From 0f3f605974917de898189191cf70b32b59a80f2c Mon Sep 17 00:00:00 2001
From: Tobias Henkel
Date: Sun, 11 Feb 2018 09:27:43 +0100
Subject: [PATCH] Emit a warning when using unsafe public key url
When encrypting secrets we use a public key retrieved from zuul. If we get this key from an unencrypted url a man in the middle attack could replace this encryption key. To make the user aware of this we should emit a warning when using untrusted key sources.
Change-Id: I7f26e93d863be710a558e15fa1d086b223f465bf
---
 tools/encrypt_secret.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/encrypt_secret.py b/tools/encrypt_secret.py
index 4cb1666319..45ad68ca6e 100755
--- a/tools/encrypt_secret.py
+++ b/tools/encrypt_secret.py
@@ -26,9 +26,11 @@ import textwrap
 try:
 from urllib.request import Request
 from urllib.request import urlopen
+ from urllib.parse import urlparse
 except ImportError:
 from urllib2 import Request
 from urllib2 import urlopen
+ from urlparse import urlparse
 DESCRIPTION = """Encrypt a secret for Zuul.
@@ -43,7 +45,6 @@ def main():
 parser.add_argument('url',
 help="The base URL of the zuul server and tenant. "
 "E.g., https://zuul.example.com/tenant-name")
- # TODO(jeblair): Throw a fit if SSL is not used.
 parser.add_argument('project',
 help="The name of the project.")
 parser.add_argument('--strip', action='store_true', default=False,
@@ -60,6 +61,15 @@ def main():
 "to standard output.")
 args = parser.parse_args()
+ # We should not use unencrypted connections for retrieving the public key.
+ # Otherwise our secret can be compromised. The schemes file and https are
+ # considered safe.
+ url = urlparse(args.url)
+ if url.scheme not in ('file', 'https'):
+ sys.stderr.write("WARNING: Retrieving encryption key via an "
+ "unencrypted connection. Your secret may get "
+ "compromised.\n")
+
 req = Request("%s/%s.pub" % (args.url.rstrip('/'), args.project))
 pubkey = urlopen(req)
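Review bot: In the `@@ -60,6 +61,15 @@` hunk the new scheme check only writes to stderr and then falls through to `urlopen(req)`, so over plain http the secret is still encrypted to whatever key the network returned, and a stderr warning is easy to miss when the tool runs from a script. Consider failing closed here, e.g. `parser.error("refusing to fetch the public key over an unencrypted connection")`, with an explicit opt-in switch (not present in this patch) for users who accept the risk. The check also inspects only `args.url`: urlopen follows redirects, so it would be worth comparing `urlparse(pubkey.geturl()).scheme` against the same tuple after the fetch. The comment's statement that https is safe presumably depends on the interpreter verifying certificates, which the `urllib2` fallback does not do by default on older Python 2 releases, so the comment should say so. `main()` begins and continues outside this hunk.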