Edge-home-orchestration-go: [Discussion] Do we need to rectify SecurityMgr? (Sensitive Data handling)

Created on 14 Sep 2020  ·  6 comments  ·  Source: lf-edge/edge-home-orchestration-go

All 6 comments

@tdrozdovsky This is due to my ongoing analysis with the tool lgtm, as follows.

https://lgtm.com/projects/g/lf-edge/edge-home-orchestration-go/alerts/?mode=list

I personally think that sensitive data is returned by an access to passPhraseJWTPath. What do you think? @tdrozdovsky

https://github.com/lf-edge/edge-home-orchestration-go/blob/22ce49b4b76ae78dfb75e14ef64399e5805c7d02/src/controller/securemgr/authenticator/authenticator.go#L70

This might be the same potential security risk, as follows.

https://github.com/lf-edge/edge-home-orchestration-go/blob/22ce49b4b76ae78dfb75e14ef64399e5805c7d02/src/controller/securemgr/authenticator/authenticator.go#L84

Good point, I know and remember this security issue.

These only inform about a failed attempt to create the passPhraseJWTFilePath file.
But of course, storing such information in files (passPhrase, edge-orchestration.key, etc.) is a security risk.
I think in the future this should be solved with secure storage or with an access control system such as SELinux, SMACK, etc.

Thank you for the reminder.
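
The file-permission side of the risk raised in the comment above, as an added example that is not part of the thread or the project's code: a secret file is created owner-only and is rejected on read if group or other users can access it. `WriteSecret`, `ReadSecret`, `ErrLoosePerms`, the temporary path and the passphrase value are hypothetical, and this only narrows exposure; it is not the secure storage or SELinux/SMACK policy the comment proposes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrLoosePerms marks a secret file that group or other users can access.
var ErrLoosePerms = errors.New("secret file is accessible to group or others")

// WriteSecret creates path with mode 0600 and never overwrites an existing file.
func WriteSecret(path string, secret []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return fmt.Errorf("create secret file: %w", err) // names the path, never the secret
	}
	if _, err := f.Write(secret); err != nil {
		f.Close()
		return fmt.Errorf("write secret file: %w", err)
	}
	return f.Close()
}

// ReadSecret rejects symlinks, non-regular files and any group/other permission bit.
func ReadSecret(path string) ([]byte, error) {
	info, err := os.Lstat(path)
	if err != nil {
		return nil, fmt.Errorf("stat secret file: %w", err)
	}
	if !info.Mode().IsRegular() {
		return nil, errors.New("secret path is not a regular file")
	}
	if info.Mode().Perm()&0o077 != 0 {
		return nil, ErrLoosePerms
	}
	return os.ReadFile(path)
}

func main() {
	dir, _ := os.MkdirTemp("", "secret-demo") // constructed location, not the project's path
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "passphrase")
	fmt.Println("write:", WriteSecret(p, []byte("constructed-passphrase")))
	os.Chmod(p, 0o644) // simulate a file left world-readable
	_, err := ReadSecret(p)
	fmt.Println("read after chmod 0644:", err)
}
```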

@tdrozdovsky Thank you for accepting my suggestion. I have just assigned this issue to you. We are looking forward to seeing another valuable contribution from you soon!

@tdrozdovsky Plus, could you rectify if err is used in our platform?

https://github.com/lf-edge/edge-home-orchestration-go/blob/22ce49b4b76ae78dfb75e14ef64399e5805c7d02/src/orchestrationapi/orchestration_api.go#L180

I researched the use of the err variable. Error handling is done below.

    if len(deviceScores) <= 0 {
        return errorResp
    } else if deviceScores[0].score == scoringmgr.INVALID_SCORE {
        return errorResp
    }

Additional processing will make the code more complex.

Therefore, I suggest ignoring the err variable.

    deviceResources[i].score, _ = orcheEngine.GetScoreWithResource(dev.resource)

@tdrozdovsky It is reasonable. ^^ Could you suggest a PR regarding this?
