From 8fd99e3b24db683ad129d89dfe266becf77f2ef2 Mon Sep 17 00:00:00 2001
From: Nick Muerdter
Date: Fri, 18 May 2018 23:44:51 -0600
Subject: [PATCH] Simplify random_token implementation to use set_secure_random_alphanum.

Use nginx NDK to use set_secure_random_alphanum for our random_token implementation. This is both faster and simpler than our previous implementation. It's limited to 64 characters in length, but that should be fine for our purposes.
---
 src/api-umbrella/cli/read_config.lua | 2 +-
 .../proxy/models/active_config.lua | 3 +-
 src/api-umbrella/utils/random_token.lua | 41 +------------------
 3 files changed, 4 insertions(+), 42 deletions(-)

diff --git a/src/api-umbrella/cli/read_config.lua b/src/api-umbrella/cli/read_config.lua
index 252a2d1d1..9b96a3667 100644
--- a/src/api-umbrella/cli/read_config.lua
+++ b/src/api-umbrella/cli/read_config.lua
@@ -385,7 +385,7 @@ local function set_cached_random_tokens()
 if not config["web"]["rails_secret_token"] then
 deep_defaults(cached, {
 web = {
- rails_secret_token = random_token(128),
+ rails_secret_token = random_token(64),
 },
 })
 end
diff --git a/src/api-umbrella/proxy/models/active_config.lua b/src/api-umbrella/proxy/models/active_config.lua
index c7828bcf5..e0780c1f8 100644
--- a/src/api-umbrella/proxy/models/active_config.lua
+++ b/src/api-umbrella/proxy/models/active_config.lua
@@ -5,6 +5,7 @@ local host_normalize = require "api-umbrella.utils.host_normalize"
 local load_backends = require "api-umbrella.proxy.load_backends"
 local mustache_unescape = require "api-umbrella.utils.mustache_unescape"
 local plutils = require "pl.utils"
+local random_token = require "api-umbrella.utils.random_token"
 local resolve_backend_dns = require "api-umbrella.proxy.jobs.resolve_backend_dns"
 local tablex = require "pl.tablex"
 local utils = require "api-umbrella.proxy.utils"
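Review bot: The generated default for `rails_secret_token` shrinks from 128 to 64 alphanumeric characters with no comment saying why, so the next reader cannot tell whether 64 is a deliberate security choice or simply the ceiling of the new generator described in the commit message. Sixty-four characters drawn from the 62-symbol a-z/A-Z/0-9 alphabet is still about 380 bits, which is ample for a session-signing secret, but the reason belongs beside the number: `rails_secret_token = random_token(64), -- 64 is the longest token set_secure_random_alphanum can produce`. This only changes freshly generated defaults; an explicitly configured `rails_secret_token` is left alone by the `if not` guard above it. set_cached_random_tokens begins outside the hunk.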
@@ -183,7 +184,7 @@ end
 
 local function parse_website_backend(website_backend)
 if not website_backend["_id"] then
- website_backend["_id"] = ndk.set_var.set_secure_random_alphanum(32)
+ website_backend["_id"] = random_token(32)
 end
 
 if website_backend["frontend_host"] then
diff --git a/src/api-umbrella/utils/random_token.lua b/src/api-umbrella/utils/random_token.lua
index 4d92ff283..f26df4591 100644
--- a/src/api-umbrella/utils/random_token.lua
+++ b/src/api-umbrella/utils/random_token.lua
@@ -1,42 +1,3 @@
-local resty_random = require "resty.random"
-
-local encode_base64 = ngx.encode_base64
-local gsub = ngx.re.gsub
-local random_bytes = resty_random.bytes
-
 return function(length)
- local token = ""
- -- Loop until we've generated a valid token. The basic process:
- --
- -- 1. Generate secure random bytes.
- -- 2. Convert random bytes to base64.
- -- 3. Strip out special characters from base64 result, so we're left with
- -- just alphanumerics.
- --
- -- It should be extraordinarily rare that this needs to loop, but since we
- -- strip out some of the special characters from the resulting base64 string,
- -- this loops in case we strip more than expected.
- while string.len(token) < length do
- -- Attempt to generate cryptographically secure random bytes. We
- -- purposefully generate more bytes than we need, since we'll be stripping
- -- some of the base64 characters out.
- local num_bytes = length + 10
- local strong_random = random_bytes(num_bytes, true)
- if not strong_random then
- ngx.log(ngx.WARN, "Could not generate cryptographically secure random data. Falling back to non-secure random data.")
- strong_random = random_bytes(num_bytes, false)
- end
-
- -- Encode with base64.
- token = token .. encode_base64(strong_random)
-
- -- Strip +, /, and = out of the base64 result, since we just want a-z, A-Z,
- -- and 0-9 in our tokens.
- token = gsub(token, "[+/=]", "", "jo")
-
- -- Take just the number of characters requested.
- token = string.sub(token, 1, length)
- end
-
- return token
+ return ndk.set_var.set_secure_random_alphanum(length)
 end
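Review bot: The new body hands `length` straight to `ndk.set_var.set_secure_random_alphanum` without checking it, even though the commit message says the directive is limited to 64 characters; a caller asking for more (the old implementation accepted 128, as read_config.lua did until this patch) or passing nil or 0 now presumably fails with an error raised from inside NDK rather than a clear argument error from this module. Validate at the boundary: `assert(type(length) == "number" and length >= 1 and length <= 64, "random_token: length must be between 1 and 64")`. The removed header comment was the only place that documented the entropy source and the non-secure fallback, so a one-line doc comment such as `-- Cryptographically secure alphanumeric token from ngx_set_misc's set_secure_random_alphanum (1-64 chars); there is no non-secure fallback any more.` keeps the contract visible. It is also worth confirming that every caller runs where `ndk.set_var` is usable: the previous resty.random path worked in any Lua context, whereas NDK set_var is tied to an nginx request, which the read_config.lua CLI caller may not have.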