Basic Auth: deprecation of DES crypt · kubernetes/ingress-nginx#7251

(12 留言) (0 反應) (0 負責人)Go (15,199 star) (7,888 fork)batch import

help wantedkind/featurepriority/important-longterm

描述

When using a RHEL / CentOS / UBI 7 or 8 base image build of nginx several of the e2e tests fail due to DES deprecation with crypt.

ingress-nginx should default to SHA hashed passwords for basic auth, currently hashes generated from openssl passwd -crypt can replace -crypt with -6, and the following line should indicate a different hashing method in the salt, like foo:$6$

https://github.com/kubernetes/ingress-nginx/blob/b1c8e3047ba31d7ea78f6e0915d187db75230ba5/test/e2e/annotations/auth.go#L210

Without specifying a different hashing method in the salt the test will fail with a 500 code and a log message error like crypt_r() failed (22: Invalid argument) when using of the the above mentioned base images.

If the approach with updating the tests sounds acceptable I would be happy to submit a PR.

/kind feature

貢獻者指南

技術棧: go
領域: backendtesting
議題類型: feature
難度: 2
預計時間: 1-3 hours
活動狀態: stale
清晰度: clear
前置要求: Go programmingbasic auth conceptse2e testing experience
新手友善度: 80
研究方向: Look at the test file at test/e2e/annotations/auth.go line 210. Currently it uses 'openssl passwd crypt' which generates DES hashes. Change the hash generation to use SHA 512 by modifying the salt in the test to start with '$6$'. Also ensure that the password hash in the test matches the new format. Run the e2e tests to verify they pass on RHEL/CentOS/UBI base images.