Unique repo path and permissions

[alexmt]

Signed-off-by: Alexander Matyushentsev AMatyushentsev@gmail.com

PR implements two changes:

• Git and Helm repositories are cloned/fetched into random/non-predicable local directory
• Repo server remove read permissions from Git repos when not using it for manifest generation

[codecov]

Codecov Report

Merging #8517 (74001dd) into master (ac47a42) will decrease coverage by 0.01%.
The diff coverage is 50.52%.

@@            Coverage Diff             @@
##           master    #8517      +/-   ##
==========================================
- Coverage   42.60%   42.59%   -0.02%     
==========================================
  Files         176      183       +7     
  Lines       22941    23102     +161     
==========================================
+ Hits         9774     9840      +66     
- Misses      11770    11853      +83     
- Partials     1397     1409      +12     

Impacted Files	Coverage Δ
cmd/argocd/commands/app.go	0.53% <0.00%> (ø)
pkg/apis/application/v1alpha1/repository_types.go	60.52% <0.00%> (ø)
util/git/creds.go	9.80% <4.34%> (-0.20%)	⬇️
reposerver/askpass/server.go	35.29% <35.29%> (ø)
util/helm/client.go	45.14% <55.55%> (-3.37%)	⬇️
reposerver/repository/repository.go	58.49% <55.93%> (-0.18%)	⬇️
util/io/paths.go	68.75% <68.75%> (ø)
util/grpc/sanitizer.go	85.00% <85.00%> (ø)
reposerver/repository/lock.go	100.00% <100.00%> (ø)
util/git/client.go	44.74% <100.00%> (ø)
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 764b7a6...74001dd. Read the comment docs.

[crenshaw-dev]

LGTM!

[crenshaw-dev]

Should we go ahead an use the UUIDv4 path generator for this line, too?

argo-cd/reposerver/repository/repository.go

Line 758 in d7fbc91

file, err := ioutil.TempFile("", "values-*.yaml")

[alexmt]

@crenshaw-dev request about file, err := ioutil.TempFile("", "values-*.yaml") already implemented in another PR

[crenshaw-dev]

One small comment.

[crenshaw-dev]

Do we need 755? Or just 700?

[jessesuen]

Rather than maintain the map everytime we clone a repo, I feel we could have a regexp replace this

func NewSanitizer(root string) {
	return &sanitizer{
		re: regexp.MustCompile(`(` + root + `/.*?)/`) // non-greedy until next slash after root
	}
}

func (s *sanitizer) Replace(val string) string {
    return s.re.ReplaceAllString(val, ".")
}

[crenshaw-dev]

To avoid missing relative paths, we could add a reasonably-unique prefix to the temp dir name and use a regex like this:

no-log-[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}

(The end is just a regex for UUIDv4.)

[crenshaw-dev]

Another benefit of a keyword-based replace would be that random paths outside the repo dir (like temporary values.yaml files' paths) could be sanitized as well.

empDir := path.Join(os.TempDir(), fmt.Sprintf("no-log-%s", newUUID.String()))

[crenshaw-dev]

Both approaches also help us completely avoid an attack where someone uses the sanitizer to leak valid paths by forcing errors containing lots of UUIDs. I think that attack is super impractical, but if we can solve two problems at once, great.

[alexmt]

New "sanitizer" is created and deleted every request. So this map will get 2~3 entries max.

Using the gprc interceptor and context was the least intrusive way to introduce sanitization. I really did not want to introduce a lot of copy-paste code. So it forced me to make sanitizer pretty generic . I think regex based sanitization will be useful. Implemented option suggested by @jessesuen because it is less coupled with how we generate unique paths .

[jessesuen]

I see that we sanitize the gRPC responses, but does this change sanitize the log outputs as well? Or do we not care?

[jessesuen]

This looks a lot simpler than before. Thanks!