the secret by sniffing through your `terraform.tfstate` files using https://github.com/trufflesecurity/truffleHog[*Trufflehog*].

src/main/resources/explanations/challenge9.adoc

@@ -1,4 +1,4 @@
-=== Challenge 9: AWS Secrets Manager / GCP Secret Manager part 1
+=== Challenge 9: AWS Secrets Manager
 
 Okay, now we're generating a secret through Terraform and storing that with our Cloud Provider. What happens in the Terraform state?
 

src/main/resources/templates/challenge.html

@@ -66,7 +66,14 @@
 <div class="container">
     <h1 th:text="'Challenge '+${challengeNumber}"/>
     <p th:text="'Welcome to challenge ' + ${challengeNumber} + '. You need to guess the secret that is hidden in the java, docker, k8s, Vault or AWS.'"></p>
-    <div class="explanation" th:replace="doc:challenge__${challengeNumber}__.adoc"></div>
+    <div th:if="${ environment =='gcp'} and ${ challengeNumberNumber  &gt; 8} "
+         class="explanation">
+        <div th:replace="doc:challenge__${challengeNumber}+'-gcp'__.adoc"></div>
+    </div>
+    <div th:if="${ environment !='gcp'} and ${challengeNumberNumber &gt; 8} "
+         class="explanation">
+        <div th:replace="doc:challenge__${challengeNumber}__.adoc"></div>
+    </div>
     <div th:text="${challengeCompletedAlready}"></div>
     <div class="feedback alert alert-success" role="alert" th:if="${answerCorrect!=null}"
          th:text="${answerCorrect}"></div>

src/main/resources/templates/index.html

@@ -80,8 +80,7 @@ <h1 class="display-4"> Welcome </h1>
                 <a href="challenge/8">Challenge 8 (requires Docker)</a><br/>
                 <a href="challenge/9">Challenge 9 (requires AWS or GCP)</a><br/>
                 <a href="challenge/10">Challenge 10 (requires AWS or GCP)</a><br/>
-                <a href="challenge/11">Challenge 11 (requires AWS)</a><br/>
-                <a href="challenge/12">Challenge 12 (requires GCP)</a><br/>
+                <a href="challenge/11">Challenge 11 (requires AWS or GCP-WIP)</a><br/>
             </p>
             <p>Don't want to wait for Vault? here is <a href="spoil-7">the secret :(</a>.</p>
             <p th:text="'You are currently running on the following environment: '+${environment}"></p>