E2E integration tests for converting encrypted saved objects #106567

Closed
jportner opened this issue Jul 22, 2021 · 1 comment · Fixed by #106897
Labels: bug, Team:Security

Comments

@jportner
Contributor

Blocks: #100067

In doing some local testing for the linked issue above, there is an indication that we are not handling AAD correctly for converted saved objects. From @chrisronline:

the scenario is:

  • With a 7.14 branch, start up ES (with a dedicated data path) and Kibana (both 7.14)
  • Create rules/connectors in the default space and a custom space
  • Copy the data out of the dedicated data path into a new dedicated data path
  • On master, start ES (with the second dedicated data path) and Kibana (the Kibana has source changes like namespaceType: single -> namespaceType: multiple-isolated as well as changing from .get to .resolve)
  • Observe error: server log [12:06:49.294] [error][encryptedSavedObjects][plugins] Failed to decrypt "apiKey" attribute: Unsupported state or unable to authenticate data

The ESO service has some special handling in place for converted objects, but at first glance this may not be correct. We just attempt to decrypt the object with/without the namespace in its descriptor (which feeds into its additionally-authenticated data, or AAD). However, it looks like we need to attempt to decrypt the object with its old ID (originId).

We need to create E2E integration tests for an encrypted saved object that is converted, and probably update our algorithm in the ESO service to correctly handle these cases.

@jportner added the Team:Security label Jul 22, 2021
@jportner self-assigned this Jul 22, 2021
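
A simplified model of the failure described in the issue above, added here as an example; it is not Kibana's or the ESO plugin's code. It assumes AES-256-GCM with the AAD built from the descriptor (namespace, type, id) and a converted object that has a new ID with the previous one kept in originId; `aadFor`, `decryptConverted` and the sample IDs are hypothetical.

```javascript
const crypto = require('crypto');

// Constructed key for the demo only.
const KEY = crypto.randomBytes(32);

// Assumption: the AAD binds the ciphertext to the object's descriptor.
const aadFor = ({ type, id, namespace }) =>
  Buffer.from(JSON.stringify([namespace ?? null, type, id]));

function encrypt(descriptor, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  cipher.setAAD(aadFor(descriptor));
  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, data, tag: cipher.getAuthTag() };
}

function decrypt(descriptor, { iv, data, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, iv);
  decipher.setAAD(aadFor(descriptor));
  decipher.setAuthTag(tag);
  // final() throws when the AAD does not match what was used at encryption time.
  return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
}

// Hypothetical fallback order: current descriptor first, then pre-conversion ones.
function decryptConverted({ type, id, originId, namespace }, encrypted) {
  const candidates = [
    { type, id }, // converted object, no namespace in the descriptor
    { type, id, namespace }, // same ID, original namespace
    ...(originId ? [{ type, id: originId, namespace }] : []), // old ID and namespace
  ];
  let lastError;
  for (const candidate of candidates) {
    try { return { value: decrypt(candidate, encrypted), matched: candidate }; }
    catch (err) { lastError = err; }
  }
  throw lastError;
}

// Constructed scenario: encrypted before conversion in a custom space, read after.
function demo() {
  const encrypted = encrypt({ type: 'alert', id: 'old-id', namespace: 'custom' }, 'secret-api-key');
  const converted = { type: 'alert', id: 'new-id', originId: 'old-id', namespace: 'custom' };
  let withoutOriginId;
  try { decryptConverted({ ...converted, originId: undefined }, encrypted); }
  catch (err) { withoutOriginId = err.message; }
  return { withoutOriginId, withOriginId: decryptConverted(converted, encrypted) };
}
console.log(demo());
```

Trying only the with/without-namespace descriptors reproduces the authentication failure from the server log; the attempt that uses originId in the descriptor is the one that succeeds.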
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)
