Conversation

@ctubbsii
Member

  • Fix the serialization of CredentialProviderToken, so it serializes the name and credential provider paths, rather than the resolved password from the provider
  • Add comments to reserve specific magic numbers/versions for serialization to separate it from PasswordToken's serialization
  • Mark internal method as private
  • Also fix issue in CreateToken where only the most recent property was being used to initialize a token, instead of all the properties

This fixes #4573

@keith-turner
Contributor

Could add a unit test to CredentialProviderTokenTest that ensures the serialized form of CredentialProviderToken does not contain a password.

@gwynlionhart

Thanks, I gave it a shot through tests and it looks fine. Regarding a test on whether the serialization contains a password, I wrote a small one:

  @Test
  public void deserializesWithoutPassword() throws Exception {
    // keystorePath is the test keystore fixture; the alias names one jceks entry
    CredentialProviderToken token = new CredentialProviderToken("bob.password", keystorePath);
    // serialize the token and look for the resolved password in the output
    String serializedTokenString = new String(
        AuthenticationToken.AuthenticationTokenSerializer.serialize(token), StandardCharsets.UTF_8);
    assertFalse(serializedTokenString.contains(new String(token.getPassword())));
  }

You'd have to make a jceks file where the password value doesn't contain any string from the JCEKS alias. My test fails for me because the passwords.jceks values all have the word "password" in the alias name with a password "password". But visually inspecting the serialized string, it no longer displays the password.
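
As an added example that is not part of this PR or of Accumulo's code base, the following standalone Java shows the pattern the fix in the PR description calls for: a token whose serialized form carries the alias name and provider path rather than the password resolved from the provider, with a version number reserved so the bytes cannot be mistaken for a PasswordToken. It also shows a byte-level form of the test suggested in the thread, using a hypothetical in-memory map in place of a jceks keystore and secrets chosen so they are not substrings of the alias or path (the collision that made the posted test fail). Every class, method, constant and path name below is an assumption of this example, not an Accumulo or Hadoop API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;

// Added example, not Accumulo code. All names below are hypothetical.
public class ReferenceOnlyTokenDemo {

  // Reserved version numbers: keeping them distinct lets a deserializer reject
  // bytes written by the other token type instead of misreading them.
  static final int PASSWORD_TOKEN_VERSION = 1;
  static final int CREDENTIAL_PROVIDER_TOKEN_VERSION = 2;

  // Constructed stand-in for a Hadoop CredentialProvider / jceks keystore:
  // alias -> secret. Secrets are chosen so neither the alias nor the provider
  // path contains them; otherwise a substring check proves nothing.
  static final Map<String, char[]> PROVIDER = Map.of(
      "bob.password", "Zq9!m2Lp".toCharArray(),
      "alice.password", "Xk4#vT7r".toCharArray());

  // Resolve an alias against the (fake) provider; callers get their own copy.
  static char[] resolve(String name, String providerPath) {
    char[] secret = PROVIDER.get(name);
    if (secret == null) {
      throw new IllegalArgumentException("no alias " + name + " in " + providerPath);
    }
    return secret.clone();
  }

  // Pre-fix shape: the resolved password itself is written out.
  static byte[] serializeLeaky(String name, String providerPath) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (DataOutputStream out = new DataOutputStream(bos)) {
      out.writeInt(PASSWORD_TOKEN_VERSION);
      out.writeUTF(new String(resolve(name, providerPath)));
    }
    return bos.toByteArray();
  }

  // Fixed shape: only the reference (alias name and provider path) is written,
  // so whoever receives the bytes must still be able to reach the provider.
  static byte[] serializeReference(String name, String providerPath) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (DataOutputStream out = new DataOutputStream(bos)) {
      out.writeInt(CREDENTIAL_PROVIDER_TOKEN_VERSION);
      out.writeUTF(name);
      out.writeUTF(providerPath);
    }
    return bos.toByteArray();
  }

  // Reads back a reference token, refusing any other version.
  static String[] deserializeReference(byte[] bytes) throws IOException {
    try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes))) {
      int version = in.readInt();
      if (version != CREDENTIAL_PROVIDER_TOKEN_VERSION) {
        throw new IOException("not a credential provider token, version " + version);
      }
      return new String[] {in.readUTF(), in.readUTF()};
    }
  }

  // Byte-level leak check: a String-based contains() can miss secrets that are
  // not valid text, so search the raw bytes for the UTF-8 form of the secret.
  static boolean containsSecret(byte[] serialized, char[] secret) {
    byte[] needle = new String(secret).getBytes(StandardCharsets.UTF_8);
    outer:
    for (int i = 0; i + needle.length <= serialized.length; i++) {
      for (int j = 0; j < needle.length; j++) {
        if (serialized[i + j] != needle[j]) {
          continue outer;
        }
      }
      return true;
    }
    return false;
  }

  public static void main(String[] args) throws IOException {
    String name = "bob.password";
    String providerPath = "jceks://file/tmp/passwords.jceks"; // constructed path
    char[] secret = resolve(name, providerPath);
    byte[] leaky = serializeLeaky(name, providerPath);
    byte[] fixed = serializeReference(name, providerPath);
    System.out.println("leaky form contains secret: " + containsSecret(leaky, secret));
    System.out.println("fixed form contains secret: " + containsSecret(fixed, secret));
    String[] ref = deserializeReference(fixed);
    System.out.println("round trip: " + Arrays.toString(ref));
    Arrays.fill(secret, '\0'); // scrub the copy once done with it
  }
}
```

The check runs over the raw bytes rather than a decoded String because the serialized form may contain non-text bytes (the version int, length prefixes) and a charset round trip can silently alter them. The same reason drives the choice of secrets in the fake provider: if the alias were "bob.password" and the secret "password", the check would fail on the fixed form too, since the alias is legitimately part of the serialized reference.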

@ctubbsii ctubbsii modified the milestones: 3.1.0, 2.1.3 Jul 12, 2024
ctubbsii added 3 commits July 24, 2024 06:17
* Add test of end-to-end serialization and deserialization
* Use var in a few more places
* Update test keystore with unique passwords for each jceks entry
* Document hadoop commands for modifying the jceks files