-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Microservices: Unexpected behaviour of Hasher & HashProcessor #437
Comments
Hi, I think there is an assumption that those two micro-services should work the same way, but that is not true.
The Attribute Processor is about processing attributes. The subject_id element corresponds to the SAML Subject/NameID element value, which is not an attribute.
It depends on what you are trying to achieve. Each has its place and its own behaviour. If you want to combine them, you can also do that. It all depends on your use case. |
Thanks for having a look into this. I'll dig a bit deeper: This is also related to federational use cases with best practices for identifier migration and support in mind. Also I think this does not explain the mentioned errors related to processing the primary_identifier attribute, described in (2); (2.1); (2.2), this should not happen in the first place I guess. Example use case (not exactly the same as the one I'm trying to achieve, but for relevance/illustration purposes):
But:
default limitations (without modifications / extensions / custom processors):
At least the second part (2) should be considered a bug I guess |
Identifier migration means that the value that used to be released to some attribute will now be released as the value of one or more additional attributes. Then, after some time, the old attribute may stop being released. The easiest way to do this is to copy the value of one attribute to the other attributes that should have the same value. The Hasher and the HashProcessor are different things. They work in a different way. You should not expect them to do the same thing. If they were identical we would not need both. Having said this, (2) does sound problematic but it is a separate issye.
It looks to me that the primary_identifier plugin has a bug here: instead of setting the value directly, it should set it as the only element of a list. - data.attributes[primary_identifier] = primary_identifier_val
+ data.attributes[primary_identifier] = [primary_identifier_val] Then, both issues mentioned with the Hasher and the HashProcessor should go away. |
Any update on this @github-canni ? |
Thanks for getting back, and sorry for my late reply. I had to rebuild my prior setup as I worked around the issues experienced. Regarding (2): Hashing a value from the "primary identifier" microservice
I tried it, and the fix seems to work. Regarding (1): Comparing hash results from Hasher / HashProcessor Identifier migration
In terms of "identifier" migration at SPs: As you stated correctly in a reply before, the SAML Subject/NameID element is not an attribute, so we cannot copy from/to this value with default microservices (exception: primary identifier can replace the internal "subject_id", which is not an attribute, and Hasher can hash it). This consideration for identifier migrations was the origin of the experienced hashing issues: I wanted satosa to deliver the same hash value: This is considered best practice to help SPs relying on the older NameID migrate to another identifier attribute seamlessly. But: Hashing the subject_id with hasher and then trying to get the same hash value delivered as an attribute by reproducing the hashing process with HashProcessor using the same salt will fail as they produce different hash values. Expectations Solutions (for documentation purposes): Thanks for your work! |
Code Version
Satosa 8.2.0 (docker), running an saml2 frontend and oidc backend, proxy from OIDC to SAML
Expected Behavior
Current Behavior
(1) Hasher and HashProcessor, e.g.
but: Hasher and HashProcessor, both configured to hash that attribute containing the input string value, produce different output values (of course they were not used at the same time but tested separately) [this could be due to internals, e.g. prepending vs. appending salt, using different libs etc.]
(2) Trying to hash an attribute, which was scoped and generated by the processor "primary identifier", return unexpected results:
Possible Solutions
(1) Align Hasher / Hashprocessor outputs with preserved backwards compatibility, e.g. by providing a new parameter to align hash functions (rewrite/align/split internal hashing processes)
(2) There might be a fix for the "primary identifier" processor (which might be the root cause of that issue) - otherwise a fix for Hasher and HashProcessor could be provided
Workarounds
Of course own / modified / custom modules could be written. But usually I try to find a way with default functions.
(1) Use either or, not both. The issue is that Attribute Processor > HashProcessor cannot update/modify subject_id. In the microservice "hasher" the subject_id can be hashed as well among with the attributes. The HashProcessor seem only to be able to hash attributes from the internal map (I might be wrong here and would love to get feedback on that matter).
(2) Do not hash the target attribut produced from "primary identifier" with Hasher microservice but with AtributeProcessor > HashProcessor. There you could use "ScopeProcessor" appending an arbitrary string before hashing with the HashProcessor. This is a workaround as HashProcessor would fail otherwise.
Steps to Reproduce
(1)
(2)
The text was updated successfully, but these errors were encountered: