feat: add optional token hashing #25982
Conversation
authorizer/task_test.go
Outdated
| Bucket: "holder", | ||
| RetentionPeriodSeconds: 1, | ||
| }) | ||
| if err != nil { |
authorizer/task_test.go
Outdated
| t.Fatal(err) | ||
| }) | ||
| if err != nil { | ||
| t.Fatal(err) |
authorization/http_server_test.go
Outdated
| @@ -185,21 +182,16 @@ func TestService_handlePostAuthorization(t *testing.T) { | |||
| handler.handlePostAuthorization(w, r) | |||
|
|
|||
| res := w.Result() | |||
| content := res.Header.Get("Content-Type") | |||
| contentType := res.Header.Get("Content-Type") | |||
| body, _ := io.ReadAll(res.Body) | |||
There was a problem hiding this comment.
maybe an error check on ReadAll? probably never fails, though....
authorization/http_server_test.go
Outdated
| } | ||
| diff, err := jsonDiff(string(body), tt.wants.body) | ||
| require.NoError(t, err) | ||
| require.Empty(t, diff) |
There was a problem hiding this comment.
A little context message in these two would help debugging: diff failed on <whatever this is doing> and
expected no difference in authorization response or something like that.
authorization/http_server_test.go
Outdated
| } | ||
| diff, err := jsonDiff(string(body), tt.wants.body) | ||
| require.NoError(t, err) | ||
| require.Empty(t, diff) |
authorization/http_server_test.go
Outdated
| t.Errorf("%q. handleDeleteAuthorization() = %v, want %v", tt.name, content, tt.wants.contentType) | ||
| require.Equal(t, tt.wants.statusCode, res.StatusCode) | ||
| if tt.wants.contentType != "" { | ||
| require.Equal(t, tt.wants.contentType, contentType) |
There was a problem hiding this comment.
mention handleDeleteAuthorization in the log message.
| } | ||
|
|
||
| // deleteIndices removes indices for the given token and hashedToken. | ||
| func (s *Store) deleteIndices(ctx context.Context, tx kv.Tx, token, hashedToken string) error { |
There was a problem hiding this comment.
I'm wondering if this should be more robust. Even if we can't get one bucket, remove the (hashed) token from the other, and if we can't remove one token, still try to remove the other. Would that leave us in a better state for recovery, or not?
There was a problem hiding this comment.
If error will get returned up the call tree and cause the BoltDB transaction to be rolled back, so we won't leave BoltDB in an inconsistent state.
Add optional token hashing with `--use-hashed-tokens` command line option.
Create duplicate tokens from being created. This is a bug introduced earlier in this PR. Also improve tests so they detect the bug and use testify throughout.
Fix a bug that only allowed hashed tokens to be looked up if they used the currently active hashing algorithm. Also added tests for configuration migration scenarios (enabling and disabling hashing, changing hashing scheme).
Address PR issues on comments, error handling, and add final token matching check in `Store.GetAuthorizationByToken`.
Changes in addition to minor cleanups: - `authentication.Store` can now log info and warnings - Improved logic in `UpdateAuthorization` when both Token and HashedToken are set. Added supporting test cases.
gwossum
force-pushed
the
gw/edge306/token_hashing
branch
from
15f8e92 to
6aa2d1a
Compare
| // Create the hasher used for hashing new tokens before storage. | ||
| hasher, err := influxdb2_algo.New(influxdb2_algo.WithVariant(options.hasherVariant)) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("creating hasher for AuthorizationHasher: %w", err) |
There was a problem hiding this comment.
display hasherVariant for error?
fmt.Errorf("creating hasher with variant %s for AuthorizationHasher: %w", options.hasherVariant, err)| // AllHashes generates a list of PHC-encoded hashes of token for all deterministic (i.e. non-salted) supported hashes. | ||
| func (h *AuthorizationHasher) AllHashes(token string) ([]string, error) { | ||
| hashes := make([]string, len(h.allHashers)) | ||
| for idx, hasher := range h.allHashers { |
There was a problem hiding this comment.
Could there ever be a code path where h.allHashers could be empty and we expect for it not to be? Would it be a good idea to check h.allHashers len and warn on it if its == 0?
| for idx, hasher := range h.allHashers { | ||
| digest, err := hasher.Hash(token) | ||
| if err != nil { | ||
| variantName := "N/A" |
There was a problem hiding this comment.
Hardcoding "N/A" here seems weird to me. Could this be an enum or a constant of some sort?
| t.Fatal(err) | ||
| } | ||
| storage, err := NewStore(context.Background(), s, useHashedTokens) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Add some context to this error so we know what failed
require.NoError(t, err, "creating new store")| t.Fatalf("failed to unmarshal authorization: %v", err) | ||
| } | ||
| req, err := newPostAuthorizationRequest(tt.args.authorization) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Similar to above - add small context string.
| return nil | ||
| }) | ||
| if err != nil { | ||
| return fmt.Errorf("error migrating hashed tokens: %w", err) |
There was a problem hiding this comment.
