In a recent update I saw mention of password_fields being encrypted encrypted. How does this work? I am running “ondemand-3.1.14-1”. When I set up a form field with “widget: password_field” I still see the password listed in clear text in the user_defined_context.json. Is there a way to prevent passwords that are entered from being leaked?
In a seperate question but related is there a way to pass information entered in a form to the users environment before the job is executed via environment variable, output to a text file, or file descriptor? What I am trying to do is have information entered in a field that is then accessible by a prolog or Slurm SPANK plugin.
Thanks, the job_environment may be handy for wrangling some of this. I have been playing around and having some luck simply adding some ruby before the — in the submit.yml.erb.
I do still see the password being listed in clear text in the user_defined_context.json. Is there a way to prevent this from being logged? At what point is this written? Would it be possible to unset this value before the .json file is written?
The issue is then getting this password into the app in a secure way. I had thought that setting cachable false would help with this. In the job output folder the file user_defined_context.json still clearly lists the value of the password_field. It looks like this is populated by batch_connect in the submit.yml.erb. The following is the top of my submit.yml.erb before batch_connect.
<%
require ‘fileutils’
Define keyfile path in user’s home directory
keyfile_path = File.join(Dir.home, “.keyfile”)
Set this for later use
ENV[‘LUKSPASS_FILE’] = keyfile_path
Make sure the parent directory exists
FileUtils.mkdir_p(File.dirname(keyfile_path))
Write the password from the form to the keyfile
File.open(keyfile_path, ‘w’) do |f|
f.puts lukspass
end
Set secure permissions: user read/write only
File.chmod(0600, keyfile_path)
Overwrite and clear lukspass
lukspass.replace(“X” * lukspass.length) if lukspass.respond_to?(:replace)
lukspass = nil
Optionally trigger garbage collection (not guaranteed, but helpful)
GC.start
%>
batch_connect:
I now see that it is at least being obscured in the user_defined_context.json.
From here the resulting password can be used by a Slurm SPANK plugin. This may still not be the best way of going about this but may be handy if anyone is running into a similar situation and would like to prevent things from being written in clear text.