Private key decryption fails in py3 #258

Closed
andrewhollomon opened this issue Aug 2, 2017 · 12 comments
Comments

@andrewhollomon

I am working to set up user-sync to use a private-encrypted.key. User sync is running on Windows server. Have created encrypted private key using openssl (openssl pkcs8 -in private.key -topk8 -v2 des3 -out private-encrypted.key)

Connector-umapi.yml is

enterprise:
org_id: "##############@AdobeOrg"
secure_api_key_key: ADOBE_API_KEY
secure_client_secret_key: ADOBE_API_CLIENT_SECRET
tech_acct: "###############@techacct.adobe.com"
secure_priv_pass_key: ADOBE_PRIV_KEY_PASSWORD
priv_key_path: private-encrypted.key

Entries have been created in Windows credential manager - and entries other than the one for secure_priv_pass_key, like client secret and API key, are successfully used.

Running user sync returns

2017-08-02 08:59:28 10672 DEBUG ldap - Connected
2017-08-02 08:59:28 10672 DEBUG umapi - UMAPI initialized with options: {'logger_name': 'umapi', 'test_mode': True, 'server': {'host': 'usermanagement.adobe.io', 'endpoint': '/v2/usermanagement', 'ims_host': 'ims-na1.adobelogin.com', 'ims_endpoint_jwt': '/ims/exchange/jwt', 'timeout': 120, 'retries': 3}, 'enterprise': {'org_id': '##########@AdobeOrg', 'tech_acct': '###########@techacct.adobe.com'}}
2017-08-02 08:59:28 10672 DEBUG umapi - umapi: reading private key data from file C:\PEX\private-encrypted.key
2017-08-02 08:59:28 10672 ERROR umapi - Found unused keys: ['secure_priv_pass_key'] in: umapi configuration.enterprise
2017-08-02 08:59:28 10672 INFO main - ========== End Run (User Sync version: 2.2) (Total time: 0:00:00)

It's possible I have misconfigured something, but I've checked everything over and it looks to be configured per the best practices docs.

@andrewhollomon andrewhollomon changed the title Unsuccessful private-encrypted.key w/ Windows Credential Manager seteup Unsuccessful private-encrypted.key w/ Windows Credential Manager setup Aug 2, 2017
@phil-levy
Contributor

Two thoughts:

  1. Is the indentation in the connector-umapi.yml file correct? As pasted, the items under enterprise: are not indented.

  2. Are you really running the 2.2 (or 2.1.1) version of user sync? You didn't include the part of the log where it lists the version.

@andrewhollomon
Author

Thanks, I can confirm we are running 2.2 and the exact connector-umapi.yml formatting shown below

[screenshot: capture]

@andrewhollomon
Author

andrewhollomon commented Aug 3, 2017

In order to take Windows Credential Manager out of the equation - I tried instead using priv_key_pass and adding the passphrase directly to the umapi.yml file.

That results in the following:

2017-08-02 18:11:39 5268 DEBUG umapi - umapi: reading private key data from file C:\PEX\private-encrypted.key
2017-08-02 18:11:39 5268 DEBUG umapi - umapi: creating connection for org @AdobeOrg at endpoint https://usermanagement.adobe.io/v2/usermanagement
2017-08-02 18:11:39 5268 INFO main - ========== End Run (User Sync version: 2.2) (Total time: 0:00:00)
Traceback (most recent call last):
File "c:\pex\install\user_sync-2.2-py3-none-any.whl.c04b8967bba0a28ae4ad16fc13483e0aae93d864\user_sync-2.2-py3-none-any.whl\user_sync\connector\umapi.py", line 127, in __init__
retry_max_attempts=server_options['retries'] + 1,
File "c:\pex\install\umapi_client-2.5.2-py2.py3-none-any.whl.ea790a0014316bf9fd44be8a726cd6891a11e4c8\umapi_client-2.5.2-py2.py3-none-any.whl\umapi_client\connection.py", line 120, in __init__
self.auth = self._get_auth(ims_host=ims_host, ims_endpoint_jwt=ims_endpoint_jwt, **auth_dict)
File "c:\pex\install\umapi_client-2.5.2-py2.py3-none-any.whl.ea790a0014316bf9fd44be8a726cd6891a11e4c8\umapi_client-2.5.2-py2.py3-none-any.whl\umapi_client\connection.py", line 138, in _get_auth
jwt = JWT(self.org_id, tech_acct_id, ims_host, api_key, six.StringIO(private_key_data))
TypeError: initial_value must be str or None, not bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "c:\pex\install\user_sync-2.2-py3-none-any.whl.c04b8967bba0a28ae4ad16fc13483e0aae93d864\user_sync-2.2-py3-none-any.whl\user_sync\app.py", line 362, in main
begin_work(config_loader)
File "c:\pex\install\user_sync-2.2-py3-none-any.whl.c04b8967bba0a28ae4ad16fc13483e0aae93d864\user_sync-2.2-py3-none-any.whl\user_sync\app.py", line 202, in begin_work
umapi_primary_connector = user_sync.connector.umapi.UmapiConnector(primary_name, primary_umapi_config)
File "c:\pex\install\user_sync-2.2-py3-none-any.whl.c04b8967bba0a28ae4ad16fc13483e0aae93d864\user_sync-2.2-py3-none-any.whl\user_sync\connector\umapi.py", line 130, in init
raise AssertionException("Connection to org %s at endpoint %s failed: %s" % (org_id, um_endpoint, e))
user_sync.error.AssertionException: Connection to org @AdobeOrg at endpoint https://usermanagement.adobe.io/v2/usermanagement failed: initial_value must be str or None, not bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\PEX\user-sync.pex.bootstrap_pex\pex.py", line 360, in execute
File "C:\PEX\user-sync.pex.bootstrap_pex\pex.py", line 288, in _wrap_coverage
File "C:\PEX\user-sync.pex.bootstrap_pex\pex.py", line 320, in _wrap_profiling
File "C:\PEX\user-sync.pex.bootstrap_pex\pex.py", line 403, in _execute
File "C:\PEX\user-sync.pex.bootstrap_pex\pex.py", line 461, in execute_entry
File "C:\PEX\user-sync.pex.bootstrap_pex\pex.py", line 466, in execute_module
File "C:\Program Files\Python36\lib\runpy.py", line 208, in run_module
return _run_code(code, {}, init_globals, run_name, mod_spec)
File "C:\Program Files\Python36\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "c:\pex\install\user_sync-2.2-py3-none-any.whl.c04b8967bba0a28ae4ad16fc13483e0aae93d864\user_sync-2.2-py3-none-any.whl\user_sync\app.py", line 389, in <module>
main()
File "c:\pex\install\user_sync-2.2-py3-none-any.whl.c04b8967bba0a28ae4ad16fc13483e0aae93d864\user_sync-2.2-py3-none-any.whl\user_sync\app.py", line 370, in main
logger.critical(e.message)
AttributeError: 'AssertionException' object has no attribute 'message'

@adobeDan
Contributor

adobeDan commented Aug 3, 2017

So you had a misconfiguration in your initial setup: rather than secure_priv_pass_key you should have used secure_priv_key_pass_key. (You always take the base name, in this case priv_key_pass as in your second setup, and prepend secure_ and append _key. The result is unfortunately redundant in this case, which causes a lot of people - including myself - to make the same mistake you did by dropping the first key.) @phil-levy Can you check to see that we don't make this mistake in the docs somewhere?

The error encountered with your second setup looks like it might be a py3-specific bug: apparently the result of decrypting the private key file is a byte-string rather than a standard string, and this is not what six.StringIO is expecting. Can you confirm that you are running in py3?
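To make the naming rule above concrete, here is an added example (not user-sync's own code) of how a loader applying that rule would treat the connector-umapi.yml from the first post: each base option may be given directly or as `secure_<base>_key`, and anything matching neither spelling is reported as unused. The option names come from the thread; the credential-store dict standing in for Windows Credential Manager and the placeholder values are constructed.

```python
# Added illustration, not user-sync code: resolves plain and secure_*_key
# options as described in the thread and reports leftover keys as unused.
BASE_OPTIONS = ("org_id", "tech_acct", "api_key", "client_secret",
                "priv_key_pass", "priv_key_path")

# Constructed stand-in for Windows Credential Manager entries.
CREDENTIAL_STORE = {
    "ADOBE_API_KEY": "api-key-placeholder",
    "ADOBE_API_CLIENT_SECRET": "client-secret-placeholder",
    "ADOBE_PRIV_KEY_PASSWORD": "passphrase-placeholder",
}

# The enterprise section from the issue, with the mistaken key name.
ISSUE_CONFIG = {
    "org_id": "##############@AdobeOrg",
    "secure_api_key_key": "ADOBE_API_KEY",
    "secure_client_secret_key": "ADOBE_API_CLIENT_SECRET",
    "tech_acct": "###############@techacct.adobe.com",
    "secure_priv_pass_key": "ADOBE_PRIV_KEY_PASSWORD",
    "priv_key_path": "private-encrypted.key",
}


def secure_key_name(base):
    """Prepend secure_ and append _key: priv_key_pass -> secure_priv_key_pass_key."""
    return "secure_%s_key" % base


def resolve_enterprise(config, store):
    """Return (resolved options, sorted unused keys) for an enterprise section."""
    resolved, remaining = {}, dict(config)
    for base in BASE_OPTIONS:
        secure = secure_key_name(base)
        if base in remaining:
            resolved[base] = remaining.pop(base)
        elif secure in remaining:
            # Secure spelling holds the credential-store entry name, not the value.
            resolved[base] = store[remaining.pop(secure)]
    # Whatever is left matched neither spelling. This is what surfaces as
    # "Found unused keys" in the log, while priv_key_pass quietly stays unset
    # and the encrypted key cannot be decrypted.
    return resolved, sorted(remaining)
```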

@andrewhollomon
Author

Got it, thanks. I'm running Python 3.6.2 (2017-07-17). I can also confirm I do get further by using secure_priv_key_pass_key, with the result being the same type error that I receive using priv_key_pass.

@adobeDan
Contributor

adobeDan commented Aug 3, 2017

OK, I've now got this as a bug. I'll try to push a fix this week, although we may not release immediately. @andrewhollomon Can you do a build yourself, or do you need me to post a build for you here? If so, it looks like you would need windows 10/py3, yes?
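The py3 failure adobeDan describes, reproduced and normalised as an added example (not the project's fix): on py3, `six.StringIO` is `io.StringIO`, which rejects the bytes a decrypt step returns, so the text has to be decoded before it is wrapped. The PEM bytes below are a constructed placeholder, not key material.

```python
import io

# Constructed placeholder for the bytes a py3 decrypt step hands back;
# not real key material.
DECRYPTED_KEY_DATA = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"placeholder-base64-lines\n"
    b"-----END PRIVATE KEY-----\n"
)


def key_stream_as_reported(private_key_data):
    """The failing shape from the traceback: io.StringIO given bytes on py3."""
    return io.StringIO(private_key_data)


def key_stream_fixed(private_key_data):
    """Normalise to text first. PEM is ASCII, so a strict decode is loss-free
    and anything that is not PEM-shaped fails loudly instead of being wrapped."""
    if isinstance(private_key_data, bytes):
        private_key_data = private_key_data.decode("ascii")
    return io.StringIO(private_key_data)


def reproduce_error(private_key_data):
    """Return the TypeError message the reporter saw, or None if none is raised."""
    try:
        key_stream_as_reported(private_key_data)
    except TypeError as exc:
        return str(exc)
    return None
```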

@andrewhollomon
Author

Thanks, and yep, I should be able to do a build.

@adobeDan adobeDan changed the title Unsuccessful private-encrypted.key w/ Windows Credential Manager setup Private key decryption fails in py3 Aug 4, 2017
@adobeDan
Contributor

adobeDan commented Aug 4, 2017

@phil-levy noticed we have a bug in our sample umapi config file - it has the wrong value for the sample secure password key. I'll fix that too.

@adobeDan adobeDan added the docs label Aug 4, 2017
@adobeDan
Contributor

adobeDan commented Aug 4, 2017

@andrewhollomon This is fixed in v2 head (app version 2.2.1). I have made a tag v2.2.1rc1; you can download the zip of that, expand it, and do make pex in the user-sync.py directory.

phil-levy added a commit that referenced this issue Aug 4, 2017
fix #258: Private key decryption fails in py3
@adobeDan adobeDan added this to the v2.2.1 milestone Aug 4, 2017
@adobeDan
Contributor

adobeDan commented Aug 4, 2017

@andrewhollomon To get a clean build to work on Windows, I also had to fix #260. So now there is a tag v2.2.1rc2, and attached is a build of that for you to try.

@andrewhollomon
Author

andrewhollomon commented Aug 5, 2017

Thanks @adobeDan I can confirm being able to read and use an encrypted private key w/ passphrase stored in Windows credential manager with the 2.2.1.rc2 build.

2017-08-04 16:55:07 5512 DEBUG umapi - umapi: reading private key data from file C:\PEX\private-encrypted.key
2017-08-04 16:55:07 5512 DEBUG umapi - umapi: creating connection for org @AdobeOrg at endpoint https://usermanagement.adobe.io/v2/usermanagement
2017-08-04 16:55:08 5512 DEBUG urllib3.connectionpool - Starting new HTTPS connection (1): ims-na1.adobelogin.com
2017-08-04 16:55:09 5512 DEBUG urllib3.connectionpool - https://ims-na1.adobelogin.com:443 "POST /ims/exchange/jwt HTTP/1.1" 200 976

@adobeDan
Contributor

adobeDan commented Aug 5, 2017

Yay! Thanks so much @andrewhollomon for confirming. Enjoy syncing! :)

adobeDan added a commit that referenced this issue Aug 5, 2017
The fix for #257 was broken from the get-go, referring to the wrong local variable. This is why one should test before pushing a commit...

The fix for #258 was broken in the case of exceptions that have unicode messages (py2-only).  The py2 exception __str__ method doesn't handle the presence of unicode exception messages, but logging can handle unicode.  So rather than invoking the exception's str handler, we explicitly use logging format on the exception message itself.

The fix for #258 was then applied everywhere we format an exception message, in case any of them have unicode strings.
adobeDan added a commit that referenced this issue Aug 12, 2017
Merge changes for #258.  The fix for #258 included example file and doc file changes that should have been in release 2.2 and so need to go to master ASAP. This means that we will also get the fix for #258 into master, which means the head version on master is now 2.1.1. Because this fix has been built and proven by customers, we are OK with the possibility that someone will pull and build head rather than downloading a given release.