[jboss-jira] [Red Hat JIRA] (WFWIP-373) :resolve-expression does not resolve encrypted expressions
[
https://issues.redhat.com/browse/WFWIP-373?page=com.atlassian.jira.plugin...
]
Brian Stansberry edited comment on WFWIP-373 at 2/19/21 1:42 PM:
-----------------------------------------------------------------
[~dlofthouse] Not resolving is not a bug. It is by design. We should not support resolving
via a management API call, and the resolve-expressions op is specifically meant to not do
that.
If the credential-store handling is different from vault (e.g. the weird result"
=>
":RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB")
then that is something to fix for this RFE.
If vault behaves the same way, then it's a general, low-priority, bug to not do the
weird stripping of the vault equivalent of ENC:
Simply returning the unresolved expression is IMHO ok. IIRC that is what we decided to do,
with due consideration first. Doing something else would be an enhancement.
was (Author: brian.stansberry):
[~dlofthouse] Note resolving is not a bug. It is by design. We should not support
resolving via a management API call, and the resolve-expressions op is specifically meant
to not do that.
If the credential-store handling is different from vault (e.g. the weird result"
=>
":RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB")
then that is something to fix for this RFE.
If vault behaves the same way, then it's a general, low-priority, bug to not do the
weird stripping of the vault equivalent of ENC:
Simply returning the unresolved expression is IMHO ok. IIRC that is what we decided to do,
with due consideration first. Doing something else would be an enhancement.
:resolve-expression does not resolve encrypted expressions
----------------------------------------------------------
Key: WFWIP-373
URL: https://issues.redhat.com/browse/WFWIP-373
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Ondrej Kotek
Assignee: Darran Lofthouse
Priority: Major
TheĀ {{:resolve-expression}} operation does not resolve encrypted expressions.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/expression=encryption:read-resource
{
"outcome" => "success",
"result" => {
"default-resolver" => "Default",
"prefix" => "ENC",
"resolvers" => [
{
"name" => "Default",
"credential-store" => "credentialstorethree",
"secret-key" => "secretkey"
},
{
"name" => "resolver2",
"credential-store" => "credentialstorethree",
"secret-key" => "secretkey2"
}
]
}
}
[standalone@localhost:9990 /]
/subsystem=elytron/expression=encryption:create-expression(clear-text=CredentialStoreTwoPassword)
{
"outcome" => "success",
"result" => {"expression" =>
"${ENC::RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB}"}
}
[standalone@localhost:9990 /]
:resolve-expression(expression="${ENC::RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB}")
{
"outcome" => "success",
"result" =>
":RUxZAUMQHrI7PMuvU+0pJ9EgITJmFPWa9iIb5yZ6i9K3mtgnY2kLo3AIL4d/GIeo7GKzSkXB"
}
{noformat}
--
This message was sent by Atlassian Jira
(v8.13.1#813001)