Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2021/08/06 09:45:15 UTC

[GitHub] [knox] zeroflag opened a new pull request #478: KNOX-2574 - Missing proper logging when hmac secret is short

zeroflag opened a new pull request #478:
URL: https://github.com/apache/knox/pull/478


   ## What changes were proposed in this pull request?
   
   When the hmac secret length is shorter than required by the signing algorithm then token generation will fail with no meaningful message.
   
   ```json
   { "Unable to acquire token." }
   ```
   
   The gateway log doesn't contain any information about what went wrong.
   
   I found no simple way to add validation logic to the secret creation (bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value <..>) and prevent creating the secret with invalid length, so I added a check to TokenResource>>init() instead.
   
   ## How was this patch tested?
   
   1. Created a shorter than expected secret:
   
   ```
   $ bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value 1234
   ```
   
   2. Set the signing alg to HS256 (keylength = 32)
   
   ```
   <param>
      <name>knox.token.sigalg</name>
      <value>HS256</value>
   </param>
   ```
   
   3. Tried to create a token
   
   ```
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
   ```
   
   4. Checked the exception in gateway.logs

   ```
   com.nimbusds.jose.KeyLengthException: Unexpected key length (for HS256 algorithm)
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@knox.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
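The check the pull request describes, as an added Python example (not Knox's own Java code; the function names and message text are my own): the secret is validated against the minimum key length the HMAC algorithm requires before any signing happens, so a 4-byte secret like the one in the test above fails with a logged, actionable message instead of a bare KeyLengthException.

```python
import base64
import hashlib
import hmac
import json
import logging

# Minimum HMAC secret length per JWS algorithm, in bytes (RFC 7518 section 3.2:
# the key must be at least as large as the hash output, e.g. 32 bytes for HS256).
MIN_SECRET_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

log = logging.getLogger("gateway")


def validate_hmac_secret(secret: bytes, alg: str) -> None:
    """Fail early with a message that names the cause and the fix (hypothetical helper)."""
    if alg not in MIN_SECRET_BYTES:
        raise ValueError(f"unsupported HMAC signing algorithm {alg!r}")
    required = MIN_SECRET_BYTES[alg]
    if len(secret) < required:
        msg = (f"HMAC signing secret is {len(secret)} bytes but {alg} requires "
               f"at least {required} bytes; re-create the signing secret alias "
               f"with a longer value")
        log.error(msg)  # this is the line that was missing from the gateway log
        raise ValueError(msg)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_jws(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce a compact JWS; the length check runs before the MAC is computed."""
    validate_hmac_secret(secret, alg)
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, HASHES[alg]).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jws(token: str, secret: bytes, alg: str = "HS256") -> bool:
    """Recompute the MAC over header.payload and compare it in constant time."""
    validate_hmac_secret(secret, alg)
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    return hmac.compare_digest(_b64url(expected), sig)
```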



[GitHub] [knox] zeroflag closed pull request #478: KNOX-2574 - Missing proper logging when hmac secret is short

Posted by GitBox <gi...@apache.org>.
zeroflag closed pull request #478:
URL: https://github.com/apache/knox/pull/478


   





[GitHub] [knox] zeroflag commented on pull request #478: KNOX-2574 - Missing proper logging when hmac secret is short

Posted by GitBox <gi...@apache.org>.
zeroflag commented on pull request #478:
URL: https://github.com/apache/knox/pull/478#issuecomment-894170676


   cc: @moresandeep @smolnar82 @pzampino @lmccay 





[GitHub] [knox] pzampino merged pull request #478: KNOX-2574 - Missing proper logging when hmac secret is short

Posted by GitBox <gi...@apache.org>.
pzampino merged pull request #478:
URL: https://github.com/apache/knox/pull/478


   

