Nike-Inc / cerberus

The Cerberus micro-service, a secure property store for cloud applications. It includes a REST API, authentication and encryption features, as well as a self-service web UI for users.

Home Page: http://nike-inc.github.io/cerberus


Regex Parsing Bug on IAM Role Authentication

dylan-raithel-lookout opened this issue · comments

For an IAM role that exists, and is attached to an SDB, Cerberus throws an authentication error. It looks like a parsing bug on the role name that leads to the name being suffixed with a space. When I remove and re-add the role from the SDB, save it, then edit it, I can confirm that it's adding another space.

Initial stack trace:

A Important error occured
com.amazonaws.services.kms.model.AWSKMSException: Unable to authenticate IAM role due to the following error(s):
Error ID:64081477-2add-4ccf-a042-d6627076474f
Code: 10
Message: An error occurred while fulfilling the request
Please refer to the Cerberus Java Client documentation.
If you are unsure of what this means please ask in the #cd channel on Slack. (Service: null; Status Code: 0; Error Code: null; Request ID: null)
at com.lookout.cerberus.client.SecretStoreClient.authenticate(SecretStoreClient.java:110)
at com.lookout.cerberus.client.SecretStoreClient.<init>(SecretStoreClient.java:50)
at com.lookout.cerberus.client.SecretStoreClient.<init>(SecretStoreClient.java:58)
at com.lookout.cerberus.client.Cerberus.initializeCerberusClient(Cerberus.java:82)
at com.lookout.cerberus.client.Cerberus.fetchFromCerberus(Cerberus.java:59)
at com.lookout.cerberus.client.Cerberus.retrieve(Cerberus.java:53)
at com.lookout.bac.instruction.processor.FileSystemSecretSaver.process(FileSystemSecretSaver.java:30)
at com.lookout.bac.instruction.processor.InstructionProcessor.processInstruction(InstructionProcessor.java:13)
at com.lookout.bac.instruction.InstructionManager.process(InstructionManager.java:33)
at com.lookout.bac.instruction.InstructionManager.processInstruction(InstructionManager.java:38)
at com.lookout.bac.Application.main(Application.java:30)

See attached screenshots as well.

To reproduce the error:

  1. Add the ARN for the role to the SDB
  2. Save
  3. Edit and view the entry, see that there's an extra trailing space at the end
  4. Remove the space
  5. Save
  6. See 500 error thrown in UI

@dylan-raithel-lookout we will check this out.

The CRUD operations on V1 and V2 disallow adding IAM principals with trailing whitespace, and there was code added in release https://github.com/Nike-Inc/cerberus-management-service/releases/tag/v3.2.1 that enabled this and cleaned up the bad data.

What I think happened is that you used the admin endpoint to restore, into your new highlander env, data from before this flyway upgrade script ran. But you restored it after the script had already run in this new environment, meaning the data never got sanitized.

#184 will prevent this from happening to other people as well as cleaning up the data that was allowed in.