[NXP-31055] Fix handling of & character in encrypted properties - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 2021.14
Fix Version/s: 2021.23
Component/s: nuxeoctl start/stop/admin

Release Notes Summary:
Decrypted conf properties containing xml special characters are now allowed
Tags:
- SupCom
- nxplatform
Backlog priority:
1,000
Sprint:
nxplatform #64, nxplatform #65
Story Points:
3

Description

Since NXP-28880, the encrypted passwords are decrypted at runtime. But unless previously the special character & is not escaped, which causes errors during the startup.

Steps to reproduce:

for test purpose only, copy the attached file to templates/common/config/default-ldap-users-directory-bundle.xml.nxftl

add these 2 properties to nuxeo.conf

nuxeo.ldap.binddn=cn=Manager,dc=nuxeo
nuxeo.ldap.url=ldap://localhost:389

encrypt the LDAP bind password

bin/nuxeoctl config nuxeo.ldap.bindpassword "Y1&eg*7cW%xL%5&%" -encrypt

start Nuxeo

observe this error

ERROR [OSGiRuntimeService] Error deploying config default-ldap-users-directory-bundle.xml (Could not resolve registration from file:/nuxeo/appl/nuxeo2021/nxserver/config/default-ldap-users-directory-bundle.xml (org.xml.sax.SAXParseException; lineNumber: 38; columnNumber: 26; The entity name must immediately follow the '&' in the entity reference.))
java.io.IOException: Could not resolve registration from file:/nuxeo/appl/nuxeo2021/nxserver/config/default-ldap-users-directory-bundle.xml (org.xml.sax.SAXParseException; lineNumber: 38; columnNumber: 26; The entity name must immediately follow the '&' in the entity reference.)
        at org.nuxeo.runtime.model.impl.DefaultRuntimeContext.createRegistrationInfo(DefaultRuntimeContext.java:233) ~[nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.runtime.model.impl.DefaultRuntimeContext.deploy(DefaultRuntimeContext.java:135) ~[nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.runtime.model.impl.DefaultRuntimeContext.deploy(DefaultRuntimeContext.java:129) ~[nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.runtime.osgi.OSGiRuntimeService.loadConfig(OSGiRuntimeService.java:325) [nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.runtime.AbstractRuntimeService.start(AbstractRuntimeService.java:137) [nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.runtime.api.Framework.initialize(Framework.java:131) [nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.runtime.osgi.OSGiRuntimeActivator.start(OSGiRuntimeActivator.java:84) [nuxeo-runtime-2021.16.7.jar:?]
        at org.nuxeo.osgi.BundleImpl.start(BundleImpl.java:292) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.BundleRegistry.doRegister(BundleRegistry.java:177) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.BundleRegistry.register(BundleRegistry.java:125) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.BundleRegistry.install(BundleRegistry.java:98) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.OSGiAdapter.install(OSGiAdapter.java:180) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.application.loader.FrameworkLoader.install(FrameworkLoader.java:256) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.application.loader.FrameworkLoader.doStart(FrameworkLoader.java:221) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.osgi.application.loader.FrameworkLoader.start(FrameworkLoader.java:125) [nuxeo-runtime-osgi-2021.8.6.jar:?]
        at org.nuxeo.runtime.deployment.NuxeoStarter.start(NuxeoStarter.java:124) [nuxeo-runtime-deploy-2021.2.52.jar:?]
        at org.nuxeo.runtime.deployment.NuxeoStarter.contextInitialized(NuxeoStarter.java:93) [nuxeo-runtime-deploy-2021.2.52.jar:?]
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:726) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:690) [catalina-9.0.58.jar:9.0.58]
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1889) [catalina-9.0.58.jar:9.0.58]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]

Expected behavior: Nuxeo starts correctly and the provided password is used to establish the connection

Workaround is to manually escape the & characters when encrypting the property

bin/nuxeoctl config nuxeo.ldap.bindpassword "Y1&amp;eg*7cW%xL%5&amp;%" -encrypt

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

default-ldap-users-directory-bundle.xml.nxftl
1 kB
2022-06-06 20:38

Activity

People

Assignee:

Guillaume Renard

Reporter:

Thierry Martins

Participants:

Guillaume Renard, Jenkins, Thierry Martins

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2022-06-06 20:37

Updated:

2022-07-18 11:53

Resolved:

2022-06-29 16:43