syndesisio / syndesis-rest

The API for Syndesis - a flexible, customizable, cloud-hosted platform that provides core integration capabilities as a service. It leverages Red Hat's existing product architecture using OpenShift Online/Dedicated and Fuse Integration Services.
https://syndesis-staging.b6ff.rh-idev.openshiftapps.com/api/v1/
Apache License 2.0

Client side state persistence config missing (in logs) #657

Closed rhuss closed 6 years ago

rhuss commented 7 years ago

On staging in the logs:

2017-09-30 20:34:47.220  WARN [-,,,] 1 --- [           main] io.syndesis.runtime.Application          :
*** Client side state persistence configuration is not defined, please set
    CLIENT_STATE_AUTHENTICATION_ALGORITHM
    CLIENT_STATE_AUTHENTICATION_KEY
    CLIENT_STATE_ENCRYPTION_ALGORITHM
    CLIENT_STATE_ENCRYPTION_KEY
    CLIENT_STATE_TID
 environment variables.
*** Using randomized values for missing properties, this will not work across restarts or when scaled!
2017-09-30 20:34:47.832  INFO [-,,,] 1 --- [           main] org.reflections.Reflections              : Refl

Is this something harmful? What needs to be done here? // @zregvart

zregvart commented 7 years ago

We discussed this at some point and decided that it would not be proper to deliver hard coded keys. The downside of using random keys is that (as stated) if the pod is restarted any ongoing OAuth skirmishes will fail to complete. Not sure if we can add to OpenShift templates to generate some random keys?

rhuss commented 7 years ago

We can create random keys during template instantiation, so that would make much sense. Could we use application.properties, too? Think this would be nice to not pollute the env namespace and to diverge configuration (as we already have an application properties file).

zregvart commented 7 years ago

This is an option right now, we should be able to place something like this in the application.yml:

client:
  state:
    authentication-algorithm: HmacSHA1
    authentication-key: oID3dF6UovTkzMyr3a9dr0kgTnE=
    encryption-algorithm: AES/CBC/PKCS5Padding
    encryption-key: T2NasjRXURA3dSL8dUQubQ==
    tid: 1

The keys are 20 (authentication) and 16 (encryption) bytes Base64 encoded random values. That of course changes with the algorithm parameters.

rhuss commented 7 years ago

Can we keep the algorithm fixed and just create the keys, right? Not sure whether the template mechanism supports base64 encoding. Just in case, could we do the encoding on our own (within the code), so that we could put arbitrary random strings here?

zregvart commented 7 years ago

Yes on all accounts.
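The following is an added example, not code from the Syndesis project or from anyone in this thread. It covers the two points above: generating the application.yml fragment zregvart posted with fresh random keys (20 bytes for HmacSHA1, 16 bytes for AES/CBC/PKCS5Padding, base64-encoded in code rather than by the template), and showing why the "randomized values" fallback from the log warning breaks across restarts. It uses only the Python standard library; the `sign_state`/`verify_state` helpers are an illustrative HMAC stand-in for what the Java runtime does with the authentication key and are not the project's implementation. Only the encryption key is generated here; no AES round trip is shown, to stay within the standard library.

```python
import base64
import hashlib
import hmac
import secrets

# Key sizes named in the thread: 20-byte HMAC-SHA1 key, 16-byte AES-128 key.
AUTH_KEY_BYTES = 20
ENC_KEY_BYTES = 16


def generate_client_state_config(tid: int = 1) -> dict:
    """Return the five client.state settings with freshly generated random keys.

    The algorithms stay fixed; only the keys are random. Base64 encoding is
    done here, so the surrounding tooling (e.g. a template) need not support it.
    """
    return {
        "authentication-algorithm": "HmacSHA1",
        "authentication-key": base64.b64encode(secrets.token_bytes(AUTH_KEY_BYTES)).decode("ascii"),
        "encryption-algorithm": "AES/CBC/PKCS5Padding",
        "encryption-key": base64.b64encode(secrets.token_bytes(ENC_KEY_BYTES)).decode("ascii"),
        "tid": tid,
    }


def decoded_key_length(value: str) -> int:
    """Strictly decode a base64 key and return its raw length in bytes."""
    return len(base64.b64decode(value, validate=True))


def render_application_yml(cfg: dict) -> str:
    """Render the config as the application.yml fragment from the thread."""
    lines = ["client:", "  state:"]
    for key, value in cfg.items():
        lines.append(f"    {key}: {value}")
    return "\n".join(lines) + "\n"


# Hypothetical stand-in for the runtime's use of the authentication key:
# the client-side state blob is tagged with HMAC-SHA1 so a pod can detect tampering.
def sign_state(auth_key_b64: str, state: bytes) -> str:
    key = base64.b64decode(auth_key_b64)
    return hmac.new(key, state, hashlib.sha1).hexdigest()


def verify_state(auth_key_b64: str, state: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_state(auth_key_b64, state), tag)


if __name__ == "__main__":
    # Constructed scenario: pod A hands state to the client, then restarts
    # without persisted keys (the "randomized values" case from the log).
    pod_a = generate_client_state_config()
    state = b"oauth-flow-id=example;step=callback"  # constructed state blob
    tag = sign_state(pod_a["authentication-key"], state)

    pod_a_restarted = generate_client_state_config()  # new random keys
    print(render_application_yml(pod_a))
    print("same keys verify:", verify_state(pod_a["authentication-key"], state, tag))
    print("after restart with random keys:",
          verify_state(pod_a_restarted["authentication-key"], state, tag))
```

Running it prints a YAML fragment with the same shape as the one in the thread, then `True` for the original pod and `False` after the simulated restart: the client's in-flight state can no longer be authenticated, which is exactly what the warning means by "will not work across restarts or when scaled". Persisting the generated keys (for example in application.yml or a Secret created once at template instantiation) is what makes every replica and every restart agree.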