Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fail if reading from closed KeyStoreWrapper #30394

Merged
merged 6 commits into from
May 14, 2018

Conversation

tvernum
Copy link
Contributor

@tvernum tvernum commented May 4, 2018

In #28255 the implementation of the elasticsearch.keystore was changed
to no longer be built on top of a PKCS#12 keystore. A side effect of
that change was that calling getString or getFile on a closed
KeyStoreWrapper ceased to throw an exception, and would instead return
a value consisting of all 0 bytes.

This change restores the previous behaviour as closely as possible.
It is possible to retrieve the keys from a closed keystore, but any
attempt to get or set the entries will throw an IllegalStateException.

The only divergence from the previous behaviour is that "isLoaded"
will now return false if the keystore is closed, in keeping with the
"loaded and retrievable" description in the parent javadoc.

In elastic#28255 the implementation of the elasticsearch.keystore was changed
to no longer be built on top of a PKCS#12 keystore. A side effect of
that change was that calling getString or getFile on a closed
KeyStoreWrapper ceased to throw an exception, and would instead return
a value consisting of all 0 bytes.

This change restores the previous behaviour as closely as possible.
It is possible to retrieve the _keys_ from a closed keystore, but any
attempt to get or set the entries will throw an IllegalStateException.

The only divergence from the previous behaviour is that "isLoaded"
will now return false if the keystore is closed, in keeping with the
"loaded and retrievable" description in the parent javadoc.
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra

@tvernum tvernum added >non-issue and removed >bug labels May 4, 2018
@tvernum
Copy link
Contributor Author

tvernum commented May 4, 2018

I've (re-)labelled this >non-issue on the assumption that we'll fix it before 6.3.0 is released (in which case we fix the bug in the same release that it was introduced.

If for some reason we decide not to put this into 6.3.0 then we can re-label and I'll update the release-notes accordingly.

@tvernum
Copy link
Contributor Author

tvernum commented May 4, 2018

pinging @jkakavas since you were involved in the design of keystore v3 and might be interested

Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks mostly ok for fixing the immediate bug, but I think we need some followup work here to make this actually thread safe. A separate thread (eg a service in x-pack) could be in the middle of async startup, and have the keystore closed underneath it, while in the middle of reading a value (after the closed check).

@jaymode
Copy link
Member

jaymode commented May 4, 2018

A separate thread (eg a service in x-pack) could be in the middle of async startup, and have the keystore closed underneath it, while in the middle of reading a value (after the closed check).

I think we should fix this here unless there is some immediate need to get this fix in. Making the methods synchronized should be enough to accomplish this

@rjernst
Copy link
Member

rjernst commented May 4, 2018

I agree @jaymode. At first I thought we might want something that would allow parallel reading, but these are only read during startup, and there aren't that many. Let's start with synchronized and revisit later if necessary.

- synchronize methods
- ensureOpen before encrypt or save
Save needs to be sychronized (so that the data doesn't get zero'd out
while being written to disk)
Encrypt is only called from save, so it can stay as an assert isLoaded
rather than ensureOpen
@tvernum
Copy link
Contributor Author

tvernum commented May 7, 2018

I've made three changes to this PR:

  1. Added synchronized across the getXXX,setXXX and close methods.
    setString (etc) were problematic because the race condition would make it possible to store secret data in a keystore that was already closed, and therefore that new data would not clear zero'd out.

  2. Added ensureOpen and sychronized to the save method so that it's not possible to store data that has been (or is being) zero'd out.

  3. Removed the closed == false check from isLoaded

The last one is a bit of an issue. At the moment there is no method that allows a caller to check that it is safe to read from a SecretSettings object. The docs for isLoaded imply that it could be the method to do that, but Settings.Builder uses isLoaded to check that SecretSettings have been loaded before being added to the Settings object. We want this check to exist for safety, but it should continue to allow closed settings.

I think we may need a new isOpen (or similar) method, but this isn't the PR to do that.

@tvernum

This comment has been minimized.

@tvernum

This comment has been minimized.

