Add support for passing non-printable character as key #2851
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2851 +/- ##
==========================================
+ Coverage 9.9% 10.04% +0.14%
==========================================
Files 140 140
Lines 13522 13555 +33
==========================================
+ Hits 1339 1362 +23
- Misses 12016 12026 +10
Partials 167 167
Continue to review full report at Codecov.
|
cmd/head-main.go
Outdated
| @@ -68,6 +68,10 @@ EXAMPLES: | |||
|
|
|||
| 2. Display only first line from server encrypted object on Amazon S3. | |||
| $ {{.HelpName}} -n 1 --encrypt-key 's3/csv-data=32byteslongsecretkeymustbegiven1' s3/csv-data/population.csv | |||
|
|
|||
| 3. Display only first line from server encrypted object on Amazon S3. In case the encryption key contains non-printable characcter like tab, pass the | |||
cmd/cat-main.go
Outdated
| @@ -69,6 +69,10 @@ EXAMPLES: | |||
|
|
|||
| 4. Save an encrypted object from Amazon S3 cloud storage to a local file. | |||
| $ {{.HelpName}} --encrypt-key 's3/mysql-backups=32byteslongsecretkeymustbegiven1' s3/mysql-backups/backups-201810.gz > /mnt/data/recent.gz | |||
|
|
|||
| 5. Display the content of encrypted object. In case the encryption key contains non-printable characcter like tab, pass the | |||
cmd/cp-main.go
Outdated
|
|
||
| if sseKeys != "" { | ||
| sseKeys, err = getDecodedKey(sseKeys) | ||
| fatalIf(err, "Unable to decrypt encryption keys.") |
There was a problem hiding this comment.
"Unable to decrypt encryption keys." is incorrect as you are just trying to decode the base64 encoded key.
"Unable to parse encryption key" is better
cmd/common-methods.go
Outdated
| secretValue := encryptString[1] | ||
| decodedString, e := base64.StdEncoding.DecodeString(secretValue) | ||
| if e != nil { | ||
| return "", probe.NewError(errors.New("key should be 32 bytes long or if the key is encoded; then decoded value must be of 32 bytes long")) |
There was a problem hiding this comment.
| return "", probe.NewError(errors.New("key should be 32 bytes long or if the key is encoded; then decoded value must be of 32 bytes long")) | |
| return "", probe.NewError(errors.New("key should be 32 bytes long or if the key is base64 encoded; then decoded value must be 32 bytes long")) | |
| ``` |
cmd/common-methods.go
Outdated
| } | ||
|
|
||
| if len(decodedString) != 32 { | ||
| keyString = keyString + sse |
There was a problem hiding this comment.
shouldn't you be returning an error here because plain text key is not 32 bytes
There was a problem hiding this comment.
That is taken care in parseEncryptionKeys .
cmd/common-methods_test.go
Outdated
| err error | ||
| status bool | ||
| }{ | ||
| //success scenerio the key contains non printable (tab) character as key |
There was a problem hiding this comment.
s/scenerio/scenario across this test case
There was a problem hiding this comment.
This needs to be fixed in more than one place. Please fix them everywhere
cmd/common-methods.go
Outdated
| encryptString := strings.SplitN(sse, "=", 2) | ||
| pre := encryptString[0] | ||
| secretValue := encryptString[1] | ||
| decodedString, e := base64.StdEncoding.DecodeString(secretValue) |
There was a problem hiding this comment.
It is better to have this part in a function. Other than that, the first part should be to check if the length of secretValue is 32, then it is plain text and use it as is. Only otherwise do you proceed to decode and if the decode fails, you return error. Else check if the decoded length is 32, then use that, else return error
Now, what will happen is that even if you encode a string of length 10 and pass it in command line, this code is going to use it as plain text as the decoded string length will be 10 and this code will assume that it is a plain text secret key.
There was a problem hiding this comment.
Added a function func parseKey(sseKeys string) (sse string, err *probe.Error) to achieve this functionality.
sinhaashish
force-pushed
the
non-printable-char
branch
from
132b819
to
a958194
Compare
cmd/common-methods.go
Outdated
| return sseKeys, nil | ||
| } | ||
| decodedString, e := base64.StdEncoding.DecodeString(secretValue) | ||
| if e != nil || len(decodedString) != 32 || len(secretValue) != 32 { |
There was a problem hiding this comment.
| if e != nil || len(decodedString) != 32 || len(secretValue) != 32 { | |
| if e != nil || len(decodedString) != 32 { |
sinhaashish
force-pushed
the
non-printable-char
branch
2 times, most recently
from
30e2bb4
to
65eb30f
Compare
cmd/common-methods.go
Outdated
| } | ||
| decodedString, e := base64.StdEncoding.DecodeString(secretValue) | ||
| if e != nil || len(decodedString) != 32 { | ||
| return "", probe.NewError(errors.New("key should be 32 bytes long or if the key is base64 encoded; then decoded value must be 32 bytes long")) |
There was a problem hiding this comment.
| return "", probe.NewError(errors.New("key should be 32 bytes long or if the key is base64 encoded; then decoded value must be 32 bytes long")) | |
| return "", probe.NewError(errors.New("Encryption key should be 32 bytes plain text key or 64 bytes base64 encoded key")) | |
cmd/common-methods_test.go
Outdated
| // {"play/documents/=32byteslongsecretkeymustbegiven1,s3/documents/=MzJieXRlc2xvbmdzZWNyZWFiY2RlZmcJZ2l2ZW5uMjE=", "play/documents/=32byteslongsecretkeymustbegiven1,s3/documents/=32byteslongsecreabcdefg givenn21", nil, true}, | ||
| // // decoded key less than 32 char and conatin non printable (tab) character | ||
| // {"s3/documents/=MzJieXRlc2xvbmdzZWNyZWFiY2RlZmcJZ2l2ZW5uMjE", "", errors.New("key should be 32 bytes long or if the key is base64 encoded; then decoded value must be 32 bytes long"), false}, | ||
| // // normal key less than 32 character |
There was a problem hiding this comment.
looks like these tests need to be uncommented
sinhaashish
force-pushed
the
non-printable-char
branch
from
65eb30f
to
7770235
Compare
|
@poornas @kannappanr PTAL |
cmd/cp-main_test.go
Outdated
| @@ -28,11 +28,11 @@ func TestParseMetaData(t *testing.T) { | |||
| err error | |||
| status bool | |||
| }{ | |||
| // success scenerio using ; as delimitter | |||
| // success scenario using ; as delimitter | |||
There was a problem hiding this comment.
please fix typo delimitter -> delimiter wherever they occur
There was a problem hiding this comment.
thanks for pointing it out. Done with the change.
sinhaashish
force-pushed
the
non-printable-char
branch
from
7770235
to
458b0a4
Compare
sinhaashish
force-pushed
the
non-printable-char
branch
from
46ae6fe
to
f634d77
Compare
This feature enables the users to pass non-printable character as encrytion-key by encoding it.
Example :
If the encryption keys contains a non printable character like tab :
--encrypt-key "play/test/=32byteslongsecretke mustbegiven1".The user need to encode using base64 and pass the encoded string as the key.
--encrypt-key "play/test=MzJieXRlc2xvbmdzZWNyZXRrZQltdXN0YmVnaXZlbjE="Tested case:
Closes #2678