Cookies problems with Gerrit 2.9.4 and its GitHub plugin


Justin Clift

Apr 22, 2015, 5:34:18 AM
to Repo and Gerrit Discussion
Hi all,

Our production version of Gerrit is running 2.9.4 at the moment, and its
associated GitHub plugin (a prebuilt one).

We're getting several of these messages in the error_log file:

*************************************************************************

[2015-04-22 02:28:04,153] ERROR com.googlesource.gerrit.plugins.github.oauth.OAuthCookieProvider : Decryption failed
javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:420)
at javax.crypto.Cipher.doFinal(Cipher.java:1922)
at com.googlesource.gerrit.plugins.github.oauth.TokenCipher.decode(TokenCipher.java:101)
at com.googlesource.gerrit.plugins.github.oauth.OAuthCookie.<init>(OAuthCookie.java:72)
at com.googlesource.gerrit.plugins.github.oauth.OAuthCookieProvider.getFromCookie(OAuthCookieProvider.java:46)
at com.googlesource.gerrit.plugins.github.oauth.OAuthWebFilter.getOAuthCookie(OAuthWebFilter.java:254)
at com.googlesource.gerrit.plugins.github.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:85)
at com.googlesource.gerrit.plugins.github.oauth.OAuthFilter.doFilter(OAuthFilter.java:83)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1539)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:524)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:219)
...

*************************************************************************

Any idea what might be causing it?

Regards and best wishes,

Justin Clift

--
GlusterFS - http://www.gluster.org

An open source, distributed file system scaling to several
petabytes, and handling thousands of clients.

My personal twitter: twitter.com/realjustinclift

Luca Milanesio

Apr 22, 2015, 5:36:43 AM
to Justin Clift, Repo and Gerrit Discussion
Hi Justin,
the OAuth cookie is encrypted using a server-side transient random key.

When you get errors like the one you’ve shown, it means that some clients are sending a cookie that cannot be decrypted by the server. Most likely these are very old sessions related to a running Gerrit instance that doesn’t exist anymore (possibly Gerrit was restarted).

Nothing to worry about: from the client side the cookie gets invalidated and the user is logged in again using OAuth.

Luca.
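As an added illustration of Luca's explanation (not code from the gerrit-github plugin; its real cipher parameters and class names are not reproduced here), the cookie is sealed with an AES key that lives only as long as one server process, so a cookie issued before a restart fails to decrypt with the same BadPaddingException seen in the trace above, and the right handling is to treat it as "not logged in". The class and method names, the AES/CBC/PKCS5Padding choice and the sample payload are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class TransientCookieDemo {
    // Stand-in for the server-side transient key: generated at startup,
    // never persisted, so every restart replaces it and orphans old cookies.
    static SecretKey newTransientKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // Encrypt the cookie payload; a random IV is prepended to the ciphertext.
    static String encode(SecretKey key, String payload) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().encodeToString(out);
    }

    // Decode a cookie; one that will not decrypt means "no session", not a fault.
    static Optional<String> decode(SecretKey key, String cookie) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(cookie);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(Arrays.copyOf(in, 16)));
        try {
            return Optional.of(new String(c.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8));
        } catch (BadPaddingException e) {
            // Wrong key, e.g. a cookie issued before a restart. A wrong key still
            // leaves CBC padding valid about 1 time in 256, so the caller must also
            // validate the decrypted content (format, MAC) instead of relying on this alone.
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey beforeRestart = newTransientKey();
        String cookie = encode(beforeRestart, "login=justin;token=constructed-sample"); // constructed payload
        System.out.println("same instance: " + decode(beforeRestart, cookie));
        System.out.println("after restart: " + decode(newTransientKey(), cookie));
    }
}
```

The second line of output is empty almost every run, which is the situation behind the "Decryption failed" entries: worth logging at warning level and counting, not treating as a server fault.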

Justin Clift

Apr 22, 2015, 5:42:37 AM
to Luca Milanesio, Repo and Gerrit Discussion
On 22 Apr 2015, at 10:36, Luca Milanesio <luca.mi...@gmail.com> wrote:
> Hi Justin,
> the OAuth cookie is encrypted using a server-side transient random key.
>
> When you get errors like the one you’ve shown, it means that some clients are sending a cookie that cannot be decrypted by the server. Most likely these are very old sessions related to a running Gerrit instance that doesn’t exist anymore (possibly Gerrit was restarted).
>
> Nothing to worry about: from the client side the cookie gets invalidated and the user is logged in again using OAuth.

Thanks Luca. :)

+ Justin

Luca Milanesio

Apr 22, 2015, 6:20:13 AM
to Repo and Gerrit Discussion, Justin Clift
One note about the GitHub plugin: since Gerrit 2.10.3 a new OAuth authentication method is available and the GitHub plugin will move to implement the Gerrit OAuth extension point.
A patch for Gerrit 2.10.x [1] is under review and once approved you’ll be able to reuse the existing GitHub plugin with the Gerrit OAuth framework (instead of the current HTTP authentication).

There will, however, be the choice between keeping the HTTP-style authentication or using OAuth (both will still be supported).
This is due to the current status of OAuth vs. HTTP authentication: even if Gerrit OAuth is production-ready, it still lacks a lot of features that are available with HTTP authentication:
- logout URL
- post-registration URL
- external ID
- scopes
- Git/HTTP-OAUTH authentication

When those features are also available on the Gerrit OAuth extension, we will definitely drop the HTTP authentication style on GitHub.

Feedback is more than welcome :-)

Luca.

[1] https://gerrit-review.googlesource.com/#/c/66674/