Remove password from credentials object #4661

Merged 6 commits on Mar 6, 2024

tariqajyusuf
Contributor

Fixes issue introduced in #2153

Description Of Changes

fides user login stores the plaintext password to the ~/.fides-credentials file. This removes the password since it's not actively used anywhere.

Code Changes

  • Remove password from the credentials object.

Steps to Confirm

  • Use fides user login and log in with credentials.
  • Open ~/.fides-credentials and ensure the password is not stored.

Pre-Merge Checklist

@daveqnet
Contributor

daveqnet commented Mar 5, 2024

Tested successfully on this PR branch:

fidesuser@a6c53654f2e8:/fides$ fides user login -u root_user -p Testpassword1!
2024-03-05 16:39:51.642 | DEBUG    |  - Logger configuration options in use | {'api_config': '{"destination": "", "colorize": false, "level": "DEBUG", "serialization": "", "log_pii": true}'}
> Loaded config from: /fides/src/fides/data/sample_project/fides.toml
Logged in as user: root_user
Credentials file written to: /home/fidesuser/.fides_credentials
fidesuser@a6c53654f2e8:/fides$ cat /home/fidesuser/.fides_credentials
username = "root_user"
user_id = "fidesadmin"
access_token = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..pwTMoiV7EhamS1a5L4_1fQ.VTtFQmo9UMrpgZ4IUfnkTJr_6mKCMQMhBfPIadi1L6fqAaicDtmR6Mn3XFAAp3v6IVrv35wV4hETRK5QPAu6KobLsmH8svLwi-TGHJ0WDS_ahq-qajJyfEeDc6So-ikERhxb9lRhKAAxsNVHhs4jm9LHE0u82kgQ-Au5GgTlkvG4qa83mY2QCheH7_-ROGa7tqcu0H31UlvDYoe_d0ruoVVqetxANZDKU8A_lG7wh5PvDEaDGbQiSt2LY7Zx8aS5rYV9ku8pkV6Ha0fa3DYV4DXG2VvJCo3eInAdoFjm2r1LL-qdxoKw6N1q5V4eInqS-EVKpwWQnB9x8ZMfyfeGH6n7BWwEqzaBQURm3-nong8VXFeoWrNdM2l0SEspi2vbT7ppLfyZ_0WkbQczu0tV_6V7Z9eT6svPDv3tNO16JC6oklGv8BjQL5dNFfNJCKgKVd16FkKO8wws8yu0Lg_N79bMAAHA4qE_5Z3qlCU4526MHo0AXlw6Tb-pfXHyPx02Y3LM7Lgx1TYZkuISQk8UslQB9xMtBu--IPekYccIBytRRGvkCL82qEE4Suaquz7bS_A3K1_wmRkA1t-7jJmC645Z6fuRT3mzuIi7TVtjNSd8wLOX8XiIZ93X6ulNIJDkkEql3qG-GQ7fzXdJ281NyRSHo9t7OdZhUvYmFJp1gZ3KZVFX1gEmDfyOrO5hjrMUpyxNV8_PAum_6LM7DsRjn2Fq7oZrguXdQI5x3DY9DjIBm4wIhpxGcTamZnQ2SG1HeQcy4Cr_egHJjoGO0J2W5WTITIQNhHtchakNXx9R4Ma4i97kYlI9HOEjp1ha5WXp-99MTkR9zaDa06ZF8gtcy0KvL9t9fswTGSx8-AgEzUTME4RpQgIpetedADasYjPh2KReNUiu34Hrc7spwAT2YHl543A7EGO-b5bDYtTNWotFgd0h67620GycdHxmXh5J3LBUbl0sisGAPEAA13s31U-Z-MuiiXrba4SLlsSnm6ugYpKbLC09nQsBruXn-93BccQbfNsStl3fSFh2ZCW3duLYU7XzzPDCS1wwvuO13jnU1uyZyvYVclrcqNl_qOgq2Ga2SJIZJhtoLkJBI71kUg3zZvHi0u_G2TCImIMTSuwi-oeFTNP31Ia_M3RnC1omJDGHIIkeSnCjPuYAtjAZGj074Ya1JcIWpnXKdT-9c5Bi6Rvw3SsohNpLkduOnMtnckPOOdIkBR-dHla5_KaHk-B20G5-HzCQXraFx2OqnNM5pgF-UUGeWQhbwTkP39fiBGwSTXHC9SiDuDnRtk8p2m-R6auZzZmwk6szUkE1-0dzliOM_WXlwf_OATfYO-7SgCaj2Q5qVXalIAk8WvMA-tFEvEEb9GrePA82p9jQzA_w2mFgw1KHF8Y9Yk7B3WiVKZaM8R4fQTf9XatwRRjxcphS4oHGxLpgv1n0mfiiRCN5EnxwuK-_VpZ94R8qBSbS_JNgGLNpvBrFgQVk5O2OCfWXTC21F9_D0bSmI0i1hEzUUE018UwGGH5RIig-GqF7r4JXr1VYcDGr12AESIoYcAA_sn8PjdduYdUNHy9hneXGnuMOzKfkG4Hv_oAAlZb3qybQnlfTlOOCfuGCr0Qk1rJeXIPbcF39GBhtKKxiD_Dsc0_9AISXDqaB8vi8yaJn1lrOLx3bEo11okXm0ng-IOR-25TtqbT1PMh1dtjDPIW9sYEs5oZkwpu55kdMYeaRbM-4IHA9Cqsd-a2_FHWL_BLUDHa-FHRohmotZTLo5dSAYG0ZawWCMDv4FG9IkpiJFY66cqSv8t8QhkeCjy7B3re0a1c1RzHDlo6RZCFVndckn7aIXe50qbvmejY9hHXr9VRnycW4TvVCN80OLOHYxRxwZ3ZqIIgfPMEgNFQsirIu_-cGR3srCZPjWYAovpOL
jzXo1ktr2jG8q0rgius-fP1X40FTL-zeT8YBG0C0EN1kiqmICrMnHoMOfwEy7pBB7zJ24ay_KUVOE3RpBdfuZSt6M2yaH76BI-aLbE_ILYMX4Z8x_mWGPegeqlvaoi8yuksVrWFp5bYHn-cm1EC4oyn117jLVq9UmZRntdDqD1gxCZAuA-EmzuhaGbGFU0W_wUSpbGOMnRZvlCoqAJFl0nBWper5iXLcyHj_2lhxAapdgJdSrDdxi_BqyU1pJWW_aslCvrhhPXpDMsV4nXaxX1o8CvxbMY8P9XOG6e7qNnri6j-KfEM3PgD9v5Qclv0L4JBIgmiuyw0TuL4xqJmivYd8WWAgzdLsLBAVRkxci2weh2-zemBGJuvjFNYzvuiAuoN1A7o6UpgtH4SARzq-lxq0qQ_d3aacaRK2qsubYWG4G0rP9ibAvebpQH3_dy8ncD4CThTKDWtIXA2Gv1D6WUktXkqICSARrC28i_Fx__kO6F_wWzngxtotINSCiR0TgJZUUGd2o22CdC7Y-wEykms3dzIvtpoJn3c5tErUIQwxW4G_ZZC2UusoO8is7K4U6r0jX97C8yFJRczSoQ32vUO4iFsKYndUnDOAOlqaMrvBzdySLnYT0nkI3PzK3akOV161tNeQU1UTexGvxzKMsZ5i-tCjDfSsfLiuQUkSEhGC1yELSAxD3OEp0hcK-g9j-HsTcLMovKEbGreFWKHeLhM4zpxdbTYlUNN1fPaUamW6qWvIlKU_uWwwA1NKi478-TAdApJhQEm_ZWKeusi8djsla4cLuLNBh7XNdEIxt-0AuK2h4PWyB2yO5q4hbCxWufsf-8q79kVWBn54wf87dLwksauKBQLdJPjw3Un_uXSrJ4kctTN87BYz2n9JuBb2nchQxRuS_UiOPUr9_9Ybss5Ym3E3D95a-wt9bRrbSU1VXQVVUhdaUxm9BreqokfFxUU4JNfTAdNV848XVdYFfcBFAtRjNyL70oy5MNJbC8JRkDkMzyU6eggJj05lxefHgSFVMD-UMqEDBaorPZTlTOiF9dDPcgqBwo1F7G0_QNbwAN4qXYE22WrlFzLoZ2IttzQbpMEYQYeUMSf_wVg4u2C0shmUPb_DxKnQDjFDyAN92o9U1r1-STsutLC5p5Lnhq1RE3zjzFuN5v4s-2ch15mRC5iKAnToJqThVbW5bEHZtpxgcmKlTXvmrVPKn7knpTX-0IUYCGAfoDM-3MACyRuY1EdJ0izU1nte9g8dOd_8j0emLacN0y23nrqgMX5ezqrvGeKwc6Cdp0bcwj1KmQ8bLwIH_JrqrX1ddydhB-oisqHYqkvwNtrHHr5PBOYcqNL_8d631S3Nox2IvIngKVuh2raGvkCHlLJsCG6ujxC82999npwcVBra1rNINkQ6hJlDqfM7bGvfBIn3CMG6CstZHdCkulFanXgci4Jj1yb9IEh_qQTSCw8plFotLANsozGHUmhpbeQs7uFwTcwtIPwK36uUoRLg3QTkIb3IIQhW6tFizOFvnf0zqVILawkp1JIsM-hPUIZOjfyc3U6w2_XxFv9ijSV0NJVJ6ZglXjMMNlc9Pnhxsmc2qFbBVYWFayHcQb8M34_MNbVsbAXnl-_ELL1SWdO57CQ.YyqYM-elsz7TkNjfrH3Alg"
fidesuser@a6c53654f2e8:/fides$ fides user permissions
2024-03-05 16:40:15.644 | DEBUG    |  - Logger configuration options in use | {'api_config': '{"destination": "", "colorize": false, "level": "DEBUG", "serialization": "", "log_pii": true}'}
> Loaded config from: /fides/src/fides/data/sample_project/fides.toml
Roles:
	owner
Associated scopes:
	cli-objects:create
	cli-objects:delete
	cli-objects:read
	cli-objects:update
	client:create
	client:delete
	client:read
	client:update
	config:read
	config:update
	connection:authorize
	connection:create_or_update
	connection:delete
	connection:instantiate
	connection:read
	connection_type:read
	connector_template:register
	consent:read
	consent_settings:read
	consent_settings:update
	ctl_dataset:create
	ctl_dataset:delete
	ctl_dataset:read
	ctl_dataset:update
	ctl_policy:create
	ctl_policy:delete
	ctl_policy:read
	ctl_policy:update
	current-privacy-preference:read
	data_category:create
	data_category:delete
	data_category:read
	data_category:update
	data_subject:create
	data_subject:delete
	data_subject:read
	data_subject:update
	data_use:create
	data_use:delete
	data_use:read
	data_use:update
	database:reset
	dataset:create_or_update
	dataset:delete
	dataset:read
	encryption:exec
	evaluation:create
	evaluation:delete
	evaluation:read
	evaluation:update
	fides_taxonomy:update
	generate:exec
	masking:exec
	masking:read
	messaging-template:update
	messaging:create_or_update
	messaging:delete
	messaging:read
	organization:create
	organization:delete
	organization:read
	organization:update
	policy:create_or_update
	policy:delete
	policy:read
	privacy-experience:create
	privacy-experience:read
	privacy-experience:update
	privacy-notice:create
	privacy-notice:read
	privacy-notice:update
	privacy-preference-history:read
	privacy-request-notifications:create_or_update
	privacy-request-notifications:read
	privacy-request:create
	privacy-request:delete
	privacy-request:read
	privacy-request:resume
	privacy-request:review
	privacy-request:transfer
	privacy-request:upload_data
	privacy-request:view_data
	rule:create_or_update
	rule:delete
	rule:read
	saas_config:create_or_update
	saas_config:delete
	saas_config:read
	scope:read
	storage:create_or_update
	storage:delete
	storage:read
	system:create
	system:delete
	system:read
	system:update
	system_manager:delete
	system_manager:read
	system_manager:update
	taxonomy:create
	taxonomy:delete
	taxonomy:update
	user-permission:assign_owners
	user-permission:create
	user-permission:read
	user-permission:update
	user:create
	user:delete
	user:password-reset
	user:read
	user:update
	validate:exec
	webhook:create_or_update
	webhook:delete
	webhook:read
Systems Under Management:
fidesuser@a6c53654f2e8:/fides$ fides user --help
2024-03-05 16:40:25.860 | DEBUG    |  - Logger configuration options in use | {'api_config': '{"destination": "", "colorize": false, "level": "DEBUG", "serialization": "", "log_pii": true}'}
> Loaded config from: /fides/src/fides/data/sample_project/fides.toml
                                                                                                                                                                                                                  
 Usage: fides user [OPTIONS] COMMAND [ARGS]...                                                                                                                                                                    
                                                                                                                                                                                                                  
 Click command group for interacting with user-related functionality.                                                                                                                                             
                                                                                                                                                                                                                  
╭─ Options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --help  -h    Show this message and exit.                                                                                                                                                                      │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ create       Use the credentials file to create a new user. Gives full permissions to the new user.                                                                                                            │
│ login        Authenticate with the webserver and generate a user access token. Then store those credentials in a credentials file.                                                                             │
│ permissions  List the directly-assigned scopes and roles available to the current user.                                                                                                                        │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

fidesuser@a6c53654f2e8:/fides$ fides user create dave Testpassword1!
2024-03-05 16:40:42.637 | DEBUG    |  - Logger configuration options in use | {'api_config': '{"destination": "", "colorize": false, "level": "DEBUG", "serialization": "", "log_pii": true}'}
> Loaded config from: /fides/src/fides/data/sample_project/fides.toml
User: 'dave' created and assigned permissions: ['owner']
fidesuser@a6c53654f2e8:/fides$ fides user login -u dave -p Testpassword1!
2024-03-05 16:40:54.639 | DEBUG    |  - Logger configuration options in use | {'api_config': '{"destination": "", "colorize": false, "level": "DEBUG", "serialization": "", "log_pii": true}'}
> Loaded config from: /fides/src/fides/data/sample_project/fides.toml
Logged in as user: dave
Credentials file written to: /home/fidesuser/.fides_credentials
fidesuser@a6c53654f2e8:/fides$ cat /home/fidesuser/.fides_credentials
username = "dave"
user_id = "fid_6e833147-242e-4d91-a4a7-6ef9a4124b95"
access_token = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..7glBmHCmCSymYHsW2SXFBw.CavsiBPZCUaDJVE-9-pcDsLomQuuNAmXd8ssP9PNviMHRgvffiQvHxhI5TQnG_TuxeQen_bHYTBKxj5bCGw_QgJjPrw10MK6Ojo9r7LhP5YC47bFbnvhuO_R3aYX8OQOrTgDT9Wf-18LtRRE3xhq-LaE1Ve-sUTjBIS_j22R2bcZXjd5xuk0.J30wsDYE6h7YBAx3qfQHZA"
fidesuser@a6c53654f2e8:/fides$ fides user permissions
2024-03-05 16:41:18.614 | DEBUG    |  - Logger configuration options in use | {'api_config': '{"destination": "", "colorize": false, "level": "DEBUG", "serialization": "", "log_pii": true}'}
> Loaded config from: /fides/src/fides/data/sample_project/fides.toml
Roles:
	owner
Associated scopes:
	cli-objects:create
	cli-objects:delete
	cli-objects:read
	cli-objects:update
	client:create
	client:delete
	client:read
	client:update
	config:read
	config:update
	connection:authorize
	connection:create_or_update
	connection:delete
	connection:instantiate
	connection:read
	connection_type:read
	connector_template:register
	consent:read
	consent_settings:read
	consent_settings:update
	ctl_dataset:create
	ctl_dataset:delete
	ctl_dataset:read
	ctl_dataset:update
	ctl_policy:create
	ctl_policy:delete
	ctl_policy:read
	ctl_policy:update
	current-privacy-preference:read
	data_category:create
	data_category:delete
	data_category:read
	data_category:update
	data_subject:create
	data_subject:delete
	data_subject:read
	data_subject:update
	data_use:create
	data_use:delete
	data_use:read
	data_use:update
	database:reset
	dataset:create_or_update
	dataset:delete
	dataset:read
	encryption:exec
	evaluation:create
	evaluation:delete
	evaluation:read
	evaluation:update
	fides_taxonomy:update
	generate:exec
	masking:exec
	masking:read
	messaging-template:update
	messaging:create_or_update
	messaging:delete
	messaging:read
	organization:create
	organization:delete
	organization:read
	organization:update
	policy:create_or_update
	policy:delete
	policy:read
	privacy-experience:create
	privacy-experience:read
	privacy-experience:update
	privacy-notice:create
	privacy-notice:read
	privacy-notice:update
	privacy-preference-history:read
	privacy-request-notifications:create_or_update
	privacy-request-notifications:read
	privacy-request:create
	privacy-request:delete
	privacy-request:read
	privacy-request:resume
	privacy-request:review
	privacy-request:transfer
	privacy-request:upload_data
	privacy-request:view_data
	rule:create_or_update
	rule:delete
	rule:read
	saas_config:create_or_update
	saas_config:delete
	saas_config:read
	scope:read
	storage:create_or_update
	storage:delete
	storage:read
	system:create
	system:delete
	system:read
	system:update
	system_manager:delete
	system_manager:read
	system_manager:update
	taxonomy:create
	taxonomy:delete
	taxonomy:update
	user-permission:assign_owners
	user-permission:create
	user-permission:read
	user-permission:update
	user:create
	user:delete
	user:password-reset
	user:read
	user:update
	validate:exec
	webhook:create_or_update
	webhook:delete
	webhook:read
Systems Under Management:
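
The confirmation step from the PR description, done by hand with `cat` in the session above, can be scripted. This is an added example, not code from the PR or from fides: it assumes the flat `key = "value"` layout shown above and that the pre-fix file used a key named `password`, and it adds an owner-only file mode check because the file still holds an access token. The function names, hint list and sample values are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Keys present in the credentials file after the change, per the session output above.
EXPECTED_KEYS = {"username", "user_id", "access_token"}
# Key-name fragments that suggest a stored secret (assumed list, not from fides).
SECRET_KEY_HINTS = ("password", "passwd", "pwd", "secret")
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*"(.*)"\s*$')


def parse_flat_toml(text):
    """Parse the flat `key = "value"` layout shown above; not a full TOML parser."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised line: {line!r}")
        entries[match.group(1)] = match.group(2)
    return entries


def audit_credentials_file(path):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} grants access beyond the owner")
    with open(path, encoding="utf-8") as handle:
        entries = parse_flat_toml(handle.read())
    for key in sorted(entries):
        if any(hint in key.lower() for hint in SECRET_KEY_HINTS):
            findings.append(f"key {key!r} stores a plaintext secret")
        elif key not in EXPECTED_KEYS:
            findings.append(f"unexpected key {key!r}")
    return findings


# Constructed samples: assumed layout before and after the change (values are made up).
BEFORE = 'username = "demo"\npassword = "example-only"\nuser_id = "id1"\naccess_token = "tok"\n'
AFTER = 'username = "demo"\nuser_id = "id1"\naccess_token = "tok"\n'


def demo():
    """Audit both constructed samples; returns (before_findings, after_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        results = []
        for name, body, mode in (("old", BEFORE, 0o644), ("new", AFTER, 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(body)
            os.chmod(path, mode)
            results.append(audit_credentials_file(path))
        return tuple(results)


if __name__ == "__main__":
    print(demo())
```

Point `audit_credentials_file` at the path printed by `fides user login` to run the same check against a real file.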

@daveqnet
Contributor

daveqnet commented Mar 5, 2024

There are some CI test failures, however, as the tests expect the password to be present e.g. https://github.com/ethyca/fides/blob/main/tests/ctl/core/test_user.py

=================================== FAILURES ===================================
____________________ TestCredentials.test_valid_credentials ____________________

self = <tests.ctl.core.test_user.TestCredentials object at 0x7fd79cda9190>

    def test_valid_credentials(self):
        credentials = Credentials(
            username="test",
            ***,
            user_id="some_id",
            access_token="some_token",
        )
        assert credentials.username == "test"
>       assert credentials.password == "password"
E       AttributeError: 'Credentials' object has no attribute 'password'

tests/ctl/core/test_user.py:28: AttributeError
=========================== short test summary info ============================

@adamsachs
Contributor

@tariqajyusuf thank you for the updates here!

to clear up the CI failure, i think you can just remove the password references in that test file. namely, removing L23 and L28 of tests/ctl/core/test_user.py.

let me know if you have any difficulties doing this or if you don't think it's the right approach! i can also make the changes for you if you'd prefer, just a bit lazy at the moment to check out your fork 😆 but happy to do it if that's better!

@tariqajyusuf
Contributor Author

No worries, fixed @adamsachs @daveqnet

codecov bot commented Mar 5, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.67%. Comparing base (1c2bed4) to head (a91c7c6).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4661      +/-   ##
==========================================
- Coverage   86.67%   86.67%   -0.01%     
==========================================
  Files         336      336              
  Lines       20090    20089       -1     
  Branches     2581     2581              
==========================================
- Hits        17414    17413       -1     
  Misses       2203     2203              
  Partials      473      473              


@daveqnet
Contributor

daveqnet commented Mar 5, 2024

Much appreciated @tariqajyusuf! Just one final request: can you add the following in the top Unreleased section of CHANGELOG.md link in the repo root please?

### Changed
- Modify `fides user login` to not store plaintext password in `~/.fides-credentials` [#4661](https://github.com/ethyca/fides/pull/4661)

I'd do it myself, but I'd have to request permissions on your fork or raise a separate PR - thanks!

@tariqajyusuf
Contributor Author

Done!

CHANGELOG.md Outdated
@@ -30,6 +30,7 @@ The types of changes are:

### Changed
- Update when GPP API reports signal status: ready [#4635](https://github.com/ethyca/fides/pull/4635)
- Modify `fides user login` to not store plaintext password in `~/.fides-credentials` [#4661](https://github.com/ethyca/fides/pull/4661)
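
Review bot: The added CHANGELOG line names the file `~/.fides-credentials` (hyphen), but the test session earlier in this conversation shows the CLI writing `/home/fidesuser/.fides_credentials` (underscore). Suggest using the file name the CLI actually writes, so a reader who wants to check an existing file for a stored password looks in the right place.
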
Contributor

Sorry Tariq, I should have been clearer, this changelog entry should go up further in the [Unreleased] section, not here in the [2.31.0] section.

Because of the timing, this particular change will be included in a later release than 2.31.0.

@tariqajyusuf
Contributor Author

Whoops that's my bad, was caught multitasking and put it in the wrong section

Contributor

@daveqnet daveqnet left a comment

Approved, with thanks!

@daveqnet daveqnet merged commit f48a227 into ethyca:main Mar 6, 2024
39 of 40 checks passed