Skip to content

Commit

Permalink
Update wording on error message and readme
Browse files Browse the repository at this point in the history
Signed-off-by: Louis Chu <[email protected]>
  • Loading branch information
noCharger committed Oct 11, 2022
1 parent 3b35e77 commit 2ba789e
Show file tree
Hide file tree
Showing 4 changed files with 11 additions and 9 deletions.
8 changes: 5 additions & 3 deletions src/plugins/data_source/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,14 +73,16 @@ The data source saved object client wrapper overrides the write related action f

### Cryptography service

The cryptography service performs encryption / decryption on data source credentials (support no_auth and username_password for now). Highlight the following security best practices (see more details on https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1756)
The cryptography service encrypts and decrypts data source credentials (support no_auth and username_password credential types). Highlight the best security practices listed below:

a. Envelope encryption - has multiple benefits including strong protection on data keys, encryption the same data with multiple wrappign keys, etc
a. Envelope encryption - provides strong protection on data keys. Read more details [here](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#envelope-encryption)

b. Key derivation algorithm - HKDF with SHA-384, which “helps you avoid accidental reuse of a data encryption key and reduces the risk of overusing a data key.”
b. Key derivation with HMAC - KDF with SHA-384 protects against accidental reuse of a data encryption keys and reduces the risk of overusing data keys.

c. Signature algorithm - ECDSA with P-384 and SHA-384. Under multiple data source case, data source documents stored on OpenSearch can be modified / replaced by attacker. With ECDSA signature, ciphertext decryption will fail if it’s getting pullted. No one will be able to create another signature that verifies with the public key because the private key has been dropped.

Please check https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1756 for more details.

---

## Development
Expand Down
4 changes: 2 additions & 2 deletions src/plugins/data_source/server/client/configure_client.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ export const configureClient = async (

return await getQueryClient(rootClient, dataSource, cryptography);
} catch (error: any) {
logger.error(`Fail to get data source client for dataSourceId: [${dataSourceId}]`);
logger.error(`Failed to get data source client for dataSourceId: [${dataSourceId}]`);
logger.error(error);
// Re-throw as DataSourceConfigError
throw new DataSourceConfigError('Fail to get data source client: ', error);
throw new DataSourceConfigError('Failed to get data source client: ', error);
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,10 @@ export const configureLegacyClient = async (

return await getQueryClient(rootClient, dataSource, cryptography, callApiParams);
} catch (error: any) {
logger.error(`Fail to get data source client for dataSourceId: [${dataSourceId}]`);
logger.error(`Failed to get data source client for dataSourceId: [${dataSourceId}]`);
logger.error(error);
// Re-throw as DataSourceConfigError
throw new DataSourceConfigError('Fail to get data source client: ', error);
throw new DataSourceConfigError('Failed to get data source client: ', error);
}
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -293,7 +293,7 @@ export class DataSourceSavedObjectsClientWrapper {
});
attributes = savedObject.attributes;
} catch (err: any) {
const errMsg = `Fail to fetch existing data source for dataSourceId [${id}]`;
const errMsg = `Failed to fetch existing data source for dataSourceId [${id}]`;
this.logger.error(errMsg);
this.logger.error(err);
throw SavedObjectsErrorHelpers.decorateBadRequestError(err, errMsg);
Expand Down Expand Up @@ -350,7 +350,7 @@ export class DataSourceSavedObjectsClientWrapper {
const { encryptionContext } = await this.cryptography
.decodeAndDecrypt(password)
.catch((err: any) => {
const errMsg = `Fail to update existing data source for dataSourceId [${id}]: unable to decrypt "auth.credentials.password"`;
const errMsg = `Failed to update existing data source for dataSourceId [${id}]: unable to decrypt "auth.credentials.password"`;
this.logger.error(errMsg);
this.logger.error(err);
throw SavedObjectsErrorHelpers.decorateBadRequestError(err, errMsg);
Expand Down

0 comments on commit 2ba789e

Please sign in to comment.