Preserve ApiKey credentials for async verification #51244
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete.
tvernum
added
>bug
:Security/Authentication
|
Pinging @elastic/es-security (:Security/Authentication) |
tvernum
commented
Jan 21, 2020
| // The second authentication should pass (but not immediately, but will not block) | ||
| PlainActionFuture<AuthenticationResult> future2 = new PlainActionFuture<>(); | ||
|
|
||
| service.authenticateWithApiKeyIfPresent(threadPool.getThreadContext(), future2); |
There was a problem hiding this comment.
Without the fix to not close the credentials, this line would fail with:
SecureString has already been closed
|
This is good catch for race conditions. The fix itself is easy to follow. The test code is more involved and took me sometime to understand it. But I don't have any suggestions on how it can be made simpler. Race condition testing is mostly tricky anyway. Other than the one comment about wrapping ActionListener earlier, everything else LGTM. |
jkakavas
approved these changes
Jan 21, 2020
| final ApiKeyCredentials creds = new ApiKeyCredentials(randomAlphaOfLength(12), new SecureString(apiKey.toCharArray())); | ||
| final PlainActionFuture<AuthenticationResult> future1 = new PlainActionFuture<>(); | ||
|
|
||
| // Call the top level method because it has been know to be buggy in async situations |
There was a problem hiding this comment.
Suggested change
| // Call the top level method because it has been know to be buggy in async situations | |
| // Call the top level method because it has been known to be buggy in async situations |
I can't see any comment from you @ywangd, can you point me to it? |
ywangd
approved these changes
Jan 24, 2020
| validateApiKeyCredentials(docId, source, credentials, clock, listener); | ||
| } | ||
| final Map<String, Object> source = response.getSource(); | ||
| validateApiKeyCredentials(docId, source, credentials, clock, ActionListener.wrap( |
There was a problem hiding this comment.
A minor comment: Is it worthwhile to wrap the ActionListeners earlier on so that we don't have to call credentials.close() in multiple places. That is once we know credentials is not null, we can have:
var credentialsClosingListener = ActionListener.wrap(...);Then just use the new listener in subsequent code. At this point, it may be worthwhile to extract this part of code into a new method.
There was a problem hiding this comment.
Good idea, I'll see how it looks.
| hashWait.notify(); | ||
| } | ||
|
|
||
| assertThat(future1.actionGet(TimeValue.timeValueSeconds(2)).isAuthenticated(), is(true)); |
There was a problem hiding this comment.
Mainly curious: it really takes 2 seconds for the notify to work?
There was a problem hiding this comment.
No, but in these tests there's a delicate balance between not having the tests run too long and not getting noise.
This should be done in milliseconds. But if the VM that running CI get slowed down for some reason, or we get really long GC pause, and this takes 1.5 seconds, that shouldn't cause the test to fail.
We want a time that is long enough that the timeout means "this is never going to happen, the test failed" but not so long that you're sitting there wondering if the test is ever going to be done.
| ApiKeyService realService = createApiKeyService(Settings.EMPTY); | ||
| ApiKeyService service = Mockito.spy(realService); | ||
|
|
||
| final Object hashWait = new Object(); |
There was a problem hiding this comment.
Trivial: Could probably replace this with a CompletableFuture object? If so, could save a couple of lines.
There was a problem hiding this comment.
I used a semaphore instead, but thanks for the prompt. When I wrote the test I planned to come back and replace the wait/notify with something else after it was all working, but I forgot.
- Wrap the listener in 1 place - Use a semaphore instead of Object.wait
tvernum
commented
Jan 24, 2020
x-pack/plugin/watcher/src/main/java/org/elasticsearch/xpack/watcher/common/http/HttpProxy.java
Outdated
Show resolved
Hide resolved
…tcher/common/http/HttpProxy.java
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Jan 24, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: elastic#51244
tvernum
added a commit
that referenced
this pull request
Jan 24, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: #51244
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Jan 24, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: elastic#51244
tvernum
added a commit
that referenced
this pull request
Jan 28, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: #51244
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Feb 3, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: elastic#51244
tvernum
added a commit
that referenced
this pull request
Feb 4, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: #51244
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Feb 4, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: elastic#51244
tvernum
added a commit
that referenced
this pull request
Feb 4, 2020
The ApiKeyService would aggressively "close" ApiKeyCredentials objects during processing. However, under rare circumstances, the verfication of the secret key would be performed asychronously and may need access to the SecureString after it had been closed by the caller. The trigger for this would be if the cache already held a Future for that ApiKey, but the future was not yet complete. In this case the verification of the secret key would take place asynchronously on the generic thread pool. This commit moves the "close" of the credentials to the body of the listener so that it only occurs after key verification is complete. Backport of: #51244
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The ApiKeyService would aggressively "close" ApiKeyCredentials objects
during processing. However, under rare circumstances, the verfication
of the secret key would be performed asychronously and may need access
to the SecureString after it had been closed by the caller.
The trigger for this would be if the cache already held a Future for
that ApiKey, but the future was not yet complete. In this case the
verification of the secret key would take place asynchronously on the
generic thread pool.
This commit moves the "close" of the credentials to the body of the
listener so that it only occurs after key verification is complete.