Pad short secrets

[Synse]

This PR updates the encrypt_new and decrypt (for Splunk 7.2 or later secrets) functions to pad the splunk.secret to 254 bytes if the file is less than 254 bytes.

If we strace a splunk show-encrypted call, we can see that the splunkd binary does the same padding for short secrets. When this happens it also writes a Read custom key data size=[bytes] message to stderr.

[root@91d3c9294444 splunk]# strace -f /opt/splunk/bin/splunk show-encrypted --value 'foo'
<...SNIP...>
[pid 50471] openat(AT_FDCWD, "/opt/splunk/etc/auth/splunk.secret", O_RDONLY) = 3
[pid 50471] read(3, "notarealsecret", 254) = 14  # << we only read 14 bytes ("notarealsecret") from /opt/splunk/etc/auth/splunk.secret
[pid 50471] read(3, "", 240)            = 0      # << we read 240 bytes of nulls (14+240 = 254 bytes)
[pid 50471] write(2, "Read custom key data size=14\n", 29Read custom key data size=14) = 29
[pid 50471] stat("/opt/splunk/etc/auth/splunk.secret", {st_mode=S_IFREG|0400, st_size=14, ...}) = 0
[pid 50471] close(3)                    = 0
<...SNIP...>

If the contents of splunk.secret are 254 bytes (or more) it only reads 254 bytes and doesn't output the custom key data size message. Both of these cases are already covered by splunksecrets.py.

Testing

I've updated the tests accordingly but for manual testing I used a splunk/splunk container and the updated splunksecrets.py:

# docker container and local have the same splunk.secret
$ cat splunk.secret && echo
notarealsecret
$ docker exec -it splunk sudo cat /opt/splunk/etc/auth/splunk.secret && echo
notarealsecret

# we can encrypt with splunksecrets and decrypt with splunk show-decrypted
$ splunksecrets splunk-encrypt --splunk-secret splunk.secret --password '1: from splunksecrets to splunk'
secret too short (14 bytes), padding to 254 bytes with nulls
$7$AxDuMlIUPIn76nBAbnLDC7RI8av2L08ZTZpMWrI+vu94WzFPFq1343ZomUP5NNf53ndGrKpYgs0Rpgo7vMVW
$ docker exec -it splunk sudo /opt/splunk/bin/splunk show-decrypted --value '$7$AxDuMlIUPIn76nBAbnLDC7RI8av2L08ZTZpMWrI+vu94WzFPFq1343ZomUP5NNf53ndGrKpYgs0Rpgo7vMVW'
Read custom key data size=14
1: from splunksecrets to splunk

# and we can encrypt with splunk show-encrypted and decrypt with splunksecrets
$ docker exec -it splunk sudo /opt/splunk/bin/splunk show-encrypted --value '2: from splunk to splunksecrets' && echo
Read custom key data size=14
$7$71DoIvj4k5ATEFRBUMWjfap+u2Jqq6Xd+ypAOUi516enJ2KD0zjuWYmYb2cASjzthdYgUPIKREjnAsERqtqL
$ splunksecrets splunk-decrypt --splunk-secret splunk.secret --ciphertext '$7$71DoIvj4k5ATEFRBUMWjfap+u2Jqq6Xd+ypAOUi516enJ2KD0zjuWYmYb2cASjzthdYgUPIKREjnAsERqtqL'
secret too short (14 bytes), padding to 254 bytes with nulls
2: from splunk to splunksecrets

[mcm]

I’ve always wondered what the scenario is where Splunk.secret is that short… is it caused by a system that’s been upgraded from a very old version?

[Synse]

I’ve always wondered what the scenario is where Splunk.secret is that short… is it caused by a system that’s been upgraded from a very old version?

I'm not sure if there's anything that would cause it other than users configuring their own splunk.secret.

I originally noticed this when testing with the [splunk/splunk](https://hub.docker.com/r/splunk/splunk/) docker container when I set SPLUNK_SECRET (which sets the contents of ${SPLUNK_HOME}/etc/splunk.secret) to a very short value.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (ae2f628) to head (1a10366).

Additional details and impacted files

@@            Coverage Diff            @@
##            master       #14   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines          201       165   -36     
=========================================
- Hits           201       165   -36     

Flag	Coverage Δ
	100.00% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cschmidt0121]

Hope you don't mind me making changes; looks like another test needed updating. :)

[Synse]

Hope you don't mind me making changes; looks like another test needed updating. :)

Not at all, good catch. I didn't look closely at all of the tests and that one was still passing 🤦

Before your change I get:

======================================================================
ERROR: test_decrypt_raises_value_error_short_secret2 (tests.TestSplunkSecrets)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/workspaces/splunksecrets/tests.py", line 140, in test_decrypt_raises_value_error_short_secret2
    splunksecrets.decrypt(
  File "/workspaces/splunksecrets/splunksecrets.py", line 86, in decrypt
    plaintext = decryptor.update(ciphertext).decode()
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xee in position 1: invalid continuation byte

----------------------------------------------------------------------

when commenting out the with self.assertRaises(ValueError) so it was "passing" but not correctly. I'll open a separate PR to update the tests for the pre-7.2 tests so the same doesn't happen with those.

[Synse]

732d686 ensures that the secret is bytes so that padding doesn't fail with TypeError: The fill character must be a unicode character, not bytes if the secret is a string. I noticed this is the case today when using the SPLUNK_SECRET environment variable and also fixed that in 5d8b556.

I decided to fix it in both places so that things work if folks are using the CLI or calling encrypt_new / decrypt from other Python.