Skip to content

Fix hash-related method signatures #531

Open
gustavocovas wants to merge 2 commits intomasterfrom
fix-hash-functions-calls
Open

Fix hash-related method signatures #531
gustavocovas wants to merge 2 commits intomasterfrom
fix-hash-functions-calls

Conversation

@gustavocovas
Copy link
Contributor

@gustavocovas gustavocovas commented Mar 22, 2021

...to prevent hash functions that do not produce unique values

Description

Closes #530.

Proposed Changes

Since pbkdf2 works with a func() Hash.hash type, returning such type at GetValidHashFunction in api/auth/authmongo.go should simplify the calls to pbkdf2.Key. Our hash functions passed to pbkdf2.Key should not produce unique values anymore (#526), and we can upgrade our Dockerfile to Go 1.16.

Testing

Test locally and check that the panic: crypto/hmac: hash generation function does not produce unique values is not called anymore.

make test
make install
source .env
make run-client

docker logs -f -t <huskyci-api-container-id>

You might want to make more checks. I believe that the stored hashes for users passwords in a production system should not be valid anymore, since apparently we were not using the pbkdf2 library correctly.

GabhenDM
GabhenDM reviewed Mar 23, 2021
View reviewed changes
Copy link
Contributor

@GabhenDM GabhenDM left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM!

Indeed it's a breaking change, i ran "make install" on master branch, switched to the fixed branch and rebuilt the API and got the following error:

[HUSKYCI][*] poc-golang-gosec -> https://github.com/globocom/huskyCI.git
[HUSKYCI][ERROR] Sending request to huskyCI: Unauthorized Husky-Token ZjMxYjU3YTUtMjkwMS00ZjliLWFlYzgtMWVmMDNmODE5ZTk0OnllSVAyMEdsNDNPcW9XazdBaFhlZ1ZMdkZUdGpaVl9tWkxHbGxuNmhGbXc9
make: *** [Makefile:155: run-client] Error 1

So it also affects client access tokens to the API.

Maybe we can think of a script to be executed on build and regenerate all tokens/hashes?

Also got this log (manually debugging :D)

huskyCI_API  | 2021/03/23 03:26:06 {"version":"1.1","host":"af2ed42488eb","short_message":" [Hash value from random data is different]","full_message":" [Hash value from random data is different]","timestamp":1616469966,"level":6,"action":"testToken","app":"undefined","file":"/go/src/github.com/globocom/huskyCI/api/log/log.go","info":"VALIDATE","line":31,"tags":"undefined"}

That error is returned from the ValidateRandomData (api/token/token.go line 83), as expected on the hash part of the token it fails. 🐼

deployments/dockerfiles/api.Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.15
FROM golang:1.16
Copy link
Contributor

@GabhenDM GabhenDM Mar 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if we need to fix on this specific version, could just allow for latest image.

@rogeriobastos
Copy link

rogeriobastos commented Jul 6, 2021

Hi guys, I've been testing this fix in a fresh new installation and it works fine.
I think this fix shouldn't be blocked to new users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@GabhenDM GabhenDM GabhenDM left review comments

@Amad3eu Amad3eu Amad3eu approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Verify pbkdf2 hash function implementation

4 participants

@gustavocovas @rogeriobastos @GabhenDM @Amad3eu