Problem/Motivation

Per research done in #2894029: Security Analysis, Web Page Archive capture utilities should either encrypt API keys or exclude them from config exports altogether.

Proposed resolution

Use a hybrid of the approaches taken #2741225: Encrypt Akamai API credentials so they are not stored in plain text and #3041301: Setup Key module integration

Remaining tasks

None

User interface changes

This was the original UI:
Visual of the old storage method

This is the proposed change:
Visual of the plaintext storage selection
Visual of the key module storage selection

API changes

None

Data model changes

Change config entities storage from:
'wpt_api' => 'X.xxxxxxxxxxxxxxxxxxxxxxxx'
to:

api => [
  'storage_method' => 'plaintext' or 'key'
  'key_module' => key entity ID or '' (depending on storage method)
  'key_plaintext' => 'X.xxxxxxxxxxxxxxxxxxxxxxxx' or '' (depending on storage method)
]

Release notes snippet

Adds optional support for the key module for more secure handling of api keys.

CommentFileSizeAuthor
#5 old-storage-method.PNG10.19 KBWidgetsBurritos
#5 plaintext-storage.PNG33.36 KBWidgetsBurritos
#5 key-module-storage.PNG30.62 KBWidgetsBurritos
#4 2907871-key-module-support-4.patch18.33 KBWidgetsBurritos

Comments

WidgetsBurritos created an issue. See original summary.

bighappyface’s picture

bighappyface commented

Propose to introduce encryption as seen in Drupal\marketo_ma\Form\MarketoMASettings

http://cgit.drupalcode.org/marketo_ma/tree/src/Form/MarketoMASettings.ph...

WidgetsBurritos’s picture

WidgetsBurritos commented
Title: Exporting API keys » Key Module Support
Issue summary: View changes
Status: Active » Needs work
Related issues: +#3041301: Setup Key module integration, +#2741225: Encrypt Akamai API credentials so they are not stored in plain text

Per previous work done in #2741225: Encrypt Akamai API credentials so they are not stored in plain text and #3041301: Setup Key module integration, I'm proposing we provide support for handling the keys using the key module.

Unlike accessibility_scanner, I want to keep this dependency optional to avoid interfering with anybody who has been using this prior. I basically ripped off the work we did in the akamai module to provide a wrapper around the key module

WidgetsBurritos’s picture

WidgetsBurritos commented
Status: Needs work » Needs review
StatusFileSize
new 2907871-key-module-support-4.patch18.33 KB
WidgetsBurritos’s picture

WidgetsBurritos commented
Issue summary: View changes
StatusFileSize
new key-module-storage.PNG30.62 KB
new plaintext-storage.PNG33.36 KB
new old-storage-method.PNG10.19 KB

This was the original UI:
Visual of the old storage method

This is the proposed change:
Visual of the plaintext storage selection
Visual of the key module storage selection

pobster’s picture

pobster commented
Status: Needs review » Reviewed & tested by the community

LGTM, code and tests make sense +1

  • WidgetsBurritos committed 54a26a9 on 2.x 
    Issue #2907871 by WidgetsBurritos, bighappyface, pobster: Key Module...
WidgetsBurritos’s picture

WidgetsBurritos commented
Status: Reviewed & tested by the community » Fixed
WidgetsBurritos’s picture

WidgetsBurritos commented

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.