Adding some more context to the error such as ID and maybe token description? Similar to the s.log.Warn above?
| // Redact Token, if needed. This is done at the lowest level so it is impossible to serialize | ||
| // raw tokens if hashing is enabled. | ||
| if s.useHashedTokens { | ||
| // Redact a copy, not the original. The raw Token value is still needed by the caller in some cases. |
There was a problem hiding this comment.
Nice thank you for the comment, makes the code below much easier to reason about.
| // error is returned. | ||
| func (s *Store) transformToken(a *influxdb.Authorization) error { | ||
| // Verify Token and HashedToken match if both are set. | ||
| if a.Token != "" && a.HashedToken != "" { |
There was a problem hiding this comment.
since 'a' is a pointer should there be a nil check for safety before field access?
| // Note that even if a.HashedToken is set, we will regenerate it here. This ensures | ||
| // that a.HashedToken will be stored using the currently configured hashing algorithm. | ||
| if hashedToken, err := s.hasher.Hash(a.Token); err != nil { | ||
| return fmt.Errorf("error hashing token: %w", err) |
There was a problem hiding this comment.
Any other information such as description or ID?
| if auth.HashedToken != "" { | ||
| match, err := s.hasher.Match(auth.HashedToken, token) | ||
| if err != nil { | ||
| return false, fmt.Errorf("error matching hashed token for validation: %w", err) |
There was a problem hiding this comment.
More information like ID and description?
| @@ -71,42 +142,12 @@ func (s *Store) CreateAuthorization(ctx context.Context, tx kv.Tx, a *influxdb.A | |||
| a.ID = id | |||
| } | |||
|
|
|||
| // Token must be unique to create authorization. | |||
There was a problem hiding this comment.
If s.uniqueAuthToken fails should the mutation of a.HashedToken = hashedToken be reverted/rolled back at all? https://github.com/influxdata/EAR/issues/5819#issuecomment-2686492432
| return string(got) == token | ||
| } | ||
| if len(allHashes) > 0 { | ||
| if got, _, _, err := jsonparser.Get(value, "hashedToken"); err == nil { |
There was a problem hiding this comment.
Should you check if err is not nil? It appears that this method will throw errors for a few different reasons. It may be good to add a safety check if err != nil.
| allHashes, err := s.hasher.AllHashes(token) | ||
| if err != nil { | ||
| s.log.Error("error generating hashes in filterPredicateFn", zap.Error(err)) | ||
| // On error, continue onward. allHashes is empty and we'll effectively ignore hashedToken, |
| Bucket: "holder", | ||
| RetentionPeriodSeconds: 1, | ||
| }) | ||
| require.NoError(t, err) |
| if err != nil { | ||
| t.Fatal(err) | ||
| } | ||
| require.NoError(t, err) |
| t.Fatal(err) | ||
| } | ||
| err = svc.CreateOrganization(context.Background(), otherOrg) | ||
| require.NoError(t, err) |
| t.Fatal(err) | ||
| } | ||
| err := all.Up(context.Background(), zaptest.NewLogger(t), store) | ||
| require.NoError(t, err) |
| t.Fatal(err) | ||
| } | ||
| authStore, err := authorization.NewStore(context.Background(), store, useHashedTokens) | ||
| require.NoError(t, err) |
| ctx := context.Background() | ||
| store := bolt.NewKVStore(cmd.logger.With(zap.String("system", "bolt-kvstore")), cmd.boltPath) | ||
| if err := store.Open(ctx); err != nil { | ||
| return err | ||
| } | ||
| defer store.Close() | ||
| defer func() { | ||
| rErr = errors.Join(store.Close(), rErr) |
There was a problem hiding this comment.
For these defers can errors2.Capture be used?
see
influxdb/tsdb/index/tsi1/partition.go
Line 301 in 1efb8da
| if t.Token != "" { | ||
| token = t.Token | ||
| } else if t.HashedToken != "" { | ||
| token = "REDACTED" |
There was a problem hiding this comment.
Could "N/A" and "REDACTED" be Enums or consts?
There was a problem hiding this comment.
Should this be added? I assume yes because its post fixed with testdata, but, just checking.
|
|
||
| for _, want := range tc.want { | ||
| actual, err := v2.authSvc.FindAuthorizationByToken(ctx, want.Token) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
Please add string context to NoError
| } | ||
| if diff := cmp.Diff(want.Status, actual.Status); diff != "" { | ||
| t.Fatal(diff) | ||
| require.NoError(t, err) |
| t.Run(tc.name, func(t *testing.T) { // better do not run in parallel | ||
| ctx := context.Background() | ||
| log := zaptest.NewLogger(t) | ||
| for _, useHashedTokens := range []bool{false, true} { |
There was a problem hiding this comment.
Please add strings with context to NoError's in this function.
There was a problem hiding this comment.
Also did not mean to approve. Dismissing my approval.
Add optional token hashing with --use-hashed-tokens command line option.