Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to pass specific characters password to ElasticSearch through Sulu/ArticleBundle #1391

Open
Braskalyne opened this issue Feb 5, 2024 · 5 comments

Comments

@Braskalyne
Copy link

Elasticsearch Version

6.8.0

Installed Plugins

Sulu - SuluArticle/Bundle

Java Version

bundled

OS Version

Ubuntu 20.04

Problem Description

I'm working on a project using Sulu 2.4.15 - php 8.2 - Symfony 5.5 - Sulu/Article-bundle 2.5.1

I usually use ElasticSearch with Sulu, which is recommended as standard. But until now, I've never secured the ElasticSearch connection via login/password.
For this project, our customer is imposing a password made up of special characters, but I can't get in.
For my example, I have an elastic 6.8.0 image:
Capture d’écran de 2024-02-01 13-46-28
The password is "toto?"
When I access my ES via Curl by encoding the password ( toto%3F ) I have no problem:
Capture d’écran de 2024-02-01 13-48-46

But when I try to run a command that requires connecting to ElasticSearch from Sulu/ArticleBundle, like a sulu:article:reindex , I can't authenticate (1st screen is my .env.local, 2nd screen is the command on the left / the logs of ES on the right)

Capture d’écran de 2024-02-01 13-53-00

Capture d’écran de 2024-02-01 13-53-33

However, if I set the password in my ES docker to "toto" and remove %3F from my .env url, I don't have any connection problems. The problem comes from the special character "?

Digging through the error messages, I came across this file :
vendor/elasticsearch/elasticsearch/src/Elasticsearch/Connections/Connection.php

And I realized that just before the query, the string was not decoded. If I modify it manually at this point, either by using an urldecode function or by hard-coding it, then I'm able to connect & do my reindex : (lines 235 and 236 both operate) :

Capture d’écran de 2024-02-01 13-58-01

But I don't understand why I need to manually "urldecode" my string, and this solution isn't viable since it's in the vendor/ folder.

I feel like I've searched in multiple places, asked on Slack Sulu, but I can't find any answer for what seems to be a very basic concern.

I've already tried it in my .env :

ELASTICSEARCH_HOST=http://elastic:toto%[email protected]:9200
ELASTICSEARCH_HOST="http://elastic:toto%[email protected]:9200"
ELASTICSEARCH_HOST=http://elastic:[email protected]:9200
ELASTICSEARCH_HOST=http://elastic:toto\%[email protected]:9200
ELASTICSEARCH_HOST=http://elastic:toto\[email protected]:9200
ELASTICSEARCH_HOST=http://elastic:toto%%[email protected]:9200
etc...

Thanks a lot !

Steps to Reproduce

Install ES 6.8.0 :

cat docker-compose.yml 
version: '3,7'

services:
  elasticsearch:
   image: elasticsearch:6.8.0
   ports:
     - 9200:9200
   environment:
     - discovery.type=single-node
     - ELASTIC_PASSWORD=toto?
     - xpack.security.enabled=true

Install a 2.5 Sulu project : https://docs.sulu.io/en/2.5/
Install Sulu/ArticleBundle 2.5 : https://github.com/sulu/SuluArticleBundle

Try a command like

bin/console sulu:article:reindex

Logs (if relevant)

Capture d’écran de 2024-02-01 14-03-21

@Braskalyne
Copy link
Author

I forgot to mention: I tried with a new Sulu project and an ES 7.17 image and had exactly the same problem.

@ezimuel
Copy link
Contributor

ezimuel commented Feb 9, 2024

I'm not familiar with Sulu, so I can only try to help. Moreover, we are not supporting anymore 6.x of elasticsearch-php.
That said, did you try to use the double quotation to set the URL?

For instance:

ELASTICSEARCH_HOST="http://elastic:[email protected]:9200"

or

ELASTIC_PASSWORD="toto?"

The ? character is not allowed in the URL so this will be encoded at the end with %3F but the encoding is managed by elasticsearch-php itself.

@Braskalyne
Copy link
Author

I'm trying with a 7.17 image just to be sure.
If i'm trying

ELASTICSEARCH_HOST="http://elastic:[email protected]:9200"

i got

In ClientBuilder.php line 811:
                                                              
  Could not parse URI: "http://elastic:[email protected]:9200"  

@ezimuel
Copy link
Contributor

ezimuel commented Apr 15, 2024

@Braskalyne sorry for the late reply. DId you solve this or is still an issue?
I'm wondering, the ELASTIC_PASSWORD that you used in the docker compose is an env variable that you created or something managed by Sulu?
Instead of passing the username:password in the URL you can also use the setBasicAuthentication() function of the ClientBuilder, as follows:

$client = ClientBuilder::create()
   ->setHosts(['127.0.0.1:9200'])
   ->setBasicAuthentication('elastic', 'toto?')
   ->build();

@Braskalyne
Copy link
Author

@ezimuel

In the end, I tested several characters 1 by 1 to determine which would pass through the string and which would break the connection, so as to be able to offer the security team enough characters to make the password secure. Here are the ones I tested:

Work: .!*&~;_-$()
Not working: ?@#^[]{}%.

For example, (Tp3&(..!56xV--_&$ is working

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants