OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

Oxalis v5.0.5 Docker image seems to be missing features from the 5.0.5 release #538

Closed theneva closed 2 years ago

theneva commented 2 years ago

Hi! :wave:

I was very happy to see https://github.com/OxalisCommunity/oxalis/issues/448 closed in https://github.com/OxalisCommunity/oxalis/pull/527 and https://github.com/OxalisCommunity/oxalis/pull/528, and released as part of Oxalis version 5.0.5 (https://github.com/OxalisCommunity/oxalis/releases/tag/v5.0.5).

However, when I tried running the 5.0.5 Docker image, I noticed that the @Secret-annotated fields are still being logged, contrary to the screenshot in #527.

I think this reproduction is clean enough to clearly illustrate the issue:

$ docker run --rm norstella/oxalis:5.0.5

Unable to find image 'norstella/oxalis:5.0.5' locally
5.0.5: Pulling from norstella/oxalis
e7c96db7181b: Already exists
…
13:32:42.463 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => PATH: oxalis-keystore.jks
13:32:42.463 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => PASSWORD: changeit
13:32:42.463 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => KEY_ALIAS: ap
13:32:42.464 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => KEY_PASSWORD: changeit
13:32:42.464 [main] INFO  n.o.commons.settings.SettingsBuilder - Header => PARSER: sbdh
13:32:42.464 [main] INFO  n.o.commons.settings.SettingsBuilder - Persister => PAYLOAD: default
13:32:42.464 [main] INFO  n.o.commons.settings.SettingsBuilder - Persister => RECEIPT: default
13:32:42.464 [main] INFO  n.o.commons.settings.SettingsBuilder - Persister => EXCEPTION: default
…

This leads me to believe that the latest Docker release somehow did not include the latest changes. Is that possible, or am I doing something wrong?

If so, would someone please release a new Docker image with the changes meant to be included in Oxalis version 5.0.5?

This also affects the 5.0.3(!) release of the AS4 Docker image (norstella/oxalis-as4:5.0.3), which is built from norstella/oxalis:5.0.5. That would also need to be rebuilt and re-released after a fix :smile:

aaron-kumar commented 2 years ago

@theneva : I cross-verified that both Oxalis (norstella/oxalis:5.0.5) and Oxalis-AS4 (norstella/oxalis-as4:5.0.3) are hiding the secrets. Note that there is no such thing as something being released correctly but not published correctly to Docker Hub: there is an automated job which publishes the tag to Docker Hub, with no manual step.

Creating docker_oxalis-as4-5.0.3_1 ... done
Attaching to docker_oxalis-as4-5.0.3_1
.....
oxalis-as4-5.0.3_1  |
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,912  INFO [network.oxalis.commons.filesystem.detector.EnvironmentHomeDetector] Using Oxalis folder specified as environment variable 'OXALIS_HOME' with value '/etc/oxalis'.
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,918  INFO [network.oxalis.commons.filesystem.FileSystemModule] Home folder: /etc/oxalis
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,920  INFO [network.oxalis.commons.filesystem.FileSystemModule] Configuration folder: /etc/oxalis/conf
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,920  INFO [network.oxalis.commons.config.ConfigModule] Configuration file: /etc/oxalis/conf/oxalis.conf
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,943  INFO [network.oxalis.commons.settings.SettingsBuilder] File system => CONF: conf
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,943  INFO [network.oxalis.commons.settings.SettingsBuilder] File system => INBOUND: /peppol
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:23,944  INFO [network.oxalis.commons.settings.SettingsBuilder] File system => PLUGIN: plugin
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,951  INFO [network.oxalis.commons.filesystem.detector.EnvironmentHomeDetector] Using Oxalis folder specified as environment variable 'OXALIS_HOME' with value '/etc/oxalis'.
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,952  INFO [network.oxalis.commons.filesystem.FileSystemModule] Home folder: /etc/oxalis
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,956  INFO [network.oxalis.commons.filesystem.FileSystemModule] Configuration folder: /etc/oxalis/conf
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,957  INFO [network.oxalis.commons.config.ConfigModule] Configuration file: /etc/oxalis/conf/oxalis.conf
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,981  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_TOTAL: 20
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,989  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_MAX_ROUTE: 2
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,994  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_VALIDATE_AFTER_INACTIVITY: 1000
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,995  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_TIME_TO_LIVE: 30
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,995  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_CONNECT: 300000
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,996  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_READ: 300000
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,996  INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_SOCKET: 0
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,996  INFO [network.oxalis.commons.settings.SettingsBuilder] Error => TRACKER: quiet
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,997  INFO [network.oxalis.commons.settings.SettingsBuilder] AS2 => NOTIFICATION: not.in.use@difi.no
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:25,997  INFO [network.oxalis.commons.settings.SettingsBuilder] File system => CONF: conf
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,001  INFO [network.oxalis.commons.settings.SettingsBuilder] File system => INBOUND: /peppol
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,009  INFO [network.oxalis.commons.settings.SettingsBuilder] File system => PLUGIN: plugin
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,010  INFO [network.oxalis.commons.settings.SettingsBuilder] Identifiers => HOSTNAME:
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,010  INFO [network.oxalis.commons.settings.SettingsBuilder] Identifiers => MSGID_GENERATOR: default
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,010  INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => PATH: ap_keystore_test.jks
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,011  INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => PASSWORD: ************
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,011  INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => KEY_ALIAS: cert
oxalis-as4-5.0.3_1  | 2021-09-03 15:21:26,011  INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => KEY_PASSWORD: ************

I can see that you did not configure OXALIS_HOME, the volumes and the related configuration correctly. You can either specify all parameters on the command line or use a docker compose file. I hope that is helpful.

I am closing this issue.

theneva commented 2 years ago

Thanks for the response, @aaron-kumar!

You're right – if I specify a keystore PASSWORD, it gets masked:

$ docker run --rm -it -e JAVA_OPTS="-Doxalis.keystore.password=some-secret" norstella/oxalis:5.0.5
…
13:00:09.727 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => PATH: oxalis-keystore.jks
13:00:09.727 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => PASSWORD: ***********
13:00:09.728 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => KEY_ALIAS: ap
13:00:09.728 [main] INFO  n.o.commons.settings.SettingsBuilder - Key store => KEY_PASSWORD: changeit
…

Note that the KEY_PASSWORD, which I did not change, does not get masked in this scenario.

Still, I find it surprising and confusing that fields annotated with @Secret are only masked in the output if they're actually set to a non-default value. I ran my test specifically to verify the masking before I upgraded my installation, and this sure made me not trust it.

Is this intentional behaviour for some reason I'm not seeing?

As a separate note, I think it would be nice if the masker did not give away the password's length in the output. I believe it's pretty common to always print 8 asterisks. Would you be open to a PR changing it?

aaron-kumar commented 2 years ago

@theneva , default values are not masked in the original PR (see the code snippet below); that's why you can see them in the logs.

        if (config.hasPath(settings.get(key))) {
            String value = config.getString(settings.get(key));
            return maskIfSecret(value, isSecret);
        } else if (field.getAnnotation(DefaultValue.class) != null) {
            return field.getAnnotation(DefaultValue.class).value();

These default values will only be printed if OXALIS_HOME is not set, which is otherwise required for a production setting. It is not advised to use the "default values" for the keystore and password; otherwise the whole point of masking them is lost.

If you are running Docker in, say, the Windows command line, use the following command to set OXALIS_HOME and the associated volumes:

docker run -d  -it --name oxalis-as4 --env OXALIS_HOME=/etc/oxalis -v %cd%/.oxalis:/etc/oxalis -v %cd%/peppol:/var/peppol/ -p 8080:8080 norstella/oxalis-as4:5.0.3

Feel free to raise a PR for printing 8 asterisks for the password.
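The two points raised in this thread (defaults bypassing `maskIfSecret`, and the mask revealing the secret's length) are easy to see side by side in a small model of the settings resolution. The following is an added illustration written for this page, not Oxalis code: the `SECRET` and `DEFAULTS` tables and the `Map<String, String>` config are constructed stand-ins for Oxalis' `Config`, `@Secret` and `@DefaultValue`, and the method names `resolveOriginal` / `resolveHardened` are hypothetical. The "original" path reproduces the behaviour in the logs above (set value masked, default printed in clear); the "hardened" path masks after default substitution and uses a fixed-width mask.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added demo of secret masking in settings logging (not part of Oxalis). */
public class SettingsMaskingDemo {

    // Constructed stand-in for @Secret: which keys carry a secret.
    static final Map<String, Boolean> SECRET = Map.of(
            "oxalis.keystore.path", false,
            "oxalis.keystore.password", true,
            "oxalis.keystore.key.alias", false,
            "oxalis.keystore.key.password", true);

    // Constructed stand-in for @DefaultValue (values mirror the thread's log lines).
    static final Map<String, String> DEFAULTS = Map.of(
            "oxalis.keystore.path", "oxalis-keystore.jks",
            "oxalis.keystore.password", "changeit",
            "oxalis.keystore.key.alias", "ap",
            "oxalis.keystore.key.password", "changeit");

    // Fixed key order so the rendered output is reproducible (Map.of has no order).
    static final List<String> KEYS = List.of(
            "oxalis.keystore.path",
            "oxalis.keystore.password",
            "oxalis.keystore.key.alias",
            "oxalis.keystore.key.password");

    static boolean isSecret(String key) {
        return Boolean.TRUE.equals(SECRET.get(key));
    }

    /** Length-revealing mask, as in theneva's second run: one '*' per character. */
    static String maskIfSecretLeaky(String value, boolean secret) {
        return secret ? "*".repeat(value.length()) : value;
    }

    /** Resolution as described in the thread: a default is returned unmasked. */
    static String resolveOriginal(Map<String, String> config, String key) {
        if (config.containsKey(key)) {
            return maskIfSecretLeaky(config.get(key), isSecret(key));
        }
        // Hypothetical mirror of the else-if branch: default bypasses the mask.
        return DEFAULTS.get(key);
    }

    /** Hardened mask: fixed width, so neither value nor length reaches the log. */
    static String maskIfSecret(String value, boolean secret) {
        return secret ? "********" : value;
    }

    /** Hardened resolution: substitute the default first, then mask. */
    static String resolveHardened(Map<String, String> config, String key) {
        String value = config.getOrDefault(key, DEFAULTS.get(key));
        return maskIfSecret(value, isSecret(key));
    }

    /** Render every key the way SettingsBuilder-style startup logging would. */
    static Map<String, String> render(Map<String, String> config, boolean hardened) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String key : KEYS) {
            out.put(key, hardened ? resolveHardened(config, key)
                                  : resolveOriginal(config, key));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed config matching theneva's second run: only PASSWORD is set.
        Map<String, String> config = Map.of("oxalis.keystore.password", "some-secret");

        System.out.println("original (default KEY_PASSWORD leaks, length visible):");
        render(config, false).forEach((k, v) -> System.out.println("  " + k + ": " + v));

        System.out.println("hardened (both secrets masked, fixed width):");
        render(config, true).forEach((k, v) -> System.out.println("  " + k + ": " + v));
    }
}
```

Running `main` shows the original path logging `oxalis.keystore.password: ***********` next to `oxalis.keystore.key.password: changeit`, while the hardened path logs `********` for both. The design point is the order of operations: whether a value came from configuration or from an annotation default is irrelevant to whether it is sensitive, so the mask has to be applied to the resolved value, not only on the configured branch.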