BaseComputedIDDataConnectorParser logs secret - should it?

Basics

Technical

Logistics

Basics

Technical

Logistics

Description

The UKf helpdesk were passed idp-process.log to assist an debugging IdP configuration problem, and I noticed this line close to the ERROR:

2016-09-29 16:50:17,567 - DEBUG [net.shibboleth.idp.attribute.resolver.spring.dc.impl.BaseComputedIDDataConnectorParser:80] - Data Connector 'myStoredId': Generated Attribute: 'persistentID', sourceAttribute = 'uid', salt (or property): '*** redacted ***'

From an opsec point of view, I would not expect the salt to be logged. However, from an application development point of view, https://issues.shibboleth.net/jira/browse/IDP-771 and https://issues.shibboleth.net/jira/browse/IDP-982 were both diagnosed specifically because the DEBUG log has the salt in them.

Not sure what to make of this, so flagging it up here.

Environment

None

Activity

Rod Widdowson

October 19, 2016 at 7:23 AM

R8517

Rod Widdowson

October 1, 2016 at 4:12 PM

This all makes sense

I'll give this another 48 hours to give others time to comment and then make it so.

Alex Stuart

September 30, 2016 at 2:46 PM

(edited)

Could the DEBUG message be modified to say "secret is logged at TRACE" to give any folks debugging a clue as to how to get the value?

Ian Young

September 30, 2016 at 2:39 PM

I agree it is hard to find a balance here. It's quite common for DEBUG logs to be mailed around when debugging things, though, and that should never accidentally compromise any cryptographic secrets. To make the point, imagine how we'd feel if this were the IdP's signing key.

I suggest a compromise: leave the existing message in at DEBUG but remove the secret. Add a new message logging the secret at TRACE.

Scott Cantor

September 30, 2016 at 2:00 PM

I don't have a good answer given how many problems we have debugging these problems, but it seems like the simplest short term fix is to move it to TRACE.

Resize work item view side panel

Fixed

Details

Assignee

Rod Widdowson

Reporter

Alex Stuart

Original estimate

Created September 30, 2016 at 9:30 AM

Updated August 6, 2021 at 9:57 PM

Resolved October 19, 2016 at 7:23 AM

BaseComputedIDDataConnectorParser logs secret - should it?

Description

Environment

Activity

Details

Assignee

Reporter

Original estimate

Components

Fix versions

Affects versions