Disable secret binding

There are questions that need to be further explored about the implications of supporting secret binding. Exposing the secret name would potentially expose an enumeration attack again other secrets in the namespace.
scothis · May 7, 2020 · 990504f · 990504f
1 parent de67384
commit 990504f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 38 deletions.
diff --git a/pkg/apis/build/v1alpha1/build_validation.go b/pkg/apis/build/v1alpha1/build_validation.go
@@ -95,6 +95,10 @@ func (b *Binding) Validate(context context.Context) *apis.FieldError {
 		errs = errs.Also(apis.ErrMissingField("metadataRef.name"))
 	}
 
+	if b.SecretRef != nil {
+		// TODO(scothis) allow secrets once the security implications are better understood
+		errs = errs.Also(apis.ErrDisallowedFields("secretRef"))
+	}
 	if b.SecretRef != nil && b.SecretRef.Name == "" {
 		// secretRef is optional
 		errs = errs.Also(apis.ErrMissingField("secretRef.name"))

diff --git a/pkg/apis/build/v1alpha1/build_validation_test.go b/pkg/apis/build/v1alpha1/build_validation_test.go
@@ -187,7 +187,12 @@ func testBuildValidation(t *testing.T, when spec.G, it spec.S) {
 				},
 			}
 
-			assertValidationError(build, apis.ErrMissingField("spec.bindings[0].secretRef.name"))
+			assertValidationError(build,
+				(&apis.FieldError{}).Also(
+					apis.ErrDisallowedFields("spec.bindings[0].secretRef"),
+					apis.ErrMissingField("spec.bindings[0].secretRef.name"),
+				),
+			)
 		})
 
 		it("validates bindings name uniqueness", func() {
@@ -199,7 +204,6 @@ func testBuildValidation(t *testing.T, when spec.G, it spec.S) {
 				{
 					Name:        "not-apm",
 					MetadataRef: &corev1.LocalObjectReference{Name: "metadata"},
-					SecretRef:   &corev1.LocalObjectReference{Name: "secret"},
 				},
 				{
 					Name:        "apm",

diff --git a/samples/image_with_service_bindings.yaml b/samples/image_with_service_bindings.yaml
@@ -18,28 +18,6 @@ spec:
       metadataRef:
         name: sample-binding-metadata
 ---
-apiVersion: build.pivotal.io/v1alpha1
-kind: Image
-metadata:
-  name: sample-binding-with-secret
-spec:
-  tag: sample/image-with-binding-secret
-  builder:
-    kind: Builder
-    name: sample-builder
-  serviceAccount: service-account
-  source:
-    git:
-      url: https://github.com/buildpack/sample-java-app.git
-      revision: 0eccc6c2f01d9f055087ebbf03526ed0623e014a
-  build:
-    bindings:
-    - name: sample
-      metadataRef:
-        name: sample-binding-metadata
-      secretRef:
-        name: sample-binding-secret
----
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -48,17 +26,3 @@ data:
   kind: mysql
   provider: sample
   tags: ""
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: sample-binding-secret
-type: Opaque
-stringData:
-  hostname: localhost
-  jdbcUrl: jdbc:mysql://localhost:3306/default?user=root&password=
-  name: default
-  password: ""
-  port: "3306"
-  uri: mysql://root:@localhost:3306/default?reconnect=true
-  username: root