Obscure sensitive Traffic Portal form fields #6981

Merged
merged 16 commits into from
Aug 4, 2022


ocket8888

This obscures sensitive text fields. <textarea> fields display blurred text except on hover or while being interacted with (e.g. holding down tap on mobile), and simple <input/> fields are input[type="password"]s by default, with a button that changes them to input[type="text"]s (and back again).

Partially addresses #6953.

The fields obscured are:

  • server ILO passwords
  • Delivery Service SSL private keys
  • Delivery Service "Header Rewrite" rule fields
  • Delivery Service "Raw Remap Text" field.

This also adds a re-usable component to the experimental Traffic Portal v2 that provides the <input> type attribute swapping as an Angular Material Forms-compatible form control value accessor, and uses it in place of the inline solution currently used on the login page as well as for the server details page's ILO Password field.


Which Traffic Control components are affected by this PR?

  • Traffic Portal

What is the best way to verify this PR?

Make sure the provided unit tests for the new TPv2 component have sufficient coverage and pass. Actual functionality is minimally impacted, so existing e2e tests should all still pass.

PR submission checklist

  • This PR has tests
  • This PR has JSDoc documentation
  • This PR has a CHANGELOG.md entry
  • This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY
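
The two obscuring behaviours described in this PR, sketched in plain JavaScript and CSS as an added example (this is not the Traffic Portal code from the PR). The `obscured` class, the `data-sensitive` attribute, the `button.reveal` selector, the blur radius and the function name are all assumptions made for the illustration.

```javascript
// Added example, not Traffic Portal code. Obscuring only hides the value
// from onlookers; it is still present in the DOM and in the form data.

// <textarea> case: blurred unless hovered, focused or pressed.
// The class name and blur radius are assumptions of this example.
const OBSCURE_CSS = `
textarea.obscured { filter: blur(4px); }
textarea.obscured:hover,
textarea.obscured:focus,
textarea.obscured:active { filter: none; }
`;

/**
 * Wires a show/hide button to a single-line input holding a secret.
 * Uses only `type`, `setAttribute` and `addEventListener` on the elements.
 * @returns {{reveal(): void, obscure(): void, isRevealed(): boolean}}
 */
function attachRevealToggle(input, button) {
  let revealed = false;
  const render = () => {
    input.type = revealed ? "text" : "password";
    // Keep assistive technology in sync with the visual state.
    button.setAttribute("aria-pressed", String(revealed));
    button.setAttribute("aria-label", revealed ? "Hide value" : "Show value");
  };
  const api = {
    reveal() { revealed = true; render(); },
    obscure() { revealed = false; render(); },
    isRevealed() { return revealed; },
  };
  button.type = "button"; // the toggle must never submit the form
  button.addEventListener("click", () => {
    if (revealed) api.obscure(); else api.reveal();
  });
  render(); // obscured by default
  return api;
}

// In a browser: install the stylesheet and wire up every marked field.
// `data-sensitive` and `button.reveal` are hypothetical markup conventions.
if (typeof document !== "undefined") {
  const style = document.createElement("style");
  style.textContent = OBSCURE_CSS;
  document.head.appendChild(style);
  for (const input of document.querySelectorAll("input[data-sensitive]")) {
    const button = input.parentElement.querySelector("button.reveal");
    if (button) attachRevealToggle(input, button);
  }
}
```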

@ocket8888 ocket8888 added Traffic Portal v1 related to Traffic Portal version 1 low impact affects only a small portion of a CDN, and cannot itself break one improvement The functionality exists but it could be improved in some way. Traffic Portal v2 Related to the experimental Traffic Portal version 2 labels Jul 22, 2022
@shamrickus shamrickus self-assigned this Jul 27, 2022
@ocket8888 ocket8888 force-pushed the tp/obscure-sensitive-form-fields branch from aab1a67 to eb98b42 Compare August 3, 2022 15:34

@shamrickus shamrickus left a comment


LGTM

@shamrickus shamrickus merged commit 2a87e2c into apache:master Aug 4, 2022
@ocket8888 ocket8888 deleted the tp/obscure-sensitive-form-fields branch August 4, 2022 14:19
zrhoffman pushed a commit to zrhoffman/trafficcontrol that referenced this pull request Oct 2, 2022
* Add some styling to be able to quickly re-use for obscurable text fields

* Remove _ from servers controller

* Make the ILO password field obscured by default

* obscure DS SSL private keys by default

* obscure remap text fields by default

* Add CHANGELOG entry

* Fix JSDoc required on both getter and setter of a single property

* Enumerate the allowable values of an HTML "autocomplete" attribute

* Add a reusable component that allows toggling revealing sensitive text

* Switch login component to use new obscured text input

* Switch server ILO password to use new obscurable text component

* Obscure "Header Rewrite" Delivery Service fields by default

* Update CHANGELOG

* Fix missing module import in unit tests

* Fix incorrect selectors in e2e tests

* Remove tabindex putting focus on non-interactable element