Off to a late start today. I had to take care of a few things first to ensure the Lego Users Group had access to space at the Blue Ridge Arts Council tomorrow. I also spent some time setting up a trip in two months and booking a hotel.
With the error log application up and running, it’s time to work on Secrets. I had previously set up some endpoints and a bare-bones UI to manage it. Now that I’ve set up an Angular project, let’s see how far I can get with setting up the secrets.

Secrets
I’m going to copy the Angular project from errors as a baseline to start with.
Tada!

I’m now able to log in and log out of the secrets manager. The home page only shows two buttons at the moment. It’s enough to have something to work with.
I had to modify a few things, set up a new FTP account, create build server secrets, etc. I ran into a few bugs along the way and found myself making changes in both the secrets and errors repositories. I’ll eventually need to set up Composer so that I can share some common files between projects.
Well, getting that set up in less than an hour just blew away the time it took to do the same for error logs. Most of the time was spent on the PHP scripts, removing the old UI code and converting over to use the authorization bearer token. Previously, the secrets were only protected with 2FA – no accounts. I was able to use the account logic from the error log application, but with one small modification. If an account doesn’t exist when you log in, your credentials are used to create a new account.
Tired
I didn’t get much sleep today. I’m tired. I have a big day ahead of me tomorrow with a few events, so I won’t be able to get much work done until the evening. Unfortunately, that means the secret manager is going to be delayed by about a day’s work.
Wrap Up
- Set up Angular project for Secrets
- Brought over secret API endpoints from dev-api
- Removed bare-bones HTML UI
- Set up GitHub Actions build script (YAML)
- Created FTP account
- Set up GitHub secrets for YAML script
- Login, logout, and change password/2FA
- Automate account creation on first login
Secrets already has a few established endpoints. I just need to create an interface for them.
- Rotate/Transfer keys
- Get/Set secrets
- Set up database, encryption, pepper, recovery
- Display status
The main thing I need to address is recovery, since I will not be able to log in while restoring the secrets manager. The login page needs to link to the recovery page. I also need to ensure that recovery isn’t exposed to anyone. If someone enters valid database credentials for their own remote server, they could mess things up. I could restrict the database host to localhost. That would reduce the problem to clients that share the same hosted server. It may come down to changing .htaccess to enable recovery mode. Either way, a security hole needs to be addressed. Even the key management system is vulnerable if you know what to do. Wait – I forgot about the recovery key requirement. I think it’s fine. Either way, I need to verify that I don’t have any potential vulnerabilities.
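One way the three controls above (an explicit recovery-mode switch, the recovery key requirement, and a localhost-only database host) can be combined in front of the PHP recovery endpoint. This is an added example, not code from the secrets project; the marker file path, the allowed-host list, and the request field names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code). Recovery mode is an operator-created
// marker file that is removed once the restore is done; the recovery key is
// checked against its stored password_hash(); the database host must be local.
// RECOVERY_MODE_FILE, ALLOWED_DB_HOSTS and the field names are assumptions.
const RECOVERY_MODE_FILE = __DIR__ . '/recovery.enabled';
const ALLOWED_DB_HOSTS = ['localhost', '127.0.0.1', '::1'];

function recoveryModeEnabled(): bool
{
    return is_file(RECOVERY_MODE_FILE);
}

/**
 * Returns null when the request may proceed, otherwise the reason it was refused.
 * $expectedKeyHash is the password_hash() of the recovery key issued at setup.
 */
function validateRecoveryRequest(array $req, string $expectedKeyHash, bool $modeEnabled): ?string
{
    if (!$modeEnabled) {
        return 'recovery mode is not enabled';
    }
    // Check the key before anything else, so an unauthenticated caller learns
    // nothing about which hosts or fields are accepted.
    $key = $req['recovery_key'] ?? '';
    if (!is_string($key) || !password_verify($key, $expectedKeyHash)) {
        return 'invalid recovery key';
    }
    // Refuse any host that is not local, so the endpoint cannot be pointed at
    // a database the caller controls.
    $host = $req['db_host'] ?? '';
    if (!in_array($host, ALLOWED_DB_HOSTS, true)) {
        return 'database host must be local';
    }
    foreach (['db_name', 'db_user', 'db_pass'] as $field) {
        if (!isset($req[$field]) || !is_string($req[$field])) {
            return "missing $field";
        }
    }
    return null;
}

// Constructed sample request pointing at a remote host; the hash stands in for
// the stored one, and recovery mode is passed as enabled for the demonstration.
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$sample = ['recovery_key' => 'correct horse battery staple', 'db_host' => '203.0.113.5',
    'db_name' => 'secrets', 'db_user' => 'app', 'db_pass' => 'pw'];
echo validateRecoveryRequest($sample, $hash, true) ?? 'ok', PHP_EOL;
```

With the marker file absent, the same request is refused before the key or host is even inspected, which is the behaviour the .htaccess-style switch is meant to give.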
