Posted to commits@lucene.apache.org by md...@apache.org on 2022/05/31 16:11:11 UTC

[lucene-solr] branch branch_8_11 updated: SOLR-16209 Improve PKIAuthenticationPlugin Logging (#2660)

This is an automated email from the ASF dual-hosted git repository.

mdrob pushed a commit to branch branch_8_11
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8_11 by this push:
     new 6170366a375 SOLR-16209 Improve PKIAuthenticationPlugin Logging (#2660)
6170366a375 is described below

commit 6170366a375c01562a041876b89704b7523005a6
Author: Mike Drob <md...@apache.org>
AuthorDate: Tue May 31 09:11:06 2022 -0700

    SOLR-16209 Improve PKIAuthenticationPlugin Logging (#2660)
    
    (cherry picked from commit 87f0c23d7b10e7d5b16fc6a4bf6a6344f2dc5f03)
---
 solr/CHANGES.txt                                   |  2 ++
 .../solr/security/PKIAuthenticationPlugin.java     | 24 ++++++++++++++--------
 .../solr/security/TestPKIAuthenticationPlugin.java | 14 ++++++-------
 3 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 2040f7435a9..d2c59c507e9 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -62,6 +62,8 @@ Bug Fixes
 
 * SOLR-15965: Use better signatures for the PKI Authentication plugin. (Mike Drob)
 
+* SOLR-16209: Rolling restart will no longer trigger as much PKI Plugin error logging. (Mike Drob, Tomás Fernández Löbbe)
+
 ==================  8.11.1 ==================
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index 81a652392a5..dda042cb364 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -235,17 +235,17 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
 
     String data = header.substring(0, sigStart);
     byte[] sig = Base64.base64ToByteArray(header.substring(sigStart + 1));
-    PKIHeaderData rv = validateSignature(data, sig, key);
+    PKIHeaderData rv = validateSignature(data, sig, key, false);
     if (rv == null) {
       log.warn("Failed to verify signature, trying after refreshing the key ");
       key = getRemotePublicKey(nodeName);
-      rv = validateSignature(data, sig, key);
+      rv = validateSignature(data, sig, key, true);
     }
 
     return rv;
   }
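Review bot: The unconditional `log.warn("Failed to verify signature, trying after refreshing the key ")` at the top of the retry branch still fires on every first-attempt failure, so lowering the level inside validateSignature removes only part of the per-request noise this commit targets. I would lower that line to `log.debug(...)` and, after the retry, add `if (rv == null) { log.error("Signature from node {} did not verify even after refreshing its public key", nodeName); }` so the one remaining ERROR record names the node whose key was fetched. Note also that `getRemotePublicKey(nodeName)` is invoked on the strength of a header whose signature has just failed to verify, so any client that can reach this node can provoke a key fetch per bad request; whether something upstream bounds that is not visible here. The enclosing method begins before this hunk.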
 
-  private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key) {
+  private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key, boolean isRetry) {
     try {
       if (CryptoKeys.verifySha256(data.getBytes(UTF_8), sig, key)) {
         int timestampStart = data.lastIndexOf(' ');
@@ -264,7 +264,11 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
         return null;
       }
     } catch (InvalidKeyException | SignatureException e) {
-      log.error("Signature validation failed, likely key error");
+      if (isRetry) {
+        log.error("Signature validation failed, likely key error");
+      } else {
+        log.info("Signature validation failed, likely key error");
+      }
       return null;
     }
   }
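Review bot: The retry-path `log.error` at the end of this hunk drops the caught exception, whereas the matching catch in parseCipher passes `e`; without it the operator sees "likely key error" but cannot tell an InvalidKeyException (wrong or rotated key, the rolling-restart case) from a SignatureException (malformed signature bytes, which is what a forged header would produce). Change it to `log.error("Signature validation failed, likely key error", e);`. The INFO branch can stay without the throwable, since a first-attempt failure is expected during a restart. validateSignature's try body starts before this hunk.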
@@ -277,23 +281,27 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
       log.debug("public key obtained {} ", key);
     }
 
-    PKIHeaderData header = parseCipher(cipherBase64, key);
+    PKIHeaderData header = parseCipher(cipherBase64, key, false);
     if (header == null) {
       log.warn("Failed to decrypt header, trying after refreshing the key ");
       key = getRemotePublicKey(nodeName);
-      return parseCipher(cipherBase64, key);
+      return parseCipher(cipherBase64, key, true);
     } else {
       return header;
     }
   }
 
   @VisibleForTesting
-  static PKIHeaderData parseCipher(String cipher, PublicKey key) {
+  static PKIHeaderData parseCipher(String cipher, PublicKey key, boolean isRetry) {
     byte[] bytes;
     try {
       bytes = CryptoKeys.decryptRSA(Base64.base64ToByteArray(cipher), key);
     } catch (Exception e) {
-      log.error("Decryption failed , key must be wrong", e);
+      if (isRetry) {
+        log.error("Decryption failed , key must be wrong", e);
+      } else {
+        log.info("Decryption failed , key must be wrong", e);
+      }
       return null;
     }
     String s = new String(bytes, UTF_8).trim();
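Review bot: parseCipher still attaches the full throwable on the first attempt (`log.info("Decryption failed , key must be wrong", e)`), so an expected key mismatch during a restart, or any malformed header from a client, emits a stack trace per request even at INFO; the catch is `Exception` and wraps the Base64 decode as well, so whatever that decoder throws on client-supplied input lands here too. I would log only the summary on the non-retry path, `log.info("Decryption failed, key must be wrong: {}", e.toString());`, and keep the throwable for the retry ERROR. The caller's `log.warn("Failed to decrypt header, trying after refreshing the key ")` earlier in this hunk is likewise still unconditional and could be lowered to debug for the same reason. The method containing the first call starts before this hunk, and parseCipher continues past it.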
diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
index 0816512c5a1..b15062c971b 100644
--- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
@@ -183,7 +183,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
         byte[] payload = s.getBytes(UTF_8);
         byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
         String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
-        PKIAuthenticationPlugin.PKIHeaderData header = PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey());
+        PKIAuthenticationPlugin.PKIHeaderData header = PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false);
         assertNotNull("Expecting valid header for user " + validUser + " and timestamp " + validTimestamp, header);
         assertEquals(validUser, header.userName);
         assertEquals(validTimestamp, header.timestamp);
@@ -198,7 +198,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
     byte[] payload = s.getBytes(UTF_8);
     byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
     String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
-    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
   }
 
   public void testParseCipherInvalidTimestampTooBig() {
@@ -208,7 +208,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
     byte[] payload = s.getBytes(UTF_8);
     byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
     String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
-    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
   }
 
   public void testParseCipherInvalidKey() {
@@ -216,7 +216,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
     byte[] payload = s.getBytes(UTF_8);
     byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
     String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
-    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey()));
+    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey(), false));
   }
 
   public void testParseCipherNoSpace() {
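Review bot: Every parseCipher call in this test file now passes `isRetry=false`, so the new branch that logs at ERROR on the retry is never exercised. Since the only observable difference is the log level, at least a test that calls it with a wrong key and `true` and asserts it still returns null would cover the path, e.g. `assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey(), true));`.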
@@ -225,7 +225,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
     byte[] payload = s.getBytes(UTF_8);
     byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
     String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
-    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
   }
 
   public void testParseCipherNoTimestamp() {
@@ -234,7 +234,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
     byte[] payload = s.getBytes(UTF_8);
     byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
     String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
-    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
   }
 
   public void testParseCipherInvalidKeyExample() {
@@ -243,7 +243,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
      */
     String base64Cipher = "A8tEkMfmA5m5+wVG9xSI46Lhg8MqDFkjPVqXc6Tf6LT/EVIpW3DUrkIygIjk9tSCCAxhHwSvKfVJeujaBtxr19ajmpWjtZKgZOXkynF5aPbDuI+mnvCiTmhLuZYExvnmeYxag6A4Fu2TpA/Wo97S4cIkRgfyag/ZOYM0pZwVAtNoJgTpmODDGrH4W16BXSZ6xm+EV4vrfUqpuuO7U7YiU5fd1tv22Au0ZaY6lPbxAHjeFyD8WrkPPIkEoM14K0G5vAg4wUxpRF/eVlnzhULoPgKFErz7cKVxuvxSsYpVw5oko+ldzyfsnMrC1brqUKA7NxhpdpJzp7bmd8W8/mvZEw==";
     String publicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJu1O+A/gGikFSeLGYdgNPrz3ef/tqJP1sRqzkVjnBcdyI2oXMmAWF+yDe0Zmya+HevyOI8YN2Yaq6aCLjbHnT364Rno/urhKvR5PmaH/PqXrh3Dl+vn08B74iLVZxZro/v34FGjX8fkiasZggC4AnyLjFkU7POsHhJKSXGslsWe0dq7yaaA2AES/bFwJ3r3FNxUsE+kWEtZG1RKMq8P8wlx/HLDzjYKaGnyApAltBHVx60XHiOC9Oatu5HZb/eKU3jf7sKibrzrRsqwb+iE4ZxxtXkgATuLOl/2ks5Mnkk4u7bPEAgEpEuzQBB4AahMC7r+R5AzRnB4+xx69FP1IwIDAQAB";
-    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, CryptoKeys.deserializeX509PublicKey(publicKey)));
+    assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, CryptoKeys.deserializeX509PublicKey(publicKey), false));
   }
 
   private HttpServletRequest createMockRequest(final AtomicReference<Header> header) {