ARTEMIS-1600 Support masked passwords in bootstrap.xm and login.config by gaohoward · Pull Request #1771 · apache/artemis

gaohoward · 2018-01-11T05:05:47Z

We provide a feature to mask passwords in the configuration files.
However, passwords in the bootstrap.xml (when the console is
secured with HTTPS) cannot be masked. This enhancement has
been opened to allow passwords in the bootstrap.xml to be masked
using the built-in masking feature provided by the broker.

Also the LDAPLoginModule configuration (in login.config) has a
connection password attribute that also needs this mask support.

jbertram · 2018-01-11T18:32:43Z

Aside from the failing tests this looks OK.

That said, I would love to see us move all our password masking to use the "ENC()" syntax instead of using boolean "mask-password" attributes everywhere if possible. This is done for the properties login module and it's very clean. If the text follows the pattern then it should be treated as masked otherwise it shouldn't.

gaohoward · 2018-01-12T04:48:57Z

@jbertram good point. I think I can do that. Do you think we still need to support "mask-password" for backward compatibility?

gaohoward · 2018-01-12T05:43:55Z

@jbertram ok I think we can support ENC() as well as "mask-password".

jbertram · 2018-01-12T15:25:42Z

We should keep mask-password config support where it exists already, but don't add any new features that use it. Instead we can rely on the ENC() syntax.

gaohoward · 2018-01-12T16:10:16Z

OK, so I'd add ENC() syntax and keeps the mask-password as an option. (I mean I won't remove this from this PR, but won't add any more in the future if there is new password mask requirements).

jbertram · 2018-01-12T16:39:05Z

In my opinion, you should remove the mask-password config property from this PR as it will require more code/documentation changes later when it's deprecated and eventually removed.

gaohoward · 2018-01-12T16:52:17Z

that's fine. I'll remove it.

gaohoward · 2018-01-16T22:54:20Z

@jbertram Hi Justin, I think it's done. Can you take a look again?

Thanks

gaohoward · 2018-01-16T22:57:44Z

well, almost done. Just found a unused var. I'll delete it right away. Sorry about that. :)

clebertsuconic · 2018-01-17T17:29:44Z

    */
-   public static boolean isDefaultMaskPassword() {
-      return DEFAULT_MASK_PASSWORD;
+   public static Boolean isDefaultMaskPassword() {


Why this?

Why you need a third state? true / false / undefined?

Why not just keep it boolean.. either mask it or not...

Besides.. if you really need the third option.. I would make DEFAULT_MASK_PASSWORD = null; instead of returning null here.

I couldn't understand why you need it.

@clebertsuconic, check out org.apache.activemq.artemis.utils.PasswordMaskingUtil.resolveMask. I believe the way that method works is why he needs 3 values.

@clebertsuconic yes that's the purpose as @jbertram pointed out. I need 'null' to represent the case where the mask-password is not specified at all.

jbertram · 2018-01-17T19:19:14Z

      }
      isRoleAttributeSet = isLoginPropertySet(ROLE_NAME);
      roleAttributeName = getLDAPPropertyValue(ROLE_NAME);
+      String isMask = (String) options.get(MASK_PASSWORD);


This isn't used anywhere so it can be removed.

jbertram · 2018-01-17T19:26:32Z

 passwords.

+In general, a masked password can be identified using one of two ways. The first one
+iS the ENC() syntax, i.e. any string value wrapped in ENC() is to be treated as 


Capitalization error on "iS".

gaohoward · 2018-01-18T02:47:07Z

@jbertram @clebertsuconic done!

gaohoward · 2018-01-18T03:25:23Z

@jbertram Please hold for a moment. I just found a change that may be wrong.

We provide a feature to mask passwords in the configuration files. However, passwords in the bootstrap.xml (when the console is secured with HTTPS) cannot be masked. This enhancement has been opened to allow passwords in the bootstrap.xml to be masked using the built-in masking feature provided by the broker. Also the LDAPLoginModule configuration (in login.config) has a connection password attribute that also needs this mask support. In addition the ENC() syntax is supported for password masking to replace the old 'mask-password' flag.

gaohoward · 2018-01-18T06:43:21Z

OK it's done.

gaohoward force-pushed the fent908 branch from f9f6d90 to 678e2ad Compare January 11, 2018 05:26

gaohoward force-pushed the fent908 branch 2 times, most recently from eec4197 to 4c94dbf Compare January 16, 2018 15:56

gaohoward force-pushed the fent908 branch 2 times, most recently from 568e701 to 41b7883 Compare January 17, 2018 08:10

clebertsuconic reviewed Jan 17, 2018

View reviewed changes

jbertram reviewed Jan 17, 2018

View reviewed changes

gaohoward force-pushed the fent908 branch 2 times, most recently from 9647a36 to 1e04cef Compare January 18, 2018 02:45

gaohoward force-pushed the fent908 branch from 1e04cef to f6bcf13 Compare January 18, 2018 06:32

asfgit closed this in 0d9a114 Jan 18, 2018

Conversation

gaohoward commented Jan 11, 2018

Uh oh!

jbertram commented Jan 11, 2018

Uh oh!

gaohoward commented Jan 12, 2018

Uh oh!

gaohoward commented Jan 12, 2018

Uh oh!

jbertram commented Jan 12, 2018

Uh oh!

gaohoward commented Jan 12, 2018

Uh oh!

jbertram commented Jan 12, 2018

Uh oh!

gaohoward commented Jan 12, 2018

Uh oh!

gaohoward commented Jan 16, 2018

Uh oh!

gaohoward commented Jan 16, 2018

Uh oh!

clebertsuconic Jan 17, 2018

Choose a reason for hiding this comment

Uh oh!

jbertram Jan 17, 2018

Choose a reason for hiding this comment

Uh oh!

gaohoward Jan 18, 2018

Choose a reason for hiding this comment

Uh oh!

jbertram Jan 17, 2018

Choose a reason for hiding this comment

Uh oh!

jbertram Jan 17, 2018

Choose a reason for hiding this comment

Uh oh!

gaohoward commented Jan 18, 2018

Uh oh!

gaohoward commented Jan 18, 2018

Uh oh!

gaohoward commented Jan 18, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants