Posted to commits@lucene.apache.org by md...@apache.org on 2022/05/31 16:11:11 UTC
[lucene-solr] branch branch_8_11 updated: SOLR-16209 Improve PKIAuthenticationPlugin Logging (#2660)
This is an automated email from the ASF dual-hosted git repository.
mdrob pushed a commit to branch branch_8_11
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8_11 by this push:
new 6170366a375 SOLR-16209 Improve PKIAuthenticationPlugin Logging (#2660)
6170366a375 is described below
commit 6170366a375c01562a041876b89704b7523005a6
Author: Mike Drob <md...@apache.org>
AuthorDate: Tue May 31 09:11:06 2022 -0700
SOLR-16209 Improve PKIAuthenticationPlugin Logging (#2660)
(cherry picked from commit 87f0c23d7b10e7d5b16fc6a4bf6a6344f2dc5f03)
---
solr/CHANGES.txt | 2 ++
.../solr/security/PKIAuthenticationPlugin.java | 24 ++++++++++++++--------
.../solr/security/TestPKIAuthenticationPlugin.java | 14 ++++++-------
3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 2040f7435a9..d2c59c507e9 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -62,6 +62,8 @@ Bug Fixes
* SOLR-15965: Use better signatures for the PKI Authentication plugin. (Mike Drob)
+* SOLR-16209: Rolling restart will no longer trigger as much PKI Plugin error logging. (Mike Drob, Tomás Fernández Löbbe)
+
================== 8.11.1 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index 81a652392a5..dda042cb364 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -235,17 +235,17 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
String data = header.substring(0, sigStart);
byte[] sig = Base64.base64ToByteArray(header.substring(sigStart + 1));
- PKIHeaderData rv = validateSignature(data, sig, key);
+ PKIHeaderData rv = validateSignature(data, sig, key, false);
if (rv == null) {
log.warn("Failed to verify signature, trying after refreshing the key ");
key = getRemotePublicKey(nodeName);
- rv = validateSignature(data, sig, key);
+ rv = validateSignature(data, sig, key, true);
}
return rv;
}
- private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key) {
+ private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key, boolean isRetry) {
try {
if (CryptoKeys.verifySha256(data.getBytes(UTF_8), sig, key)) {
int timestampStart = data.lastIndexOf(' ');
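Review bot: The new `isRetry` parameter on `validateSignature` is undocumented, and because it only selects a log level the name reads as if it changed how the signature is checked; a Javadoc line such as `@param isRetry true when called after refreshing the remote node's key; a failure is then logged at ERROR instead of INFO, since the fresh key was expected to work` would make that explicit. The `log.warn("Failed to verify signature, trying after refreshing the key ")` kept above the retry call still fires once for every request whose first verification fails, so a rolling restart still yields one WARN per request even though the catch-block entry was lowered; if that first failure is considered expected, that line deserves the same treatment, or its message should say the retry is expected. The method that contains the call site begins before this hunk, and `validateSignature` continues past it.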
@@ -264,7 +264,11 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
return null;
}
} catch (InvalidKeyException | SignatureException e) {
- log.error("Signature validation failed, likely key error");
+ if (isRetry) {
+ log.error("Signature validation failed, likely key error");
+ } else {
+ log.info("Signature validation failed, likely key error");
+ }
return null;
}
}
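Review bot: Both new branches in the `InvalidKeyException | SignatureException` handler still drop the caught exception, so the ERROR entry written on the retry path gives no indication of which of the two failed or why; pass it through at least there, `log.error("Signature validation failed, likely key error", e);`, and consider a distinct message on the retry branch (for example one that mentions the key refresh) so the two levels are not the same text. Since the retry is only attempted after a key refresh and still logs at ERROR, a node whose signatures keep failing remains visible in the log, which is the right outcome for a rejected-authentication event; the downgrade only affects the first attempt. `validateSignature` starts before this hunk.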
@@ -277,23 +281,27 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
log.debug("public key obtained {} ", key);
}
- PKIHeaderData header = parseCipher(cipherBase64, key);
+ PKIHeaderData header = parseCipher(cipherBase64, key, false);
if (header == null) {
log.warn("Failed to decrypt header, trying after refreshing the key ");
key = getRemotePublicKey(nodeName);
- return parseCipher(cipherBase64, key);
+ return parseCipher(cipherBase64, key, true);
} else {
return header;
}
}
@VisibleForTesting
- static PKIHeaderData parseCipher(String cipher, PublicKey key) {
+ static PKIHeaderData parseCipher(String cipher, PublicKey key, boolean isRetry) {
byte[] bytes;
try {
bytes = CryptoKeys.decryptRSA(Base64.base64ToByteArray(cipher), key);
} catch (Exception e) {
- log.error("Decryption failed , key must be wrong", e);
+ if (isRetry) {
+ log.error("Decryption failed , key must be wrong", e);
+ } else {
+ log.info("Decryption failed , key must be wrong", e);
+ }
return null;
}
String s = new String(bytes, UTF_8).trim();
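Review bot: The `log.info("Decryption failed , key must be wrong", e)` branch added to `parseCipher` still attaches the full stack trace, so a rolling restart now emits one INFO stack trace per request instead of an ERROR one, and the text is inaccurate on the first attempt, where a stale cached key is the expected cause rather than a wrong key. Log that branch without the throwable, e.g. `log.info("Decryption failed, cached key may be stale; retrying after key refresh");`, and keep `e` on the ERROR branch only, where it is useful. The same consideration applies to the `validateSignature` handler in the hunk above. The method containing the `parseCipher(cipherBase64, key, false)` call begins before this hunk, and `parseCipher` continues past it.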
diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
index 0816512c5a1..b15062c971b 100644
--- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
@@ -183,7 +183,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
- PKIAuthenticationPlugin.PKIHeaderData header = PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey());
+ PKIAuthenticationPlugin.PKIHeaderData header = PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false);
assertNotNull("Expecting valid header for user " + validUser + " and timestamp " + validTimestamp, header);
assertEquals(validUser, header.userName);
assertEquals(validTimestamp, header.timestamp);
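Review bot: Every updated call in this file passes `false` for the new `isRetry` argument, so the retry branch added to `parseCipher` is never exercised by this test class; the remaining hunks in this file have the same gap. One additional case that calls `parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey(), true)` and asserts `null` would at least confirm the flag does not change the return value. The test method containing these lines begins before the hunk.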
@@ -198,7 +198,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
}
public void testParseCipherInvalidTimestampTooBig() {
@@ -208,7 +208,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
}
public void testParseCipherInvalidKey() {
@@ -216,7 +216,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey()));
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey(), false));
}
public void testParseCipherNoSpace() {
@@ -225,7 +225,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
}
public void testParseCipherNoTimestamp() {
@@ -234,7 +234,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.byteArrayToBase64(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), false));
}
public void testParseCipherInvalidKeyExample() {
@@ -243,7 +243,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
*/
String base64Cipher = "A8tEkMfmA5m5+wVG9xSI46Lhg8MqDFkjPVqXc6Tf6LT/EVIpW3DUrkIygIjk9tSCCAxhHwSvKfVJeujaBtxr19ajmpWjtZKgZOXkynF5aPbDuI+mnvCiTmhLuZYExvnmeYxag6A4Fu2TpA/Wo97S4cIkRgfyag/ZOYM0pZwVAtNoJgTpmODDGrH4W16BXSZ6xm+EV4vrfUqpuuO7U7YiU5fd1tv22Au0ZaY6lPbxAHjeFyD8WrkPPIkEoM14K0G5vAg4wUxpRF/eVlnzhULoPgKFErz7cKVxuvxSsYpVw5oko+ldzyfsnMrC1brqUKA7NxhpdpJzp7bmd8W8/mvZEw==";
String publicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJu1O+A/gGikFSeLGYdgNPrz3ef/tqJP1sRqzkVjnBcdyI2oXMmAWF+yDe0Zmya+HevyOI8YN2Yaq6aCLjbHnT364Rno/urhKvR5PmaH/PqXrh3Dl+vn08B74iLVZxZro/v34FGjX8fkiasZggC4AnyLjFkU7POsHhJKSXGslsWe0dq7yaaA2AES/bFwJ3r3FNxUsE+kWEtZG1RKMq8P8wlx/HLDzjYKaGnyApAltBHVx60XHiOC9Oatu5HZb/eKU3jf7sKibrzrRsqwb+iE4ZxxtXkgATuLOl/2ks5Mnkk4u7bPEAgEpEuzQBB4AahMC7r+R5AzRnB4+xx69FP1IwIDAQAB";
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, CryptoKeys.deserializeX509PublicKey(publicKey)));
+ assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, CryptoKeys.deserializeX509PublicKey(publicKey), false));
}
private HttpServletRequest createMockRequest(final AtomicReference<Header> header) {