[
https://issues.apache.org/jira/browse/SOLR-16077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501598#comment-17501598
]
Ben commented on SOLR-16077:
----------------------------
Thanks for the quick response, Jan!
Sure, I wrote similar Python code this morning:
{code:java}
#!/usr/bin/env python3
import base64, getpass, hashlib
password = getpass.getpass('Password: ').encode()
salt = getpass.getpass('Salt: ').encode()
m = hashlib.sha256()
m.update(salt)
m.update(password)
result = m.digest()
# Weirdly, we have to hash it twice.
result = hashlib.sha256(result).digest()
result_b64 = base64.b64encode(result).decode()
salt_b64 = base64.b64encode(salt).decode()
print(result_b64 + " " + salt_b64)
{code}
But it was frustrating that I had to read the source code (and Java docs) to
learn how to do this, then have to scratch my head as to _why_ it was written
the way it is, and also not have a way to test my implementation matched yours
(without a full example of password, salt, and output) other than deploying a
Solr instance every time I wanted to test.
{quote}Most users would likely use the HTTP API to add users, thus not needing
to care ahout the hash algo etc.
{quote}
What's the recommended path here, then? Deploying an unauthenticated instance
first in order to create the first account via the API seems suboptimal for
secure deployments, let alone automating them. Deploying a local Solr instance
every time I needed to deploy an instance with new credentials is also weird,
when instead a simple explanation would make it easy for anyone to write the
above script.
{quote}Are you proposing changes to the documentation, the code or both?
{quote}
I'm proposing a change to the documentation, because security.json is the first
thing you see when reading it. It should work and make sense.
I'm also proposing a change to the code, because why bother explaining a bug in
the documentation instead of just fixing it? It also seems strange that code
directly related to authentication wouldn't have received enough review to
catch all these basic issues.
But if backwards compatibility (understandably) makes that too big of an ask,
simply adding the following pseudocode to the explanation of the "credentials"
field would have saved me a ton of time:
{code:java}
encode_base64(sha256(sha256(salt + password))) + " " + encode_base64(salt)
{code}
I hope that describing my experience with the documentation doesn't come across
as frustration with the developers. I just want to communicate how it reads
from an administrator's perspective. Thanks again for your feedback and
assistance!
> Solr basic authentication is undocumented and a bit strange
> -----------------------------------------------------------
>
> Key: SOLR-16077
> URL: https://issues.apache.org/jira/browse/SOLR-16077
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Reporter: Ben
> Priority: Major
> Labels: documentation, easyfix, security
>
> I'm working with Solr 7 because reasons, but the issue also seems to persist
> in the current code base.
> h2. Documentation
> Here's the Solr 8.1 documentation for the [Basic Authentication
> Plugin|[https://solr.apache.org/guide/8_1/basic-authentication-plugin.html]].
> In the security.json example, we see
> {code:java}
> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}, {code}
> but the only explanation given for this is "A user called 'solr', with a
> password {{'SolrRocks'}} has been defined."
> What's missing is:
> * Explanation of how to produce such a credential string. In psuedocode,
> this amounts to:
> **
> {code:java}
> encode_base64(sha256(sha256(salt + password))) + " " +
> encode_base64(salt){code}
> * The salt used, in addition to the password used, so that users can test
> that their produced credentials will match Solr's handling.
> I've spent a good bit of searching through articles and watching videos, and
> I couldn't find any that actually explained this until I saw the source code.
> The only explanation I've seen for adding users was to first stand up an
> unauthenticated instance, and then add them via the API, which doesn't
> translate well into automated deployments.
> h2. Code
> Let's get back to that pseudocode.
> {code:java}
> encode_base64(sha256(sha256(salt + password))) + " " +
> encode_base64(salt){code}
> Strangely, we're hashing twice! Here it is in [the
> source|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java#L129].
> In more detail:
> {code:java}
> if (saltKey != null) {
> digest.reset();
> digest.update(Base64.getDecoder().decode(saltKey));
> }
> byte[] btPass = digest.digest(password.getBytes(StandardCharsets.UTF_8));
> digest.reset();
> btPass = digest.digest(btPass);
> return Base64.getEncoder().encodeToString(btPass); {code}
> Some observations:
> * Nit: the salt is base64'd before being passed to the function then
> immediately unbase64'd again, but that's beside the point.
> * The salt is added to the message, then the password, and then digest() is
> called. This produces a SHA256 hash digest.
> * digest() [basically calls
> reset()|https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html],
> so there's no need to call reset()
> * The previous digest is then hashed again! This is surprising. Is there a
> reason?
> h2. Outro
> I'm not too familiar with secure coding practices, especially in Java, so
> perhaps this was to work around some sort of limitation with
> java.secure.MessageDigest when this particular code was produced 7 years ago.
> It certainly seems strange to do this in terms of code quality, but I feel
> like my more immediate issue is that it's incredibly non-obvious to an end
> user just trying to secure a Solr instance.
> Is there a reason it's coded this way? How should end-users learn how to
> configure security.json? If the code is updated to use only a single round of
> SHA256 hashing, how will existing Solr deployments update smoothly?
> Thanks!
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
