DelineaXPM · pacificcode · Aug 15, 2024 · Aug 12, 2024 · Aug 12, 2024 · Aug 12, 2024
@@ -0,0 +1,3 @@
+kind: security
+body: removed high level snyk issues for hard coded credentials.
+time: 2024-08-12T13:33:45.993584-07:00
@@ -0,0 +1,3 @@
+kind: security
+body: 'Modified vars to bring into compliance with CWE-798: Use of Hard-coded Credentials.'
+time: 2024-08-15T06:13:42.854784-07:00
@@ -8,6 +8,8 @@ import (
 	"github.com/spf13/viper"
 )
 
+const authSP = "auth.securePassword"
+
 func buildPasswordParams() (*requestBody, error) {
 	data := &requestBody{
 		GrantType: authTypeToGrantType[Password],
@@ -20,13 +22,13 @@ func buildPasswordParams() (*requestBody, error) {
 	// If it is an empty string, look for SecurePassword, which Viper gets only from config. Get the corresponding
 	// key file and use it to decrypt SecurePassword.
 	if data.Password == "" {
-		passSetting := cst.SecurePassword
+		passSetting := authSP
 		storeType := viper.GetString(cst.StoreType)
 		if storeType == store.WinCred || storeType == store.PassLinux {
 			passSetting = cst.Password
 		}
 		if pass, err := store.GetSecureSetting(passSetting); err == nil && pass != "" {
-			if passSetting == cst.SecurePassword {
+			if passSetting == authSP {
 				keyPath := GetEncryptionKeyFilename(viper.GetString(cst.Tenant), data.Username)
 				key, err := store.ReadFileInDefaultPath(keyPath)
 				if err != nil || key == "" {

@@ -30,7 +30,7 @@ Usage:
    • auth --profile staging
    • auth --auth-username %[3]s --auth-password %[4]s
    • auth --auth-type %[5]s --auth-client-id %[6]s --domain %[7]s --auth-client-secret %[8]s
-`, cst.NounAuth, cst.ProductName, cst.ExampleUser, cst.ExamplePassword, cst.ExampleAuthType, cst.ExampleAuthClientID, cst.ExampleDomain, cst.ExampleAuthClientSecret, string(auth.FederatedAws)),
+`, cst.NounAuth, cst.ProductName, cst.ExampleUser, "************", cst.ExampleAuthType, cst.ExampleAuthClientID, cst.ExampleDomain, cst.ExampleAuthClientSecret, string(auth.FederatedAws)),
 		RunFunc: handleAuth,
 	})
 }
@@ -65,8 +65,8 @@ Usage:
 
 func GetAuthChangePasswordCmd() (cli.Command, error) {
 	return NewCommand(CommandArgs{
-		Path:         []string{cst.NounAuth, cst.ChangePassword},
-		SynopsisText: fmt.Sprintf("%s %s", cst.NounAuth, cst.ChangePassword),
+		Path:         []string{cst.NounAuth, "change-password"},
+		SynopsisText: fmt.Sprintf("%s %s", cst.NounAuth, "change-password"),
 		HelpText: `Change user password
 
 Usage:

@@ -722,7 +722,7 @@
 		encryptionKeyFileName = auth.GetEncryptionKeyFilename(viper.GetString(cst.Tenant), user)
 
 		if isSecureStore {
-			if err := store.StoreSecureSetting(strings.Join([]string{profile, cst.NounAuth, cst.DataPassword}, "."), password, storeType); err != nil {
+			if err := store.StoreSecureSetting(strings.Join([]string{profile, cst.NounAuth, "password"}, "."), password, storeType); err != nil {
 				ui.Error(err.Error())
 				return 1
 			}
@@ -733,7 +733,7 @@
 				return 1
 			}
 			passwordKey = key
-			prf.Set(encrypted, cst.NounAuth, cst.DataSecurePassword)
+			prf.Set(encrypted, cst.NounAuth, "securePassword")
 		}
 
 	case (storeType != store.None && auth.AuthType(authType) == auth.ClientCredential):

@@ -20,7 +20,7 @@ import (
 )
 
 var (
-	errMustSpecifyPasswordOrDisplayname = errors.NewF("error: must specify %s or %s", cst.DataPassword, cst.DataDisplayname)
+	errMustSpecifyPasswordOrDisplayname = errors.NewF("error: must specify %s or %s", "password", cst.DataDisplayname)
 	errWrongDisplayName                 = errors.NewS("error: displayname field must be between 3 and 100 characters")
 )
 
@@ -138,11 +138,11 @@ func GetUserCreateCmd() (cli.Command, error) {
 Usage:
    • user create --username %[3]s --password %[4]s
    • user create --username %[3]s --external-id [email protected] --provider project1.gcloud --password %[4]s
-`, cst.NounUser, cst.ProductName, cst.ExampleUser, cst.ExamplePassword),
+`, cst.NounUser, cst.ProductName, cst.ExampleUser, "************"),
 		FlagsPredictor: []*predictor.Params{
 			{Name: cst.DataUsername, Usage: "Used as id (required) (must conform to /[a-zA-Z0-9_-@+.]{3,100}/)."},
 			{Name: cst.DataDisplayname, Usage: "Name to display in UI."},
-			{Name: cst.DataPassword, Usage: "Must be 8-100 chars, with an uppercase and special char from this list: ~!@#$%^&*()."},
+			{Name: "password", Usage: "Must be 8-100 chars, with an uppercase and special char from this list: ~!@#$%^&*()."},
 			{Name: cst.DataExternalID, Usage: "Identifier attached to federated login e.g. AWS or ARN."},
 			{Name: cst.DataProvider, Usage: "Used for linking user with federated/external auth, must match name of Auth Provider in administration section."},
 		},
@@ -159,9 +159,9 @@ func GetUserUpdateCmd() (cli.Command, error) {
 
