
/sign fails to authenticate #105

Open
mikehale opened this issue Aug 15, 2013 · 8 comments

Comments

@mikehale

I just deployed l2met from 27b6331 and it is returning 'Authentication failed.' when I attempt to sign credentials. I'm pretty sure I'm using the same secret on the process and the request, thinking that perhaps this was a code regression?

@ryandotsmith
Owner

Can you provide the command you are using to sign?

@mikehale
Author

$ curl 'http://localhost:5000/sign' --data "lu:t" -u 'BecstsYSkJY33Us91kgl6qPubHowWXcqaBxqhu7Nu6_=:'
Authentication failed.

It looks like this is an encoding error possibly in kr/fernet. If you replace the '_' with some alpha numeric character (for both the l2met process and the curl command) everything just works.

So far I can't get auth to work with '+' or '_' in the SECRETS env.

@ryandotsmith
Owner

@mikehale so is it a problem with the command used to generate SECRETS?

@mikehale
Author

I'm not sure. Ruby properly url encodes/decodes strings that l2met/fernet has trouble with. I'm not certain which is out of spec.

@mikehale
Author

This shows that in ruby decoding an encoded string returns the original string:

$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64|ruby -ruri -e 's=STDIN.read.chomp; puts [s, URI.decode(URI.encode(s))]'
sRd/0ehjza+7zMRjmytZG4yNVUJ7+NhyXWZY+dx/Rg4=
sRd/0ehjza+7zMRjmytZG4yNVUJ7+NhyXWZY+dx/Rg4=

@ryandotsmith
Owner

I suspect this problem may be with the way that l2met is decoding the authorization header. You can see the call to decode here:

https://github.com/ryandotsmith/l2met/blob/master/auth/auth.go#L53

Notice I am using the base64 pkg's StdEncoding variable. I noticed that there is a URLEncoding variable that will handle the URL safe versions of base64. I am going to research and test the different implementations to see if the URLEncoding provides a more robust implementation of header parsing.

@ryandotsmith
Owner

Using URLEncoding did not solve the problem. After some more digging, I may have uncovered a bug in kr/fernet. Here is my bug report. fernet/fernet-go#5

ryandotsmith added a commit that referenced this issue Aug 16, 2013
Related: #105

Use the URL safe version of base64 decoding. Don't break
when comparing secret keys to avert possible timing attacks.
Add tests for auth parsing.
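Added illustration (not l2met's own code and not from either commit referenced in this thread) of the two points raised above: the StdEncoding-versus-URLEncoding distinction from the auth header comment, and the constant-time secret comparison from the Aug 16 commit message. The program builds the Authorization header curl sends for `-u 'secret:'`, extracts the username, decodes it with either base64 alphabet, and compares it against every configured secret without short-circuiting. The function names (DecodeSecret, ParseBasicAuth, Authenticate) and the sample 0xfb key material are assumptions constructed for this example; the fallback from StdEncoding to URLEncoding is a hypothetical robustness measure, not l2met's decoder.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample secrets (not from the issue): 32 bytes of 0xfb encode
// to '+' and '/' under the standard alphabet and to '-' and '_' under the
// URL-safe alphabet, so the same key material yields both problem cases.
var (
	rawKey        = bytes.Repeat([]byte{0xfb}, 32)
	StdSecret     = base64.StdEncoding.EncodeToString(rawKey)
	URLSafeSecret = base64.URLEncoding.EncodeToString(rawKey)
)

// DecodeSecret accepts a secret written in either base64 alphabet.
// Trying StdEncoding first and falling back to URLEncoding is a
// hypothetical robustness measure, not l2met's own decoder.
func DecodeSecret(s string) ([]byte, error) {
	if b, err := base64.StdEncoding.DecodeString(s); err == nil {
		return b, nil
	}
	return base64.URLEncoding.DecodeString(s)
}

// BasicHeader builds the Authorization value curl sends for -u 'secret:'.
// The Basic payload is always standard base64 (RFC 7617), whatever alphabet
// the secret inside it was generated with.
func BasicHeader(user string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"))
}

// ParseBasicAuth returns the username part of a Basic Authorization header.
func ParseBasicAuth(header string) (string, error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", errors.New("not a Basic authorization header")
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", fmt.Errorf("decoding Basic payload: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed Basic credentials")
	}
	return parts[0], nil
}

// Authenticate decodes the presented secret and checks it against every
// configured secret with a constant-time comparison. Every candidate is
// compared and the results are OR-ed, so neither an early return nor a
// byte-wise mismatch leaks timing information about the configured keys.
func Authenticate(header string, secrets []string) (bool, error) {
	presented, err := ParseBasicAuth(header)
	if err != nil {
		return false, err
	}
	got, err := DecodeSecret(presented)
	if err != nil {
		return false, fmt.Errorf("decoding presented secret: %w", err)
	}
	match := 0
	for _, s := range secrets {
		want, err := DecodeSecret(s)
		if err != nil {
			continue // misconfigured secret; can never match
		}
		match |= subtle.ConstantTimeCompare(got, want)
	}
	return match == 1, nil
}

func main() {
	// The failure from the issue: a URL-safe secret rejected by StdEncoding.
	_, err := base64.StdEncoding.DecodeString(URLSafeSecret)
	fmt.Printf("StdEncoding on %q: %v\n", URLSafeSecret, err)

	// Both spellings of the same key material authenticate once the
	// decoder accepts either alphabet.
	for _, s := range []string{StdSecret, URLSafeSecret} {
		ok, err := Authenticate(BasicHeader(s), []string{StdSecret})
		fmt.Printf("secret %q authenticates: %v (err=%v)\n", s, ok, err)
	}
}
```

Note that the Basic header payload and the secret inside it are two separate base64 layers: curl always emits the outer one with the standard alphabet, so only the inner decode of the secret needs to tolerate '-' and '_'.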
@jamischarles

Was seeing this as well using the ./scripts/setup script.

It failed 5 times in a row for me (I manually wiped the repo and heroku app each time).

I increased the sleep in the script to 5, then it worked (not sure if there's a correlation).

ryandotsmith added a commit that referenced this issue Sep 5, 2013
Related #105
Related #114

There is an outstanding issue (#115) with the pkg that
l2met uses to deal with the encryption of Librato credentials
in which certain characters are not properly parsed which results
in the shared key not being able to decrypt data.

This patch trims the known-to-be-bad characters away from
the generated secret.