From 29f1f4b4c0401e5c5ce68409a3af1b2cbdabbadd Mon Sep 17 00:00:00 2001 From: "Alejandro M. Ramallo" Date: Fri, 23 Aug 2024 16:15:58 +0100 Subject: [PATCH 1/6] repalce enacl with public_key and crypto Signed-off-by: Alejandro M. Ramallo --- apps/bondy/src/bondy_auth_wamp_cryptosign.erl | 36 ++--- apps/bondy/src/bondy_cryptosign.erl | 127 ++++++++++++++++++ .../test/bondy_auth_wamp_cryptosign_SUITE.erl | 7 +- 3 files changed, 141 insertions(+), 29 deletions(-) create mode 100644 apps/bondy/src/bondy_cryptosign.erl diff --git a/apps/bondy/src/bondy_auth_wamp_cryptosign.erl b/apps/bondy/src/bondy_auth_wamp_cryptosign.erl index ae6c874a..92b03a76 100644 --- a/apps/bondy/src/bondy_auth_wamp_cryptosign.erl +++ b/apps/bondy/src/bondy_auth_wamp_cryptosign.erl @@ -34,7 +34,6 @@ -type state() :: map(). -type challenge_error() :: missing_pubkey | no_matching_pubkey. - %% BONDY_AUTH CALLBACKS -export([init/1]). -export([requirements/0]). @@ -43,6 +42,9 @@ + + + %% ============================================================================= %% BONDY_AUTH CALLBACKS %% ============================================================================= @@ -109,7 +111,7 @@ challenge(Details, Ctxt, State) -> case lists:member(Key, Keys) of true -> - Challenge = enacl:randombytes(32), + Challenge = bondy_cryptosign:strong_rand_bytes(), NewState = State#{ pubkey => Key, challenge => Challenge @@ -141,15 +143,14 @@ challenge(Details, Ctxt, State) -> {ok, DataOut :: map(), CBState :: state()} | {error, Reason :: any(), CBState :: state()}. -authenticate(EncSignature, _, _, #{pubkey := PK} = State) +authenticate(EncSignature, _, _, #{pubkey := Pub} = State) when is_binary(EncSignature) -> try Challenge = maps:get(challenge, State), - Signature0 = decode_hex(EncSignature), - Signature = normalise_signature(Signature0, Challenge), + Signature = decode_hex(EncSignature), %% Verify that the Challenge was signed using the Ed25519 key - case enacl:sign_verify_detached(Signature, Challenge, PK) of + case bondy_cryptosign:verify(Signature, Challenge, Pub) of true -> {ok, #{}, State}; @@ -159,11 +160,11 @@ when is_binary(EncSignature) -> end catch error:badarg -> - %% enacl failed {error, invalid_signature, State}; + error:invalid_signature -> - %% normalise failed {error, invalid_signature, State}; + throw:invalid_hex_encoding -> {error, invalid_signature, State} end. @@ -171,7 +172,6 @@ when is_binary(EncSignature) -> - %% ============================================================================= %% PRIVATE %% ============================================================================= @@ -199,21 +199,3 @@ encode_hex(Bin) when is_binary(Bin) -> list_to_binary(hex_utils:bin_to_hexstr(Bin)). -%% @private -%% @doc As the cryptosign spec is not formal some clients e.g. Python -%% return Signature(64) ++ Challenge(32) while others e.g. JS return just the -%% Signature(64). -%% @end -normalise_signature(Signature, _) when byte_size(Signature) == 64 -> - Signature; - -normalise_signature(Signature, Challenge) when byte_size(Signature) == 96 -> - case binary:match(Signature, Challenge) of - {64, 32} -> - binary:part(Signature, {0, 64}); - _ -> - throw(invalid_signature) - end; - -normalise_signature(_, _) -> - throw(invalid_signature). diff --git a/apps/bondy/src/bondy_cryptosign.erl b/apps/bondy/src/bondy_cryptosign.erl new file mode 100644 index 00000000..c17737b9 --- /dev/null +++ b/apps/bondy/src/bondy_cryptosign.erl @@ -0,0 +1,127 @@ +%% ============================================================================= +%% bondy_cryptosign.erl - +%% +%% Copyright (c) 2016-2024 Leapsight. All rights reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% ============================================================================= + + +%% ----------------------------------------------------------------------------- +%% @doc This modules provides the necessary functions to support the +%% Cryptosign capabilities. +%% @end +%% ----------------------------------------------------------------------------- +-module(bondy_cryptosign). + +-type key_pair() :: #{public => binary(), secret => binary()}. + +%% API +-export([generate_key/0]). +-export([normalise_signature/2]). +-export([sign/2]). +-export([strong_rand_bytes/0]). +-export([strong_rand_bytes/1]). +-export([verify/3]). + + +%% ============================================================================= +%% API +%% ============================================================================= + + + +%% ----------------------------------------------------------------------------- +%% @doc +%% @end +%% ----------------------------------------------------------------------------- +-spec generate_key() -> KeyPair :: key_pair(). + +generate_key() -> + {Pub, Priv} = crypto:generate_key(eddsa, ed25519), + #{public => Pub, secret => Priv}. + + +%% ----------------------------------------------------------------------------- +%% @doc Calls `strong_rand_bytes/1' with the default length value `32`. +%% @end +%% ----------------------------------------------------------------------------- +-spec strong_rand_bytes() -> binary(). + +strong_rand_bytes() -> + strong_rand_bytes(32). + + +%% ----------------------------------------------------------------------------- +%% @doc +%% @end +%% ----------------------------------------------------------------------------- +-spec strong_rand_bytes(pos_integer()) -> binary(). + +strong_rand_bytes(Length) when is_integer(Length) andalso Length >= 0 -> + crypto:strong_rand_bytes(Length). + + +%% ----------------------------------------------------------------------------- +%% @doc +%% @end +%% ----------------------------------------------------------------------------- +-spec sign(Challenge :: binary(), KeyPair :: key_pair()) -> + Signature :: binary(). + +sign(Challenge, #{public := Pub, secret := Priv}) -> + public_key:sign(Challenge, ignored, {ed_pri, ed25519, Pub, Priv}, []). + + +%% ----------------------------------------------------------------------------- +%% @doc +%% @end +%% ----------------------------------------------------------------------------- +-spec verify( + Signature :: binary(), Challenge :: binary(), PublicKey :: binary()) -> boolean() | no_return() + +verify(Signature, Challenge, PublicKey) -> + Normalised = normalise_signature(Signature, Challenge), + + public_key:verify( + Challenge, ignored, Normalised, {ed_pub, ed25519, PublicKey} + ). + + + +%% ============================================================================= +%% PRIVATE +%% ============================================================================= + + + +%% ----------------------------------------------------------------------------- +%% @private +%% @doc As the cryptosign spec is not formal some clients e.g. Python +%% return Signature(64) ++ Challenge(32) while others e.g. JS return just the +%% Signature(64). +%% @end +%% ----------------------------------------------------------------------------- +normalise_signature(Signature, _) when byte_size(Signature) == 64 -> + Signature; + +normalise_signature(Signature, Challenge) when byte_size(Signature) == 96 -> + case binary:match(Signature, Challenge) of + {64, 32} -> + binary:part(Signature, {0, 64}); + _ -> + error(invalid_signature) + end; + +normalise_signature(_, _) -> + error(invalid_signature). diff --git a/apps/bondy/test/bondy_auth_wamp_cryptosign_SUITE.erl b/apps/bondy/test/bondy_auth_wamp_cryptosign_SUITE.erl index 9baf43f1..c3f1a1db 100644 --- a/apps/bondy/test/bondy_auth_wamp_cryptosign_SUITE.erl +++ b/apps/bondy/test/bondy_auth_wamp_cryptosign_SUITE.erl @@ -35,7 +35,10 @@ all() -> init_per_suite(Config) -> bondy_ct:start_bondy(), - KeyPairs = [enacl:crypto_sign_ed25519_keypair() || _ <- lists:seq(1, 3)], + KeyPairs = [ + bondy_cryptosign:generate_key() + || _ <- lists:seq(1, 3) + ], RealmUri = <<"com.example.test.auth_cryptosign">>, ok = add_realm(RealmUri, KeyPairs), @@ -152,7 +155,7 @@ test_1(Config) -> Message = hex_utils:hexstr_to_bin(HexMessage), Signature = list_to_binary( hex_utils:bin_to_hexstr( - enacl:sign_detached(Message, maps:get(secret, KeyPair)) + bondy_cryptosign:sign(Message, KeyPair) ) ), From 52dbbf8397aa5d70cebcdef5dd7464783ee6b37b Mon Sep 17 00:00:00 2001 From: "Alejandro M. Ramallo" Date: Sat, 24 Aug 2024 21:11:24 +0100 Subject: [PATCH 2/6] fix missing dot Signed-off-by: Alejandro M. Ramallo --- apps/bondy/src/bondy_cryptosign.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/bondy/src/bondy_cryptosign.erl b/apps/bondy/src/bondy_cryptosign.erl index c17737b9..b8c45895 100644 --- a/apps/bondy/src/bondy_cryptosign.erl +++ b/apps/bondy/src/bondy_cryptosign.erl @@ -88,7 +88,7 @@ sign(Challenge, #{public := Pub, secret := Priv}) -> %% @end %% ----------------------------------------------------------------------------- -spec verify( - Signature :: binary(), Challenge :: binary(), PublicKey :: binary()) -> boolean() | no_return() + Signature :: binary(), Challenge :: binary(), PublicKey :: binary()) -> boolean() | no_return(). verify(Signature, Challenge, PublicKey) -> Normalised = normalise_signature(Signature, Challenge), From b4b3b53e56535d3266b964bee81d1d1230725b2d Mon Sep 17 00:00:00 2001 From: "Alejandro M. Ramallo" Date: Sat, 24 Aug 2024 21:15:30 +0100 Subject: [PATCH 3/6] Replace enacl with crypto for password hashing and cryptosign - RETIRING argon2 algorithm until we finish a replacement via a Rust NIF - Remove enacl and pbkdf2 libs. Use new crypto module functions instead. Signed-off-by: Alejandro M. Ramallo --- apps/bondy/src/bondy.app.src | 2 - apps/bondy/src/bondy_bridge_relay_client.erl | 14 +-- apps/bondy/src/bondy_password.erl | 36 +++---- apps/bondy/src/bondy_password_cra.erl | 8 +- apps/bondy/src/bondy_password_scram.erl | 99 +++++++++---------- apps/bondy/src/bondy_utils.erl | 2 +- apps/bondy/test/bondy_auth_ticket_SUITE.erl | 2 +- .../test/bondy_auth_wamp_scram_SUITE.erl | 2 +- apps/bondy/test/bondy_password_SUITE.erl | 50 +++++++--- apps/bondy/test/bondy_rbac_user_SUITE.erl | 2 +- config/bridge/bondy.conf.template | 8 +- rebar.lock | 8 -- schema/bondy.schema | 94 +++++++++--------- 13 files changed, 172 insertions(+), 155 deletions(-) diff --git a/apps/bondy/src/bondy.app.src b/apps/bondy/src/bondy.app.src index 8b7f3a44..92f3cc89 100644 --- a/apps/bondy/src/bondy.app.src +++ b/apps/bondy/src/bondy.app.src @@ -40,9 +40,7 @@ sasl, tools, %% 3rd-party Crypto - enacl, jose, - pbkdf2, stringprep, %% 3rd-party Web Sevrver|client cowboy, diff --git a/apps/bondy/src/bondy_bridge_relay_client.erl b/apps/bondy/src/bondy_bridge_relay_client.erl index 24bef047..11c6df08 100644 --- a/apps/bondy/src/bondy_bridge_relay_client.erl +++ b/apps/bondy/src/bondy_bridge_relay_client.erl @@ -1198,14 +1198,14 @@ signer(PubKey, #{cryptosign := #{exec := Filename}}) -> error(Reason) end; -signer(_, #{cryptosign := #{privkey := HexString}}) -> +signer(PubKey, #{cryptosign := #{privkey := HexString}}) -> %% For testing only, this will be remove on 1.0.0 fun(Message) -> PrivKey = hex_utils:hexstr_to_bin(HexString), - sign(Message, PrivKey) + sign(Message, PrivKey, PubKey) end; -signer(_, #{cryptosign := #{privkey_env_var := Var}}) -> +signer(PubKey, #{cryptosign := #{privkey_env_var := Var}}) -> case os:getenv(Var) of false -> @@ -1213,7 +1213,7 @@ signer(_, #{cryptosign := #{privkey_env_var := Var}}) -> HexString -> fun(Message) -> PrivKey = hex_utils:hexstr_to_bin(HexString), - sign(Message, PrivKey) + sign(Message, PrivKey, PubKey) end end; @@ -1222,10 +1222,12 @@ signer(_, Conf) -> %% @private -sign(Message, PrivKey) -> +sign(Message, PrivKey, PubKey) -> list_to_binary( hex_utils:bin_to_hexstr( - enacl:sign_detached(Message, PrivKey) + bondy_cryptosign:sign( + Message, #{public => PubKey, secret => PrivKey} + ) ) ). diff --git a/apps/bondy/src/bondy_password.erl b/apps/bondy/src/bondy_password.erl index b76e9f55..cfa5da1a 100644 --- a/apps/bondy/src/bondy_password.erl +++ b/apps/bondy/src/bondy_password.erl @@ -56,7 +56,7 @@ key => kdf, required => true, default => bondy_config:get([security, password, scram, kdf]), - datatype => {in, [pbkdf2, <<"pbkdf2">>, argon2id13, <<"argon2id13">>]}, + datatype => {in, [pbkdf2, argon2id13, <<"pbkdf2">>, <<"argon2id13">>]}, validator => fun bondy_data_validators:existing_atom/1 }, iterations => #{ @@ -199,7 +199,6 @@ replace(Password, PWD) -> new(Password, #{protocol => Protocol, params => Params}). - %% ----------------------------------------------------------------------------- %% @doc %% @end @@ -234,7 +233,6 @@ opts_validator() -> ?OPTS_VALIDATOR. - %% ----------------------------------------------------------------------------- %% @doc %% @end @@ -332,17 +330,17 @@ verify_hash(_Hash, #{version := ?VERSION, protocol := scram} = _PW) -> error(not_implemented); verify_hash(Hash, #{version := ?VERSION, protocol := cra} = PW) -> - SPassword = maps_utils:get_path([data, salted_password], PW), - pbkdf2:compare_secure(pbkdf2:to_hex(Hash), pbkdf2:to_hex(SPassword)); + Salted = maps_utils:get_path([data, salted_password], PW), + crypto:hash_equals(Hash, Salted); verify_hash(Hash, #{version := <<"1.1">>} = PW) -> - #{hash_pass := StoredHash} = PW, - %% StoredHash is base64 encoded - pbkdf2:compare_secure(pbkdf2:to_hex(Hash), pbkdf2:to_hex(StoredHash)); + #{hash_pass := Salted} = PW, + %% Stored Salted is base64 encoded in 1.1 + crypto:hash_equals(Hash, Salted); verify_hash(Hash, #{version := <<"1.0">>} = PW) when is_binary(Hash) -> - #{hash_pass := StoredHash} = PW, - pbkdf2:compare_secure(pbkdf2:to_hex(Hash), StoredHash); + #{hash_pass := Salted} = PW, + crypto:hash_equals(Hash, Salted); verify_hash(Hash, #{} = PW) -> verify_string(Hash, add_version(PW)). @@ -373,7 +371,7 @@ verify_string(String, #{version := ?VERSION, protocol := cra} = PW) -> verify_string(String, #{version := <<"1.1">>} = PW) -> #{ - hash_pass := StoredHash, + hash_pass := Salted, hash_func := HashFun, iterations := HashIter, salt := Salt @@ -381,23 +379,21 @@ verify_string(String, #{version := <<"1.1">>} = PW) -> HashLen = hash_length(PW), %% We use keylen in version > 1.0 - {ok, Hash0} = pbkdf2:pbkdf2(HashFun, String, Salt, HashIter, HashLen), + Hash0 = crypto:pbkdf2_hmac(HashFun, String, Salt, HashIter, HashLen), - pbkdf2:compare_secure( - pbkdf2:to_hex(StoredHash), - pbkdf2:to_hex(base64:encode(Hash0)) %% StoredHash is base64 encoded - ); + %% Stored Salted is base64 encoded in 1.1 + crypto:hash_equals(Salted, base64:encode(Hash0)); verify_string(String, #{version := <<"1.0">>} = PW) -> #{ - hash_pass := StoredHash, + hash_pass := Salted, hash_func := HashFun, iterations := HashIter, salt := Salt } = PW, - {ok, Hash} = pbkdf2:pbkdf2(HashFun, String, Salt, HashIter), - %% StoredHash is hex value - pbkdf2:compare_secure(pbkdf2:to_hex(Hash), StoredHash); + HashLen = hash_length(PW), + Hash = crypto:pbkdf2_hmac(HashFun, String, Salt, HashIter, HashLen), + crypto:hash_equals(Hash, Salted); %% to handle the error: reason=function_clause %% example: [{bondy_password,verify_string,[<<\"Nes 2907\">>,[{hash_pass,<<\"adcebee9a2cbbe4e26c340f95da646a1ab60c676\">>},{auth_name,pbkdf2},{hash_func,sha},{salt,<<76,202,0,27,196,167,217,222,194,142,96,185,219,169,96,233>>},{iterations,65536}]] diff --git a/apps/bondy/src/bondy_password_cra.erl b/apps/bondy/src/bondy_password_cra.erl index f65ae5b4..67358752 100644 --- a/apps/bondy/src/bondy_password_cra.erl +++ b/apps/bondy/src/bondy_password_cra.erl @@ -166,7 +166,7 @@ nonce_length() -> -spec salt() -> binary(). salt() -> - base64:encode(enacl:randombytes(salt_length())). + base64:encode(crypto:strong_rand_bytes(salt_length())). %% ----------------------------------------------------------------------------- @@ -176,7 +176,7 @@ salt() -> -spec nonce() -> binary(). nonce() -> - base64:encode(enacl:randombytes(nonce_length())). + base64:encode(crypto:strong_rand_bytes(nonce_length())). %% ----------------------------------------------------------------------------- @@ -192,7 +192,7 @@ salted_password(Password, Salt, #{kdf := pbkdf2} = Params) -> hash_length := HashLen } = Params, - {ok, SaltedPassword} = pbkdf2:pbkdf2( + SaltedPassword = crypto:pbkdf2_hmac( HashFun, Password, Salt, Iterations, HashLen ), base64:encode(SaltedPassword). @@ -205,7 +205,7 @@ salted_password(Password, Salt, #{kdf := pbkdf2} = Params) -> -spec compare(binary(), binary()) -> boolean(). compare(A, B) -> - pbkdf2:compare_secure(pbkdf2:to_hex(A), pbkdf2:to_hex(B)). + crypto:hash_equals(A, B). diff --git a/apps/bondy/src/bondy_password_scram.erl b/apps/bondy/src/bondy_password_scram.erl index b2b81d54..39192fc9 100644 --- a/apps/bondy/src/bondy_password_scram.erl +++ b/apps/bondy/src/bondy_password_scram.erl @@ -39,7 +39,9 @@ salt := binary(), salt_length := non_neg_integer() }. --type kdf() :: pbkdf2 | argon2id13. +%% OPTION RETIRED UNTIL NEW IMPLEMENTATION IS DONE +%% -type kdf() :: pbkdf2 | argon2id13. +-type kdf() :: pbkdf2. -type hash_fun() :: sha256. -export_type([data/0]). @@ -182,7 +184,7 @@ salt_length() -> salt() -> %% REVIEW salt as based64 - enacl:randombytes(salt_length()). + crypto:strong_rand_bytes(salt_length()). %% ----------------------------------------------------------------------------- @@ -192,7 +194,7 @@ salt() -> -spec server_nonce(ClientNonce :: binary()) -> ServerNonce :: binary(). server_nonce(ClientNonce) -> - <>. + <>. %% ----------------------------------------------------------------------------- @@ -204,15 +206,15 @@ server_nonce(ClientNonce) -> Salt :: binary(), Params :: params()) -> SaltedPassword :: binary(). -salted_password(Password, Salt, #{kdf := argon2id13} = Params) -> - Normalised = stringprep:resourceprep(Password), - #{ - kdf := KDF, - iterations := Iterations, - memory := Memory - } = Params, - %% REVIEW encode SALT with base64? - enacl:pwhash(Normalised, Salt, Iterations, Memory, KDF); +%% salted_password(Password, Salt, #{kdf := argon2id13} = Params) -> +%% Normalised = stringprep:resourceprep(Password), +%% #{ +%% kdf := KDF, +%% iterations := Iterations, +%% memory := Memory +%% } = Params, +%% %% REVIEW encode SALT with base64? +%% enacl:pwhash(Normalised, Salt, Iterations, Memory, KDF); salted_password(Password, Salt, #{kdf := pbkdf2} = Params) -> Normalised = stringprep:resourceprep(Password), @@ -222,10 +224,7 @@ salted_password(Password, Salt, #{kdf := pbkdf2} = Params) -> hash_length := HashLen } = Params, - {ok, SaltedPassword} = pbkdf2:pbkdf2( - HashFun, Normalised, Salt, Iterations, HashLen - ), - SaltedPassword. + crypto:pbkdf2_hmac(HashFun, Normalised, Salt, Iterations, HashLen). %% ----------------------------------------------------------------------------- @@ -370,8 +369,8 @@ auth_message( validate_kdf(#{kdf := pbkdf2} = Params) -> Params; -validate_kdf(#{kdf := argon2id13} = Params) -> - Params; +%% validate_kdf(#{kdf := argon2id13} = Params) -> +%% Params; validate_kdf(#{kdf := _}) -> error({invalid_argument, kdf}); @@ -412,19 +411,19 @@ iterations_to_integer(pbkdf2, N) when is_integer(N) -> N >= 4096 andalso N =< 65536 orelse error({invalid_argument, iterations}), N; -iterations_to_integer(argon2id13, Name) when is_atom(Name) -> - %% We convert names to