Posted to commits@solr.apache.org by md...@apache.org on 2022/05/20 21:08:56 UTC
[solr] branch branch_9_0 updated: SOLR-16209: Rolling restart will no longer trigger as much PKI Plugin error logging. (#874)
This is an automated email from the ASF dual-hosted git repository.
mdrob pushed a commit to branch branch_9_0
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9_0 by this push:
new fe70aec071d SOLR-16209: Rolling restart will no longer trigger as much PKI Plugin error logging. (#874)
fe70aec071d is described below
commit fe70aec071dce3fd551526e1decc44d9e35f235b
Author: Mike Drob <md...@apache.org>
AuthorDate: Fri May 20 14:50:49 2022 -0500
SOLR-16209: Rolling restart will no longer trigger as much PKI Plugin error logging. (#874)
(cherry picked from commit 87f0c23d7b10e7d5b16fc6a4bf6a6344f2dc5f03)
---
solr/CHANGES.txt | 2 ++
.../solr/security/PKIAuthenticationPlugin.java | 24 ++++++++++++++--------
.../solr/security/TestPKIAuthenticationPlugin.java | 19 +++++++++--------
3 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index c080b262596..477becfc15c 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -11,6 +11,8 @@ Bug Fixes
* SOLR-16191: Validate that installed ps utility supports -p flag, so that we do not inadvertantly stop the wrong process. (Mike Drob, Michael Gibney)
+* SOLR-16209: Rolling restart will no longer trigger as much PKI Plugin error logging. (Mike Drob, Tomás Fernández Löbbe)
+
================== 9.0.0 ==================
New Features
diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index 062b20112ff..68b28c7592d 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -224,17 +224,17 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
String data = header.substring(0, sigStart);
byte[] sig = Base64.getDecoder().decode(header.substring(sigStart + 1));
- PKIHeaderData rv = validateSignature(data, sig, key);
+ PKIHeaderData rv = validateSignature(data, sig, key, false);
if (rv == null) {
log.warn("Failed to verify signature, trying after refreshing the key ");
key = getRemotePublicKey(nodeName);
- rv = validateSignature(data, sig, key);
+ rv = validateSignature(data, sig, key, true);
}
return rv;
}
- private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key) {
+ private PKIHeaderData validateSignature(String data, byte[] sig, PublicKey key, boolean isRetry) {
try {
if (CryptoKeys.verifySha256(data.getBytes(UTF_8), sig, key)) {
int timestampStart = data.lastIndexOf(' ');
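Review bot: The warning between the two `validateSignature` calls still does not say which node's key failed, so the new INFO/ERROR split cannot be correlated to a peer when several nodes restart at once. `nodeName` is in scope at the refresh call, so the line could become `log.warn("Failed to verify signature for node {}, trying after refreshing the key", nodeName);`. If `nodeName` is taken from the request header before verification (not visible here), it should be treated as untrusted when it is logged. The "Failed to decrypt header" warning in the later hunk of this file has the same gap. The calling method starts above this hunk and `validateSignature` continues below it.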
@@ -253,7 +253,11 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
return null;
}
} catch (InvalidKeyException | SignatureException e) {
- log.error("Signature validation failed, likely key error");
+ if (isRetry) {
+ log.error("Signature validation on retry failed, likely key error");
+ } else {
+ log.info("Signature validation failed first attempt, likely key error");
+ }
return null;
}
}
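Review bot: Both new log calls in the catch block drop the caught exception, so an `InvalidKeyException` cannot be told apart from a `SignatureException` in the logs, whereas `parseCipher` in the same file passes `e`. On the retry branch consider `log.error("Signature validation on retry failed, likely key error", e);`, and on the first attempt pass `e.toString()` as a parameter so the INFO entry stays on one line. The wording "failed first attempt" also differs from "failed on first attempt" in `parseCipher`, and any log search or alert rule keyed on the old ERROR text will need updating. The try block starts outside this hunk.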
@@ -266,23 +270,27 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin
log.debug("public key obtained {} ", key);
}
- PKIHeaderData header = parseCipher(cipherBase64, key);
+ PKIHeaderData header = parseCipher(cipherBase64, key, false);
if (header == null) {
log.warn("Failed to decrypt header, trying after refreshing the key ");
key = getRemotePublicKey(nodeName);
- return parseCipher(cipherBase64, key);
+ return parseCipher(cipherBase64, key, true);
} else {
return header;
}
}
@VisibleForTesting
- static PKIHeaderData parseCipher(String cipher, PublicKey key) {
+ static PKIHeaderData parseCipher(String cipher, PublicKey key, boolean isRetry) {
byte[] bytes;
try {
bytes = CryptoKeys.decryptRSA(Base64.getDecoder().decode(cipher), key);
} catch (Exception e) {
- log.error("Decryption failed , key must be wrong", e);
+ if (isRetry) {
+ log.error("Decryption failed on retry, key must be wrong", e);
+ } else {
+ log.info("Decryption failed on first attempt, will retry", e);
+ }
return null;
}
String s = new String(bytes, UTF_8).trim();
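Review bot: The first-attempt branch in `parseCipher` logs at INFO but still passes `e`, so every stale-key request during a rolling restart writes a full stack trace, which works against the goal of the change; `log.info("Decryption failed on first attempt, will retry: {}", e.toString());` keeps it to one line. The `catch (Exception e)` also covers the `IllegalArgumentException` that `Base64.getDecoder().decode(cipher)` throws on a malformed header, so such input is reported as a key problem and, in the caller above, leads to `getRemotePublicKey(nodeName)` being called. Rejecting undecodable input before the decrypt attempt would keep key refreshes tied to real key mismatches. The calling method starts above this hunk and `parseCipher` continues below it.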
diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
index f4be6e1eed7..eb2bb2808d3 100644
--- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java
@@ -212,8 +212,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
- PKIAuthenticationPlugin.PKIHeaderData header =
- PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey());
+ PKIAuthenticationPlugin.PKIHeaderData header = parseCipher(base64Cipher);
assertNotNull(
"Expecting valid header for user " + validUser + " and timestamp " + validTimestamp,
header);
@@ -230,7 +229,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(parseCipher(base64Cipher));
}
public void testParseCipherInvalidTimestampTooBig() {
@@ -240,7 +239,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(parseCipher(base64Cipher));
}
public void testParseCipherInvalidKey() {
@@ -250,7 +249,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
assertNull(
PKIAuthenticationPlugin.parseCipher(
- base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey()));
+ base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey(), true));
}
public void testParseCipherNoSpace() {
@@ -259,7 +258,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(parseCipher(base64Cipher));
}
public void testParseCipherNoTimestamp() {
@@ -268,7 +267,11 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
byte[] payload = s.getBytes(UTF_8);
byte[] payloadCipher = aKeyPair.encrypt(ByteBuffer.wrap(payload));
String base64Cipher = Base64.getEncoder().encodeToString(payloadCipher);
- assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey()));
+ assertNull(parseCipher(base64Cipher));
+ }
+
+ private PKIAuthenticationPlugin.PKIHeaderData parseCipher(String base64Cipher) {
+ return PKIAuthenticationPlugin.parseCipher(base64Cipher, aKeyPair.getPublicKey(), true);
}
public void testParseCipherInvalidKeyExample() {
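Review bot: The new `parseCipher(String)` helper hard-codes `isRetry` to `true`, and the direct calls in `testParseCipherInvalidKey` and `testParseCipherInvalidKeyExample` do the same, so the first-attempt branch added to `PKIAuthenticationPlugin.parseCipher` is never executed by this test class. One extra assertion such as `assertNull(PKIAuthenticationPlugin.parseCipher(base64Cipher, new CryptoKeys.RSAKeyPair().getPublicKey(), false));` in `testParseCipherInvalidKey` would show that the flag changes only the logging and not the result. The helper also shares its name with the static method it wraps, which makes the call sites harder to read; a distinct name such as `parseCipherOnRetry` would avoid that.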
@@ -281,7 +284,7 @@ public class TestPKIAuthenticationPlugin extends SolrTestCaseJ4 {
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJu1O+A/gGikFSeLGYdgNPrz3ef/tqJP1sRqzkVjnBcdyI2oXMmAWF+yDe0Zmya+HevyOI8YN2Yaq6aCLjbHnT364Rno/urhKvR5PmaH/PqXrh3Dl+vn08B74iLVZxZro/v34FGjX8fkiasZggC4AnyLjFkU7POsHhJKSXGslsWe0dq7yaaA2AES/bFwJ3r3FNxUsE+kWEtZG1RKMq8P8wlx/HLDzjYKaGnyApAltBHVx60XHiOC9Oatu5HZb/eKU3jf7sKibrzrRsqwb+iE4ZxxtXkgATuLOl/2ks5Mnkk4u7bPEAgEpEuzQBB4AahMC7r+R5AzRnB4+xx69FP1IwIDAQAB";
assertNull(
PKIAuthenticationPlugin.parseCipher(
- base64Cipher, CryptoKeys.deserializeX509PublicKey(publicKey)));
+ base64Cipher, CryptoKeys.deserializeX509PublicKey(publicKey), true));
}
private HttpServletRequest createMockRequest(final AtomicReference<Header> header) {