Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ldap-auth) credential rate-limiting and hashing of cache key #5497

Merged
merged 2 commits into from
Jan 29, 2020
Merged

fix(ldap-auth) credential rate-limiting and hashing of cache key #5497

merged 2 commits into from
Jan 29, 2020

Conversation

bungle
Copy link
Member

@bungle bungle commented Jan 24, 2020
edited
Loading

Summary

fix(ldap-auth) credential to have id for rate-limiting

Currently ldap-auth does set virtual credential in context on authentication, but that virtual credential does not have id which means that rate-limiting plugin cannot rate-limit by the credential, and thus fall-backs to rate-limit by ip.

This commit adds cache_key as id for that virtual credential.

fix(ldap-auth) hash cache key

Currently ldap-auth does seem to use username and password in a cache_key in plain. This is potentially dangerous and may be leaked through it to different places:

  • memory
  • admin api
    • logs

This commit fixes that by calling sha1_bin on that when generating a cache key. It also drops the use of md5.

Issues resolved

Fix #4129

@bungle bungle requested a review from p0pr0ck5 January 24, 2020 09:00
@bungle bungle changed the title Fix/ldap credential ratelimiting fix(ldap-auth) credential rate-limiting and hashing of cache key Jan 24, 2020
@bungle
Copy link
Member Author

bungle commented Jan 24, 2020

Let me know if this can be rebased to master even when it does change the cache_key.

kikito
kikito requested changes Jan 24, 2020
View reviewed changes
kong/plugins/ldap-auth/access.lua Outdated Show resolved Hide resolved
spec/03-plugins/20-ldap-auth/01-access_spec.lua Outdated Show resolved Hide resolved
spec/03-plugins/20-ldap-auth/02-invalidations_spec.lua Outdated Show resolved Hide resolved
@bungle bungle force-pushed the fix/ldap-credential-ratelimiting branch from 2b2eeff to 423f845 Compare January 24, 2020 12:12
@bungle bungle force-pushed the fix/ldap-credential-ratelimiting branch 4 times, most recently from 2610a3f to b9d448c Compare January 24, 2020 18:03
@bungle
fix(ldap-auth) credential to have id for rate-limiting
df30702 
### Summary

Currently `ldap-auth` does set virtual credential in context
on authentication, but that virtual credential does not have
`id` which means that rate-limiting plugin cannot rate-limit
by the credential, and thus fall-backs to rate-limit by ip.

This commit adds `cache_key` as id for that virtual credential.

### Issues Resolved

Fix #4129
@bungle
fix(ldap-auth) hash cache key
460ec5b 
### Summary

Currently `ldap-auth` does seem to use `username` and `password`
in a `cache_key` in plain. This is potentially dangerous and may
be leaked through it to different places:
- memory
- admin api
  - logs

This commit fixes that by calling `sha1_bin` on that when
generating a cache key. It also drops the use of `md5`.
@bungle bungle force-pushed the fix/ldap-credential-ratelimiting branch from 5b12ea6 to 460ec5b Compare January 24, 2020 19:13
@bungle bungle merged commit 8d93003 into next Jan 29, 2020
@bungle bungle deleted the fix/ldap-credential-ratelimiting branch January 29, 2020 15:33
@hishamhm hishamhm added this to the 2.1.0 milestone Feb 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p0pr0ck5 p0pr0ck5 p0pr0ck5 left review comments

@kikito kikito kikito approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.1.0
Development

Successfully merging this pull request may close these issues.
4 participants
@bungle @kikito @p0pr0ck5 @hishamhm