Closed theneva closed 2 years ago
@theneva: I cross-verified that both Oxalis (norstella/oxalis:5.0.5) and Oxalis-AS4 (norstella/oxalis-as4:5.0.3) are hiding the secrets. Note that there is no such thing as something being released correctly but not published correctly to Docker Hub: there is an automated job which publishes the tag to Docker Hub, with no manual step.
Creating docker_oxalis-as4-5.0.3_1 ... done
Attaching to docker_oxalis-as4-5.0.3_1
.....
oxalis-as4-5.0.3_1 |
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,912 INFO [network.oxalis.commons.filesystem.detector.EnvironmentHomeDetector] Using Oxalis folder specified as environment variable 'OXALIS_HOME' with value '/etc/oxalis'.
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,918 INFO [network.oxalis.commons.filesystem.FileSystemModule] Home folder: /etc/oxalis
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,920 INFO [network.oxalis.commons.filesystem.FileSystemModule] Configuration folder: /etc/oxalis/conf
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,920 INFO [network.oxalis.commons.config.ConfigModule] Configuration file: /etc/oxalis/conf/oxalis.conf
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,943 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => CONF: conf
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,943 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => INBOUND: /peppol
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:23,944 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => PLUGIN: plugin
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,951 INFO [network.oxalis.commons.filesystem.detector.EnvironmentHomeDetector] Using Oxalis folder specified as environment variable 'OXALIS_HOME' with value '/etc/oxalis'.
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,952 INFO [network.oxalis.commons.filesystem.FileSystemModule] Home folder: /etc/oxalis
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,956 INFO [network.oxalis.commons.filesystem.FileSystemModule] Configuration folder: /etc/oxalis/conf
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,957 INFO [network.oxalis.commons.config.ConfigModule] Configuration file: /etc/oxalis/conf/oxalis.conf
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,981 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_TOTAL: 20
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,989 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_MAX_ROUTE: 2
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,994 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_VALIDATE_AFTER_INACTIVITY: 1000
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,995 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_TIME_TO_LIVE: 30
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,995 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_CONNECT: 300000
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,996 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_READ: 300000
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,996 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_SOCKET: 0
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,996 INFO [network.oxalis.commons.settings.SettingsBuilder] Error => TRACKER: quiet
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,997 INFO [network.oxalis.commons.settings.SettingsBuilder] AS2 => NOTIFICATION: not.in.use@difi.no
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:25,997 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => CONF: conf
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,001 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => INBOUND: /peppol
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,009 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => PLUGIN: plugin
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,010 INFO [network.oxalis.commons.settings.SettingsBuilder] Identifiers => HOSTNAME:
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,010 INFO [network.oxalis.commons.settings.SettingsBuilder] Identifiers => MSGID_GENERATOR: default
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,010 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => PATH: ap_keystore_test.jks
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,011 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => PASSWORD: ************
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,011 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => KEY_ALIAS: cert
oxalis-as4-5.0.3_1 | 2021-09-03 15:21:26,011 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => KEY_PASSWORD: ************
I can see that you did not configure OXALIS_HOME, the volumes and the related configuration correctly. You can either specify all parameters on the command line or use a docker compose file. I hope that is helpful.
I am closing this issue.
Thanks for the response, @aaron-kumar!
You're right – if I specify a keystore PASSWORD, it gets masked:
$ docker run --rm -it -e JAVA_OPTS="-Doxalis.keystore.password=some-secret" norstella/oxalis:5.0.5
…
13:00:09.727 [main] INFO n.o.commons.settings.SettingsBuilder - Key store => PATH: oxalis-keystore.jks
13:00:09.727 [main] INFO n.o.commons.settings.SettingsBuilder - Key store => PASSWORD: ***********
13:00:09.728 [main] INFO n.o.commons.settings.SettingsBuilder - Key store => KEY_ALIAS: ap
13:00:09.728 [main] INFO n.o.commons.settings.SettingsBuilder - Key store => KEY_PASSWORD: changeit
…
Note that the KEY_PASSWORD, which I did not change, does not get masked in this scenario.
Still, I find it surprising and confusing that fields annotated with @Secret are only masked in the output if they're actually set to a non-default value. I ran my test specifically to verify the masking before I upgraded my installation, and this sure made me not trust it.
Is this intentional behaviour for some reason I'm not seeing?
As a separate note, I think it would be nice if the masker did not give away the password's length in the output. I believe it's pretty common to always print 8 asterisks. Would you be open to a PR changing it?
@theneva, default values are not masked in the original PR (see the code snippet below); that's why you can see them in the logs.
if (config.hasPath(settings.get(key))) {
    String value = config.getString(settings.get(key));
    return maskIfSecret(value, isSecret);
} else if (field.getAnnotation(DefaultValue.class) != null) {
    return field.getAnnotation(DefaultValue.class).value();
These default values will only be printed if OXALIS_HOME is not set, which is otherwise required for a production setting. It is not advised to use the "default values" for the keystore and password; otherwise the whole point of masking them is lost.
If you are running docker, say from the Windows command line, use the following command to set OXALIS_HOME and the associated volumes:
docker run -d -it --name oxalis-as4 --env OXALIS_HOME=/etc/oxalis -v %cd%/.oxalis:/etc/oxalis -v %cd%/peppol:/var/peppol/ -p 8080:8080 norstella/oxalis-as4:5.0.3
Feel free to raise a PR for printing 8 asterisks for the password.
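To make the two branches of the quoted snippet concrete, here is an added example (Java 11+; not Oxalis code, and the annotation and class names Secret, DefaultValue, ConfigKey and KeyStoreSettings are assumed stand-ins for illustration). resolveLeaky mirrors the quoted logic, where maskIfSecret is only reached on the "configured value" branch, so a @Secret field that falls back to its @DefaultValue is returned in clear text. resolveMasked shows the hardened shape: resolve the value first, then mask once regardless of where it came from, using a fixed-width mask so the log line no longer reveals the password's length.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Field;
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not Oxalis code. Secret, DefaultValue, ConfigKey and
 * KeyStoreSettings are assumed stand-ins; only the shape of the quoted
 * if / else-if branch is taken from the thread.
 */
public class SecretMaskingExample {

    @Retention(RetentionPolicy.RUNTIME) @interface Secret {}
    @Retention(RetentionPolicy.RUNTIME) @interface DefaultValue { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @interface ConfigKey { String value(); }

    // Three settings modelled on the "Key store =>" lines in the logs above.
    static class KeyStoreSettings {
        @ConfigKey("oxalis.keystore.path") @DefaultValue("oxalis-keystore.jks")
        public static final String PATH = "PATH";
        @ConfigKey("oxalis.keystore.password") @DefaultValue("changeit") @Secret
        public static final String PASSWORD = "PASSWORD";
        @ConfigKey("oxalis.keystore.key.password") @DefaultValue("changeit") @Secret
        public static final String KEY_PASSWORD = "KEY_PASSWORD";
    }

    /** Length-preserving mask, one '*' per character (what the logs above show). */
    static String maskIfSecret(String value, boolean isSecret) {
        return isSecret ? "*".repeat(value.length()) : value;
    }

    /** Fixed-width mask that does not leak the secret's length. */
    static String maskIfSecretFixed(String value, boolean isSecret) {
        return isSecret ? "********" : value;
    }

    /** Mirrors the quoted snippet: the default-value branch bypasses the mask. */
    static String resolveLeaky(Field field, Map<String, String> config) {
        boolean isSecret = field.isAnnotationPresent(Secret.class);
        String key = field.getAnnotation(ConfigKey.class).value();
        if (config.containsKey(key)) {
            return maskIfSecret(config.get(key), isSecret);
        } else if (field.isAnnotationPresent(DefaultValue.class)) {
            return field.getAnnotation(DefaultValue.class).value();   // clear text
        }
        return null;
    }

    /** Hardened: resolve first, mask once, so the value's origin cannot bypass @Secret. */
    static String resolveMasked(Field field, Map<String, String> config) {
        boolean isSecret = field.isAnnotationPresent(Secret.class);
        String key = field.getAnnotation(ConfigKey.class).value();
        String value;
        if (config.containsKey(key)) {
            value = config.get(key);
        } else if (field.isAnnotationPresent(DefaultValue.class)) {
            value = field.getAnnotation(DefaultValue.class).value();
        } else {
            return null;
        }
        return maskIfSecretFixed(value, isSecret);
    }

    /** Renders every annotated setting the way a "Key store => NAME: value" log line would. */
    static Map<String, String> render(Map<String, String> config, boolean hardened) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Field f : KeyStoreSettings.class.getDeclaredFields()) {
            if (!f.isAnnotationPresent(ConfigKey.class)) continue;
            out.put(f.getName(), hardened ? resolveMasked(f, config) : resolveLeaky(f, config));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed config: only the keystore password is set, as in the
        // docker run -e JAVA_OPTS="-Doxalis.keystore.password=some-secret" test above.
        Map<String, String> config = Map.of("oxalis.keystore.password", "some-secret");

        System.out.println("-- current behaviour --");
        render(config, false).forEach((k, v) -> System.out.println("Key store => " + k + ": " + v));

        System.out.println("-- hardened --");
        render(config, true).forEach((k, v) -> System.out.println("Key store => " + k + ": " + v));
    }
}
```

Running it prints KEY_PASSWORD in clear text under the current behaviour and as eight asterisks under the hardened variant, while PASSWORD is masked in both. The practical check before trusting any build is the same one theneva ran: start the container with a known secret and grep the full log for both the literal secret and the default "changeit"; if either string appears, the masking is not covering that path.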
Hi! :wave:
I was very happy to see https://github.com/OxalisCommunity/oxalis/issues/448 closed in https://github.com/OxalisCommunity/oxalis/pull/527 and https://github.com/OxalisCommunity/oxalis/pull/528, and released as part of Oxalis version 5.0.5 (https://github.com/OxalisCommunity/oxalis/releases/tag/v5.0.5).
However, when I tried running the 5.0.5 Docker image, I noticed that the @Secret-annotated fields are still being logged, contrary to the screenshot in #527. I think this reproduction is clean enough to clearly illustrate the issue:
This leads me to believe that the latest Docker release somehow did not include the latest changes. Is that possible, or am I doing something wrong?
If so, would someone please release a new Docker image with the changes meant to be included in Oxalis version 5.0.5?
This also affects the 5.0.3(!) release of the AS4 Docker image (norstella/oxalis-as4:5.0.3), which is built from norstella/oxalis:5.0.5. That would also need to be rebuilt and re-released after a fix :smile: