Fixes #24651: Disallow clear-text API keys

webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/api/ApiAccountRepository.scala

@@ -164,24 +164,7 @@ final class RoLDAPApiAccountRepository(
         // here, be careful to the semantic of get with a filter!
         optEntry <- ldap.get(rudderDit.API_ACCOUNTS.dn, BuildFilter.EQ(RudderLDAPConstants.A_API_TOKEN, hash))
         optRes   <- optEntry match {
-                      case None    => {
-                        // Fallback on v1 clear text tokens
-                        for {
-                          optEntry <-
-                            // here, be careful to the semantic of get with a filter!
-                            ldap.get(rudderDit.API_ACCOUNTS.dn, BuildFilter.EQ(RudderLDAPConstants.A_API_TOKEN, token.value))
-                          optRes   <- optEntry match {
-                                        case None    => None.succeed
-                                        case Some(e) =>
-                                          mapper
-                                            .entry2ApiAccount(e)
-                                            .map(Some(_))
-                                            .toIO
-                                      }
-                        } yield {
-                          optRes
-                        }
-                      }
+                      case None    => None.succeed
                       case Some(e) => mapper.entry2ApiAccount(e).map(Some(_)).toIO
                     }
       } yield {

webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/api/DataStructures.scala

@@ -64,6 +64,9 @@ final case class ApiAccountName(value: String) extends AnyVal
  *
  * * v1: 32 alphanumeric characters stored as clear text
  *       they are also displayed in clear text in the interface.
+ *
+*        REMOVED in 8.2.
+ *
  * * v2: starting from Rudder 8.1, tokens are still 32 alphanumeric characters,
  *       but are now stored hashed in sha512 (128 characters), prefixed with "v2:".
  *       The tokens are only displayed once at creation.

webapp/sources/rudder/rudder-web/src/main/elm/sources/Accounts/View.elm

@@ -41,9 +41,8 @@ view model =
                                 [ if hasClearTextTokens then
                                     div [ class "alert alert-warning" ]
                                         [ i [ class "fa fa-exclamation-triangle" ] []
-                                        , text "You have API accounts with tokens generated on a previous Rudder versions, those for which the "
-                                        , text "beginning of the token value is displayed in the table. They are now deprecated, you should "
-                                        , text "re-generate or replace them for improved security."
+                                        , text "You have API accounts with clear-text tokens generated before Rudder 8.0. "
+                                        , text "They don't work anymore, you need to re-generate or replace them."
                                         ]
 
                                   else

webapp/sources/rudder/rudder-web/src/main/elm/sources/Accounts/ViewUtils.elm

@@ -138,13 +138,7 @@ displayAccountsTable model =
             if isEmpty a.token then
                 td [class "token"] [ span [class "token-txt"][ text "[hashed]" ] ]
             else
-                td [class "token"]
-                [ span [class "token-txt"]
-                  [text (slice 0 5 a.token)]
-                  , span[class "fa hide-text"][]
-                , Html.a [ class "btn-goto clipboard", title "Copy to clipboard" , onClick (Copy a.token) ]
-                  [ i [class "ion ion-clipboard"][] ]
-                ]
+                td [class "token"] [ span [class "token-txt"][ text "TODO" ] ]
           else
             td [class "date"][ text (cleanDate a.creationDate) ]
         , td [class "date"][ text expirationDate ]