[BugFix] Fix security integration miss encrypt password bug (#60666)
This commit is contained in:
parent
2a3e4bc8a7
commit
fb3c1fbeb3
|
|
@ -60,6 +60,10 @@ public class PrintableMap<K, V> {
|
|||
SENSITIVE_KEY.add("azure.adls1.oauth2_credential");
|
||||
SENSITIVE_KEY.add("azure.adls2.shared_key");
|
||||
SENSITIVE_KEY.add("azure.adls2.oauth2_client_secret");
|
||||
SENSITIVE_KEY.add("authentication_ldap_simple_bind_root_pwd");
|
||||
SENSITIVE_KEY.add("authentication_ldap_simple_ssl_conn_trust_store_pwd");
|
||||
SENSITIVE_KEY.add("client_secret");
|
||||
SENSITIVE_KEY.add("ldap_bind_root_pwd");
|
||||
}
|
||||
|
||||
public PrintableMap(Map<K, V> map, String keyValueSaperator,
|
||||
|
|
|
|||
|
|
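Review bot: The new entries from `SENSITIVE_KEY.add("authentication_ldap_simple_bind_root_pwd");` through `SENSITIVE_KEY.add("ldap_bind_root_pwd");` repeat property names as string literals that the test in this same commit reads from constants such as `SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_BIND_ROOT_PWD` and `OAuth2AuthenticationProvider.OAUTH2_CLIENT_SECRET`, so renaming either constant would silently stop the masking. If PrintableMap may depend on those classes, reference the constants instead; if not, add a comment above the block such as `// Must stay in sync with the property-name constants in SimpleLDAPSecurityIntegration, OAuth2AuthenticationProvider and the LDAP group provider; SHOW CREATE masks only keys listed here.` so the coupling is visible. Since masking appears to be an exact-name allowlist, any credential property added later is printed in plaintext until someone remembers this set; a suffix fallback (for example keys ending in `_pwd` or `_secret`) would make that failure mode less likely. The enclosing static initializer starts above the hunk.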
@ -2220,12 +2220,10 @@ public class ShowExecutor {
|
|||
SecurityIntegration securityIntegration = authenticationManager.getSecurityIntegration(name);
|
||||
if (securityIntegration != null) {
|
||||
Map<String, String> propertyMap = securityIntegration.getPropertyMap();
|
||||
String propString = propertyMap.entrySet().stream()
|
||||
.map(entry -> "\"" + entry.getKey() + "\" = \"" + entry.getValue() + "\"")
|
||||
.collect(Collectors.joining(",\n"));
|
||||
PrintableMap<String, String> printableMap = new PrintableMap<>(propertyMap, "=", true, false, true);
|
||||
infos.add(Lists.newArrayList(name,
|
||||
"CREATE SECURITY INTEGRATION `" + name +
|
||||
"` PROPERTIES (\n" + propString + "\n)"));
|
||||
"` PROPERTIES (\n" + printableMap + "\n)"));
|
||||
}
|
||||
return new ShowResultSet(showResultMetaFactory.getMetadata(statement), infos);
|
||||
}
|
||||
|
|
@ -2268,12 +2266,10 @@ public class ShowExecutor {
|
|||
GroupProvider groupProviderLog = authenticationManager.getGroupProvider(name);
|
||||
if (groupProviderLog != null) {
|
||||
Map<String, String> propertyMap = groupProviderLog.getProperties();
|
||||
String propString = propertyMap.entrySet().stream()
|
||||
.map(entry -> "\"" + entry.getKey() + "\" = \"" + entry.getValue() + "\"")
|
||||
.collect(Collectors.joining(",\n"));
|
||||
PrintableMap<String, String> printableMap = new PrintableMap<>(propertyMap, "=", true, false, true);
|
||||
infos.add(Lists.newArrayList(name,
|
||||
"CREATE GROUP PROVIDER `" + name +
|
||||
"` PROPERTIES (\n" + propString + "\n)"));
|
||||
"` PROPERTIES (\n" + printableMap + "\n)"));
|
||||
}
|
||||
return new ShowResultSet(showResultMetaFactory.getMetadata(statement), infos);
|
||||
}
|
||||
|
|
|
|||
|
|
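Review bot: The replacement line `PrintableMap<String, String> printableMap = new PrintableMap<>(propertyMap, "=", true, false, true);` appears verbatim in both this hunk and the group-provider hunk at `@ -2268`, and its three positional booleans give a reader no hint of what they select; extract a private helper, e.g. `private static String maskedProperties(Map<String, String> props) { return new PrintableMap<>(props, "=", true, false, true).toString(); }`, with a comment naming each flag, and call it from both sites. The concatenation `"` PROPERTIES (\n" + printableMap + "\n)"` relies on implicit `toString()`; calling it explicitly (or via the helper) makes the rendering intent clear. With `propString` and its `Collectors.joining` pipeline removed from both methods, the `Collectors` import in this file may now be unused — worth checking, as the import block is not visible here. Both enclosing methods start above their hunks.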
@ -41,6 +41,7 @@ import com.starrocks.sql.ast.SetPassVar;
|
|||
import com.starrocks.sql.ast.SetStmt;
|
||||
import com.starrocks.sql.ast.StatementBase;
|
||||
import com.starrocks.sql.ast.SubqueryRelation;
|
||||
import com.starrocks.sql.ast.integration.ShowCreateSecurityIntegrationStatement;
|
||||
import com.starrocks.sql.ast.pipe.CreatePipeStmt;
|
||||
|
||||
import java.util.List;
|
||||
|
|
@ -218,4 +219,9 @@ public class AuditEncryptionChecker implements AstVisitor<Boolean, Void> {
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Boolean visitShowCreateSecurityIntegrationStatement(ShowCreateSecurityIntegrationStatement statement, Void context) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
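Review bot: The added `visitShowCreateSecurityIntegrationStatement` returns `true` with no comment, while the `return false;` just above it shows the opposite is the default for the preceding visitor, so the reason deserves a line of Javadoc — presumably that this statement's output carries credential properties, but that should be stated by someone who knows the audit path. The same commit masks `ShowCreateGroupProviderStmt` output in ShowExecutor yet adds no corresponding override here, so the two SHOW CREATE statements are now treated differently by the audit encryption check; confirm that asymmetry is intended or add the matching visitor. The enclosing class starts above the hunk.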
@ -20,18 +20,25 @@ import com.starrocks.common.Config;
|
|||
import com.starrocks.common.DdlException;
|
||||
import com.starrocks.mysql.MysqlCodec;
|
||||
import com.starrocks.mysql.privilege.AuthPlugin;
|
||||
import com.starrocks.persist.EditLog;
|
||||
import com.starrocks.qe.ConnectContext;
|
||||
import com.starrocks.qe.ShowExecutor;
|
||||
import com.starrocks.qe.ShowResultSet;
|
||||
import com.starrocks.server.GlobalStateMgr;
|
||||
import com.starrocks.sql.analyzer.Analyzer;
|
||||
import com.starrocks.sql.analyzer.SemanticException;
|
||||
import com.starrocks.sql.ast.QueryStatement;
|
||||
import com.starrocks.sql.ast.StatementBase;
|
||||
import com.starrocks.sql.ast.UserIdentity;
|
||||
import com.starrocks.sql.ast.group.ShowCreateGroupProviderStmt;
|
||||
import com.starrocks.sql.ast.integration.ShowCreateSecurityIntegrationStatement;
|
||||
import com.starrocks.sql.parser.NodePosition;
|
||||
import com.starrocks.sql.parser.SqlParser;
|
||||
import mockit.Mock;
|
||||
import mockit.MockUp;
|
||||
import org.junit.jupiter.api.Assertions;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.wildfly.common.Assert;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
|
|
@ -46,6 +53,11 @@ import java.util.List;
|
|||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.anyShort;
|
||||
import static org.mockito.Mockito.doNothing;
|
||||
import static org.mockito.Mockito.spy;
|
||||
|
||||
public class SecurityIntegrationTest {
|
||||
private final MockTokenUtils mockTokenUtils = new MockTokenUtils();
|
||||
|
||||
|
|
@ -225,4 +237,59 @@ public class SecurityIntegrationTest {
|
|||
new UserIdentity("admin", "%"),
|
||||
"x".getBytes(StandardCharsets.UTF_8)));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testLDAPSecurityIntegrationPassword() throws DdlException, AuthenticationException, IOException {
|
||||
EditLog editLog = spy(new EditLog(null));
|
||||
doNothing().when(editLog).logEdit(anyShort(), any());
|
||||
GlobalStateMgr.getCurrentState().setEditLog(editLog);
|
||||
AuthenticationMgr authenticationMgr = new AuthenticationMgr();
|
||||
GlobalStateMgr.getCurrentState().setAuthenticationMgr(authenticationMgr);
|
||||
|
||||
Map<String, String> properties = new HashMap<>();
|
||||
properties.put(SecurityIntegration.SECURITY_INTEGRATION_PROPERTY_TYPE_KEY, "authentication_ldap_simple");
|
||||
properties.put(SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_SERVER_HOST, "localhost");
|
||||
properties.put(SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_SERVER_PORT, "389");
|
||||
properties.put(SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_BIND_ROOT_DN, "cn=admin,dc=example,dc=com");
|
||||
properties.put(SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_BIND_ROOT_PWD, "12345");
|
||||
properties.put(SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_BIND_BASE_DN, "");
|
||||
properties.put(SimpleLDAPSecurityIntegration.AUTHENTICATION_LDAP_SIMPLE_USER_SEARCH_ATTR, "");
|
||||
authenticationMgr.createSecurityIntegration("ldap", properties, true);
|
||||
|
||||
ShowResultSet resultSet =
|
||||
ShowExecutor.execute(new ShowCreateSecurityIntegrationStatement("ldap", NodePosition.ZERO), null);
|
||||
Assert.assertTrue(
|
||||
resultSet.getResultRows().get(0).get(1).contains("\"authentication_ldap_simple_bind_root_pwd\" = \"***\""));
|
||||
|
||||
|
||||
properties = new HashMap<>();
|
||||
properties.put(SecurityIntegration.SECURITY_INTEGRATION_PROPERTY_TYPE_KEY, "authentication_oauth2");
|
||||
properties.put(OAuth2AuthenticationProvider.OAUTH2_CLIENT_SECRET, "123");
|
||||
authenticationMgr.createSecurityIntegration("oauth2", properties, true);
|
||||
resultSet =
|
||||
ShowExecutor.execute(new ShowCreateSecurityIntegrationStatement("oauth2", NodePosition.ZERO), null);
|
||||
Assert.assertTrue(
|
||||
resultSet.getResultRows().get(0).get(1).contains("\"client_secret\" = \"***\""));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testShowCreateGroupProviderPassword() throws DdlException {
|
||||
EditLog editLog = spy(new EditLog(null));
|
||||
doNothing().when(editLog).logEdit(anyShort(), any());
|
||||
GlobalStateMgr.getCurrentState().setEditLog(editLog);
|
||||
AuthenticationMgr authenticationMgr = new AuthenticationMgr();
|
||||
GlobalStateMgr.getCurrentState().setAuthenticationMgr(authenticationMgr);
|
||||
|
||||
Map<String, String> properties = new HashMap<>();
|
||||
properties.put(GroupProvider.GROUP_PROVIDER_PROPERTY_TYPE_KEY, "ldap");
|
||||
properties.put("ldap_bind_root_dn", "cn=admin,dc=example,dc=com");
|
||||
properties.put("ldap_bind_root_pwd", "12345");
|
||||
properties.put("ldap_search_base_dn", "dc=example,dc=com");
|
||||
authenticationMgr.replayCreateGroupProvider("ldap_group", properties);
|
||||
|
||||
ShowResultSet resultSet =
|
||||
ShowExecutor.execute(new ShowCreateGroupProviderStmt("ldap_group", NodePosition.ZERO), null);
|
||||
Assert.assertTrue(
|
||||
resultSet.getResultRows().get(0).get(1).contains("\"ldap_bind_root_pwd\" = \"***\""));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
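Review bot: All three new assertions of the form `Assert.assertTrue(resultSet.getResultRows().get(0).get(1).contains("\"authentication_ldap_simple_bind_root_pwd\" = \"***\""));` check only that the mask appears and never that the plaintext secret is absent, so a regression that printed both values would still pass; add a negative check beside each, e.g. `Assertions.assertFalse(resultSet.getResultRows().get(0).get(1).contains("= \"12345\""));` (and `"= \"123\""` for the oauth2 case). The tests use `org.wildfly.common.Assert` while the file already imports `org.junit.jupiter.api.Assertions`; prefer the JUnit one so failures are reported consistently. `testLDAPSecurityIntegrationPassword` also exercises the oauth2 integration, so a name such as `testShowCreateSecurityIntegrationMasksSecrets` would describe it better. Both tests replace the global `EditLog` and `AuthenticationMgr` without restoring them; whether a tearDown exists elsewhere in the class is not visible here.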
@ -18,9 +18,7 @@ create security integration oidc properties("type"="authentication_jwt", "jwks_u
|
|||
show create security integration oidc;
|
||||
-- result:
|
||||
oidc CREATE SECURITY INTEGRATION `oidc` PROPERTIES (
|
||||
"type" = "authentication_jwt",
|
||||
"principal_field" = "sub",
|
||||
"jwks_url" = "jwks.json"
|
||||
"type" = "authentication_jwt", "principal_field" = "sub", "jwks_url" = "jwks.json"
|
||||
)
|
||||
-- !result
|
||||
alter security integration oidc set ("principal_field"="preferred_name");
|
||||
|
|
@ -29,9 +27,7 @@ alter security integration oidc set ("principal_field"="preferred_name");
|
|||
show create security integration oidc;
|
||||
-- result:
|
||||
oidc CREATE SECURITY INTEGRATION `oidc` PROPERTIES (
|
||||
"type" = "authentication_jwt",
|
||||
"principal_field" = "preferred_name",
|
||||
"jwks_url" = "jwks.json"
|
||||
"type" = "authentication_jwt", "principal_field" = "preferred_name", "jwks_url" = "jwks.json"
|
||||
)
|
||||
-- !result
|
||||
execute as u1 with no revert;
|
||||
|
|
|
|||