Issue 5687 - UI - sensitive information disclosure
Bug Description: In several places either the clear text password or the password
                 hash can be read by unprivileged users.

Fix Description: When processing user entries do not attempt to decode
                 userpassword.  When setting the password for chaining or
                 replication agreements/repl manager write the password
                 to a temporary file that can be passed to the CLI.

                 Also, improved user add wizard allowing to search attributes

relates: #5687

Reviewed by: spichugi & vashirov (Thanks!!)
mreynolds389 committed Mar 6, 2023
1 parent 5a75518 commit 8483d60
Showing 19 changed files with 770 additions and 472 deletions.
12 changes: 10 additions & 2 deletions dirsrvtests/tests/suites/config/compact_test.py
Expand Up @@ -86,6 +86,13 @@ def test_compaction_interval_and_time(topo):
now = datetime.datetime.now()
current_hour = now.hour
current_minute = now.minute + 2

if current_minute >= 60:
# handle time wrapping/rollover
current_minute = current_minute - 60
# Bump to the next hour
current_hour += 1

if current_hour < 10:
hour = "0" + str(current_hour)
else:
Expand All @@ -94,6 +101,7 @@ def test_compaction_interval_and_time(topo):
minute = "0" + str(current_minute)
else:
minute = str(current_minute)

compact_time = hour + ":" + minute

# Set compaction TOD
Expand All @@ -102,10 +110,10 @@ def test_compaction_interval_and_time(topo):
inst.deleteErrorLogs(restart=True)

# Check compaction occurred as expected
time.sleep(60)
time.sleep(45)
assert not inst.searchErrorsLog("Compacting databases")

time.sleep(61)
time.sleep(90)
assert inst.searchErrorsLog("Compacting databases")
inst.deleteErrorLogs(restart=False)

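Review bot: The rollover block added before `if current_hour < 10:` wraps the minute but never wraps the hour, so a run in the last two minutes of the day builds a compaction time of `24:00` or `24:01`. Changing the increment to `current_hour = (current_hour + 1) % 24` keeps the value in range. How the server treats an hour of 24 is not visible here, but the final `assert inst.searchErrorsLog("Compacting databases")` would probably fail for such a run. The body of test_compaction_interval_and_time starts and ends outside these hunks.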
6 changes: 5 additions & 1 deletion src/cockpit/389-console/src/ds.jsx
Expand Up @@ -94,6 +94,7 @@ export class DSInstance extends React.Component {
backupRows: [],
notifications: [],
activeTabKey: 1,
createKey: 0,
wasActiveList: [],
progressValue: 0,
loadingOperate: false,
Expand Down Expand Up @@ -576,8 +577,10 @@ export class DSInstance extends React.Component {
}

openCreateInstanceModal() {
const key = this.state.createKey + 1;
this.setState({
showCreateInstanceModal: true
showCreateInstanceModal: true,
createKey: key
});
}

Expand Down Expand Up @@ -855,6 +858,7 @@ export class DSInstance extends React.Component {
{serverDropdown}
{mainPage}
<CreateInstanceModal
key={this.state.createKey}
showModal={this.state.showCreateInstanceModal}
closeHandler={this.closeCreateInstanceModal}
addNotification={this.addNotification}
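Review bot: Nothing in `openCreateInstanceModal` or at `key={this.state.createKey}` says why the key is incremented, and the reason is easy to lose. A new key makes React remount `CreateInstanceModal`, which appears to be the only thing that now discards the previous form state, including the typed Directory Manager password, since `resetModal` is removed in dsModals.jsx. A comment such as `// New key remounts CreateInstanceModal so no form state (including the password fields) carries over` would record that. Because the key changes only on open, the previous values presumably stay in component state after the modal closes until it is opened again; bumping `createKey` in `closeCreateInstanceModal`, which is outside these hunks, would drop them sooner.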
103 changes: 35 additions & 68 deletions src/cockpit/389-console/src/dsModals.jsx
Expand Up @@ -4,7 +4,7 @@ import PropTypes from "prop-types";
import { DoubleConfirmModal } from "./lib/notifications.jsx";
import { BackupTable } from "./lib/database/databaseTables.jsx";
import { BackupModal } from "./lib/database/backups.jsx";
import { log_cmd, bad_file_name, valid_dn } from "./lib/tools.jsx";
import { log_cmd, bad_file_name, valid_dn, callCmdStreamPassword } from "./lib/tools.jsx";
import {
Button,
Checkbox,
Expand Down Expand Up @@ -66,37 +66,6 @@ export class CreateInstanceModal extends React.Component {
this.handleCreateInstance = this.handleCreateInstance.bind(this);
this.validInstName = this.validInstName.bind(this);
this.validRootDN = this.validRootDN.bind(this);
this.resetModal = this.resetModal.bind(this);
}

componentDidMount() {
this.resetModal();
}

resetModal() {
this.setState({
createServerId: "",
createPort: 389,
createSecurePort: 636,
createDM: "cn=Directory Manager",
createDMPassword: "",
createDMPasswordConfirm: "",
createDBCheckbox: false,
createDBSuffix: "",
createDBName: "",
createTLSCert: true,
createInitDB: "noInit",
loadingCreate: false,
createOK: false,
modalMsg: "",
errObj: {
createServerId: true,
createDMPassword: true,
createDMPasswordConfirm: true,
createDBSuffix: false,
createDBName: false,
},
});
}

validInstName(name) {
Expand Down Expand Up @@ -210,35 +179,25 @@ export class CreateInstanceModal extends React.Component {
createDBCheckbox
} = this.state;
const { closeHandler, addNotification, loadInstanceList } = this.props;

let self_sign = "False";
if (createTLSCert) {
self_sign = "True";
}
let newServerId = createServerId;
newServerId = newServerId.replace(/^slapd-/i, ""); // strip "slapd-"
let setup_inf =
"[general]\n" +
"config_version = 2\n" +
"full_machine_name = FQDN\n\n" +
"[slapd]\n" +
"user = dirsrv\n" +
"group = dirsrv\n" +
"instance_name = INST_NAME\n" +
"port = PORT\n" +
"root_dn = ROOTDN\n" +
"root_password = ROOTPW\n" +
"secure_port = SECURE_PORT\n" +
"self_sign_cert = SELF_SIGN\n";

// Server ID
let newServerId = createServerId;
newServerId = newServerId.replace(/^slapd-/i, ""); // strip "slapd-"
setup_inf = setup_inf.replace("INST_NAME", newServerId);
setup_inf = setup_inf.replace("PORT", createPort);
setup_inf = setup_inf.replace("SECURE_PORT", createSecurePort);
setup_inf = setup_inf.replace("ROOTDN", createDM);
setup_inf = setup_inf.replace("ROOTPW", createDMPassword);
// Setup Self-Signed Certs
if (createTLSCert) {
setup_inf = setup_inf.replace("SELF_SIGN", "True");
} else {
setup_inf = setup_inf.replace("SELF_SIGN", "False");
}
"instance_name = " + newServerId + "\n" +
"port = " + createPort + "\n" +
"root_dn = " + createDM + "\n" +
// "root_password = ROOTPW\n" +
"secure_port = " + createSecurePort + "\n" +
"self_sign_cert = " + self_sign + "\n";

if (createDBCheckbox) {
setup_inf += "\n[backend-" + createDBName + "]\nsuffix = " + createDBSuffix + "\n";
Expand Down Expand Up @@ -361,20 +320,28 @@ export class CreateInstanceModal extends React.Component {
);
})
.done(_ => {
// Success!!! Now cleanup everything up...
log_cmd("handleCreateInstance", "Instance creation compelete, clean everything up...", rm_cmd);
cockpit.spawn(rm_cmd, { superuser: true }); // Remove Inf file with clear text password
this.setState({
loadingCreate: false
});

loadInstanceList(createServerId);
addNotification(
"success",
`Successfully created instance: slapd-${createServerId}`
);
closeHandler();
this.resetModal();
// Success!!! Now set Root DN pw, and cleanup everything up...
log_cmd("handleCreateInstance", "Instance creation compelete, remove INF file...", rm_cmd);
cockpit.spawn(rm_cmd, { superuser: true });

const dm_pw_cmd = ['dsconf', '-j', 'ldapi://%2fvar%2frun%2fslapd-' + newServerId + '.socket',
'directory_manager', 'password_change'];
const config = {
cmd: dm_pw_cmd,
promptArg: "",
passwd: createDMPassword,
addNotification: addNotification,
success_msg: `Successfully created instance: slapd-${createServerId}`,
error_msg: "Failed to set Directory Manager password",
state_callback: () => { this.setState({ loadingCreate: false }) },
reload_func: loadInstanceList,
reload_arg: createServerId,
ext_func: closeHandler,
ext_arg: "",
funcName: "handleCreateInstance",
funcDesc: "Set Directory Manager password..."
};
callCmdStreamPassword(config);
});
});
});
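Review bot: In the `.done` handler of `handleCreateInstance` the instance already exists by the time the `dsconf ... directory_manager password_change` command runs, so if that step fails the administrator is left with an instance whose Directory Manager password is not the one typed into the form, and `error_msg` does not say so. Since `root_password` is no longer written to the INF file, the initial password is presumably whatever the installer picks on its own, which is not visible here. I would make the message explicit, e.g. `error_msg: "Instance was created, but setting the Directory Manager password failed",`, and confirm that `callCmdStreamPassword`, defined outside this section, still runs `state_callback` and `reload_func` on failure. The leftover `// "root_password = ROOTPW\n" +` line is better replaced by a comment saying the password is deliberately kept out of the INF file and set afterwards over LDAPI.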
43 changes: 17 additions & 26 deletions src/cockpit/389-console/src/lib/database/chaining.jsx
@@ -1,7 +1,7 @@
import cockpit from "cockpit";
import React from "react";
import { DoubleConfirmModal } from "../notifications.jsx";
import { log_cmd } from "../tools.jsx";
import { log_cmd, callCmdStreamPassword } from "../tools.jsx";
import {
Button,
Checkbox,
Expand Down Expand Up @@ -1162,6 +1162,7 @@ export class ChainingConfig extends React.Component {

saveLink() {
const missingArgs = {};
let bind_pw = "";
let errors = false;

if (this.state.nsfarmserverurl == "") {
Expand Down Expand Up @@ -1225,7 +1226,7 @@ export class ChainingConfig extends React.Component {
cmd.push('--bind-dn=' + this.state.nsmultiplexorbinddn);
}
if (this.state.nsmultiplexorcredentials != this.state._nsmultiplexorcredentials) {
cmd.push('--bind-pw=' + this.state.nsmultiplexorcredentials);
bind_pw = this.state.nsmultiplexorcredentials
}
if (this.state.timelimit != this.state._timelimit) {
cmd.push('--time-limit=' + this.state.timelimit);
Expand Down Expand Up @@ -1298,30 +1299,20 @@ export class ChainingConfig extends React.Component {
saving: true
});
// Something changed, perform the update
log_cmd("saveLink", "Save chaining link config", cmd);
cockpit
.spawn(cmd, { superuser: true, err: "message" })
.done(content => {
this.props.reload(this.props.suffix);
this.props.addNotification(
"success",
`Successfully Updated Link Configuration`
);
this.setState({
saving: false
});
})
.fail(err => {
const errMsg = JSON.parse(err);
this.props.reload(this.props.suffix);
this.props.addNotification(
"error",
`Failed to update link configuration - ${errMsg.desc}`
);
this.setState({
saving: false
});
});
const config = {
cmd: cmd,
promptArg: "--bind-pw-prompt",
passwd: bind_pw,
addNotification: this.props.addNotification,
success_msg: "Successfully Updated Link Configuration",
error_msg: "Failed to update link configuration",
state_callback: () => { this.setState({ saving: false }) },
reload_func: this.props.reload,
reload_arg: this.props.suffix,
funcName: "saveLink",
funcDesc: "Save chaining link config"
};
callCmdStreamPassword(config);
}
}

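Review bot: In `saveLink`, `bind_pw` stays `""` whenever the credentials field is unchanged, yet the `config` object always passes `promptArg: "--bind-pw-prompt"` together with `passwd: bind_pw`. Unless `callCmdStreamPassword` (imported from tools.jsx, not shown in this section) drops the prompt argument for an empty password, saving any other link setting could replace the stored bind password with an empty one. Passing the argument only when there is something to send, `promptArg: bind_pw !== "" ? "--bind-pw-prompt" : "",`, or a comment at the `config` object stating that the helper handles the empty case, would settle this. The new assignment `bind_pw = this.state.nsmultiplexorcredentials` is also missing its semicolon.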
20 changes: 10 additions & 10 deletions src/cockpit/389-console/src/lib/database/databaseConfig.jsx
Expand Up @@ -398,7 +398,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
unit="%"
/>
</GridItem>
Expand All @@ -422,7 +422,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand Down Expand Up @@ -623,7 +623,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand All @@ -646,7 +646,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand All @@ -669,7 +669,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand All @@ -692,7 +692,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand All @@ -715,7 +715,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand Down Expand Up @@ -810,7 +810,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand Down Expand Up @@ -922,7 +922,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
Expand All @@ -945,7 +945,7 @@ export class GlobalDatabaseConfig extends React.Component {
inputAriaLabel="number input"
minusBtnAriaLabel="minus"
plusBtnAriaLabel="plus"
widthChars={8}
widthChars={10}
/>
</GridItem>
</Grid>
