NEXUS-28039 (Dev - Nexus Repo)

Support bundle password sanitizer can incorrectly sanitize token "type"


    Details

    • Type: Bug
    • Status: New
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.29.2
    • Fix Version/s: None
    • Component/s: Support Tools
    • Notability: n/a

      Description

      The support bundle generator can incorrectly sanitize the "type" field of a token.

      A support bundle security database export is expected to contain something like this:

      ... "bearerToken": "<some token string>", "type": "bearerToken" ...

      But when it is sanitized by the exporter, the export result is:

      ... "bearerToken": "**REDACTED**", "type": "**REDACTED**" ...

      instead of the expected

      ... "bearerToken": "**REDACTED**", "type": "bearerToken" ...

      Booting a support zip sanitized this way then fails at repository startup, because the redacted "type" value no longer names a known AuthenticationConfiguration:

      2021-06-21 10:20:22,181-0300 ERROR [FelixStartLevel] *SYSTEM org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl - Failed transition: NEW -> STARTED
      org.sonatype.goodies.common.MultipleFailures$MultipleFailuresException: Failed to validate facets; 1 failure
      	at org.sonatype.goodies.common.MultipleFailures.maybePropagate(MultipleFailures.java:95)
      	at org.sonatype.nexus.repository.manager.internal.RepositoryImpl.validate(RepositoryImpl.java:171)
      	at org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl.newRepository(RepositoryManagerImpl.java:193)
      	at org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl.restoreRepositories(RepositoryManagerImpl.java:270)
      	at org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl.doStart(RepositoryManagerImpl.java:252)
      	at org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport.start(StateGuardLifecycleSupport.java:69)
      	at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
      	at org.sonatype.nexus.common.stateguard.StateGuard$TransitionImpl.run(StateGuard.java:193)
      	at org.sonatype.nexus.common.stateguard.TransitionsInterceptor.invoke(TransitionsInterceptor.java:57)
      	at org.sonatype.nexus.extender.NexusLifecycleManager.startComponent(NexusLifecycleManager.java:199)
      	at org.sonatype.nexus.extender.NexusLifecycleManager.to(NexusLifecycleManager.java:111)
      	at org.sonatype.nexus.extender.NexusContextListener.moveToPhase(NexusContextListener.java:321)
      	at org.sonatype.nexus.extender.NexusContextListener.frameworkEvent(NexusContextListener.java:218)
      	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1431)
      	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
      	at java.lang.Thread.run(Thread.java:748)
      	Suppressed: java.lang.IllegalArgumentException: Unknown AuthenticationConfiguration type: **REDACTED** (through reference chain: org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl$Config["authentication"])
      		at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4236)
      		at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4167)
      		at org.sonatype.nexus.repository.config.internal.ConfigurationFacetImpl.convert(ConfigurationFacetImpl.java:75)
      		at org.sonatype.nexus.repository.config.internal.ConfigurationFacetImpl.readSection(ConfigurationFacetImpl.java:84)
      		at org.sonatype.nexus.repository.config.internal.ConfigurationFacetImpl.validateSection(ConfigurationFacetImpl.java:121)
      		at org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl.doValidate(HttpClientFacetImpl.java:145)
      		at org.sonatype.nexus.repository.FacetSupport.validate(FacetSupport.java:113)
      		at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
      		at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:272)
      		at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:54)
      		at org.sonatype.nexus.repository.manager.internal.RepositoryImpl.validate(RepositoryImpl.java:160)
      		... 14 common frames omitted
      	Caused by: com.fasterxml.jackson.databind.JsonMappingException: Unknown AuthenticationConfiguration type: **REDACTED** (through reference chain: org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl$Config["authentication"])
      		at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:397)
      		at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:356)
      		at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1726)
      		at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:295)
      		at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:156)
      		at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4231)
      		... 24 common frames omitted
      	Caused by: java.lang.IllegalStateException: Unknown AuthenticationConfiguration type: **REDACTED**
      		at com.google.common.base.Preconditions.checkState(Preconditions.java:824)
      		at org.sonatype.nexus.internal.httpclient.AuthenticationConfigurationDeserializer.deserialize(AuthenticationConfigurationDeserializer.java:70)
      		at org.sonatype.nexus.internal.httpclient.AuthenticationConfigurationDeserializer.deserializeWithType(AuthenticationConfigurationDeserializer.java:63)
      		at org.sonatype.nexus.internal.httpclient.AuthenticationConfigurationDeserializer.deserializeWithType(AuthenticationConfigurationDeserializer.java:1)
      		at com.fasterxml.jackson.databind.deser.impl.FieldProperty.deserializeAndSet(FieldProperty.java:147)
      		at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:293)
      		... 26 common frames omitted

      Problem

      The support team has tooling that can boot customer support zips, as long as only the expected fields are redacted. Since the "type" value is not expected to be redacted, booting a support zip with "type" redacted fails. Booting customer support zips is vital to proper support.

      Expected

      Do not sanitize the token "type" value - that is not something we wish to redact. Continue to redact any token value.
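As an added illustration (not Nexus's own sanitizer code), a key-aware redaction that gives the expected result above, plus a pre-flight check that flags an export whose "type" discriminator was redacted before anyone tries to boot it. The key lists and the sample document are constructed for the example.

```python
import json

REDACTED = "**REDACTED**"
# Keys whose values carry credentials (constructed list modelled on the
# "bearerToken" field in the report, not Nexus's own sanitizer rules).
SECRET_KEYS = {"password", "secret", "bearerToken", "ntlmPassword"}
# Keys whose value is a discriminator the deserializer needs intact.
STRUCTURAL_KEYS = {"type"}


def sanitize(node):
    """Redact by key, never by value: only a value stored under a secret key
    is replaced, so "type": "bearerToken" survives even though the string
    "bearerToken" is also the name of a secret key."""
    if isinstance(node, dict):
        return {k: REDACTED if k in SECRET_KEYS else sanitize(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [sanitize(item) for item in node]
    return node


def check_export(node):
    """Pre-flight check before booting a sanitized bundle: a discriminator
    must not be redacted and a secret must be. Returns a list of problems."""
    problems = []

    def walk(n, path):
        if isinstance(n, dict):
            for k, v in n.items():
                p = f"{path}.{k}" if path else k
                if k in STRUCTURAL_KEYS and v == REDACTED:
                    problems.append(f"{p}: discriminator redacted")
                elif k in SECRET_KEYS and v != REDACTED:
                    problems.append(f"{p}: secret not redacted")
                else:
                    walk(v, p)
        elif isinstance(n, list):
            for i, item in enumerate(n):
                walk(item, f"{path}[{i}]")

    walk(node, "")
    return problems


# Constructed sample shaped like the "authentication" section quoted above.
SAMPLE = json.loads('{"authentication": {"type": "bearerToken", '
                    '"bearerToken": "<some token string>"}}')
```

Running `check_export` over the over-redacted output from the report returns `["authentication.type: discriminator redacted"]`, which is exactly the condition the support tooling trips over.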

              People

              Assignee: Unassigned
              Reporter: plynch (Peter Lynch)
              Last Updated By: Michael Oliverio
              Team: NXRM - Sentinels