13:07:27 #startmeeting barbican
13:07:27 Meeting started Tue Jan 21 13:07:27 2020 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:07:28 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:07:30 The meeting name has been set to 'barbican'
13:07:35 \o/
13:07:52 #topic Roll Call
13:08:03 Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek
13:08:12 o/ again :)
13:09:43 Okay, let's get started!
13:10:24 #topic Secret-Consumers broke the TripleO gate
13:11:09 yep, wanted to bring that one up
13:11:25 Looks like the client can't handle changes to the API
13:11:36 so I'm going to make a workaround patch after the meeting
13:11:49 and then work on microversions so we don't break the client again
13:11:55 then work on the client so it doesn't break anymore
13:12:30 I should have the workaround patch up soon (just removing the API response bits)
13:12:48 and then I'll bug y'all for reviews.
13:12:55 any questions/comments?
13:14:12 works for me
13:17:19 ok, moving on
13:17:34 #topic Manipulation of ACL data in DB
13:17:56 This is an old security audit finding from the Newton cycle
13:18:14 #link https://review.opendev.org/#/c/357978/13/doc/source/artifacts/barbican/newton/review-findings.rst
13:18:26 Finding #1
13:18:57 basically, if an attacker can modify the database, then they can add arbitrary users to a Secret's ACL, and then retrieve the secret using the API
13:19:34 at the time, we talked about maybe signing acl rows
13:19:53 and then error out if the row fails to validate on retrieval
13:21:10 in any case, we should consider fixing it
13:21:29 or at least documenting that DB manipulation is a "Bad Thing"™
13:21:59 What do y'all think?
13:22:48 redrobot, I need to think about the problem a little bit more - but you are right, something has to be done :D
13:24:51 Luzi, cool, let's revisit this in a week or two
13:25:39 ok, moving on
13:25:53 #topic Barbican UI
13:26:10 nearyo, all yours
13:26:23 #link https://review.opendev.org/#/c/702399/
13:26:24 Hey, I finally reached a good point for the first contribution to the barbican-ui. With this contribution it is possible to list, show, create, update and delete secrets and their metadata. I left the metadata stuff inside for now, but I would say it's trivial to remove this (as we discussed in Shanghai).
13:26:33 https://review.opendev.org/#/c/702399/
13:26:51 nearyo, that is awesome news!
13:26:51 What do I have to do to assign this to someone? (It's my first contribution ^^)
13:27:40 I've added myself and ade_lee as reviewers, and I may go poke folks at the horizon channel to see if anyone could also review real quick
13:28:12 It may take me a while though, as I have not written/read any JS in years. 😅
13:28:14 Nice, thanks :)
13:29:16 Yeah the angular stuff was also "new" for me ^^
13:31:07 cool beans
13:31:22 man, it'll be awesome if we can ship this for the next release :D
13:31:30 I would say if we agree on this we can think about further panels for acls and orders.
13:31:49 nearyo, sounds good
13:32:15 Cool, that's all from my side. ;-)
13:32:42 coolness
13:32:48 #topic Liaison Updates
13:32:58 moguimar, forgot to ask if you had any updates from Oslo?
13:37:24 ...
13:37:31 I'll take that as a no
13:37:38 #topic Open Discussion
13:37:45 Any other topics we should talk about?
13:39:57 Alrighty then
13:40:01 thanks for coming, everyone!
13:40:09 See y'all next week
13:40:11 #endmeeting