From cc1177768b52bd6dc8834a61b422bf2e47b4b732 Mon Sep 17 00:00:00 2001
From: David Hollinger III
Date: Mon, 19 Dec 2022 15:52:15 -0600
Subject: [PATCH] remove plaintext cli auth from bolt

---
 README.md | 10 +++++--
 config/config.go | 10 +++---
 lib/orchestrators/bolt.go | 43 ------------------------------
 lib/orchestrators/orchestrators.go | 4 ---
 4 files changed, 11 insertions(+), 56 deletions(-)

diff --git a/README.md b/README.md
index 6d3ceb2..206d4a3 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,6 @@ orchestration:
 enabled: true
 type: bolt
 user: webhook
- password: password
 bolt:
 transport: local
 targets:
@@ -57,9 +56,16 @@ r10k: default_branch: main allow_uppercase: false verbose: true - ``` +#### Bolt authentication + +Due to the inherent security risk associated with passing plain text passwords to the Bolt CLI tool, all ability to set it within the application have been removed. + +Instead, it is recommended to instead utilize the Bolt [Transport configuration options](https://puppet.com/docs/bolt/latest/bolt_transports_reference.html) and place them within the `bolt-defaults.yaml` file. + +If you want to utilize an `inventory.yaml` and place the targets and auth config within that file, you can. Just be sure to remember to add the target name containing the nodes you need to the `webhook.yml` file + ### Server options #### `protected`
diff --git a/config/config.go b/config/config.go
index c0c7c2d..425434a 100644
--- a/config/config.go
+++ b/config/config.go
@@ -30,16 +30,12 @@ type Config struct {
 ServerUri string `mapstructure:"server_uri"`
 } `mapstructure:"chatops"`
 Orchestration struct {
- Enabled bool `mapstructure:"enabled"`
- Type *string `mapstructure:"type"`
- User *string `mapstructure:"user"`
- Password *string `mapstructure:"password"`
- Bolt *struct {
+ Enabled bool `mapstructure:"enabled"`
+ Type *string `mapstructure:"type"`
+ Bolt *struct {
 Transport *string `mapstructure:"transport"`
 Targets []string `mapstructure:"targets"`
 Concurrency *int64 `mapstructure:"concurrency"`
- RunAs *string `mapstructure:"run_as"`
- SudoPassword *string `mapstructure:"sudo_password"`
 HostKeyCheck bool `mapstructure:"host_key_check"`
 } `mapstructure:"bolt"`
 } `mapstructure:"orchestration"`
diff --git a/lib/orchestrators/bolt.go b/lib/orchestrators/bolt.go
index 8402324..65c9d21 100644
--- a/lib/orchestrators/bolt.go
+++ b/lib/orchestrators/bolt.go
@@ -15,10 +15,6 @@ type Bolt struct {
 Transport *string
 Targets []string
 Concurrency *int64
- RunAs *string
- SudoPassword *string
- User *string
- Password *string
 HostKeyCheck *bool
 }
@@ -56,19 +52,6 @@ func (b *Bolt) boltCommand(timeout time.Duration, command string) (*BoltResult,
 targets = strings.TrimSuffix(targets, ",")
 cmd = append(cmd, targets)
- // If the Bolt User is set add the user option to command run
- if b.User != nil {
- userArgs := []string{"-u", *b.User}
- cmd = append(cmd, userArgs...)
- }
-
- // If the Bolt User's Password is set, then add the user password
- // option to command run
- if b.Password != nil {
- passArgs := fmt.Sprintf("--password=%s", *b.Password)
- cmd = append(cmd, passArgs)
- }
-
 // If the Bolt Transport is set, then add the bolt transport option
 // to the bolt command
 if b.Transport != nil {
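Review bot: Dropping the `User`, `Password`, `RunAs` and `SudoPassword` fields means a `webhook.yml` that still carries `password:` or `sudo_password:` is, under a plain mapstructure decode, silently accepted and ignored, so an operator who has not migrated to `bolt-defaults.yaml` gets Bolt runs with no credentials instead of a startup error. If the decode is done through mapstructure/viper (the tags suggest so), consider `ErrorUnused: true` on the DecoderConfig (viper: `UnmarshalExact`) or an explicit check that fails loudly when any of the removed keys is present. The README example in this same patch still lists `user: webhook` although `User` is removed here, so that key is now dead and should be dropped from the example too. The `Config` struct begins outside the hunk.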
@@ -83,20 +66,6 @@ func (b *Bolt) boltCommand(timeout time.Duration, command string) (*BoltResult,
 cmd = append(cmd, concurrency...)
 }
- // If the Bolt RunAs option is set, then add the --run-as option to
- // the bolt command
- if b.RunAs != nil {
- runAs := []string{"--run-as", *b.RunAs}
- cmd = append(cmd, runAs...)
- }
-
- // If Bolt SudoPassword is set, then add the --sudoe-password option to
- // the bolt command
- if b.SudoPassword != nil {
- sudoPass := fmt.Sprintf("--sudo-password=%s", *b.SudoPassword)
- cmd = append(cmd, sudoPass)
- }
-
 // If the Bolt HostKeyCheck is set to false, then disable the host key check
 if *b.HostKeyCheck == false {
 cmd = append(cmd, "--no-host-key-check")
@@ -110,7 +79,6 @@ func (b *Bolt) boltCommand(timeout time.Duration, command string) (*BoltResult,
 // If the runCommand function fails, then return an error without a result
 out, err := runCommand(strings.Join(cmd, " "), timeout)
 if err != nil {
- cmd = sanitizeOutput(cmd)
 return nil, fmt.Errorf("Bolt: \"%s\": %s: %s", strings.Join(cmd, " "), string(out), err)
 }
@@ -143,14 +111,3 @@ func runCommand(command string, timeout time.Duration) ([]byte, error) {
 cmd := exec.Command(args[0], args[1:]...)
 return cmd.CombinedOutput()
 }
-
-func sanitizeOutput(cmd []string) []string {
- var sanitized []string
- for _, v := range cmd {
- if strings.HasPrefix(v, "--password") || strings.HasPrefix(v, "--sudo-password") {
- continue
- }
- sanitized = append(sanitized, v)
- }
- return sanitized
-}
diff --git a/lib/orchestrators/orchestrators.go b/lib/orchestrators/orchestrators.go
index 539a301..e4b3eae 100644
--- a/lib/orchestrators/orchestrators.go
+++ b/lib/orchestrators/orchestrators.go
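Review bot: With the `sanitizeOutput` call removed in the `@@ -110,7 +79,6 @@` hunk, the `fmt.Errorf` line now echoes the full Bolt argv unredacted, which is only safe because this patch removes every credential-bearing flag from `cmd`; that invariant should be stated next to the return so a later flag does not quietly reintroduce a leak, e.g. `// cmd carries no credentials (Bolt auth lives in bolt-defaults.yaml / inventory.yaml), so echoing it verbatim is safe`. While touching the line, the error string is capitalised and flattens the cause with `%s`; `return nil, fmt.Errorf("bolt %q: %s: %w", strings.Join(cmd, " "), out, err)` keeps it lowercase, quotes the command, and lets callers `errors.Is`/`errors.As` the underlying exec error. `boltCommand` starts and ends outside the hunk.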
@@ -24,10 +24,6 @@ func Deploy(cmd string) (interface{}, error) {
 boltRunner := Bolt{
 Transport: orch.Bolt.Transport,
 Targets: orch.Bolt.Targets,
- RunAs: orch.Bolt.RunAs,
- SudoPassword: orch.Bolt.SudoPassword,
- User: orch.User,
- Password: orch.Password,
 HostKeyCheck: &orch.Bolt.HostKeyCheck,
 Concurrency: orch.Bolt.Concurrency,
 }