zeroflag opened a new pull request #478:
URL: https://github.com/apache/knox/pull/478
## What changes were proposed in this pull request?
When the hmac secret length is shorter than required by the signing
algorithm then token generation will fail with no meaningful message.
```json
{ "Unable to acquire token." }
```
The gateway log doesn't contain any information about what went wrong.
I found no simple way to add validation logic to the secret creation
(bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value <..>) and
prevent creating the secret with invalid length, so I added a check to
TokenResource>>init() instead.
## How was this patch tested?
1. Created a shorter than expected secret:
```
$ bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value 1234
```
2. Set the signing alg to HS256 (keylength = 32)
```
<param>
  <name>knox.token.sigalg</name>
  <value>HS256</value>
</param>
```
3. Tried to create a token
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
```
4. Checked the exception in gateway.logs
```
com.nimbusds.jose.KeyLengthException: Unexpected key length (for HS256 algorithm)
```
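A fail-fast secret-length check of the kind this pull request describes, as an added example that is not the code from the PR or from Apache Knox. The class and method names are hypothetical, the HS384 and HS512 minimums come from RFC 7518 rather than from the page, and the secret is assumed to be UTF-8 encoded before signing.

```java
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class HmacSecretLengthCheck {
  // Minimum key sizes in bytes. RFC 7518 section 3.2 requires an HMAC key at
  // least as long as the hash output; HS256 = 32 is the value the PR quotes.
  private static final Map<String, Integer> MIN_SECRET_BYTES =
      Map.of("HS256", 32, "HS384", 48, "HS512", 64);

  /** Returns null when the secret is usable, otherwise a message for the log. */
  static String validate(String sigAlg, char[] secret) {
    Integer required = MIN_SECRET_BYTES.get(sigAlg);
    if (required == null) {
      return null; // not an HMAC algorithm (for example RS256): nothing to check
    }
    if (secret == null) {
      return "No HMAC secret is configured but " + sigAlg + " needs one";
    }
    // Count encoded bytes, not characters (assumption: UTF-8 encoding).
    int actual = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret)).remaining();
    if (actual < required) {
      // Report lengths only; the secret itself must never reach the log.
      return "HMAC secret is " + actual + " bytes but " + sigAlg
          + " requires at least " + required
          + "; recreate the gateway.signing.hmac.secret alias with a longer value";
    }
    return null;
  }

  public static void main(String[] args) {
    // Constructed sample inputs; "1234" is the short secret from the PR's test steps.
    String[][] cases = {
        {"HS256", "1234"},
        {"HS256", "0123456789abcdef0123456789abcdef"},
        {"HS512", "0123456789abcdef0123456789abcdef"},
        {"RS256", ""},
    };
    for (String[] c : cases) {
      String error = validate(c[0], c[1].toCharArray());
      System.out.println(c[0] + ": " + (error == null ? "ok" : error));
    }
  }
}
```

Running the check once at initialization surfaces a misconfigured secret in the gateway log at startup instead of as an opaque failure on the first token request.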