
[BUG][SEC]: Fixes AuthN server-side providers #2099

Merged
merged 6 commits into from
May 2, 2024

Conversation


@tazarov tazarov commented May 1, 2024

Description of changes

Summarize the changes made by this PR.

  • Improvements & Bug fixes
    • Added random jitter to mitigate timing attacks on early exit conditions
    • Added generic AuthError for early exit conditions
    • Added checks for missing headers (as this was throwing a KeyError)
    • Made it possible to use the TokenTransportHeader Enum when defining client-side auth (docs also updated)
    • Improved validation of wrong Token transport headers with a friendlier user message
    • Broader exception handling now logs only exception type and line number to prevent unintentional information disclosure (A02:2021 Cryptographic Failures, OWASP Top 10)
    • Aligned both token and basic auth logic flow with exit conditions
    • Fixed an issue with replacement of auth headers Basic and Bearer with a regex, which aligns well with case-insensitivity of HTTP headers as well as properly checking that the respective string is at the beginning of the header value
    • Basic auth username check is not an early exit case; this simplifies the logic for the pwd check
    • Basic auth splitting on ':' now works only on the first split; this will prevent unexpected exceptions in case the user adds more than a single ':' in the base64-encoded header value
    • Basic auth: decoded username and password are converted to string to prevent HTTP header injections

Test plan

How are these changes tested?

  • Tests pass locally with pytest for python, yarn test for js, cargo test for rust

Documentation Changes

Docs PR TBD

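The following is an added, self-contained illustration of the hardening steps listed in the description above; it is not chromadb's own code and none of the names in it (`AuthError`, `parse_basic_auth`, `extract_bearer_token`, `verify_basic`, the jitter bounds, the sample user table) come from the project. It shows the anchored case-insensitive scheme match, the missing-header check that avoids a `KeyError`, the split on the first `':'` only, the explicit conversion of the decoded parts to `str`, a single generic error with random jitter on every rejection, logging that records only the exception type and line, and a username check that is not an early exit.

```python
import base64
import hmac
import logging
import random
import re
import time

logger = logging.getLogger(__name__)


class AuthError(Exception):
    """Single generic error for every early-exit path; its message never varies."""


# Anchored, case-insensitive scheme prefixes: the scheme must start the header value,
# so "xBasic ..." or "Bearer" embedded later in the value does not match.
_BASIC_RE = re.compile(r"^Basic\s+", re.IGNORECASE)
_BEARER_RE = re.compile(r"^Bearer\s+", re.IGNORECASE)

# Illustrative jitter bounds (assumption, not the project's values): a small random delay
# before every rejection so the early-exit branches are not told apart by response time.
_JITTER_MIN_S, _JITTER_MAX_S = 0.001, 0.005


def _reject(reason: str) -> None:
    time.sleep(random.uniform(_JITTER_MIN_S, _JITTER_MAX_S))
    logger.debug("auth rejected: %s", reason)  # the specific reason stays server-side
    raise AuthError("Authentication failed")


def extract_bearer_token(headers: dict) -> str:
    """Return the bearer token from a headers mapping, or raise AuthError."""
    value = headers.get("Authorization")  # .get(): a missing header is None, not a KeyError
    if value is None or not _BEARER_RE.match(value):
        _reject("missing header or scheme is not Bearer")
    token = _BEARER_RE.sub("", value, count=1).strip()
    if not token:
        _reject("empty token")
    return token


def parse_basic_auth(headers: dict) -> tuple[str, str]:
    """Return (username, password) from a Basic Authorization header, or raise AuthError."""
    value = headers.get("Authorization")
    if value is None or not _BASIC_RE.match(value):
        _reject("missing header or scheme is not Basic")
    encoded = _BASIC_RE.sub("", value, count=1).strip()
    try:
        raw = base64.b64decode(encoded, validate=True)
    except Exception as e:  # broad on purpose: any decode failure is one rejection path
        # Log only the exception type and the line it came from, never the header contents.
        logger.warning("basic auth decode failed: %s at line %d",
                       type(e).__name__, e.__traceback__.tb_lineno)
        _reject("undecodable credentials")
    user_b, sep, pwd_b = raw.partition(b":")  # split on the FIRST ':' only
    if not sep:
        _reject("no ':' separator in credentials")
    try:
        # Explicit conversion to str: from here on the values are text, not raw bytes.
        return str(user_b.decode("utf-8")), str(pwd_b.decode("utf-8"))
    except UnicodeDecodeError as e:
        logger.warning("basic auth decode failed: %s", type(e).__name__)
        _reject("credentials are not valid UTF-8")


def verify_basic(headers: dict, users: dict[str, str]) -> str:
    """Authenticate and return the username. An unknown username is NOT an early exit:
    the password comparison runs either way, and both failures share one rejection path."""
    username, password = parse_basic_auth(headers)
    expected = users.get(username, "")  # unknown user compares against an empty string
    match = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if not (username in users and match):
        _reject("bad username or password")
    return username


def basic_header(username: str, password: str) -> str:
    """Build a Basic Authorization header value (helper for the demo and tests)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises AuthError."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False


# Constructed sample data for the demo; the password deliberately contains ':' characters.
USERS = {"alice": "s3cret:with:colons"}

if __name__ == "__main__":
    hv = basic_header("alice", "s3cret:with:colons")
    print(verify_basic({"Authorization": hv}, USERS))       # alice
    print(rejects(verify_basic, {}, USERS))                 # True: missing header
    print(rejects(verify_basic, {"Authorization": "x" + hv}, USERS))  # True: not at start
```

The `users` table here is a plain dict of plaintext passwords purely so the example runs offline; a real deployment would compare against stored password hashes. Note that `_reject` both sleeps and raises, so every failing branch, whatever its cause, takes the same exit.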

github-actions bot commented May 1, 2024

Reviewer Checklist

Please leverage this checklist to ensure your code review is thorough before approving

Testing, Bugs, Errors, Logs, Documentation

  • Can you think of any use case in which the code does not behave as intended? Have they been tested?
  • Can you think of any inputs or external events that could break the code? Is user input validated and safe? Have they been tested?
  • If appropriate, are there adequate property based tests?
  • If appropriate, are there adequate unit tests?
  • Should any logging, debugging, tracing information be added or removed?
  • Are error messages user-friendly?
  • Have all documentation changes needed been made?
  • Have all non-obvious changes been commented?

System Compatibility

  • Are there any potential impacts on other parts of the system or backward compatibility?
  • Does this change intersect with any items on our roadmap, and if so, is there a plan for fitting them together?

Quality

  • Is this code of an unexpectedly high quality (Readability, Modularity, Intuitiveness)?

@tazarov tazarov requested a review from beggers May 2, 2024 05:48

@beggers beggers left a comment


This all seems very reasonable with a couple minor requests

Two review threads on chromadb/auth/token_authn/__init__.py (outdated, resolved)
- Also made the check a little more explicit for readability
vercel bot commented May 2, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
chroma ❌ Failed (Inspect) May 2, 2024 5:58pm

@beggers beggers enabled auto-merge (squash) May 2, 2024 18:30
@beggers beggers disabled auto-merge May 2, 2024 18:38
@beggers beggers merged commit 31c7f9d into main May 2, 2024
126 of 127 checks passed