Skip to content

fix: Change encoding from HMAC to AES when setting secret key #26487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix: Change encoding from HMAC to AES when setting secret key #26487

wants to merge 3 commits into from

Conversation

@auden-woolfson
Copy link
Contributor

@auden-woolfson auden-woolfson commented Oct 30, 2025

Description

This is required to stop failures on the refresh token secret key property

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Change encoding of refresh token secret key to AES

@auden-woolfson auden-woolfson requested a review from a team as a code owner October 30, 2025 20:05
@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Oct 30, 2025
@prestodb-ci prestodb-ci requested review from a team, ShahimSharafudeen and nmahadevuni and removed request for a team October 30, 2025 20:05
@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Oct 30, 2025
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates RefreshTokensConfig to interpret provided Base64-encoded secret keys as raw AES keys instead of HMAC-SHA keys, addressing failures in refresh token secret key property.

Class diagram for updated RefreshTokensConfig secret key handling

classDiagram
    class RefreshTokensConfig {
        -SecretKey secretKey
        +RefreshTokensConfig setSecretKey(String key)
    }
    class SecretKeySpec {
        +SecretKeySpec(byte[] key, String algorithm)
    }
    RefreshTokensConfig --> SecretKeySpec : uses for AES key
Loading

Flow diagram for secret key encoding change from HMAC to AES

flowchart TD
    A["Base64-encoded key input"] --> B["Decode key bytes"]
    B --> C["Create SecretKeySpec with AES algorithm"]
    C --> D["Assign to secretKey property"]
Loading

File-Level Changes

Change Details Files
Switch refresh token secret key decoding from HMAC to AES
  • Removed Keys.hmacShaKeyFor and its HMAC-based key derivation
  • Replaced with new SecretKeySpec using algorithm "AES"
  • Continued decoding the key bytes via Decoders.BASE64.decode
  • Kept method signature and fluent return style
 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/RefreshTokensConfig.java
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Oct 30, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

tdcmeehan
tdcmeehan reviewed Oct 30, 2025
View reviewed changes
presto-main/src/main/java/com/facebook/presto/server/security/oauth2/RefreshTokensConfig.java
}

secretKey = Keys.hmacShaKeyFor(Decoders.BASE64.decode(key));
secretKey = new SecretKeySpec(Decoders.BASE64.decode(key), "AES");
Copy link
Contributor

@tdcmeehan tdcmeehan Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The corresponding Trino PR had a test, is it applicable here, and if so could you add it? trinodb/trino@3c687c3

@tdcmeehan tdcmeehan requested a review from yhwang October 31, 2025 17:44
yhwang
yhwang reviewed Nov 3, 2025
View reviewed changes
Copy link
Member

@yhwang yhwang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just left a minor question, and the changes look good to me

yhwang
yhwang approved these changes Nov 5, 2025
View reviewed changes
Copy link
Member

@yhwang yhwang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

@auden-woolfson auden-woolfson force-pushed the fix_refresh_token_key_encoding_oss branch 2 times, most recently from 81df6d6 to 02d3235 Compare November 10, 2025 21:11
@auden-woolfson auden-woolfson force-pushed the fix_refresh_token_key_encoding_oss branch from 02d3235 to c6be714 Compare November 13, 2025 22:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@yhwang yhwang yhwang approved these changes

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@nmahadevuni nmahadevuni Awaiting requested review from nmahadevuni nmahadevuni was automatically assigned from prestodb/ibm-reviewers

@ShahimSharafudeen ShahimSharafudeen Awaiting requested review from ShahimSharafudeen ShahimSharafudeen was automatically assigned from prestodb/ibm-reviewers

Assignees

No one assigned

Labels

from:IBM PR from IBM

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@auden-woolfson @yhwang @tdcmeehan @prestodb-ci