diff options
author | Devaev Maxim <[email protected]> | 2020-05-15 17:30:14 +0300 |
---|---|---|
committer | Devaev Maxim <[email protected]> | 2020-05-16 17:35:10 +0300 |
commit | 2eef3061ce8e3222da7864bfe4fd2bf767b5e5f1 (patch) | |
tree | f9adc498cc1ebc5362489bd9ae550a36dec4f0a0 | |
parent | a364e689c6d944be90ce80ad34594b21309cdb05 (diff) |
improved security checks
-rw-r--r-- | kvmd/apps/ipmi/auth.py | 4 | ||||
-rw-r--r-- | kvmd/apps/kvmd/auth.py | 4 | ||||
-rw-r--r-- | kvmd/apps/vnc/rfb/__init__.py | 56 | ||||
-rw-r--r-- | kvmd/apps/vnc/vncauth.py | 2 | ||||
-rw-r--r-- | kvmd/plugins/auth/htpasswd.py | 2 | ||||
-rw-r--r-- | kvmd/plugins/auth/http.py | 2 | ||||
-rw-r--r-- | kvmd/plugins/auth/pam.py | 2 |
7 files changed, 46 insertions, 26 deletions
diff --git a/kvmd/apps/ipmi/auth.py b/kvmd/apps/ipmi/auth.py index 6b33216a..29804140 100644 --- a/kvmd/apps/ipmi/auth.py +++ b/kvmd/apps/ipmi/auth.py @@ -70,9 +70,13 @@ class IpmiAuthManager: (ipmi_user, ipmi_passwd) = left.split(":") ipmi_user = ipmi_user.strip() + if len(ipmi_user) == 0: + raise IpmiPasswdError(f"Empty IPMI user (left) at line #{number}") (kvmd_user, kvmd_passwd) = right.split(":") kvmd_user = kvmd_user.strip() + if len(kvmd_user) == 0: + raise IpmiPasswdError(f"Empty KVMD user (left) at line #{number}") if ipmi_user in credentials: raise IpmiPasswdError(f"Found duplicating user {ipmi_user!r} (left) at line #{number}") diff --git a/kvmd/apps/kvmd/auth.py b/kvmd/apps/kvmd/auth.py index 5e3551b5..e75c7e40 100644 --- a/kvmd/apps/kvmd/auth.py +++ b/kvmd/apps/kvmd/auth.py @@ -71,6 +71,8 @@ class AuthManager: return self.__enabled async def authorize(self, user: str, passwd: str) -> bool: + assert user == user.strip() + assert user assert self.__enabled assert self.__internal_service @@ -87,6 +89,8 @@ class AuthManager: return ok async def login(self, user: str, passwd: str) -> Optional[str]: + assert user == user.strip() + assert user assert self.__enabled if (await self.authorize(user, passwd)): for (token, token_user) in self.__tokens.items(): diff --git a/kvmd/apps/vnc/rfb/__init__.py b/kvmd/apps/vnc/rfb/__init__.py index 600920bf..70ed087d 100644 --- a/kvmd/apps/vnc/rfb/__init__.py +++ b/kvmd/apps/vnc/rfb/__init__.py @@ -277,54 +277,58 @@ class RfbClient(RfbClientStream): # pylint: disable=too-many-instance-attribute async def __handshake_security_vencrypt_userpass(self) -> None: (user_length, passwd_length) = await self._read_struct("LL") - user = await self._read_text(user_length) + user = (await self._read_text(user_length)).strip() passwd = await self._read_text(passwd_length) - ok = await self._authorize_userpass(user, passwd) - await self.__handshake_security_send_result(ok, user) + allow = await self._authorize_userpass(user, passwd) + if allow: + assert user + await self.__handshake_security_send_result( + allow=allow, + allow_msg=f"Access granted for user {user!r}", + deny_msg=f"Access denied for user {user!r}", + deny_reason="Invalid username or password", + ) async def __handshake_security_none(self) -> None: - ok = await self._on_authorized_none() - await self.__handshake_security_send_result(ok, "") + allow = await self._on_authorized_none() + await self.__handshake_security_send_result( + allow=allow, + allow_msg="NoneAuth access granted", + deny_msg="NoneAuth access denied", + deny_reason="Access denied", + ) async def __handshake_security_vnc_auth(self) -> None: challenge = rfb_make_challenge() await self._write_struct("", challenge) - (ok, user) = (False, "") + user = "" response = (await self._read_struct("16s"))[0] for passwd in self.__vnc_passwds: passwd_bytes = passwd.encode("utf-8", errors="ignore") if rfb_encrypt_challenge(challenge, passwd_bytes) == response: user = await self._on_authorized_vnc_passwd(passwd) if user: - ok = True + assert user == user.strip() break - await self.__handshake_security_send_result(ok, user) + await self.__handshake_security_send_result( + allow=bool(user), + allow_msg="VNCAuth access granted for user {user!r}", + deny_msg="VNCAuth access denied (user not found)", + deny_reason="Invalid password", + ) - async def __handshake_security_send_result(self, ok: bool, user: str) -> None: - if ok: - if self.__none_auth_only: - assert len(user) == 0 - get_logger(0).info("[main] Client %s: Anonymous access granted", self._remote) - else: - assert user - get_logger(0).info("[main] Client %s: Access granted for user %r", self._remote, user) + async def __handshake_security_send_result(self, allow: bool, allow_msg: str, deny_msg: str, deny_reason: str) -> None: + if allow: + get_logger(0).info("[main] Client %s: %s", self._remote, allow_msg) await self._write_struct("L", 0) else: await self._write_struct("L", 1, drain=(self.__rfb_version < 8)) - if self.__none_auth_only: - reason = msg = "Anonymous access denied" - elif user: - reason = "Invalid username or password" - msg = f"Access denied for user {user!r}" - else: - reason = "Invalid password" - msg = "Access denied" if self.__rfb_version >= 8: - await self._write_reason(reason) - raise RfbError(msg) + await self._write_reason(deny_reason) + raise RfbError(deny_msg) # ===== diff --git a/kvmd/apps/vnc/vncauth.py b/kvmd/apps/vnc/vncauth.py index 2a66ee1d..b27d74d5 100644 --- a/kvmd/apps/vnc/vncauth.py +++ b/kvmd/apps/vnc/vncauth.py @@ -81,6 +81,8 @@ class VncAuthManager: (kvmd_user, kvmd_passwd) = kvmd_userpass.split(":") kvmd_user = kvmd_user.strip() + if len(kvmd_user) == 0: + raise VncAuthError(f"Empty KVMD user (right part) at line #{number}") if vnc_passwd in credentials: raise VncAuthError(f"Found duplicating VNC password (left part) at line #{number}") diff --git a/kvmd/plugins/auth/htpasswd.py b/kvmd/plugins/auth/htpasswd.py index 94e29711..045475f8 100644 --- a/kvmd/plugins/auth/htpasswd.py +++ b/kvmd/plugins/auth/htpasswd.py @@ -43,5 +43,7 @@ class Plugin(BaseAuthService): } async def authorize(self, user: str, passwd: str) -> bool: + assert user == user.strip() + assert user htpasswd = passlib.apache.HtpasswdFile(self.__path) return htpasswd.check_password(user, passwd) diff --git a/kvmd/plugins/auth/http.py b/kvmd/plugins/auth/http.py index 66e23ea1..4cba34fe 100644 --- a/kvmd/plugins/auth/http.py +++ b/kvmd/plugins/auth/http.py @@ -71,6 +71,8 @@ class Plugin(BaseAuthService): } async def authorize(self, user: str, passwd: str) -> bool: + assert user == user.strip() + assert user session = self.__ensure_session() try: async with session.request( diff --git a/kvmd/plugins/auth/pam.py b/kvmd/plugins/auth/pam.py index bb364c8c..bcdde5e4 100644 --- a/kvmd/plugins/auth/pam.py +++ b/kvmd/plugins/auth/pam.py @@ -67,6 +67,8 @@ class Plugin(BaseAuthService): } async def authorize(self, user: str, passwd: str) -> bool: + assert user == user.strip() + assert user async with self.__lock: return (await aiotools.run_async(self.__inner_authorize, user, passwd)) |