You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by ge...@apache.org on 2024/03/01 13:38:19 UTC
(solr) branch branch_9x updated: SOLR-17183: Tweak PKI Auth logging (#2312)

This is an automated email from the ASF dual-hosted git repository.

gerlowskija pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new b695853142f SOLR-17183: Tweak PKI Auth logging (#2312)
b695853142f is described below

commit b695853142fdc6d5a50a166189f6dd5911643323
Author: Jason Gerlowski <ge...@apache.org>
AuthorDate: Fri Mar 1 08:25:45 2024 -0500

    SOLR-17183: Tweak PKI Auth logging (#2312)
    
    Clarifies one or two messages, includes cryptographic exception messages
    in logging, and introduces a new message in the case where a public-key
    cannot be fetched because the relevant node isn't in `/live_nodes`
---
 .../solr/security/PKIAuthenticationPlugin.java     | 60 ++++++++++++++--------
 .../solr/security/TestPKIAuthenticationPlugin.java |  4 +-
 2 files changed, 41 insertions(+), 23 deletions(-)

diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index a57c636a386..0b966e5419a 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -153,7 +153,9 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
     PKIHeaderData headerData = null;
     String headerV2 = request.getHeader(HEADER_V2);
     String headerV1 = request.getHeader(HEADER);
-    if (headerV2 != null) {
+    if (headerV1 == null && headerV2 == null) {
+      return sendError(response, true, "No PKI auth header was provided");
+    } else if (headerV2 != null) {
       // Try V2 first
       int nodeNameEnd = headerV2.indexOf(' ');
       if (nodeNameEnd <= 0) {
@@ -172,7 +174,7 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
     }
 
     if (headerData == null) {
-      return sendError(response, true, "Could not load principal from SolrAuthV2 header.");
+      return sendError(response, true, "Could not validate PKI header.");
     }
     long elapsed = receivedTime - headerData.timestamp;
     if (elapsed > MAX_VALIDITY) {
@@ -218,14 +220,20 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
     }
   }
 
-  private PKIHeaderData decipherHeaderV2(String header, String nodeName) {
+  private PublicKey getOrFetchPublicKey(String nodeName) {
     PublicKey key = keyCache.get(nodeName);
     if (key == null) {
       log.debug("No key available for node: {} fetching now ", nodeName);
-      key = getRemotePublicKey(nodeName);
+      key = fetchPublicKeyFromRemote(nodeName);
       log.debug("public key obtained {} ", key);
     }
 
+    return key;
+  }
+
+  private PKIHeaderData decipherHeaderV2(String header, String nodeName) {
+    PublicKey key = getOrFetchPublicKey(nodeName);
+
     int sigStart = header.lastIndexOf(' ');
 
     String data = header.substring(0, sigStart);
@@ -233,7 +241,7 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
     PKIHeaderData rv = validateSignature(data, sig, key, false);
     if (rv == null) {
       log.warn("Failed to verify signature, trying after refreshing the key ");
-      key = getRemotePublicKey(nodeName);
+      key = fetchPublicKeyFromRemote(nodeName);
       rv = validateSignature(data, sig, key, true);
     }
 
@@ -241,6 +249,11 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
   }
 
   private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key, boolean isRetry) {
+    if (key == null) {
+      log.warn("Key is null when attempting to validate signature; skipping...");
+      return null;
+    }
+
     try {
       if (CryptoKeys.verifySha256(data.getBytes(UTF_8), sig, key)) {
         int timestampStart = data.lastIndexOf(' ');
@@ -259,27 +272,23 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
         return null;
       }
     } catch (InvalidKeyException | SignatureException e) {
+      final String excMessage = e.getMessage();
       if (isRetry) {
-        log.error("Signature validation on retry failed, likely key error");
+        log.error("Signature validation on retry failed, likely key error: {}", excMessage);
       } else {
-        log.info("Signature validation failed first attempt, likely key error");
+        log.info("Signature validation failed first attempt, likely key error: {}", excMessage);
       }
       return null;
     }
   }
 
   private PKIHeaderData decipherHeader(String nodeName, String cipherBase64) {
-    PublicKey key = keyCache.get(nodeName);
-    if (key == null) {
-      log.debug("No key available for node: {} fetching now ", nodeName);
-      key = getRemotePublicKey(nodeName);
-      log.debug("public key obtained {} ", key);
-    }
+    PublicKey key = getOrFetchPublicKey(nodeName);
 
     PKIHeaderData header = parseCipher(cipherBase64, key, false);
     if (header == null) {
       log.warn("Failed to decrypt header, trying after refreshing the key ");
-      key = getRemotePublicKey(nodeName);
+      key = fetchPublicKeyFromRemote(nodeName);
       return parseCipher(cipherBase64, key, true);
     } else {
       return header;
@@ -320,6 +329,15 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
     }
   }
 
+  private boolean isInLiveNodes(String nodeName) {
+    return cores
+        .getZkController()
+        .getZkStateReader()
+        .getClusterState()
+        .getLiveNodes()
+        .contains(nodeName);
+  }
+
   /**
    * Fetch the public key for a remote Solr node and store it in our key cache, replacing any
    * existing entries.
@@ -327,13 +345,13 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
    * @param nodename the node to fetch a key from
    * @return the public key
    */
-  PublicKey getRemotePublicKey(String nodename) {
-    if (!cores
-        .getZkController()
-        .getZkStateReader()
-        .getClusterState()
-        .getLiveNodes()
-        .contains(nodename)) return null;
+  PublicKey fetchPublicKeyFromRemote(String nodename) {
+    if (!isInLiveNodes(nodename)) {
+      log.warn(
+          "Unable to fetch public key for {} as it does not appear to be a Solr 'live node'",
+          nodename);
+      return null;
+    }
     String url = cores.getZkController().getZkStateReader().getBaseUrlForNodeName(nodename);
     HttpEntity entity = null;
     try {
diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
index eb2bb2808d3..5c2cdd39c92 100644
--- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
@@ -64,7 +64,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
     }
 
     @Override
-    PublicKey getRemotePublicKey(String ignored) {
+    PublicKey fetchPublicKeyFromRemote(String ignored) {
       return myKey;
     }
 
@@ -153,7 +153,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
           boolean firstCall = true;
 
           @Override
-          PublicKey getRemotePublicKey(String ignored) {
+          PublicKey fetchPublicKeyFromRemote(String ignored) {
             try {
               return firstCall ? myKey : mock.myKey;
             } finally {