aomi
Provide secrets to build and release pipelines in a self service way using Hashicorp Vault.
https://github.com/Autodesk/aomi/blob/84da2dfb0424837adf9c4ddc1aa352e942bb7a4a/aomi/cli.py#L365
https://github.com/Autodesk/aomi/blob/84da2dfb0424837adf9c4ddc1aa352e942bb7a4a/aomi/helpers.py#L218
Allowing user input to control paths used in file system operations could enable an attacker to access or modify otherwise protected system resources.

We found a problem about System Information Leak: Internal in aomi-master/aomi/cli.py. An internal information leak occurs when system data or debugging information is sent to a local file, console, or screen...
As of right now there are a bunch of hardcoded `Resource.path == cubbyhole` kinda statements. Should switch to having the default cubbyhole always be detected and handled, but other cubbyholes...
```
Connected to https://REDACTED:8200 as REDACTED, v0.7.0
generic backend already mounted on REDACTED
Ad-Hoc mount with Generic VarFile REDACTED/ALSO_REDACTED. Please specify explicit mountpoints.
```
Confirmed that `REDACTED` shows up as...
`aomi` does have some minimal permission requirements, namely being able to view mounts, and ideally create its operational tokens. This should be documented in a clear way, with sample policies....
Right now the docker container is pushed by `scripts/container`. We should probably have it as a travis `deploy` target to reduce complexity...
It appears it is only possible to mount `generic` secret backends from aomi currently, if I'm not mistaken? I need to provision database and PKCI backends so this is blocking...
It doesn't need any special permissions, this should be straightforward to actually do. It can probably even run as `nobody`.
There are some cases in which it would be nice to specify the policies used by the operational token. The default is to use whatever policies the requesting token has...