their values according to - %% https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash_argon2id.h - case Name of - interactive -> 2; - moderate -> 3; - sensitive -> 4; - _ -> error({invalid_argument, iterations}) - end; - -iterations_to_integer(argon2id13, N) when is_integer(N) -> - N >= 1 andalso N =< 4294967295 orelse error({invalid_argument, iterations}), - N; +%% iterations_to_integer(argon2id13, Name) when is_atom(Name) -> +%% %% We convert names to their values according to +%% %% https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash_argon2id.h +%% case Name of +%% interactive -> 2; +%% moderate -> 3; +%% sensitive -> 4; +%% _ -> error({invalid_argument, iterations}) +%% end; + +%% iterations_to_integer(argon2id13, N) when is_integer(N) -> +%% N >= 1 andalso N =< 4294967295 orelse error({invalid_argument, iterations}), +%% N; iterations_to_integer(_, _) -> error({invalid_argument, iterations}). @@ -434,25 +433,25 @@ iterations_to_integer(_, _) -> memory_to_integer(pbkdf2, _) -> undefined; -memory_to_integer(argon2id13, undefined) -> - memory_to_integer(argon2id13, interactive); - -memory_to_integer(argon2id13, Name) when is_atom(Name) -> - %% We convert names to their values according to - %% https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash_argon2id.h - case Name of - interactive -> 67108864; - moderate -> 268435456; - sensitive -> 1073741824; - _ -> error({invalid_argument, memory}) - end; - -memory_to_integer(argon2id13, N) when is_integer(N) -> - %% Notice that the underlying library (libsodium) allows up to - %% 4398046510080 but we have restricted this value to avoid a configuration - %% error to enable a DoS attack. - N >= 8192 andalso N =< 1073741824 orelse error({invalid_argument, memory}), - N; +%% memory_to_integer(argon2id13, undefined) -> +%% memory_to_integer(argon2id13, interactive); + +%% memory_to_integer(argon2id13, Name) when is_atom(Name) -> +%% %% We convert names to their values according to +%% %% https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_pwhash_argon2id.h +%% case Name of +%% interactive -> 67108864; +%% moderate -> 268435456; +%% sensitive -> 1073741824; +%% _ -> error({invalid_argument, memory}) +%% end; + +%% memory_to_integer(argon2id13, N) when is_integer(N) -> +%% %% Notice that the underlying library (libsodium) allows up to +%% %% 4398046510080 but we have restricted this value to avoid a configuration +%% %% error to enable a DoS attack. +%% N >= 8192 andalso N =< 1073741824 orelse error({invalid_argument, memory}), +%% N; memory_to_integer(_, _) -> error({invalid_argument, memory}). diff --git a/apps/bondy/src/bondy_utils.erl b/apps/bondy/src/bondy_utils.erl index 1edcae79..d52eb595 100644 --- a/apps/bondy/src/bondy_utils.erl +++ b/apps/bondy/src/bondy_utils.erl @@ -484,7 +484,7 @@ get_nonce() -> %% @end %% ----------------------------------------------------------------------------- get_nonce(Len) -> - base64:encode(enacl:randombytes(Len)). + base64:encode(crypto:strong_rand_bytes(Len)). %% ----------------------------------------------------------------------------- diff --git a/apps/bondy/test/bondy_auth_ticket_SUITE.erl b/apps/bondy/test/bondy_auth_ticket_SUITE.erl index e784d4b6..16d04660 100644 --- a/apps/bondy/test/bondy_auth_ticket_SUITE.erl +++ b/apps/bondy/test/bondy_auth_ticket_SUITE.erl @@ -42,7 +42,7 @@ all() -> init_per_suite(Config) -> bondy_ct:start_bondy(), - KeyPairs = [enacl:crypto_sign_ed25519_keypair() || _ <- lists:seq(1, 3)], + KeyPairs = [bondy_cryptosign:generate_key() || _ <- lists:seq(1, 3)], RealmUri = <<"com.example.test.auth_ticket">>, ok = add_realm(RealmUri, KeyPairs), [{realm_uri, RealmUri}, {keypairs, KeyPairs} | Config]. diff --git a/apps/bondy/test/bondy_auth_wamp_scram_SUITE.erl b/apps/bondy/test/bondy_auth_wamp_scram_SUITE.erl index ae812e39..75090707 100644 --- a/apps/bondy/test/bondy_auth_wamp_scram_SUITE.erl +++ b/apps/bondy/test/bondy_auth_wamp_scram_SUITE.erl @@ -156,7 +156,7 @@ test_1(Config) -> lists:member(?WAMP_SCRAM_AUTH, bondy_auth:available_methods(Ctxt1)) ), - ClientNonce = enacl:randombytes(16), + ClientNonce = crypto:strong_rand_bytes(16), HelloDetails = #{authextra => #{ <<"nonce">> => base64:encode(ClientNonce) }}, diff --git a/apps/bondy/test/bondy_password_SUITE.erl b/apps/bondy/test/bondy_password_SUITE.erl index 48683e67..aec0ba97 100644 --- a/apps/bondy/test/bondy_password_SUITE.erl +++ b/apps/bondy/test/bondy_password_SUITE.erl @@ -123,6 +123,9 @@ new_cra_options(_) -> ok. + + + new_scram_too_low_iterations(_) -> ?assertError( @@ -133,14 +136,23 @@ new_scram_too_low_iterations(_) -> }) ), + %% TEMPORARILY INVALID UNTIL WE REPLACE ARGON2id13 IMPLEMENTATION ?assertError( - {invalid_argument, iterations}, + {invalid_argument, kdf}, bondy_password:new(?P1, #{ protocol => scram, - params => #{kdf => argon2id13, iterations => 0} + params => #{kdf => argon2id13} }) ). + %% ?assertError( + %% {invalid_argument, iterations}, + %% bondy_password:new(?P1, #{ + %% protocol => scram, + %% params => #{kdf => argon2id13, iterations => 0} + %% }) + %% ). + new_scram_too_high_iterations(_) -> @@ -152,14 +164,23 @@ new_scram_too_high_iterations(_) -> }) ), + %% TEMPORARILY INVALID UNTIL WE REPLACE ARGON2id13 IMPLEMENTATION ?assertError( - {invalid_argument, iterations}, + {invalid_argument, kdf}, bondy_password:new(?P1, #{ protocol => scram, - params => #{kdf => argon2id13, iterations => 4294967295 + 1} + params => #{kdf => argon2id13} }) ). + %% ?assertError( + %% {invalid_argument, iterations}, + %% bondy_password:new(?P1, #{ + %% protocol => scram, + %% params => #{kdf => argon2id13, iterations => 4294967295 + 1} + %% }) + %% ). + new_scram_options_pbkdf2(_) -> Opts = #{ @@ -180,7 +201,6 @@ new_scram_options_pbkdf2(_) -> ok. - new_scram_options_argon2id13(_) -> Opts = #{ @@ -188,14 +208,18 @@ new_scram_options_argon2id13(_) -> params => #{kdf => argon2id13} }, - - A = bondy_password:new(?P1, Opts), - - ?assertMatch( - #{protocol := scram, params := #{kdf := argon2id13}}, - A + %% TEMPORARILY INVALID UNTIL WE REPLACE ARGON2id13 IMPLEMENTATION + ?assertError( + {invalid_argument, kdf}, + bondy_password:new(?P1, Opts) ), - ?assertEqual(true, bondy_password:verify_string(?P1, A)), - ?assertEqual(false, bondy_password:verify_string(?P2, A)), + + %% A = bondy_password:new(?P1, Opts), + %% ?assertMatch( + %% #{protocol := scram, params := #{kdf := argon2id13}}, + %% A + %% ), + %% ?assertEqual(true, bondy_password:verify_string(?P1, A)), + %% ?assertEqual(false, bondy_password:verify_string(?P2, A)), ok. diff --git a/apps/bondy/test/bondy_rbac_user_SUITE.erl b/apps/bondy/test/bondy_rbac_user_SUITE.erl index 5d73dd96..c939e6cc 100644 --- a/apps/bondy/test/bondy_rbac_user_SUITE.erl +++ b/apps/bondy/test/bondy_rbac_user_SUITE.erl @@ -48,7 +48,7 @@ all() -> init_per_suite(Config) -> bondy_ct:start_bondy(), - KeyPairs = [enacl:crypto_sign_ed25519_keypair() || _ <- lists:seq(1, 3)], + KeyPairs = [bondy_cryptosign:generate_key() || _ <- lists:seq(1, 3)], PubKeys = [ maps:get(public, KeyPair) || KeyPair <- KeyPairs diff --git a/config/bridge/bondy.conf.template b/config/bridge/bondy.conf.template index 79ceab72..07e29e8b 100644 --- a/config/bridge/bondy.conf.template +++ b/config/bridge/bondy.conf.template @@ -247,7 +247,7 @@ security.password.max_length = 254 ## Default: pbkdf2 ## ## Acceptable values: -## - one of: pbkdf2, argon2id13 +## - one of: pbkdf2 security.password.scram.kdf = pbkdf2 @@ -273,7 +273,8 @@ security.password.pbkdf2.iterations = 10000 ## Acceptable values: ## - one of: interactive, moderate, sensitive ## - an integer -security.password.argon2id13.iterations = moderate +## OPTION RETIRED UNTIL NEW IMPLEMENTATION IS DONE +## security.password.argon2id13.iterations = moderate ## Defines the default memory to be used with the argon2id13 key ## derivation function. It should be an integer in the range 8192..1073741824 @@ -290,7 +291,8 @@ security.password.argon2id13.iterations = moderate ## Acceptable values: ## - one of: interactive, moderate, sensitive ## - a byte size with units, e.g. 10GB -security.password.argon2id13.memory = interactive +## OPTION RETIRED UNTIL NEW IMPLEMENTATION IS DONE +## security.password.argon2id13.memory = interactive ## ============================================================================= diff --git a/rebar.lock b/rebar.lock index e2bf1432..0aca05e2 100644 --- a/rebar.lock +++ b/rebar.lock @@ -30,10 +30,6 @@ {git,"https://github.com/kivra/email.git", {ref,"b62e070111e635e739628254eab8db2835631d28"}}, 0}, - {<<"enacl">>, - {git,"https://github.com/aeternity/enacl.git", - {ref,"4eb7ec70084ba7c87b1af8797c4c4e90c84f95a2"}}, - 0}, {<<"erlcloud">>,{pkg,<<"erlcloud">>,<<"3.7.3">>},0}, {<<"gproc">>,{pkg,<<"gproc">>,<<"0.9.0">>},1}, {<<"hackney">>,{pkg,<<"hackney">>,<<"1.19.1">>},0}, @@ -87,10 +83,6 @@ {git,"http://github.com/lasp-lang/partisan.git", {ref,"7fc89a6a790c36a6c94a080758b6571693e48636"}}, 0}, - {<<"pbkdf2">>, - {git,"https://github.com/leapsight-oss/erlang-pbkdf2.git", - {ref,"84f964b1875b047c3ad93d43cc350c45d6e27f9c"}}, - 0}, {<<"plum_db">>, {git,"https://github.com/Leapsight/plum_db.git", {ref,"10687f0d61faa3cf787842ecd85eef1bd3cf4672"}}, diff --git a/schema/bondy.schema b/schema/bondy.schema index 3903249d..431912ca 100644 --- a/schema/bondy.schema +++ b/schema/bondy.schema @@ -231,7 +231,9 @@ "security.password.scram.kdf", "bondy.security.password.scram.kdf", [ {default, pbkdf2}, - {datatype, {enum, [pbkdf2, argon2id13]}} + %% argon2id13 RETIRED UNTIL NEW IMPLEMENTATION IS DONE + %% {datatype, {enum, [pbkdf2, argon2id13]}} + {datatype, {enum, [pbkdf2]}} ]}. @@ -283,29 +285,30 @@ %% - sensitive (integer 4) %% @end %% ----------------------------------------------------------------------------- -{mapping, - "security.password.argon2id13.iterations", - "bondy.security.password.argon2id13.iterations", [ - {default, moderate}, - {datatype, [ - {enum, [interactive, moderate, sensitive]}, integer - ]} -]}. +%% argon2id13 RETIRED UNTIL NEW IMPLEMENTATION IS DONE +%% {mapping, +%% "security.password.argon2id13.iterations", +%% "bondy.security.password.argon2id13.iterations", [ +%% {default, moderate}, +%% {datatype, [ +%% {enum, [interactive, moderate, sensitive]}, integer +%% ]} +%% ]}. -{translation, "bondy.security.password.argon2id13.iterations", - fun(Conf) -> - case cuttlefish:conf_get("security.password.argon2id13.iterations", Conf) of - Value when is_integer(Value), Value >= 1, Value =< 4294967295 -> - Value; - Value when Value == interactive; Value == moderate; Value == sensitive -> - Value; - _ -> - cuttlefish:invalid( - "value should be an integer in the range 1..4294967295" - ) - end - end -}. +%% {translation, "bondy.security.password.argon2id13.iterations", +%% fun(Conf) -> +%% case cuttlefish:conf_get("security.password.argon2id13.iterations", Conf) of +%% Value when is_integer(Value), Value >= 1, Value =< 4294967295 -> +%% Value; +%% Value when Value == interactive; Value == moderate; Value == sensitive -> +%% Value; +%% _ -> +%% cuttlefish:invalid( +%% "value should be an integer in the range 1..4294967295" +%% ) +%% end +%% end +%% }. %% ----------------------------------------------------------------------------- %% @doc Defines the default memory to be used with the argon2id13 key @@ -320,29 +323,30 @@ %% DoS attack). %% @end %% ----------------------------------------------------------------------------- -{mapping, - "security.password.argon2id13.memory", - "bondy.security.password.argon2id13.memory", [ - {default, interactive}, - {datatype, [ - {enum, [interactive, moderate, sensitive]}, bytesize - ]} -]}. +%% RETIRED TILL NEW IMPLEMENTATION IS DONE +%% {mapping, +%% "security.password.argon2id13.memory", +%% "bondy.security.password.argon2id13.memory", [ +%% {default, interactive}, +%% {datatype, [ +%% {enum, [interactive, moderate, sensitive]}, bytesize +%% ]} +%% ]}. -{translation, "bondy.security.password.argon2id13.memory", - fun(Conf) -> - case cuttlefish:conf_get("security.password.argon2id13.memory", Conf) of - Value when is_integer(Value), Value >= 8192, Value =< 1073741824 -> - Value; - Value when Value == interactive; Value == moderate; Value == sensitive -> - Value; - _ -> - cuttlefish:invalid( - "value should be an integer in the range 1..4294967295" - ) - end - end -}. +%% {translation, "bondy.security.password.argon2id13.memory", +%% fun(Conf) -> +%% case cuttlefish:conf_get("security.password.argon2id13.memory", Conf) of +%% Value when is_integer(Value), Value >= 8192, Value =< 1073741824 -> +%% Value; +%% Value when Value == interactive; Value == moderate; Value == sensitive -> +%% Value; +%% _ -> +%% cuttlefish:invalid( +%% "value should be an integer in the range 1..4294967295" +%% ) +%% end +%% end +%% }. %% ----------------------------------------------------------------------------- %% @doc The default expiration time on or after which authentication ticket From b336db6a76fda82623c74577303e50ed7dd2e3db Mon Sep 17 00:00:00 2001 From: "Alejandro M. Ramallo" Date: Sun, 25 Aug 2024 12:14:12 +0100 Subject: [PATCH 4/6] Upgraded dependencies to altest - wamp (jsone and msgpack) - brod - observer_cli - stringprep - uuid - telemetry - erlcloud - hackney - jose Signed-off-by: Alejandro M. Ramallo --- apps/bondy_broker_bridge/rebar.config | 6 +-- rebar.config | 23 +++------ rebar.lock | 74 +++++++++++++-------------- 3 files changed, 43 insertions(+), 60 deletions(-) diff --git a/apps/bondy_broker_bridge/rebar.config b/apps/bondy_broker_bridge/rebar.config index 8b37ee47..fc753221 100644 --- a/apps/bondy_broker_bridge/rebar.config +++ b/apps/bondy_broker_bridge/rebar.config @@ -6,12 +6,10 @@ {git, "https://gitlab.com/leapsight/mops.git", {branch, "master"}} }, {wamp, - {git, "https://github.com/Leapsight/wamp.git", {tag, "0.9.11"}} + {git, "https://github.com/Leapsight/wamp.git", {tag, "1.0.0"}} }, %% Used by Kafka Bridge - {brod, - {git, "https://github.com/klarna/brod.git", {tag, "3.17.0"}} - }, + {brod, "4.1.0"}, {hash, ".*", {git, "https://github.com/leapsight/hash", {branch, master}} }, diff --git a/rebar.config b/rebar.config index e463d8db..aa716a79 100644 --- a/rebar.config +++ b/rebar.config @@ -26,18 +26,9 @@ %% Crypto %% ------------------------------------------------------------------------- {jose, - {git, "https://github.com/potatosalad/erlang-jose.git", {tag, "1.11.6"}} - }, - {pbkdf2, - {git, - "https://github.com/leapsight-oss/erlang-pbkdf2.git", - {branch, "master"} - } - }, - {stringprep, "1.0.29"}, - {enacl, - {git, "https://github.com/aeternity/enacl.git", {branch, "master"}} + {git, "https://github.com/potatosalad/erlang-jose.git", {tag, "1.11.10"}} }, + {stringprep, "1.0.30"}, %% ------------------------------------------------------------------------- %% Web Server|client %% ------------------------------------------------------------------------- @@ -51,7 +42,7 @@ %% ------------------------------------------------------------------------- %% Utils %% ------------------------------------------------------------------------- - {uuid, "2.0.6", {pkg, uuid_erl}}, + {uuid, "2.0.7", {pkg, uuid_erl}}, {app_config, {git, "https://github.com/leapsight/app_config.git", {tag, "1.1.1"}} }, @@ -82,11 +73,11 @@ %% Instrumentation/Debugging %% ------------------------------------------------------------------------- bear, - {observer_cli, "1.7.4"}, + {observer_cli, "1.7.5"}, %% Exposes metrics to Promethues {prometheus, "4.10.0"}, {prometheus_cowboy, "0.1.8"}, - {telemetry, "1.2.1"}, + {telemetry, "1.3.0"}, {riak_sysmon, {git, "https://github.com/Leapsight/riak_sysmon.git", {tag, "2.2.0"}} }, @@ -95,7 +86,7 @@ %% WAMP message encoding/decoding %% ------------------------------------------------------------------------- {wamp, - {git, "https://github.com/Leapsight/wamp.git", {tag, "0.9.11"}} + {git, "https://github.com/Leapsight/wamp.git", {tag, "1.0.0"}} }, %% ------------------------------------------------------------------------- %% Core Deps @@ -150,9 +141,7 @@ tools, compiler, %% required by sidejob %% Crypto - enacl, jose, - pbkdf2, stringprep, %% Web Server|client cowboy, diff --git a/rebar.lock b/rebar.lock index 0aca05e2..28c9076c 100644 --- a/rebar.lock +++ b/rebar.lock @@ -17,10 +17,7 @@ 2}, {<<"bear">>,{pkg,<<"bear">>,<<"1.0.0">>},0}, {<<"bert">>,{pkg,<<"bert">>,<<"0.1.0">>},0}, - {<<"brod">>, - {git,"https://github.com/klarna/brod.git", - {ref,"6966f0244b87904363cb8053ac0364ff281411d9"}}, - 0}, + {<<"brod">>,{pkg,<<"brod">>,<<"4.1.0">>},0}, {<<"certifi">>,{pkg,<<"certifi">>,<<"2.12.0">>},1}, {<<"cowboy">>,{pkg,<<"cowboy">>,<<"2.10.0">>},0}, {<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.12.1">>},1}, @@ -30,9 +27,9 @@ {git,"https://github.com/kivra/email.git", {ref,"b62e070111e635e739628254eab8db2835631d28"}}, 0}, - {<<"erlcloud">>,{pkg,<<"erlcloud">>,<<"3.7.3">>},0}, + {<<"erlcloud">>,{pkg,<<"erlcloud">>,<<"3.7.6">>},0}, {<<"gproc">>,{pkg,<<"gproc">>,<<"0.9.0">>},1}, - {<<"hackney">>,{pkg,<<"hackney">>,<<"1.19.1">>},0}, + {<<"hackney">>,{pkg,<<"hackney">>,<<"1.20.1">>},0}, {<<"hash">>, {git,"https://github.com/leapsight/hash", {ref,"dfbcc9ee089626f84068a1dcee3b1753a716871e"}}, @@ -41,11 +38,11 @@ {<<"jobs">>,{pkg,<<"jobs">>,<<"0.10.0">>},0}, {<<"jose">>, {git,"https://github.com/potatosalad/erlang-jose.git", - {ref,"991649695aaccd92c8effb1c1e88e6159fe8e9a6"}}, + {ref,"eb6de2cb506b55533f550a1b0776c81b15317e23"}}, 0}, - {<<"jsone">>,{pkg,<<"jsone">>,<<"1.6.1">>},1}, + {<<"jsone">>,{pkg,<<"jsone">>,<<"1.8.1">>},1}, {<<"jsx">>,{pkg,<<"jsx">>,<<"2.11.0">>},1}, - {<<"kafka_protocol">>,{pkg,<<"kafka_protocol">>,<<"4.1.3">>},1}, + {<<"kafka_protocol">>,{pkg,<<"kafka_protocol">>,<<"4.1.5">>},1}, {<<"key_value">>, {git,"https://gitlab.com/leapsight/key_value.git", {ref,"414fb19cd067b368666ceb5a2a63f1f24109562b"}}, @@ -66,13 +63,13 @@ {ref,"afa2da62e0e691ce33d1008cc424c994fff339bf"}}, 1}, {<<"metrics">>,{pkg,<<"metrics">>,<<"1.0.1">>},1}, - {<<"mimerl">>,{pkg,<<"mimerl">>,<<"1.2.0">>},1}, + {<<"mimerl">>,{pkg,<<"mimerl">>,<<"1.3.0">>},1}, {<<"mops">>, {git,"https://gitlab.com/leapsight/mops.git", {ref,"3955142d3720dc5b7a481e28124a2c5421dcd078"}}, 0}, {<<"msgpack">>,{pkg,<<"msgpack">>,<<"0.7.0">>},0}, - {<<"observer_cli">>,{pkg,<<"observer_cli">>,<<"1.7.4">>},0}, + {<<"observer_cli">>,{pkg,<<"observer_cli">>,<<"1.7.5">>},0}, {<<"opentelemetry_api">>,{pkg,<<"opentelemetry_api">>,<<"1.2.1">>},1}, {<<"opentelemetry_semantic_conventions">>, {pkg,<<"opentelemetry_semantic_conventions">>,<<"0.2.0">>}, @@ -91,9 +88,9 @@ {<<"prometheus_cowboy">>,{pkg,<<"prometheus_cowboy">>,<<"0.1.8">>},0}, {<<"prometheus_httpd">>,{pkg,<<"prometheus_httpd">>,<<"2.1.11">>},1}, {<<"quantile_estimator">>,{pkg,<<"quantile_estimator">>,<<"0.2.1">>},1}, - {<<"quickrand">>,{pkg,<<"quickrand">>,<<"2.0.6">>},1}, + {<<"quickrand">>,{pkg,<<"quickrand">>,<<"2.0.7">>},1}, {<<"ranch">>,{pkg,<<"ranch">>,<<"1.8.0">>},1}, - {<<"recon">>,{pkg,<<"recon">>,<<"2.5.4">>},1}, + {<<"recon">>,{pkg,<<"recon">>,<<"2.5.5">>},1}, {<<"resulto">>,{pkg,<<"resulto">>,<<"0.1.1">>},0}, {<<"riak_sysmon">>, {git,"https://github.com/Leapsight/riak_sysmon.git", @@ -103,10 +100,9 @@ {<<"setup">>,{pkg,<<"setup">>,<<"2.1.0">>},1}, {<<"sext">>,{pkg,<<"sext">>,<<"1.9.0">>},1}, {<<"sidejob">>,{pkg,<<"sidejob">>,<<"2.1.0">>},0}, - {<<"snappyer">>,{pkg,<<"snappyer">>,<<"1.2.9">>},1}, {<<"ssl_verify_fun">>,{pkg,<<"ssl_verify_fun">>,<<"1.1.7">>},1}, {<<"stringprep">>,{pkg,<<"stringprep">>,<<"1.0.29">>},0}, - {<<"telemetry">>,{pkg,<<"telemetry">>,<<"1.2.1">>},0}, + {<<"telemetry">>,{pkg,<<"telemetry">>,<<"1.3.0">>},0}, {<<"tuplespace">>, {git,"https://gitlab.com/leapsight/tuplespace.git", {ref,"d5e540dc2e1d3a4b75dbf3841de99d4547e118ff"}}, @@ -117,10 +113,10 @@ {git,"https://github.com/leapsight/utils.git", {ref,"641bd36d997970d355a700009bbaa6b84f0bd987"}}, 0}, - {<<"uuid">>,{pkg,<<"uuid_erl">>,<<"2.0.6">>},0}, + {<<"uuid">>,{pkg,<<"uuid_erl">>,<<"2.0.7">>},0}, {<<"wamp">>, {git,"https://github.com/Leapsight/wamp.git", - {ref,"73c97fd06c5905d492d252d01bbd73cebe4ae337"}}, + {ref,"61d4cdc64abca737b4bb971d8e0b7012c37cac2a"}}, 0}]}. [ {pkg_hash,[ @@ -130,26 +126,27 @@ {<<"base16">>, <<"283644E2B21BD5915ACB7178BED7851FB07C6E5749B8FAD68A53C501092176D9">>}, {<<"bear">>, <<"430419C1126B477686CDE843E88BA0F2C7DC5CDF0881C677500074F704339A99">>}, {<<"bert">>, <<"A87D6693515070A9B287C1043CB7E5B2406BE0357685022764BFBD2609703555">>}, + {<<"brod">>, <<"88141FDAB3DB47E0BEA4325760FF886F3DB0339052899C2B1A86EDE353C7CD19">>}, {<<"certifi">>, <<"2D1CCA2EC95F59643862AF91F001478C9863C2AC9CB6E2F89780BFD8DE987329">>}, {<<"cowboy">>, <<"FF9FFEFF91DAE4AE270DD975642997AFE2A1179D94B1887863E43F681A203E26">>}, {<<"cowlib">>, <<"A9FA9A625F1D2025FE6B462CB865881329B5CAFF8F1854D1CBC9F9533F00E1E1">>}, {<<"crc32cer">>, <<"C6C2275C5FB60A95F4935D414F30B50EE9CFED494081C9B36EBB02EDFC2F48DB">>}, {<<"eini">>, <<"FCC3CBD49BBDD9A1D9735C7365DAFFCD84481CCE81E6CB80537883AA44AC4895">>}, - {<<"erlcloud">>, <<"31F8A89C391B003350C832BDA550EC93E813889D2A3533915435A56B0ACCA844">>}, + {<<"erlcloud">>, <<"8D36B5137C693686C09D141139DFA164B8102ECE1BDEEF4178A548748CABD570">>}, {<<"gproc">>, <<"853CCB7805E9ADA25D227A157BA966F7B34508F386A3E7E21992B1B484230699">>}, - {<<"hackney">>, <<"59DE4716E985DD2B5CBD4954FA1AE187E2B610A9C4520FFCB0B1653C3D6E5559">>}, + {<<"hackney">>, <<"8D97AEC62DDDDD757D128BFD1DF6C5861093419F8F7A4223823537BAD5D064E2">>}, {<<"idna">>, <<"8A63070E9F7D0C62EB9D9FCB360A7DE382448200FBBD1B106CC96D3D8099DF8D">>}, {<<"jobs">>, <<"329C024A889249EA8262D0EF70BC7A498B7C96DA95977EBD026B13B069FB0E13">>}, - {<<"jsone">>, <<"7EA1098FE004C4127320FE0E3CF6A951B01F82039FEAA56C322DC7E34DD59762">>}, + {<<"jsone">>, <<"6BC74D3863D55D420077346DA97C601711017A057F2FD1DF65D6D65DD562FBAB">>}, {<<"jsx">>, <<"08154624050333919B4AC1B789667D5F4DB166DC50E190C4D778D1587F102EE0">>}, - {<<"kafka_protocol">>, <<"362D85A898D4148A43DBABB10A30BB2D6FF32BA0097EB06981D11B34E2E0A9CD">>}, + {<<"kafka_protocol">>, <<"D15E64994A8CA99716AB47DB4132614359AC1BFA56D6C5B4341FDC1AA4041518">>}, {<<"lhttpc">>, <<"044F16F0018C7AA7E945E9E9406C7F6035E0B8BC08BF77B00C78CE260E1071E3">>}, {<<"logger_colorful">>, <<"548A7F21C7F2F6713CD2E1A7B1323B2AD712E11AE5913D2FB05BE6F34B799081">>}, {<<"lrw">>, <<"E5BCA6EFD184C03451FF416D3B8FA250BFE867E02B705AF530A0E61CE7B5B32A">>}, {<<"metrics">>, <<"25F094DEA2CDA98213CECC3AEFF09E940299D950904393B2A29D191C346A8486">>}, - {<<"mimerl">>, <<"67E2D3F571088D5CFD3E550C383094B47159F3EEE8FFA08E64106CDF5E981BE3">>}, + {<<"mimerl">>, <<"D0CD9FC04B9061F82490F6581E0128379830E78535E017F7780F37FEA7545726">>}, {<<"msgpack">>, <<"128AE0A2227C7E7A2847C0F0F73551C268464F8C1EE96BFFB920BC0A5712B295">>}, - {<<"observer_cli">>, <<"3C1BFB6D91BF68F6A3D15F46AE20DA0F7740D363EE5BC041191CE8722A6C4FAE">>}, + {<<"observer_cli">>, <<"CF73407C40BA3933A4BE8BE5CDBFCD647A7EC24B49F1D75E912AE1F2E58BC5D4">>}, {<<"opentelemetry_api">>, <<"7B69ED4F40025C005DE0B74FCE8C0549625D59CB4DF12D15C32FE6DC5076FF42">>}, {<<"opentelemetry_semantic_conventions">>, <<"B67FE459C2938FCAB341CB0951C44860C62347C005ACE1B50F8402576F241435">>}, {<<"p1_utils">>, <<"2D39B5015A567BBD2CC7033EEB93A7C60D8C84EFE1EF69A3473FAA07FA268187">>}, @@ -158,21 +155,20 @@ {<<"prometheus_cowboy">>, <<"CFCE0BC7B668C5096639084FCD873826E6220EA714BF60A716F5BD080EF2A99C">>}, {<<"prometheus_httpd">>, <<"F616ED9B85B536B195D94104063025A91F904A4CFC20255363F49A197D96C896">>}, {<<"quantile_estimator">>, <<"EF50A361F11B5F26B5F16D0696E46A9E4661756492C981F7B2229EF42FF1CD15">>}, - {<<"quickrand">>, <<"37E49398D614534F2861633F8E1155828676DF31ED90872616E4A526E6B9CF38">>}, + {<<"quickrand">>, <<"D2BD76676A446E6A058D678444B7FDA1387B813710D1AF6D6E29BB92186C8820">>}, {<<"ranch">>, <<"8C7A100A139FD57F17327B6413E4167AC559FBC04CA7448E9BE9057311597A1D">>}, - {<<"recon">>, <<"05DD52A119EE4059FA9DAA1AB7CE81BC7A8161A2F12E9D42E9D551FFD2BA901C">>}, + {<<"recon">>, <<"C108A4C406FA301A529151A3BB53158CADC4064EC0C5F99B03DDB8C0E4281BDF">>}, {<<"resulto">>, <<"81A22FA01BBE17C238D0670579ADD6661CCB54F3A9EA921FF6EA3F9500E9C19D">>}, {<<"rocksdb">>, <<"0AE072F9818DAC03E18BA0E4B436450D24040DFB1A526E2198B451FD9FA0284F">>}, {<<"setup">>, <<"05F69185A5EB71474C9BC6BA892565651EC7507791F85632B7B914DBFE130510">>}, {<<"sext">>, <<"1DBF44C7797A369B41E40D098DD9EC295BFD0076AB112AB96C4EB666F7F0F6EF">>}, {<<"sidejob">>, <<"5D6A7C9C620778CB1908E46B552D767DF2ED4D77070BB7B5B8773D4FF18D1D37">>}, - {<<"snappyer">>, <<"9CC58470798648CE34C662CA0AA6DAAE31367667714C9A543384430A3586E5D3">>}, {<<"ssl_verify_fun">>, <<"354C321CF377240C7B8716899E182CE4890C5938111A1296ADD3EC74CF1715DF">>}, {<<"stringprep">>, <<"02F23E8C3A219A3DFE40A22E908BECE3A2F68AF0FF599EA8A7B714ECB21E62EE">>}, - {<<"telemetry">>, <<"68FDFE8D8F05A8428483A97D7AAB2F268AAFF24B49E0F599FAA091F1D4E7F61C">>}, + {<<"telemetry">>, <<"FEDEBBAE410D715CF8E7062C96A1EF32EC22E764197F70CDA73D82778D61E7A2">>}, {<<"types">>, <<"5782B67231E8C174FE2835395E71E669FE0121076779D2A09F1C0D58EE0E2F13">>}, {<<"unicode_util_compat">>, <<"BC84380C9AB48177092F43AC89E4DFA2C6D62B40B8BD132B1059ECC7232F9A78">>}, - {<<"uuid">>, <<"8767AAE0D93A0EFD062B5B30BB21188E121721C683200E164445065C08C2100A">>}]}, + {<<"uuid">>, <<"B2078D2CC814F53AFA52D36C91E08962C7E7373585C623F4C0EA6DFB04B2AF94">>}]}, {pkg_hash_ext,[ {<<"accept">>, <<"11B18C220BCC2EAB63B5470C038EF10EB6783BCB1FCDB11AA4137DEFA5AC1BB8">>}, {<<"acceptor_pool">>, <<"0CBCD83FDC8B9AD2EEE2067EF8B91A14858A5883CB7CD800E6FCD5803E158788">>}, @@ -180,26 +176,27 @@ {<<"base16">>, <<"02AFD0827E61A7B07093873E063575CA3A2B07520567C7F8CEC7C5D42F052D76">>}, {<<"bear">>, <<"157B67901ADF84FF0DA6EAE035CA1292A0AC18AA55148154D8C582B2C68959DB">>}, {<<"bert">>, <<"2A561521EC3529B248658A3E2D3D4BFE6729B0AB8291C701BF15EF413EDA1506">>}, + {<<"brod">>, <<"389F459B1D59662C1ACDD9C39D54DDBD45645B4AC619F3BC6F467FCFBF7FB413">>}, {<<"certifi">>, <<"EE68D85DF22E554040CDB4BE100F33873AC6051387BAF6A8F6CE82272340FF1C">>}, {<<"cowboy">>, <<"3AFDCCB7183CC6F143CB14D3CF51FA00E53DB9EC80CDCD525482F5E99BC41D6B">>}, {<<"cowlib">>, <<"163B73F6367A7341B33C794C4E88E7DBFE6498AC42DCD69EF44C5BC5507C8DB0">>}, {<<"crc32cer">>, <<"251499085482920DEB6C9B7AADABF9FB4C432F96ADD97AB42AEE4501E5B6F591">>}, {<<"eini">>, <<"DA64AE8DB7C2F502E6F20CDF44CD3D9BE364412B87FF49FEBF282540F673DFCB">>}, - {<<"erlcloud">>, <<"112B6E9B1C78FA4CD8E189681F2249E6E8C133D5AAB746ACFECBFA40B18E42DA">>}, + {<<"erlcloud">>, <<"02998462851B0AF48D48FAD06322F12DB4BF7E61C3860DD2CDE4122A0B14330B">>}, {<<"gproc">>, <<"587E8AF698CCD3504CF4BA8D90F893EDE2B0F58CABB8A916E2BF9321DE3CF10B">>}, - {<<"hackney">>, <<"8AA08234BDEFC269995C63C2282CF3CD0E36FEBE3A6BFAB11B610572FDD1CAD0">>}, + {<<"hackney">>, <<"FE9094E5F1A2A2C0A7D10918FEE36BFEC0EC2A979994CFF8CFE8058CD9AF38E3">>}, {<<"idna">>, <<"92376EB7894412ED19AC475E4A86F7B413C1B9FBB5BD16DCCD57934157944CEA">>}, {<<"jobs">>, <<"09D486146BD32897726BB1F63DD95D1EB7F6F5A4C21C38CA58AB1646E8229724">>}, - {<<"jsone">>, <<"A6C1DF6081DF742068D2ED747A4FE8A7740C56421B53E02BC9D4907DD3502922">>}, + {<<"jsone">>, <<"C78918124148C51A7A84C678E39BBC6281F8CB582F1D88584628A98468E99738">>}, {<<"jsx">>, <<"EED26A0D04D217F9EECEFFFB89714452556CF90EB38F290A27A4D45B9988F8C0">>}, - {<<"kafka_protocol">>, <<"28CF73001270D972524DD0FAD4A59074F4441219F9CF237AD808A2AC1EC97487">>}, + {<<"kafka_protocol">>, <<"C956C9357FEF493B7072A35D0C3E2BE02AA5186C804A412D29E62423BB15E5D9">>}, {<<"lhttpc">>, <<"76B5FA6149D1E10D4B1FBC4EBD51D371DB19C1AB9F0A9ECF5B526440DF064E97">>}, {<<"logger_colorful">>, <<"D2A11586B2311FF2CC4B2C38835FE8C8768D2087AE9BF7D9EA80C8C33E92689D">>}, {<<"lrw">>, <<"B81D24DE6248EA2509279C992F7B675B110EE166A63F4B2FAB97652446CAD611">>}, {<<"metrics">>, <<"69B09ADDDC4F74A40716AE54D140F93BEB0FB8978D8636EADED0C31B6F099F16">>}, - {<<"mimerl">>, <<"F278585650AA581986264638EBF698F8BB19DF297F66AD91B18910DFC6E19323">>}, + {<<"mimerl">>, <<"A1E15A50D1887217DE95F0B9B0793E32853F7C258A5CD227650889B38839FE9D">>}, {<<"msgpack">>, <<"4649353DA003E6F438D105E4B1E0F17757F6F5EC8687A6F30875FF3AC4CE2A51">>}, - {<<"observer_cli">>, <<"50DE6D95D814F447458BD5D72666A74624EDDB0EF98BDCEE61A0153AAE0865FF">>}, + {<<"observer_cli">>, <<"872CF8E833A3A71EBD05420692678EC8AAEDE8FD96C805A4687398F6B23A3014">>}, {<<"opentelemetry_api">>, <<"6D7A27B7CAD2AD69A09CABF6670514CAFCEC717C8441BEB5C96322BAC3D05350">>}, {<<"opentelemetry_semantic_conventions">>, <<"D61FA1F5639EE8668D74B527E6806E0503EFC55A42DB7B5F39939D84C07D6895">>}, {<<"p1_utils">>, <<"9219214428F2C6E5D3187FF8EB9A8783695C2427420BE9A259840E07ADA32847">>}, @@ -208,19 +205,18 @@ {<<"prometheus_cowboy">>, <<"BA286BECA9302618418892D37BCD5DC669A6CC001F4EB6D6AF85FF81F3F4F34C">>}, {<<"prometheus_httpd">>, <<"0BBE831452CFDF9588538EB2F570B26F30C348ADAE5E95A7D87F35A5910BCF92">>}, {<<"quantile_estimator">>, <<"282A8A323CA2A845C9E6F787D166348F776C1D4A41EDE63046D72D422E3DA946">>}, - {<<"quickrand">>, <<"86A03C7FC96B9C6B9FA6BEF5FCEB773E359C772EE3814BE60B8EB44B54F99140">>}, + {<<"quickrand">>, <<"B8ACBF89A224BC217C3070CA8BEBC6EB236DBE7F9767993B274084EA044D35F0">>}, {<<"ranch">>, <<"49FBCFD3682FAB1F5D109351B61257676DA1A2FDBE295904176D5E521A2DDFE5">>}, - {<<"recon">>, <<"E9AB01AC7FC8572E41EB59385EFEB3FB0FF5BF02103816535BACAEDF327D0263">>}, + {<<"recon">>, <<"632A6F447DF7CCC1A4A10BDCFCE71514412B16660FE59DECA0FCF0AA3C054404">>}, {<<"resulto">>, <<"B2D55EB62782980668E152D8488126B1669785E2130195F450D0048D63796D25">>}, {<<"rocksdb">>, <<"185E645EA480E9325D5EFE362BF3D2A38EDFC31B5145031B0CBEED978E89523C">>}, {<<"setup">>, <<"EFD072578F0CF85BEA96CAAFFC7ADB0992398272522660A136E10567377071C5">>}, {<<"sext">>, <<"2FEA5B8C41FBDF05C3058149B0CF38A03CC79E1430C861CD425F99840E018755">>}, {<<"sidejob">>, <<"6DC3DAC041C8C07C64401ECD22684730DA1497F5F14377B3CA9C5B2B9A135181">>}, - {<<"snappyer">>, <<"18D00CA218AE613416E6EECAFE1078DB86342A66F86277BD45C95F05BF1C8B29">>}, {<<"ssl_verify_fun">>, <<"FE4C190E8F37401D30167C8C405EDA19469F34577987C76DDE613E838BBC67F8">>}, {<<"stringprep">>, <<"928EBA304C3006EB1512110EBD7B87DB163B00859A09375A1E4466152C6C462A">>}, - {<<"telemetry">>, <<"DAD9CE9D8EFFC621708F99EAC538EF1CBE05D6A874DD741DE2E689C47FEAFED5">>}, + {<<"telemetry">>, <<"7015FC8919DBE63764F4B4B87A95B7C0996BD539E0D499BE6EC9D7F3875B79E6">>}, {<<"types">>, <<"04285239F4954C5EDE56F78ED7778EDE24E3F2E997F7B16402A167AF0CC2658A">>}, {<<"unicode_util_compat">>, <<"25EEE6D67DF61960CF6A794239566599B09E17E668D3700247BC498638152521">>}, - {<<"uuid">>, <<"1D54D5DE4CC66317D882F62347A21655601E84CCCE913E80AADE202CDB3A8C65">>}]} + {<<"uuid">>, <<"4E4C5CA3461DC47C5E157ED42AA3981A053B7A186792AF972A27B14A9489324E">>}]} ]. From e2b51a1337d0bd182c091facdd0ff0c8a0bde605 Mon Sep 17 00:00:00 2001 From: "Alejandro M. Ramallo" Date: Thu, 29 Aug 2024 20:34:33 +0100 Subject: [PATCH 5/6] fix bug in bondy_rbac:concat_role Signed-off-by: Alejandro M. Ramallo --- apps/bondy/src/bondy_rbac.erl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/bondy/src/bondy_rbac.erl b/apps/bondy/src/bondy_rbac.erl index f157d1cc..dc107c7c 100644 --- a/apps/bondy/src/bondy_rbac.erl +++ b/apps/bondy/src/bondy_rbac.erl @@ -1355,6 +1355,9 @@ find_grants(Realm, KeyPattern, Type, Opts0) -> concat_role(user, Name) -> <<"user/", Name/binary>>; +concat_role(group, all) -> + <<"group/all">>; + concat_role(group, anonymous) -> <<"group/anonymous">>; From 86826994988c069c57437e4ad7e28eca7c7a093c Mon Sep 17 00:00:00 2001 From: "Alejandro M. Ramallo" Date: Thu, 29 Aug 2024 20:36:08 +0100 Subject: [PATCH 6/6] disable proxy protocol for test node Signed-off-by: Alejandro M. Ramallo --- config/test/node_1_bondy.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/test/node_1_bondy.conf.template b/config/test/node_1_bondy.conf.template index 61398550..0d10a903 100644 --- a/config/test/node_1_bondy.conf.template +++ b/config/test/node_1_bondy.conf.template @@ -141,7 +141,7 @@ bridge.listener.tls.idle_timeout = 30s -wamp.tcp.proxy_protocol = on +wamp.tcp.proxy_protocol = off wamp.tcp.proxy_protocol.mode = relaxed api_gateway.http.proxy_protocol = on api_gateway.http.proxy_protocol.mode = relaxed