I have a modular input, which accepts AWS credentials while configuring input for the addon. In that secret key field is password type field. So after inputs are saved into input.conf, it creates a encrypted data for secret key and stored in password.conf.
this code to get decrypted data while processing events was working fine for the addon.
but After the addon upgrade using addon builder V-4.X.X
the same code returning ***** instead of actual value.
what might be the issue? is something needs to do before upgrading?
or is there any other ways to get decrypted data from password.conf file?
Tested this out some more and was able to reproduce this.
For AOB version 3.x, the encrypted field is stored with 8 stars (********) in the conf file.
index = main
access_key = ********
For AOB version 4.x, the encrypted field is stored with 6 stars (******) in the conf file.
index = main
access_key = ******
Considering your issue, old test input has access key value with 8 stars because it was created using AOB 3.x After upgrade to AOB 4.x, the code is now designed to handle values with 6 stars. Thus, it will not be able to decrypt access key value of old input as it contains 8 stars.
This is a breaking change from AOB 3.x to 4.x which I think isn't documented anywhere. I'll create a ticket to make sure this is documented.
I think the user will have to reconfigure the inputs after upgrade for this one unfortunately 😞 .
Hi @ashwini ,
I tried to reproduce this issue but was not able to. I created a new add-on and created a mod-input to read the password field from the configuration file. The add-on builder was then upgraded from 3.0.1 to 4.1.1. In that case also, I can get the password field via the old input configured.
Can you please let me know the following things to help me understand the issue better? :
1. what EXACT versions of add-on builder did you upgrade FROM and TO?
2. What is the Splunk version you are using?
3. Is the add-on you are referring to published on the Splunk-base or can I obtain it from somewhere? It would be great if I can actually see the code.
4. Also, can you please provide detailed steps of reproduction?
5. Was the input already configured in your add-on along with add-on builder on the same machine and then you upgraded the add-on builder OR; was it imported to add-on builder 4.x and then you configured the input?
Hmm. Doesn't that seem like a desired behavior these days for password fields to not show/expose passwords upon editing? What I'm hearing is that the new version of Add-on Builder has stronger security implementations for upgraded apps. Did I get that right? Is this causing any problem like storing the wrong password?
Thanks for the response @sloshburch ,
I get it the new version of AOB has stronger security implementations,
I am not facing any issues with storing and reading password field values for newly configured inputs I mean the inputs configured after upgrade.
my concern is for the old inputs which are configured before addon upgrade are not fetching events from AWS as the secret key(which is password input field) is encrypted and not getting actual value to connect to aws.
Is this the behavior of addon's upgraded using new version? Doesn't they allow old inputs to run?