@tvernum
Copy link
Contributor Author

tvernum commented May 9, 2018

run gradle build tests (again) 😿

@tvernum
Copy link
Contributor Author

tvernum commented May 9, 2018

@rjernst I've updated this since you reviewed - are you good with the changes?

Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tvernum tvernum merged commit 6517ac9 into elastic:master May 14, 2018
tvernum added a commit that referenced this pull request May 15, 2018
In #28255 the implementation of the elasticsearch.keystore was changed
to no longer be built on top of a PKCS#12 keystore. A side effect of
that change was that calling getString or getFile on a closed
KeyStoreWrapper ceased to throw an exception, and would instead return
a value consisting of all 0 bytes.

This change restores the previous behaviour as closely as possible.
It is possible to retrieve the _keys_ from a closed keystore, but any
attempt to get or set the entries will throw an IllegalStateException.
tvernum added a commit that referenced this pull request May 15, 2018
In #28255 the implementation of the elasticsearch.keystore was changed
to no longer be built on top of a PKCS#12 keystore. A side effect of
that change was that calling getString or getFile on a closed
KeyStoreWrapper ceased to throw an exception, and would instead return
a value consisting of all 0 bytes.

This change restores the previous behaviour as closely as possible.
It is possible to retrieve the _keys_ from a closed keystore, but any
attempt to get or set the entries will throw an IllegalStateException.
dnhatn added a commit that referenced this pull request May 15, 2018
* 6.x:
  Revert "Silence IndexUpgradeIT test failures. (#30430)"
  [DOCS] Remove references to changelog and to highlights
  Revert "Mute ML upgrade test (#30458)"
  [ML] Fix BWC version for backport of #30125
  [Docs] Improve section detailing translog usage (#30573)
  [Tests] Relax allowed delta in extended_stats aggregation (#30569)
  Fail if reading from closed KeyStoreWrapper (#30394)
  [ML] Reverse engineer Grok patterns from categorization results (#30125)
  Derive max composite buffers from max content len
  Update build file due to doc file rename
  SQL: Extract SQL request and response classes (#30457)
  Remove the changelog (#30593)
  Revert "Add deprecation warning for default shards (#30587)"
  Silence IndexUpgradeIT test failures. (#30430)
  Add deprecation warning for default shards (#30587)
  [DOCS] Adds 6.4.0 release highlight pages
  [DOCS] Adds release highlight pages (#30590)
  Docs: Document how to rebuild analyzers (#30498)
  [DOCS] Fixes title capitalization in security content
  LLRest: Add equals and hashcode tests for Request (#30584)
  [DOCS] Fix realm setting names (#30499)
  [DOCS] Fix path info for various security files (#30502)
  Docs: document precision limitations of geo_bounding_box (#30540)
  Fix non existing javadocs link in RestClientTests
  Auto-expand replicas only after failing nodes (#30553)
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request May 15, 2018
…ngs-to-true

* elastic/master:
  [DOCS] Restores 7.0.0 release notes and highlights
  Remove assert statements from field caps documentation. (elastic#30601)
  Repository GCS plugin new client library (elastic#30168)
  HLRestClient: Follow-up for put index template api (elastic#30592)
  Unmute IndexUpgradeIT tests
  [DOCS] Remove references to changelog and to highlights
  Side-step pending deletes check (elastic#30571)
  [DOCS] Remove references to removed changelog
  Revert "Mute ML upgrade test (elastic#30458)"
  [ML] Adjust BWC version following backport of elastic#30125
  [Docs] Improve section detailing translog usage (elastic#30573)
  [Tests] Relax allowed delta in extended_stats aggregation (elastic#30569)
  [ML] Reverse engineer Grok patterns from categorization results (elastic#30125)
  Update build file due to doc file rename
  Remove the changelog (elastic#30593)
  Fix issue with finishing handshake in ssl driver (elastic#30580)
  Fail if reading from closed KeyStoreWrapper (elastic#30394)
  Silence IndexUpgradeIT test failures. (elastic#30430)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants