[#529] Use salt when deriving the encryption key #572

Open
r.loginov wants to merge 1 commit from r.loginov/frostfs-s3-gw:feature/529-use_salt_when_deriving_encryption_key into master
Member

close #529

As part of the testing, the following scenarios were performed:

Scenario 1:

  • Issued credits via frostfs-s3-authmate, which uses the current AccessBox format (without salt)
  • Made requests with frostfs-s3-gw, which uses the current AccessBox format (without salt)
  • Made requests with frostfs-s3-gw, which uses the new AccessBox format (with salt)

Result: it worked correctly.

Scenario 2:

  • I wrote out credits via frostfs-s3-authmate, which uses the new AccessBox format (with salt)
  • I made requests with frostfs-s3-gw, which uses the new AccessBox format (with salt)

Result: it worked correctly

Scenario 3:

  • I wrote out credits via frostfs-s3-authmate, which uses the new AccessBox format (with salt)
  • I made requests with frostfs-s3-gw, which uses the current AccessBox format (without salt)

Result: we expect to get an error:

```
2024-12-05T12:50:17.192+0300    error   failed to pass authentication   {"request_id": "c06d4c80-23c9-4749-8d2a-b1648e85fbf4", "error": "get box by access key '8ABAwQ3sAMbjAPozUQJ9F7maEwTenUXvYJaRAMbUXVrC0CAnVH4hGBUe9cxv3F3hdN3nax1YL96Jtc6Xqo5wPeriA': get gate box: get tokens: failed to decode gate: decrypt tokens: chacha20poly1305: message authentication failed"}
```
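The compatibility behaviour from the three scenarios above, as a runnable sketch (an added example, not code from this PR or from frostfs-s3-gw). It assumes an HKDF-SHA256 derivation over a constructed shared secret and uses the standard library's AES-256-GCM in place of ChaCha20-Poly1305; `Box`, `Seal`, `Open`, `aeadFor` and the info string are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Box struct{ Salt, Nonce, Data []byte } // hypothetical record; Salt is empty in the old format

// aeadFor derives the key with one-block HKDF-SHA256 and returns AES-256-GCM (stand-in AEAD).
func aeadFor(secret, salt []byte) cipher.AEAD {
	ext := hmac.New(sha256.New, salt) // empty salt == the unsalted derivation
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("example-info\x01")) // assumed info string || block counter
	block, _ := aes.NewCipher(exp.Sum(nil)) // cannot fail: key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts tokens; salted selects the new format with a fresh salt per box.
func Seal(secret, tokens []byte, salted bool) Box {
	b := Box{Nonce: make([]byte, 12)}
	rand.Read(b.Nonce)
	if salted {
		b.Salt = make([]byte, 16)
		rand.Read(b.Salt)
	}
	b.Data = aeadFor(secret, b.Salt).Seal(nil, b.Nonce, tokens, nil)
	return b
}

// Open decrypts a box; saltAware=false models a reader that predates the Salt field.
func Open(secret []byte, b Box, saltAware bool) ([]byte, error) {
	if !saltAware {
		b.Salt = nil // b is a copy; the old reader simply never sees the salt
	}
	return aeadFor(secret, b.Salt).Open(nil, b.Nonce, b.Data, nil)
}

func main() {
	s := []byte("constructed shared secret")
	_, err := Open(s, Seal(s, []byte("tokens"), true), false)
	fmt.Println("salted box, salt-unaware reader:", err)
}
```

A salt-aware reader opens both formats because an absent salt reproduces the old key, while the old reader derives a different key for a salted box and the AEAD tag check fails, as in the Scenario 3 log.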
r.loginov self-assigned this 2024-12-10 12:43:08 +00:00
r.loginov added 1 commit 2024-12-10 12:43:09 +00:00
[#529] Use salt when deriving the encryption key
All checks were successful
/ DCO (pull_request) Successful in 2m32s
/ Vulncheck (pull_request) Successful in 2m44s
/ Builds (pull_request) Successful in 2m8s
/ Lint (pull_request) Successful in 3m18s
/ Tests (pull_request) Successful in 2m11s
3fa56f2309
Signed-off-by: Roman Loginov <r.loginov@yadro.com>
r.loginov requested review from alexvanin 2024-12-10 12:43:09 +00:00
r.loginov requested review from dkirillov 2024-12-10 12:43:09 +00:00
r.loginov removed review request for dkirillov 2024-12-10 12:43:16 +00:00
r.loginov removed review request for alexvanin 2024-12-10 12:43:17 +00:00
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 3fa56f2309 to d1812cefc0 2024-12-10 13:08:19 +00:00 Compare
r.loginov requested review from alexvanin 2024-12-10 13:21:36 +00:00
r.loginov requested review from dkirillov 2024-12-10 13:21:37 +00:00
r.loginov requested review from pogpp 2024-12-10 13:21:40 +00:00
r.loginov requested review from mbiryukova 2024-12-10 13:21:46 +00:00
r.loginov requested review from nzinkevich 2024-12-10 13:21:49 +00:00
potyarkin approved these changes 2024-12-10 13:48:42 +00:00
Dismissed
potyarkin left a comment
Member

I assumed that a backwards-compatible solution would be uglier when I opened the issue (#529). This one is almost elegant. I like it.

dkirillov approved these changes 2024-12-10 15:08:07 +00:00
Dismissed
@ -45,0 +70,4 @@
require.Error(t, err)
})
t.Run("wrang private key", func(t *testing.T) {
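Review bot: `require.Error(t, err)` on the first line of this hunk accepts any failure, so the subtest passes even if the call fails for a reason unrelated to the key derivation. Consider pinning the cause, for example with `require.ErrorContains`, so a regression that changes why decryption fails is caught rather than hidden behind a generic error check.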
Member

Typo wrang -> wrong?

r.loginov marked this conversation as resolved
nzinkevich approved these changes 2024-12-11 05:55:01 +00:00
Dismissed
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from d1812cefc0 to 371bbb2128 2024-12-11 06:27:28 +00:00 Compare
r.loginov dismissed potyarkin's review 2024-12-11 06:27:28 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

r.loginov dismissed dkirillov's review 2024-12-11 06:27:28 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

r.loginov dismissed nzinkevich's review 2024-12-11 06:27:28 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

alexvanin added this to the v0.33.0 milestone 2024-12-11 07:39:11 +00:00
dkirillov approved these changes 2024-12-11 08:18:01 +00:00
Dismissed
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 371bbb2128 to 0165813b9a 2024-12-11 13:44:14 +00:00 Compare
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 0165813b9a to 4521881800 2024-12-13 11:38:09 +00:00 Compare
r.loginov force-pushed feature/529-use_salt_when_deriving_encryption_key from 4521881800 to 4d07ff13f7 2024-12-19 09:10:54 +00:00 Compare
r.loginov dismissed dkirillov's review 2024-12-19 09:10:54 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

dkirillov approved these changes 2024-12-19 12:57:31 +00:00
All checks were successful
/ DCO (pull_request) Successful in 5m3s
/ Vulncheck (pull_request) Successful in 5m21s
/ Builds (pull_request) Successful in 2m7s
/ Lint (pull_request) Successful in 3m12s
/ Tests (pull_request) Successful in 2m11s
This pull request doesn't have enough approvals yet. 1 of 2 approvals granted.
This branch is out-of-date with the base branch
Reference: TrueCloudLab/frostfs-s3-gw#572