Fixes #25903: Refactor API tokens after clear-text removal #6031
+405
−200
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
amousset
force-pushed
the
arch_25903/refactor_api_tokens_after_clear_text_removal
branch
from
ef47b5e to
3d3c090
Compare
|
Commit modified |
amousset
force-pushed
the
arch_25903/refactor_api_tokens_after_clear_text_removal
branch
from
3d3c090 to
5c706c4
Compare
|
Commit modified |
amousset
force-pushed
the
arch_25903/refactor_api_tokens_after_clear_text_removal
branch
from
5c706c4 to
d060cfb
Compare
|
Commit modified |
amousset
force-pushed
the
arch_25903/refactor_api_tokens_after_clear_text_removal
branch
from
d060cfb to
e729750
Compare
|
Commit modified |
|
Commit modified |
amousset
force-pushed
the
arch_25903/refactor_api_tokens_after_clear_text_removal
branch
from
e729750 to
2057a85
Compare
clarktsiory
reviewed
Nov 25, 2024
webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/api/DataStructures.scala
Outdated
Show resolved
Hide resolved
clarktsiory
reviewed
Nov 25, 2024
webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/api/DataStructures.scala
Outdated
Show resolved
Hide resolved
Fixes #25903: Refactor API tokens after clear-text removal
|
PR updated with a new commit |
clarktsiory
reviewed
Nov 25, 2024
webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/api/DataStructures.scala
Outdated
Show resolved
Hide resolved
Fixes #25903: Refactor API tokens after clear-text removal
|
PR updated with a new commit |
clarktsiory
reviewed
Nov 26, 2024
| @@ -536,7 +536,7 @@ class APIAccountSerialisationImpl(xmlVersion: String) extends APIAccountSerialis | |||
| ( | |||
| <id>{account.id.value}</id> | |||
| <name>{account.name.value}</name> | |||
| <token>{account.token.value}</token> | |||
| <token>{account.token.exposeHash()}</token> | |||
There was a problem hiding this comment.
Since in an Option is returned, it will write Some("thehash"), and this would break. It should be a String, so .getOrElse("")
There was a problem hiding this comment.
It compiles now but this will cause a problem without the getOrElse : https://scastie.scala-lang.org/h2QlFY3BSzqlEBruNceAvA
webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/users/User.scala
Outdated
Show resolved
Hide resolved
webapp/sources/rudder/rudder-core/src/main/scala/com/normation/rudder/api/DataStructures.scala
Show resolved
Hide resolved
webapp/sources/rudder/rudder-web/src/main/elm/sources/Accounts/JsonDecoder.elm
Show resolved
Hide resolved
…xt removal Fixes #25903: Refactor API tokens after clear-text removal
|
PR updated with a new commit |
fanf
reviewed
Nov 28, 2024
| @@ -1142,7 +1142,7 @@ class LDAPEntityMapper( | |||
| mod.resetValuesTo(A_API_UUID, principal.id.value) | |||
| mod.resetValuesTo(A_NAME, principal.name.value) | |||
| mod.resetValuesTo(A_CREATION_DATETIME, GeneralizedTime(principal.creationDate).toString) | |||
| mod.resetValuesTo(A_API_TOKEN, principal.token.exposeHash()) | |||
| mod.resetValuesTo(A_API_TOKEN, principal.token.exposeHash().getOrElse("")) | |||
There was a problem hiding this comment.
I don't think that will work. The API token is a mandatory field in the schema for apiAccount.
Perhaps we want to be able to have that case, but it seems to be a hard hypothesis in the lower layout. We can perhaps workaround it with a marker value that would be extracted as none.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://issues.rudder.io/issues/25903
A similar change needs to be done in the api-authorizations plugins for user tokens.
Backend
Data types
Split the
ApiTokentype, which used to contain both clear-text and hashed values into two separate types to prevent confusions and prevent misusage as much as possible:ApiTokenSecret: The token value, to be sent to the creator and not stored on the serverApiTokenHash: The token hash, as stored (either in LDAP or memory)Also modifying the account types:
ApiAccountnow contains aApiTokenHashNewApiAccountis created, to be used after creation, and contains aApiTokenSecretNotes:
expose()methods (and make the value private)Usage
The JSON serialization of the accounts, used by the API tokens Web interface, is modified:
Frontend