Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth password config rework #3463

Merged
merged 7 commits into from
Dec 20, 2021
Merged

Auth password config rework #3463

merged 7 commits into from
Dec 20, 2021

Conversation

chrzaszcz
Copy link
Member

@chrzaszcz chrzaszcz commented Dec 20, 2021
edited

The goal of this PR is to rework the auth.password config section to:

  • Use maps. The resulting format is also a map now. The requirement of not having the hash option if the password format is plain is removed as it was undocumented, inconsistent with no such check for scram_iterations and prevented the defaults from being set. It seems enough to inform the user that the plain format just ignores these options.
  • Use defaults - only the hash option is left without a default. Putting the default list of hashes there might lead to suboptimal code, as lists:member would be called on each call to listmech for each method. This can be changed when we rework the cyrsasl implementation, e.g. by precomputing effective filtered SASL mechanisms per host type, but it falls out of scope of this PR.
  • Contain the scram_iterations option, which is password-related, but was outside of this section.

@chrzaszcz
Rework the aut.password config section with maps and defaults
13e3196 
- 'scram_iterations' moved to 'password'
- There was an undocumented check which prevented SHA hashes from
being specified when format was 'plain', it is removed now:
  - For consistency , as there was no such check for scram_iterations.
  - To be able to specify the defaults.
- There is no default for 'hash' as this would add some lists:member
  checks to the code because of the current implementation.
  In the future we might want to rework 'cyrsasl:listmech' to avoid
  this problem, e.g. by pre-filtering sasl mechanisms for each host type.
@chrzaszcz
Tets the reworked auth.password section
42252cd
@chrzaszcz
Fix 'scram_passwords' to pass the host type as expected.
eab48e2
@chrzaszcz
Fix auth suites after the auth.password update
95b2e59
@mongoose-im

This comment has been minimized.

Sign in to view
@codecov
Copy link

codecov bot commented Dec 20, 2021
edited

Codecov Report

Merging #3463 (c7574bb) into master (1e94f3f) will increase coverage by 0.02%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #3463      +/-   ##
==========================================
+ Coverage   80.82%   80.84%   +0.02%     
==========================================
  Files         415      415              
  Lines       32263    32255       -8     
==========================================
+ Hits        26075    26077       +2     
+ Misses       6188     6178      -10
Impacted Files Coverage Δ
src/config/mongoose_config_spec.erl 99.23% <ø> (+0.36%) ⬆️
src/auth/ejabberd_auth_internal.erl 86.23% <100.00%> (-0.80%) ⬇️
src/mongoose_scram.erl 70.93% <100.00%> (-1.30%) ⬇️
src/sasl/cyrsasl_scram.erl 82.60% <0.00%> (-13.05%) ⬇️
src/sasl/cyrsasl.erl 86.36% <0.00%> (-4.55%) ⬇️
src/config/mongoose_config.erl 94.44% <0.00%> (-2.78%) ⬇️
...bal_distrib/mod_global_distrib_hosts_refresher.erl 75.47% <0.00%> (-1.89%) ⬇️
src/auth/ejabberd_auth_riak.erl 76.25% <0.00%> (-1.25%) ⬇️
src/auth/ejabberd_auth_rdbms.erl 56.02% <0.00%> (-1.21%) ⬇️
src/mam/mod_mam_rdbms_arch_async.erl 86.90% <0.00%> (-1.20%) ⬇️
... and 11 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1e94f3f...c7574bb. Read the comment docs.

@mongoose-im

This comment has been minimized.

Sign in to view
@mongoose-im

This comment has been minimized.

Sign in to view
@mongoose-im mongoose-im mentioned this pull request Dec 20, 2021
Closed
@mongoose-im
Copy link
Collaborator

mongoose-im commented Dec 20, 2021
edited

small_tests_24 / small_tests / c7574bb
Reports root / small

small_tests_23 / small_tests / c7574bb
Reports root / small

dynamic_domains_mysql_redis_24 / mysql_redis / c7574bb
Reports root/ big
OK: 2664 / Failed: 0 / User-skipped: 247 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / c7574bb
Reports root/ big
OK: 2681 / Failed: 0 / User-skipped: 230 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / c7574bb
Reports root/ big
OK: 2681 / Failed: 0 / User-skipped: 230 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / c7574bb
Reports root/ big
OK: 2681 / Failed: 0 / User-skipped: 230 / Auto-skipped: 0

ldap_mnesia_23 / ldap_mnesia / c7574bb
Reports root/ big
OK: 1500 / Failed: 0 / User-skipped: 386 / Auto-skipped: 0

ldap_mnesia_24 / ldap_mnesia / c7574bb
Reports root/ big
OK: 1500 / Failed: 0 / User-skipped: 386 / Auto-skipped: 0

internal_mnesia_24 / internal_mnesia / c7574bb
Reports root/ big
OK: 1541 / Failed: 0 / User-skipped: 345 / Auto-skipped: 0

pgsql_mnesia_23 / pgsql_mnesia / c7574bb
Reports root/ big
OK: 3068 / Failed: 0 / User-skipped: 239 / Auto-skipped: 0

pgsql_mnesia_24 / pgsql_mnesia / c7574bb
Reports root/ big
OK: 3068 / Failed: 0 / User-skipped: 239 / Auto-skipped: 0

mysql_redis_24 / mysql_redis / c7574bb
Reports root/ big
OK: 3063 / Failed: 0 / User-skipped: 244 / Auto-skipped: 0

elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / c7574bb
Reports root/ big
OK: 1834 / Failed: 0 / User-skipped: 357 / Auto-skipped: 0

mssql_mnesia_24 / odbc_mssql_mnesia / c7574bb
Reports root/ big
OK: 3068 / Failed: 0 / User-skipped: 239 / Auto-skipped: 0

riak_mnesia_24 / riak_mnesia / c7574bb
Reports root/ big
OK: 1680 / Failed: 0 / User-skipped: 358 / Auto-skipped: 0

@chrzaszcz chrzaszcz marked this pull request as ready for review December 20, 2021 12:47
NelsonVides
NelsonVides approved these changes Dec 20, 2021
View reviewed changes
Copy link
Collaborator

@NelsonVides NelsonVides left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat 👌🏽

rel/mim1.vars-toml.config
{scram_iterations, 64}.
{auth_password_opts, "format = \"scram\"
hash = [\"sha256\"]
scram_iterations = 64"}.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This reminds me, if you want to shave off a few more miliseconds in tests, you can set this to 2 or 3 or so, the fact that the iterations really work is thoroughly tested in the fast_scram repo, here in MIM we only need authentication to be correct, not necessarily safe 😄

src/mongoose_scram.erl
Comment on lines +73 to +75
case mongoose_config:get_opt([{auth, HostType}, password]) of
#{format := scram, hash := ConfiguredSha} -> lists:member(Sha, ConfiguredSha);
#{format := _PlainOrScram} -> true
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, that's very nice, good optimisation against the common case, less lists:member/2 👏🏽

@NelsonVides NelsonVides merged commit 6e3409c into master Dec 20, 2021
@NelsonVides NelsonVides deleted the auth-password-config branch December 20, 2021 14:52
@Premwoik Premwoik added this to the 5.1.0 milestone May 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NelsonVides NelsonVides NelsonVides approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
5.1.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@chrzaszcz @mongoose-im @NelsonVides @Premwoik