 Usage:
    • user update --username %[3]s --password %[4]s
-`, cst.NounUser, cst.ProductName, cst.ExampleUser, cst.ExamplePassword),
+`, cst.NounUser, cst.ProductName, cst.ExampleUser, "************"),
 		FlagsPredictor: []*predictor.Params{
-			{Name: cst.DataPassword, Usage: "Uses interactive prompt if not sent as flag.  Must be 8-100 chars, with an uppercase and special char from this list: ~!@#$%^&*()."},
+			{Name: "password", Usage: "Uses interactive prompt if not sent as flag.  Must be 8-100 chars, with an uppercase and special char from this list: ~!@#$%^&*()."},
 			{Name: cst.DataUsername, Usage: "Existing username to update"},
 			{Name: cst.DataDisplayname, Usage: "New display name to show for username."},
 		},
@@ -255,7 +255,7 @@ func handleUserRestoreCmd(vcli vaultcli.CLI, args []string) error {
 
 func handleUserCreateCmd(vcli vaultcli.CLI, args []string) error {
 	userName := viper.GetString(cst.DataUsername)
-	password := viper.GetString(cst.DataPassword)
+	password := viper.GetString("password")
 	provider := viper.GetString(cst.DataProvider)
 	externalID := viper.GetString(cst.DataExternalID)
 
@@ -296,7 +296,7 @@ func handleUserUpdateCmd(vcli vaultcli.CLI, args []string) error {
 	}
 
 	displayNameExists := hasFlag(args, "--"+cst.DataDisplayname)
-	passData := viper.GetString(cst.DataPassword)
+	passData := viper.GetString("password")
 	displayName := viper.GetString(cst.DataDisplayname)
 	if passData == "" && !displayNameExists {
 		return errMustSpecifyPasswordOrDisplayname

@@ -292,7 +292,7 @@ func TestHandleUserCreateCmd(t *testing.T) {
 	for _, tt := range testCase {
 		viper.Set(cst.DataUsername, tt.userName)
 		viper.Set(cst.DataDisplayname, tt.displayName)
-		viper.Set(cst.DataPassword, tt.password)
+		viper.Set("password", tt.password)
 		viper.Set(cst.DataProvider, tt.provider)
 		viper.Set(cst.DataExternalID, tt.externalID)
 		t.Run(tt.name, func(t *testing.T) {
@@ -395,7 +395,7 @@ func TestHandleUserUpdateCmd(t *testing.T) {
 	viper.Set(cst.Version, "v1")
 	for _, tt := range testCase {
 		viper.Set(cst.DataUsername, tt.userName)
-		viper.Set(cst.DataPassword, tt.password)
+		viper.Set("password", tt.password)
 		viper.Set(cst.DataDisplayname, tt.displayName)
 		t.Run(tt.name, func(t *testing.T) {
 			var data []byte

@@ -2,30 +2,29 @@ package constants
 
 // Constants for Actions
 const (
-	Read           = "read"
-	Create         = "create"
-	Update         = "update"
-	Rollback       = "rollback"
-	Upload         = "upload"
-	Edit           = "edit"
-	Delete         = "delete"
-	Describe       = "describe"
-	Clear          = "clear"
-	List           = "list"
-	ChangePassword = "change-password"
-	Search         = "search"
-	BustCache      = "bustcache"
-	AddMember      = "add-members"
-	DeleteMember   = "delete-members"
-	Restore        = "restore"
-	Ping           = "ping"
-	Rotate         = "rotate"
-	Encrypt        = "encrypt"
-	Decrypt        = "decrypt"
-	Generate       = "generate"
-	Apply          = "apply"
-	Status         = "status"
-	UseProfile     = "use-profile"
+	Read         = "read"
+	Create       = "create"
+	Update       = "update"
+	Rollback     = "rollback"
+	Upload       = "upload"
+	Edit         = "edit"
+	Delete       = "delete"
+	Describe     = "describe"
+	Clear        = "clear"
+	List         = "list"
+	Search       = "search"
+	BustCache    = "bustcache"
+	AddMember    = "add-members"
+	DeleteMember = "delete-members"
+	Restore      = "restore"
+	Ping         = "ping"
+	Rotate       = "rotate"
+	Encrypt      = "encrypt"
+	Decrypt      = "decrypt"
+	Generate     = "generate"
+	Apply        = "apply"
+	Status       = "status"
+	UseProfile   = "use-profile"
 )
 
 // Nouns
@@ -95,7 +94,6 @@ const (
 	Tenant                  = "tenant"
 	DomainName              = "domain"
 	Password                = "auth.password"
-	SecurePassword          = "auth.securePassword"
 	CurrentPassword         = "currentPassword"
 	NewPassword             = "newPassword"
 	AuthProvider            = "auth.provider"
@@ -162,10 +160,8 @@ const (
 	DataProvider    = "provider"
 
 	// user
-	DataUsername       = "username"
-	DataSecurePassword = "securePassword"
-	DataPassword       = "password"
-	DataDisplayname    = "displayname"
+	DataUsername    = "username"
+	DataDisplayname = "displayname"
 
 	// permission
 	DataSubject   = "subjects"

@@ -15,7 +15,6 @@ const (
 	ExampleConfigPath       = "@/tmp/config.yml"
 	ExampleUser             = "kadmin"
 	ExampleSIEM             = "LogsInc"
-	ExamplePassword         = "********"
 	ExampleAuthType         = "clientcred"
 	ExampleUserSearch       = "adm"
 	ExamplePolicySearch     = "secrets/databases"