[#529] Use salt when deriving the encryption key #572

Merged
Member

close #529

As part of the testing, the following scenarios were performed:

Scenario 1:

  • Issued credits via frostfs-s3-authmate, which uses the current AccessBox format (without salt)
  • Made requests with frostfs-s3-gw, which uses the current AccessBox format (without salt)
  • Made requests with frostfs-s3-gw, which uses the new AccessBox format (with salt)

Result: it worked correctly.

Scenario 2:

  • I wrote out credits via frostfs-s3-authmate, which uses the new AccessBox format (with salt)
  • I made requests with frostfs-s3-gw, which uses the new AccessBox format (with salt)

Result: it worked correctly

Scenario 3:

  • I wrote out credits via frostfs-s3-authmate, which uses the new AccessBox format (with salt)
  • I made requests with frostfs-s3-gw, which uses the current AccessBox format (without salt)

Result: we expect to get an error :

2024-12-05T12:50:17.192+0300    error   failed to pass authentication   {"request_id": "c06d4c80-23c9-4749-8d2a-b1648e85fbf4", "error": "get box by access key '8ABAwQ3sAMbjAPozUQJ9F7maEwTenUXvYJaRAMbUXVrC0CAnVH4hGBUe9cxv3F3hdN3nax1YL96Jtc6Xqo5wPeriA': get gate box: get tokens: failed to decode gate: decrypt tokens: chacha20poly1305: message authentication failed"}
close #529 As part of the testing, the following scenarios were performed: **Scenario 1:** - Issued credits via frostfs-s3-authmate, which uses the current AccessBox format (without salt) - Made requests with frostfs-s3-gw, which uses the current AccessBox format (without salt) - Made requests with frostfs-s3-gw, which uses the new AccessBox format (with salt) **Result:** it worked correctly. **Scenario 2:** - I wrote out credits via frostfs-s3-authmate, which uses the new AccessBox format (with salt) - I made requests with frostfs-s3-gw, which uses the new AccessBox format (with salt) **Result:** it worked correctly **Scenario 3:** - I wrote out credits via frostfs-s3-authmate, which uses the new AccessBox format (with salt) - I made requests with frostfs-s3-gw, which uses the current AccessBox format (without salt) **Result:** we expect to get an error : ``` 2024-12-05T12:50:17.192+0300 error failed to pass authentication {"request_id": "c06d4c80-23c9-4749-8d2a-b1648e85fbf4", "error": "get box by access key '8ABAwQ3sAMbjAPozUQJ9F7maEwTenUXvYJaRAMbUXVrC0CAnVH4hGBUe9cxv3F3hdN3nax1YL96Jtc6Xqo5wPeriA': get gate box: get tokens: failed to decode gate: decrypt tokens: chacha20poly1305: message authentication failed"} ```
r.loginov self-assigned this 2024-12-10 12:43:08 +00:00
r.loginov added 1 commit 2024-12-10 12:43:09 +00:00
[#529] Use salt when deriving the encryption key
All checks were successful
/ DCO (pull_request) Successful in 2m32s
/ Vulncheck (pull_request) Successful in 2m44s
/ Builds (pull_request) Successful in 2m8s
/ Lint (pull_request) Successful in 3m18s
/ Tests (pull_request) Successful in 2m11s
3fa56f2309
Signed-off-by: Roman Loginov <r.loginov@yadro.com>
r.loginov requested review from alexvanin 2024-12-10 12:43:09 +00:00
r.loginov requested review from dkirillov 2024-12-10 12:43:09 +00:00
r.loginov removed review request for dkirillov 2024-12-10 12:43:16 +00:00
r.loginov removed review request for alexvanin 2024-12-10 12:43:17 +00:00
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 3fa56f2309 to d1812cefc0 2024-12-10 13:08:19 +00:00 Compare
r.loginov requested review from alexvanin 2024-12-10 13:21:36 +00:00
r.loginov requested review from dkirillov 2024-12-10 13:21:37 +00:00
r.loginov requested review from pogpp 2024-12-10 13:21:40 +00:00
r.loginov requested review from mbiryukova 2024-12-10 13:21:46 +00:00
r.loginov requested review from nzinkevich 2024-12-10 13:21:49 +00:00
potyarkin approved these changes 2024-12-10 13:48:42 +00:00
Dismissed
potyarkin left a comment
Member

I assumed that backwards compatible solution would be uglier when I opened the issue (#529). This one is almost elegant. I like it.

I assumed that backwards compatible solution would be uglier when I opened the issue (#529). This one is almost elegant. I like it.
dkirillov approved these changes 2024-12-10 15:08:07 +00:00
Dismissed
@ -45,0 +70,4 @@
require.Error(t, err)
})
t.Run("wrang private key", func(t *testing.T) {
Member

Typo wrang -> wrong?

Typo `wrang` -> `wrong`?
r.loginov marked this conversation as resolved
nzinkevich approved these changes 2024-12-11 05:55:01 +00:00
Dismissed
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from d1812cefc0 to 371bbb2128 2024-12-11 06:27:28 +00:00 Compare
r.loginov dismissed potyarkin's review 2024-12-11 06:27:28 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

r.loginov dismissed dkirillov's review 2024-12-11 06:27:28 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

r.loginov dismissed nzinkevich's review 2024-12-11 06:27:28 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

alexvanin added this to the v0.33.0 milestone 2024-12-11 07:39:11 +00:00
dkirillov approved these changes 2024-12-11 08:18:01 +00:00
Dismissed
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 371bbb2128 to 0165813b9a 2024-12-11 13:44:14 +00:00 Compare
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 0165813b9a to 4521881800 2024-12-13 11:38:09 +00:00 Compare
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 4521881800 to 4d07ff13f7 2024-12-19 09:10:54 +00:00 Compare
r.loginov dismissed dkirillov's review 2024-12-19 09:10:54 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

dkirillov approved these changes 2024-12-19 12:57:31 +00:00
alexvanin approved these changes 2024-12-25 12:31:02 +00:00
alexvanin merged commit a725c68d06 into master 2024-12-25 12:31:51 +00:00
alexvanin deleted branch feature/529-use_salt_when_deriving_encryption_key 2024-12-25 12:32:06 +00:00
Sign in to join this conversation.
No milestone
No project
No assignees
5 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-s3-gw#572
No description provided.