mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
86b073a7f0
Validate that the change_password and login_password endpoints verify the HTTP Referer header. There is some overlap in the tests: belt and suspenders. All endpoints except session/login_x509 are covered, sometimes having to rely on expected bad results (see the i18n endpoint). session/login_x509 is not tested yet as it requires significant additional setup in order to associate a user certificate with a user entry, etc. This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf and adding: Satisfy Any Require all granted Then comment out Auth and SSLVerify, etc. and restart httpd. With a valid Referer will fail with a 401 and log that there is no KRB5CCNAME. This comes after the referer check. With an invalid Referer it will fail with a 400 Bad Request as expected. CVE-2023-5455 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
121 lines
4.3 KiB
Python
121 lines
4.3 KiB
Python
# Authors:
|
|
# Martin Kosek <mkosek@redhat.com>
|
|
#
|
|
# Copyright (C) 2012 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import pytest
|
|
|
|
from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
|
|
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
|
|
from ipatests.util import assert_equal
|
|
from ipalib import api, errors
|
|
from ipapython.dn import DN
|
|
from ipapython.ipaldap import ldap_initialize
|
|
|
|
testuser = u'tuser'
|
|
old_password = u'old_password'
|
|
new_password = u'new_password'
|
|
|
|
|
|
@pytest.mark.tier1
|
|
class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):
|
|
app_uri = '/ipa/session/change_password'
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def changepw_setup(self, request):
|
|
try:
|
|
api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User')
|
|
api.Command['passwd'](testuser, password=u'old_password')
|
|
except errors.ExecutionError as e:
|
|
pytest.skip(
|
|
'Cannot set up test user: %s' % e
|
|
)
|
|
|
|
def fin():
|
|
try:
|
|
api.Command['user_del']([testuser])
|
|
except errors.NotFound:
|
|
pass
|
|
|
|
request.addfinalizer(fin)
|
|
|
|
def _changepw(self, user, old_password, new_password, host=None):
|
|
return self.send_request(params={'user': str(user),
|
|
'old_password' : str(old_password),
|
|
'new_password' : str(new_password)},
|
|
host=host
|
|
)
|
|
|
|
def _checkpw(self, user, password):
|
|
dn = str(DN(('uid', user), api.env.container_user, api.env.basedn))
|
|
conn = ldap_initialize(api.env.ldap_uri)
|
|
try:
|
|
conn.simple_bind_s(dn, password)
|
|
finally:
|
|
conn.unbind_s()
|
|
|
|
def test_bad_options(self):
|
|
for params in (None, # no params
|
|
{'user': 'foo'}, # missing options
|
|
{'user': 'foo',
|
|
'old_password' : 'old'}, # missing option
|
|
{'user': 'foo',
|
|
'old_password' : 'old',
|
|
'new_password' : ''}, # empty option
|
|
):
|
|
response = self.send_request(params=params)
|
|
assert_equal(response.status, 400)
|
|
assert_equal(response.reason, 'Bad Request')
|
|
|
|
def test_invalid_auth(self):
|
|
response = self._changepw(testuser, 'wrongpassword', 'new_password')
|
|
|
|
assert_equal(response.status, 200)
|
|
assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'invalid-password')
|
|
|
|
# make sure that password is NOT changed
|
|
self._checkpw(testuser, old_password)
|
|
|
|
def test_invalid_referer(self):
|
|
response = self._changepw(testuser, old_password, new_password,
|
|
'attacker.test')
|
|
|
|
assert_equal(response.status, 400)
|
|
|
|
# make sure that password is NOT changed
|
|
self._checkpw(testuser, old_password)
|
|
|
|
def test_pwpolicy_error(self):
|
|
response = self._changepw(testuser, old_password, '1')
|
|
|
|
assert_equal(response.status, 200)
|
|
assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'policy-error')
|
|
assert_equal(response.getheader('X-IPA-Pwchange-Policy-Error'),
|
|
'Constraint violation: Password is too short')
|
|
|
|
# make sure that password is NOT changed
|
|
self._checkpw(testuser, old_password)
|
|
|
|
def test_pwpolicy_success(self):
|
|
response = self._changepw(testuser, old_password, new_password)
|
|
|
|
assert_equal(response.status, 200)
|
|
assert_equal(response.getheader('X-IPA-Pwchange-Result'), 'ok')
|
|
|
|
# make sure that password IS changed
|
|
self._checkpw(testuser, new_password)
|