fix(alloc/exec): trim spaces on secretID to prevent error on lookup #11897
Conversation
If the ACL Token set in localstorage contains spaces, any RPC calls to
`Allocations.Exec` results in:
Connection Closed: 1011 acl token lookup failed: index error: UUID
must be 36 characters
How to reproduce:
1. Set token in `https://<nomad-instance>/ui/settings/tokens`,
preferably with an added space before the token. The token gets set
correctly, which means that the system is handling spaces just fine.
2. Exec into any allocation through the web UI, which would fail as
described above.
Sample Request Payload:
{
version: 1,
auth_token: " XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX"
}
Proposed fix:
RPC to `Allocations.Exec` calls `ACLTokenBySecretID()`, which should
pass the trimmed secretID to lookup the ACL token. A simple
`strings.TrimSpace()` call around `secretID` should fix the issue.
Signed-off-by: Chinmay D. Pai <[email protected]>
There was a problem hiding this comment.
Hi @Thunderbottom! Thanks for opening this PR!
I think it's arguable whether or not we should be doing this in the API but this should definitely not be touched at the state store level. We should be doing any input validation "further out". Can you rework this so that it's happening when we initially validate the request?
Hm, I believe prefixed and suffixed spaces have very little to contribute anyways to the token and can be stripped at store level validations. Could you let me know of any specific concerns that would make you vary of making such changes at this level?
Do you mean at the UI front or the backend? The current implementation handles all validation cases regardless where there's spaces in the token. I'd be more than happy to rework this if you point me to where I should be making changes. Sorry if that's asking for too much from you, and thanks for your time :) |
Primarily separation of concerns and long-term maintainability. Keeping validation code together makes sure we don't have parts of the code base that are handling unvalidated code when they shouldn't be.
Where we parse the token from the header in the HTTP server seems like the right place for this kind of thing, I think? See |
|
|
|
It's been a bit since we've heard back on this, so going to close this in lieu of #16469. But thanks for bringing this to our attention! |
If the ACL Token set in localstorage contains prefixed/suffixed spaces, any RPC calls to
Allocations.Execresults in:How to reproduce:
Set token in
https://<nomad-instance>/ui/settings/tokens, preferably with an added space before the token. The token gets set correctly, which means that the system is handling spaces just fine.Exec into any allocation through the web UI, which would fail as described above.
Sample Request Payload:
{ "version": 1, "auth_token": " XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", }Notice the prefixed added space in the
auth_tokenvalue which causes the error.Proposed fix:
RPC to
Allocations.ExeccallsACLTokenBySecretID(), which should pass the space-trimmedsecretIDto lookup the ACL token. A simplestrings.TrimSpace()call aroundsecretIDshould fix the issue.