mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-11 00:31:56 -06:00
86b073a7f0
Validate that the change_password and login_password endpoints verify the HTTP Referer header. There is some overlap in the tests: belt and suspenders. All endpoints except session/login_x509 are covered, sometimes having to rely on expected bad results (see the i18n endpoint). session/login_x509 is not tested yet as it requires significant additional setup in order to associate a user certificate with a user entry, etc. This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf and adding: Satisfy Any Require all granted Then comment out Auth and SSLVerify, etc. and restart httpd. With a valid Referer will fail with a 401 and log that there is no KRB5CCNAME. This comes after the referer check. With an invalid Referer it will fail with a 400 Bad Request as expected. CVE-2023-5455 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
137 lines
5.1 KiB
Python
137 lines
5.1 KiB
Python
# Copyright (C) 2023 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import os
|
|
import pytest
|
|
import uuid
|
|
|
|
from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
|
|
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
|
|
from ipatests.util import assert_equal
|
|
from ipalib import api, errors
|
|
from ipapython.ipautil import run
|
|
|
|
testuser = u'tuser'
|
|
password = u'password'
|
|
|
|
|
|
@pytest.mark.tier1
|
|
class test_referer(XMLRPC_test, Unauthorized_HTTP_test):
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def login_setup(self, request):
|
|
ccache = os.path.join('/tmp', str(uuid.uuid4()))
|
|
tokenid = None
|
|
try:
|
|
api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User')
|
|
api.Command['passwd'](testuser, password=password)
|
|
run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password),
|
|
env={"KRB5CCNAME": ccache})
|
|
result = api.Command["otptoken_add"](
|
|
type='HOTP', description='testotp',
|
|
ipatokenotpalgorithm='sha512', ipatokenowner=testuser,
|
|
ipatokenotpdigits='6')
|
|
tokenid = result['result']['ipatokenuniqueid'][0]
|
|
except errors.ExecutionError as e:
|
|
pytest.skip(
|
|
'Cannot set up test user: %s' % e
|
|
)
|
|
|
|
def fin():
|
|
try:
|
|
api.Command['user_del']([testuser])
|
|
api.Command['otptoken_del']([tokenid])
|
|
except errors.NotFound:
|
|
pass
|
|
os.unlink(ccache)
|
|
|
|
request.addfinalizer(fin)
|
|
|
|
def _request(self, params={}, host=None):
|
|
# implicit is that self.app_uri is set to the appropriate value
|
|
return self.send_request(params=params, host=host)
|
|
|
|
def test_login_password_valid(self):
|
|
"""Valid authentication of a user"""
|
|
self.app_uri = "/ipa/session/login_password"
|
|
response = self._request(
|
|
params={'user': 'tuser', 'password': password})
|
|
assert_equal(response.status, 200, self.app_uri)
|
|
|
|
def test_change_password_valid(self):
|
|
"""This actually changes the user password"""
|
|
self.app_uri = "/ipa/session/change_password"
|
|
response = self._request(
|
|
params={'user': 'tuser',
|
|
'old_password': password,
|
|
'new_password': 'new_password'}
|
|
)
|
|
assert_equal(response.status, 200, self.app_uri)
|
|
|
|
def test_sync_token_valid(self):
|
|
"""We aren't testing that sync works, just that we can get there"""
|
|
self.app_uri = "/ipa/session/sync_token"
|
|
response = self._request(
|
|
params={'user': 'tuser',
|
|
'first_code': '1234',
|
|
'second_code': '5678',
|
|
'password': 'password'})
|
|
assert_equal(response.status, 200, self.app_uri)
|
|
|
|
def test_i18n_messages_valid(self):
|
|
# i18n_messages requires a valid JSON request and we send
|
|
# nothing. If we get a 500 error then it got past the
|
|
# referer check.
|
|
self.app_uri = "/ipa/i18n_messages"
|
|
response = self._request()
|
|
assert_equal(response.status, 500, self.app_uri)
|
|
|
|
# /ipa/session/login_x509 is not tested yet as it requires
|
|
# significant additional setup.
|
|
# This can be manually verified by adding
|
|
# Satisfy Any and Require all granted to the configuration
|
|
# section and comment out all Auth directives. The request
|
|
# will fail and log that there is no KRB5CCNAME which comes
|
|
# after the referer check.
|
|
|
|
def test_endpoints_auth_required(self):
|
|
"""Test endpoints that require pre-authorization which will
|
|
fail before we even get to the Referer check
|
|
"""
|
|
self.endpoints = {
|
|
"/ipa/xml",
|
|
"/ipa/session/login_kerberos",
|
|
"/ipa/session/json",
|
|
"/ipa/session/xml"
|
|
}
|
|
for self.app_uri in self.endpoints:
|
|
response = self._request(host="attacker.test")
|
|
|
|
# referer is checked after auth
|
|
assert_equal(response.status, 401, self.app_uri)
|
|
|
|
def notest_endpoints_invalid(self):
|
|
"""Pass in a bad Referer, expect a 400 Bad Request"""
|
|
self.endpoints = {
|
|
"/ipa/session/login_password",
|
|
"/ipa/session/change_password",
|
|
"/ipa/session/sync_token",
|
|
}
|
|
for self.app_uri in self.endpoints:
|
|
response = self._request(host="attacker.test")
|
|
|
|
assert_equal(response.status, 400, self.app_uri)
|