All Apps and Add-ons

How to decrypt the input field value which is encrypted and stored in password.conf in splunk addon?

ashwini
Engager

I have a modular input, which accepts AWS credentials while configuring input for the addon. In that secret key field is password type field. So after inputs are saved into input.conf, it creates a encrypted data for secret key and stored in password.conf.

 this code to get decrypted data while processing events was working fine for the addon.

 

 

 

helper.get_arg('access_key')

 

 

 

but After the addon upgrade using addon builder V-4.X.X

the same code  returning ***** instead of actual value.

what might be the issue? is something needs to do before upgrading?

or is there any other ways to get decrypted data from password.conf file?

Labels (2)
0 Karma

pdudhaiya
Splunk Employee
Splunk Employee

Tested this out some more and was able to reproduce this.

 

Reason

For AOB version 3.x, the encrypted field is stored with 8 stars (********) in the conf file.

For example,

[test_input_1]

index = main

access_key = ********

 

For AOB version 4.x, the encrypted field is stored with 6 stars (******) in the conf file.

For example,

[test_input_1]

index = main

access_key = ******

 

Considering your issue, old test input has access key value with 8 stars because it was created using AOB 3.x After upgrade to AOB 4.x, the code is now designed to handle values with 6 stars. Thus, it will not be able to decrypt access key value of old input as it contains 8 stars.

This is a breaking change from AOB 3.x to 4.x which I think isn't documented anywhere. I'll create a ticket to make sure this is documented.

 

Conclusion

I think the user will have to reconfigure the inputs after upgrade for this one unfortunately 😞 .

Tags (4)
0 Karma

pdudhaiya
Splunk Employee
Splunk Employee

Filed a bug for this : ADDON-54501
Filed a doc task to update the documentation for this : ADDON-54497

ashwini
Engager

@pdudhaiya  Thanks for your response. We recommended users to edit old inputs, fill secret keys and save after upgrading.  

Tags (2)
0 Karma

pdudhaiya
Splunk Employee
Splunk Employee

Hi @ashwini ,

I tried to reproduce this issue but was not able to. I created a new add-on and created a mod-input to read the password field from the configuration file. The add-on builder was then upgraded from 3.0.1 to 4.1.1. In that case also, I can get the password field via the old input configured.

Can you please let me know the following things to help me understand the issue better? :

1. what EXACT versions of add-on builder did you upgrade FROM and TO?

2. What is the Splunk version you are using?

3. Is the add-on you are referring to published on the Splunk-base or can I obtain it from somewhere? It would be great if I can actually see the code.

4. Also, can you please provide detailed steps of reproduction?

5. Was the input already configured in your add-on along with add-on builder on the same machine and then you upgraded the add-on builder OR; was it imported to add-on builder 4.x and then you configured the input?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Hmm. Doesn't that seem like a desired behavior these days for password fields to not show/expose passwords upon editing? What I'm hearing is that the new version of Add-on Builder has stronger security implementations for upgraded apps. Did I get that right? Is this causing any problem like storing the wrong password?

0 Karma

ashwini
Engager

Thanks for the response @sloshburch ,

I get it the new version of AOB has stronger security implementations,

I am not facing any issues with storing and reading password field values for newly configured inputs I mean the inputs configured after upgrade.

my concern is for the old inputs which are configured before addon upgrade are not fetching events from AWS as the secret key(which is password input field) is encrypted and not getting actual value to connect to aws. 

Is this the behavior of addon's upgraded using new version? Doesn't they allow old inputs to run?

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...