fix(authn): make hashing/encryption keys used to secure cookies #2536
Conversation
eusebiu-constantin-petu-dbk
requested review from
rchincha and
andaaron
as code owners
|
I tried to build and deploy Zot with these changes, and I still get the error explained in #2526 with these changes, however, it only happens when I run multiple replicas of Zot. I tried to enable some extra logging by changing https://github.com/peusebiu/zot/blob/c6688abf0bf7edc59db02fca3bea8994b0383dba/pkg/api/authn.go#L851 to stateCookie, err := ctlr.CookieStore.Get(r, "statecookie")
if err != nil {
ctlr.Log.Error().Err(err).Str("component", "openID").Msg("failed to get 'statecookie' from request")
}and I started to get {"level":"error","error":"securecookie: the value is not valid","component":"openID","goroutine":296,"caller":"zotregistry.dev/zot/pkg/api/authn.go:856","time":"2024-07-12T09:34:55.128562134Z","message":"failed to get 'statecookie' from request"}I guess that Zot can't handle cookies from different running instances, as it saves some things in memory which the other instance does not have access to? |
eusebiu-constantin-petu-dbk
force-pushed
the
secure_cookies
branch
from
c6688ab
to
f35d3d0
Compare
|
Hello @AndersBennedsgaard I have pushed a new commit, can you try your test again please? thank you! |
|
@peusebiu pls fix the linter issues and rebase also. |
eusebiu-constantin-petu-dbk
force-pushed
the
secure_cookies
branch
from
f35d3d0
to
9002089
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2536 +/- ##
==========================================
- Coverage 92.74% 92.73% -0.01%
==========================================
Files 169 169
Lines 22471 22482 +11
==========================================
+ Hits 20840 20848 +8
- Misses 1015 1017 +2
- Partials 616 617 +1 ☔ View full report in Codecov by Sentry. |
|
@AndersBennedsgaard does this PR work for you? |
|
Instead of a env var, can we read this from a file? If deployed in kubernetes, this can be made a secret and mounted as a file. |
eusebiu-constantin-petu-dbk
force-pushed
the
secure_cookies
branch
4 times, most recently
from
979b602
to
0499fc4
Compare
|
@rchincha updated, now it's using a separate file for keys. |
|
@rchincha and @peusebiu sorry for not getting back to you before (I was on vacation) but I have now tested these changes and it seems to work perfectly with multiple replicas 🥳 My only issue I've found is that while |
eusebiu-constantin-petu-dbk
force-pushed
the
secure_cookies
branch
from
0499fc4
to
f36379e
Compare
Fixed it, sorry for that, can you test again? :D |
If they are not configured zot will generate a random hashing key at startup, invalidating all cookies if zot is restarted. closes: project-zot#2526 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
eusebiu-constantin-petu-dbk
force-pushed
the
secure_cookies
branch
from
f36379e
to
2c9765c
Compare
If they are not configured zot will generate a random hashing key at startup, invalidating all cookies if zot is restarted. closes: #2526
What type of PR is this?
bug
Which issue does this PR fix:
restarting zot invalidates currently active sessions.
What does this PR do / Why do we need it:
If an issue # is not available please add repro steps and logs showing the issue:
#2526
Testing done on this change:
Automation added to e2e:
Will this break upgrades or downgrades?
no
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.