[#3398] Protected basic auth

2025-08-30 13:37:55 +00:00 · 2024-12-20 17:52:21 +01:00
parent 6d95ccb0f0
commit adde63ca56
6 changed files with 34 additions and 0 deletions
--- a/src/lib/database/database_connection.cc
+++ b/src/lib/database/database_connection.cc
@@ -7,6 +7,7 @@
 #include <config.h>

 #include <cc/cfg_to_element.h>
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <database/db_exceptions.h>
 #include <database/db_log.h>
@@ -18,6 +19,7 @@
 #include <vector>

 using namespace isc::asiolink;
+using namespace isc::data;
 using namespace isc::util;
 using namespace std;

@@ -59,6 +61,8 @@ DatabaseConnection::parse(const std::string& dbaccess) {
                // at the position of ending apostrophe.
                auto password = dba.substr(password_pos + password_prefix.length(),
                                           password_end_pos - password_pos - password_prefix.length());
+                // Refuse default passwords.
+                DefaultCredentials::check(password);
                mapped_tokens.insert(make_pair("password", password));

                // We need to erase the password from the access string because the generic
--- a/src/lib/database/tests/database_connection_unittest.cc
+++ b/src/lib/database/tests/database_connection_unittest.cc
@@ -7,6 +7,7 @@
 #include <config.h>
 #include <cc/cfg_to_element.h>
 #include <cc/data.h>
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <database/dbaccess_parser.h>
 #include <exceptions/exceptions.h>
@@ -425,6 +426,13 @@ TEST(DatabaseConnectionTest, parseInvalid) {
    EXPECT_EQ("", parameters[""]);
 }

+// This test checks that quoted default password is refused.
+TEST(DatabaseConnectionTest, parseQuotedDefaultPassword) {
+
+    std::string bad = "user=me password='1234' name=kea type=mysql";
+    EXPECT_THROW(DatabaseConnection::parse(bad), DefaultCredential);
+}
+
 /// @brief redactedAccessString test
 ///
 /// Checks that the redacted configuration string includes the password only
--- a/src/lib/database/testutils/schema.cc
+++ b/src/lib/database/testutils/schema.cc
@@ -32,6 +32,7 @@ const char* VALID_SECURE_USER = "user=keatest_secure";
 const char* INVALID_USER = "user=invaliduser";
 const char* VALID_PASSWORD = "password=keatest";
 const char* INVALID_PASSWORD = "password=invalid";
+const char* DEFAULT_PASSWORD = "password=1234";
 const char* VALID_TIMEOUT = "connect-timeout=10";
 const char* INVALID_TIMEOUT_1 = "connect-timeout=foo";
 const char* INVALID_TIMEOUT_2 = "connect-timeout=-17";
--- a/src/lib/database/testutils/schema.h
+++ b/src/lib/database/testutils/schema.h
@@ -28,6 +28,7 @@ extern const char* VALID_SECURE_USER;
 extern const char* INVALID_USER;
 extern const char* VALID_PASSWORD;
 extern const char* INVALID_PASSWORD;
+extern const char* DEFAULT_PASSWORD;
 extern const char* VALID_TIMEOUT;
 extern const char* INVALID_TIMEOUT_1;
 extern const char* INVALID_TIMEOUT_2;
--- a/src/lib/http/basic_auth_config.cc
+++ b/src/lib/http/basic_auth_config.cc
@@ -6,6 +6,7 @@

 #include <config.h>

+#include <cc/default_credentials.h>
 #include <http/auth_log.h>
 #include <http/basic_auth_config.h>
 #include <util/filesystem.h>
@@ -224,6 +225,13 @@ BasicHttpAuthConfig::parse(const ConstElementPtr& config) {
                          << password_cfg->getPosition() << ")");
            }
            password = password_cfg->stringValue();
+            try {
+                DefaultCredentials::check(password);
+            } catch (const DefaultCredential&) {
+                isc_throw(DhcpConfigError,
+                          "password must not be a default one ("
+                          << password_cfg->getPosition() << ")");
+            }
        }

        // password file.
--- a/src/lib/http/tests/basic_auth_config_unittests.cc
+++ b/src/lib/http/tests/basic_auth_config_unittests.cc
@@ -440,6 +440,18 @@ TEST(BasicHttpAuthConfigTest, parse) {
    EXPECT_EQ("", config.getClientList().front().getPassword());
    config.clear();

+    // Default password is refused.
+    password_cfg = Element::create(string("1234"));
+    client_cfg = Element::createMap();
+    client_cfg->set("user", user_cfg);
+    client_cfg->set("password", password_cfg);
+    clients_cfg = Element::createList();
+    clients_cfg->add(client_cfg);
+    cfg->set("clients", clients_cfg);
+    EXPECT_THROW_MSG(config.parse(cfg), DhcpConfigError,
+                     "password must not be a default one (:0:0)");
+    password_cfg = Element::create(string(""));
+
    // The password-file parameter must be a string.
    ElementPtr password_file_cfg = Element::create(1);
    client_cfg = Element::createMap();