[#3398] Protected basic auth

src/lib/database/database_connection.cc

@@ -7,6 +7,7 @@
 #include <config.h>
 
 #include <cc/cfg_to_element.h>
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <database/db_exceptions.h>
 #include <database/db_log.h>
@@ -18,6 +19,7 @@
 #include <vector>
 
 using namespace isc::asiolink;
+using namespace isc::data;
 using namespace isc::util;
 using namespace std;
 
@@ -59,6 +61,8 @@ DatabaseConnection::parse(const std::string& dbaccess) {
                 // at the position of ending apostrophe.
                 auto password = dba.substr(password_pos + password_prefix.length(),
                                            password_end_pos - password_pos - password_prefix.length());
+                // Refuse default passwords.
+                DefaultCredentials::check(password);
                 mapped_tokens.insert(make_pair("password", password));
 
                 // We need to erase the password from the access string because the generic

src/lib/database/tests/database_connection_unittest.cc

@@ -7,6 +7,7 @@
 #include <config.h>
 #include <cc/cfg_to_element.h>
 #include <cc/data.h>
+#include <cc/default_credentials.h>
 #include <database/database_connection.h>
 #include <database/dbaccess_parser.h>
 #include <exceptions/exceptions.h>
@@ -425,6 +426,13 @@ TEST(DatabaseConnectionTest, parseInvalid) {
     EXPECT_EQ("", parameters[""]);
 }
 
+// This test checks that quoted default password is refused.
+TEST(DatabaseConnectionTest, parseQuotedDefaultPassword) {
+
+    std::string bad = "user=me password='1234' name=kea type=mysql";
+    EXPECT_THROW(DatabaseConnection::parse(bad), DefaultCredential);
+}
+
 /// @brief redactedAccessString test
 ///
 /// Checks that the redacted configuration string includes the password only

src/lib/database/testutils/schema.cc

@@ -32,6 +32,7 @@ const char* VALID_SECURE_USER = "user=keatest_secure";
 const char* INVALID_USER = "user=invaliduser";
 const char* VALID_PASSWORD = "password=keatest";
 const char* INVALID_PASSWORD = "password=invalid";
+const char* DEFAULT_PASSWORD = "password=1234";
 const char* VALID_TIMEOUT = "connect-timeout=10";
 const char* INVALID_TIMEOUT_1 = "connect-timeout=foo";
 const char* INVALID_TIMEOUT_2 = "connect-timeout=-17";

src/lib/database/testutils/schema.h

@@ -28,6 +28,7 @@ extern const char* VALID_SECURE_USER;
 extern const char* INVALID_USER;
 extern const char* VALID_PASSWORD;
 extern const char* INVALID_PASSWORD;
+extern const char* DEFAULT_PASSWORD;
 extern const char* VALID_TIMEOUT;
 extern const char* INVALID_TIMEOUT_1;
 extern const char* INVALID_TIMEOUT_2;

src/lib/http/basic_auth_config.cc

@@ -6,6 +6,7 @@
 
 #include <config.h>
 
+#include <cc/default_credentials.h>
 #include <http/auth_log.h>
 #include <http/basic_auth_config.h>
 #include <util/filesystem.h>
@@ -224,6 +225,13 @@ BasicHttpAuthConfig::parse(const ConstElementPtr& config) {
                           << password_cfg->getPosition() << ")");
             }
             password = password_cfg->stringValue();
+            try {
+                DefaultCredentials::check(password);
+            } catch (const DefaultCredential&) {
+                isc_throw(DhcpConfigError,
+                          "password must not be a default one ("
+                          << password_cfg->getPosition() << ")");
+            }
         }
 
         // password file.

src/lib/http/tests/basic_auth_config_unittests.cc

@@ -440,6 +440,18 @@ TEST(BasicHttpAuthConfigTest, parse) {
     EXPECT_EQ("", config.getClientList().front().getPassword());
     config.clear();
 
+    // Default password is refused.
+    password_cfg = Element::create(string("1234"));
+    client_cfg = Element::createMap();
+    client_cfg->set("user", user_cfg);
+    client_cfg->set("password", password_cfg);
+    clients_cfg = Element::createList();
+    clients_cfg->add(client_cfg);
+    cfg->set("clients", clients_cfg);
+    EXPECT_THROW_MSG(config.parse(cfg), DhcpConfigError,
+                     "password must not be a default one (:0:0)");
+    password_cfg = Element::create(string(""));
+
     // The password-file parameter must be a string.
     ElementPtr password_file_cfg = Element::create(1);
     client_cfg = Element::createMap();