standalone configuration security


Andrew Marker

Sep 6, 2022, 2:34:03 PM
to CAS Community
The warning message about the property seems to be incorrect, and using the documented property seems to lead to failure.

Today, I was testing a move from v6.5.7 to v6.5.9 and I saw a warning that I did not see in the previous version at runtime.  I'm not having a functional problem, but there seems to be a disconnect between the code and the documentation.

When I start CAS, I am seeing the following ERROR.

Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configurationsecurity.iterations = 999 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")

----------------------------

The documented property is:

cas.standalone.configuration-security.iteration=999

2022-09-06 12:58:30,001 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}someawesometext]

> It appears the documented property does not work

----------------------

To try to understand the scope I tried the following:

2022-09-06 13:13:22,629 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <

Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configuration-security.iterations = 999

This however seemed still to function.

----------------------

In the event my original was incorrect and being ignored giving way to the default, I tried what is posted.

cas.standalone.configuration-security.iteration=0

This too led to a fail to decrypt message.

----------------------

Using the old naming convention, I pass 

  • iterations
  • password
  • provider (SunJCE).
I've never needed to pass:

  • Algorithm
  • Initialization vector
Is there some additional requirement necessary to move to the new property names?

Andrew Marker

Sep 6, 2022, 2:40:03 PM
to CAS Community, Andrew Marker
In my CAS instance:
These  are working with error message:
* cas.standalone.configuration-security.iterations
* cas.standalone.configurationsecurity.iterations


This is what is documented and it fails:

cas.standalone.configuration-security.iteration

Ray Bon

Sep 6, 2022, 4:58:40 PM
to cas-...@apereo.org, atma...@gmail.com
Andrew,


'iterations' "worked" because the real default was used, since the 'Failed to bind properties' message was printed.
Maybe setting debug/trace logging for org.apereo.cas.util will provide some more insight.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Andrew Marker

Sep 7, 2022, 4:02:05 PM
to CAS Community, Ray Bon, Andrew Marker
Hi Ray,

Thanks for the response.

I initially found the issue I have described, and provided the messages for, when I was running v6.3.7.4. It was not related to that version, but it was at that point that I was trying for the first time to encrypt properties.

I reached out to Unicon (in March 2022), with whom my organization contracts for open source support. I was looking for help to encrypt properties and I was trying to follow the guidance I could find in the CAS documentation.

After beginning the conversation much the way you have, by identifying the properties as they are documented, we finally got beyond the point where we just refer to the documentation or the code references, and through testing re-affirmed the failure I am describing.

I was told that it will be fixed in a future version, an answer that satisfied my need as I could continue to leverage the camelCase as described in the quasi-official CAS how-to blog. Today, in v6.5.9, it still works with camelCase.

I'm trying to surface the issue now because with the move to v6.5.9 during my review the error message appeared at startup.

-- You cannot use the property as documented or as referred to in the class you sent. It just does not work when placed in a commandLineArgs collection.


If I use:

--cas.standalone.configuration-security.iterations=999
--cas.standalone.configurationSecurity.iterations=999

2022-09-07 14:39:35,708 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>

2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>

2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>

2022-09-07 14:39:35,717 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>

........

2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>

2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>

2022-09-07 14:39:38,303 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]...>

2022-09-07 14:39:38,319 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted value [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==] successfully.>


When I use what is documented:

--cas.standalone.configuration-security.iteration=999

2022-09-07 14:32:13,852 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>

2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>

2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>

      NO ITERATOR Picked up           

.......

2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>

2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>

2022-09-07 14:32:16,363 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]...>

2022-09-07 14:32:16,416 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]>



-------------------------------------------------------

If the fact is: the documentation and class say "iteration" but the command line uses "iterations", and that is intentional, it is confusing.

If this is good grammar and the tech document requires you to know the difference to make a jump from the literally represented value to the contextual place to use one vs the other, man, it would be great if that was explained in the documentation. I've always been able to just use the property as documented.

Ray Bon

Sep 7, 2022, 6:03:10 PM
to atma...@gmail.com, cas-...@apereo.org
Andrew,

CamelCase or kebab-case does not matter, Spring handles both (kebab is newer).
The options should have the same name regardless of where they are set. What differs is when they are processed during startup. Some other step is getting in the way for the property file, but it sounds like the developers know there is a problem with that 'other step'.

Ray

Andrew Marker

Oct 13, 2023, 12:49:49 PM
to CAS Community, Ray Bon, atma...@gmail.com
Hi all,

In 6.6 this still doesn't work as documented: 6.6x / Configuration / Securing Configuration Properties

  • If you use iteration (as documented) OUTCOME: failure when the first encrypted property is accessed: CAS shuts down.

  • If you use iterations OUTCOMES: success
    • property is read and encrypted properties are decrypted during the initialization of CAS when they are accessed.
    • An error message is written to the log 

I have tested this passing it through at startup.

export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATION=35

or 

--cas.standalone.configuration-security.iteration=35


When I use iterations it does, unless the iteration value is actually wrong.


I have been told that the unit test for this passes: great. It doesn't actually mean that at run time it functions as expected.

Andrew Marker

Oct 13, 2023, 12:49:49 PM
to CAS Community, Ray Bon, atma...@gmail.com
Hi all,

I am moving from 6.5 to 6.6 and all is going well. In the end, if I follow the guidance provided in the error message and the documentation, this still fails. The difference is simple: iteration vs iterations.

I just wanted to point out that this particular property does not work. I am setting this through the startup command; it also doesn't work when set as an environment variable.
--cas.standalone.configuration-security.iteration=35
or
export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATION=35


  • The second option is not in the documentation
  • It does work
  • It returns an ERROR [cas.configuration.CasConfigurationPropertiesValidator] -- full message below.
  • If I use this property but set the value to anything but the originally used iteration (say 39 for example) it fails just as though I had used the documented property name.
    • This tells me it is actually working and not relying on the default.

--cas.standalone.configuration-security.iterations=35
or
export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATIONS=35


HERE is the message.

Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configuration-security.iterations = 35 (Origin: "cas.standalone.configuration-security.iterations" from property source "commandLineArgs")

Listed settings above are no longer recognized by CAS 6.6.12. They may have been renamed, removed, or relocated to a new namespace in the CAS configuration schema. CAS will ignore such settings to proceed with its normal initialization sequence. Please consult the CAS documentation to review and adjust each setting to find an alternative or remove the definition from the property source. Failure to do so puts the server stability in danger and complicates future upgrades.


I will follow the guidance when the property actually works.

I bring this up because it does not. In the past, when I brought this up, there has been an assertion that it can't be broken because the unit test passes. Ultimately I'm seeing that, because of the path of execution, whatever the unit test coverage, it isn't covering the way the property is used.

Ray Bon

Oct 16, 2023, 10:22:16 PM
to atma...@gmail.com, cas-...@apereo.org
Andrew,

iterations is used in apereo/cas/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/support/CasConfigurationJasyptCipherExecutor.java

iteration is used in apereo/cas/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/config/standalone/StandaloneConfigurationSecurityProperties.java

So it looks like the property was changed in one location (the second path above) which generates the 'failed to bind' message, but not the first path above.


Ray
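The two behaviours Ray describes above, relaxed binding that treats camelCase and kebab-case spellings as the same key, and two code paths that read differently spelled keys from the same property source, can be modelled in a few lines. The block below is an added example in Python, not CAS or Spring code; the schema key set, the decryptor key, the default iteration count and the "encrypted with 999 iterations" scenario are assumptions made for illustration, following what the thread reports (the model declares the singular key, the cipher executor reads the plural one, and a ciphertext only decrypts under the iteration count it was produced with).

```python
import re

# Added illustration of relaxed property binding and of the singular/plural
# key mismatch reported in the thread; this is not CAS or Spring code.
# SCHEMA, DECRYPTOR_KEY and ASSUMED_DEFAULT_ITERATIONS are assumptions.

# What the properties model declares (singular 'iteration', as reported).
SCHEMA = {
    "cas.standalone.configuration-security.iteration",
    "cas.standalone.configuration-security.password",
    "cas.standalone.configuration-security.provider",
    "cas.standalone.configuration-security.algorithm",
}
# What the cipher executor reads (plural 'iterations', as reported).
DECRYPTOR_KEY = "cas.standalone.configuration-security.iterations"
ASSUMED_DEFAULT_ITERATIONS = 1000  # placeholder, not CAS's real default


def canonical(name):
    """Relaxed-binding comparison form: per dotted element, drop dashes and
    underscores and lower-case, so 'configurationSecurity',
    'configuration-security' and 'configurationsecurity' all compare equal.
    This is also the spelling the 'Failed to bind' report prints."""
    return ".".join(re.sub(r"[-_]", "", e).lower() for e in name.split("."))


CANONICAL_SCHEMA = {canonical(k) for k in SCHEMA}
CANONICAL_DECRYPTOR_KEY = canonical(DECRYPTOR_KEY)


def parse_args(args):
    """Turn '--key=value' command-line arguments into {canonical key: value}."""
    props = {}
    for arg in args:
        key, _, value = arg.lstrip("-").partition("=")
        props[canonical(key)] = value
    return props


def bind(args):
    """Model the two independent consumers of the property source: the
    schema binder, which reports keys it does not know, and the decryptor,
    which reads its own key and otherwise falls back to the default."""
    props = parse_args(args)
    unrecognized = sorted(k for k in props if k not in CANONICAL_SCHEMA)
    iterations = int(props.get(CANONICAL_DECRYPTOR_KEY, ASSUMED_DEFAULT_ITERATIONS))
    return {"unrecognized": unrecognized, "iterations": iterations}


def can_decrypt(args, encrypted_with):
    """A PBE ciphertext only decrypts under the iteration count it was
    produced with; True when the count the decryptor ends up using matches."""
    return bind(args)["iterations"] == encrypted_with


if __name__ == "__main__":
    # Constructed scenario: the stored values were encrypted with 999 iterations.
    ENCRYPTED_WITH = 999
    cases = [
        ["--cas.standalone.configurationSecurity.iterations=999"],
        ["--cas.standalone.configuration-security.iterations=999"],
        ["--cas.standalone.configuration-security.iteration=999"],
    ]
    for case in cases:
        result = bind(case)
        print(case[0], "->", result, "decrypts:", can_decrypt(case, ENCRYPTED_WITH))
```

Running it shows the pattern from the thread: both plural spellings are flagged as unrecognized by the binder yet reach the decryptor, while the documented singular spelling binds without complaint and is never read, so the decryptor silently uses the default count and the ciphertext fails to decrypt.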