From 7bd6835819d7d6b158f307939da1e618f860c42a Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Tue, 21 Nov 2023 09:49:14 +0100

Subject: [PATCH] Integration tests for verifying Referer header in the UI

Validate that the change_password and login_password endpoints

verify the HTTP Referer header. There is some overlap in the

tests: belt and suspenders.

All endpoints except session/login_x509 are covered, sometimes

having to rely on expected bad results (see the i18n endpoint).

session/login_x509 is not tested yet as it requires significant

additional setup in order to associate a user certificate with

a user entry, etc.

This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf

and adding:

Satisfy Any

Require all granted

Then comment out Auth and SSLVerify, etc. and restart httpd.

With a valid Referer will fail with a 401 and log that there is no

KRB5CCNAME. This comes after the referer check.

With an invalid Referer it will fail with a 400 Bad Request as

expected.

CVE-2023-5455

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

---

 ipatests/test_ipaserver/httptest.py           |   7 +-

 ipatests/test_ipaserver/test_changepw.py      |  12 +-

 .../test_ipaserver/test_login_password.py     |  88 ++++++++++++

 ipatests/test_ipaserver/test_referer.py       | 136 ++++++++++++++++++

 ipatests/util.py                              |   4 +-

 5 files changed, 242 insertions(+), 5 deletions(-)

 create mode 100644 ipatests/test_ipaserver/test_login_password.py

 create mode 100644 ipatests/test_ipaserver/test_referer.py

diff --git a/ipatests/test_ipaserver/httptest.py b/ipatests/test_ipaserver/httptest.py

index 13003bc85c2e1fee5cb78e1c9fc50d39e6e88eb1..01c2abae890af6cc3e36fbfec25f6b4665865c87 100644

--- a/ipatests/test_ipaserver/httptest.py

+++ b/ipatests/test_ipaserver/httptest.py

@@ -34,7 +34,7 @@ class Unauthorized_HTTP_test(object):

     cacert = api.env.tls_ca_cert

     content_type = 'application/x-www-form-urlencoded'

-    def send_request(self, method='POST', params=None):

+    def send_request(self, method='POST', params=None, host=None):

         """

         Send a request to HTTP server

@@ -44,7 +44,10 @@ class Unauthorized_HTTP_test(object):

             # urlencode *can* take two arguments

             # pylint: disable=too-many-function-args

             params = urllib.parse.urlencode(params, True)

-        url = 'https://' + self.host + self.app_uri

+        if host:

+            url = 'https://' + host + self.app_uri

+        else:

+            url = 'https://' + self.host + self.app_uri

         headers = {'Content-Type' : self.content_type,

                    'Referer' : url}

diff --git a/ipatests/test_ipaserver/test_changepw.py b/ipatests/test_ipaserver/test_changepw.py

index 3f8331266889a209b62f97a0eed40c51f7aa3475..64a2aa533a31b0d655a0028a2e008e8559f9b4cd 100644

--- a/ipatests/test_ipaserver/test_changepw.py

+++ b/ipatests/test_ipaserver/test_changepw.py

@@ -52,10 +52,11 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):

         except errors.NotFound:

             pass

-    def _changepw(self, user, old_password, new_password):

+    def _changepw(self, user, old_password, new_password, host=None):

         return self.send_request(params={'user': str(user),

                                   'old_password' : str(old_password),

                                   'new_password' : str(new_password)},

+                                 host=host

                                  )

     def _checkpw(self, user, password):

@@ -88,6 +89,15 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test):

         # make sure that password is NOT changed

         self._checkpw(testuser, old_password)

+    def test_invalid_referer(self):

+        response = self._changepw(testuser, old_password, new_password,

+                                  'attacker.test')

+

+        assert_equal(response.status, 400)

+

+        # make sure that password is NOT changed

+        self._checkpw(testuser, old_password)

+

     def test_pwpolicy_error(self):

         response = self._changepw(testuser, old_password, '1')

diff --git a/ipatests/test_ipaserver/test_login_password.py b/ipatests/test_ipaserver/test_login_password.py

new file mode 100644

index 0000000000000000000000000000000000000000..9425cb7977fbc87210bf91464e0257830a938baf

--- /dev/null

+++ b/ipatests/test_ipaserver/test_login_password.py

@@ -0,0 +1,88 @@

+# Copyright (C) 2023  Red Hat

+# see file 'COPYING' for use and warranty information

+#

+# This program is free software; you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+

+import os

+import pytest

+import uuid

+

+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test

+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test

+from ipatests.util import assert_equal

+from ipalib import api, errors

+from ipapython.ipautil import run

+

+testuser = u'tuser'

+password = u'password'

+

+

+@pytest.mark.tier1

+class test_login_password(XMLRPC_test, Unauthorized_HTTP_test):

+    app_uri = '/ipa/session/login_password'

+

+    @pytest.fixture(autouse=True)

+    def login_setup(self, request):

+        ccache = os.path.join('/tmp', str(uuid.uuid4()))

+        try:

+            api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User')

+            api.Command['passwd'](testuser, password=password)

+            run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password),

+                env={"KRB5CCNAME": ccache})

+        except errors.ExecutionError as e:

+            pytest.skip(

+                'Cannot set up test user: %s' % e

+            )

+

+        def fin():

+            try:

+                api.Command['user_del']([testuser])

+            except errors.NotFound:

+                pass

+            os.unlink(ccache)

+

+        request.addfinalizer(fin)

+

+    def _login(self, user, password, host=None):

+        return self.send_request(params={'user': str(user),

+                                 'password' : str(password)},

+                                 host=host)

+

+    def test_bad_options(self):

+        for params in (

+            None,                             # no params

+            {"user": "foo"},                  # missing options

+            {"user": "foo", "password": ""},  # empty option

+        ):

+            response = self.send_request(params=params)

+            assert_equal(response.status, 400)

+            assert_equal(response.reason, 'Bad Request')

+

+    def test_invalid_auth(self):

+        response = self._login(testuser, 'wrongpassword')

+

+        assert_equal(response.status, 401)

+        assert_equal(response.getheader('X-IPA-Rejection-Reason'),

+                     'invalid-password')

+

+    def test_invalid_referer(self):

+        response = self._login(testuser, password, 'attacker.test')

+

+        assert_equal(response.status, 400)

+

+    def test_success(self):

+        response = self._login(testuser, password)

+

+        assert_equal(response.status, 200)

+        assert response.getheader('X-IPA-Rejection-Reason') is None

diff --git a/ipatests/test_ipaserver/test_referer.py b/ipatests/test_ipaserver/test_referer.py

new file mode 100644

index 0000000000000000000000000000000000000000..4eade8bbaf304c48bf71c16892858d899b43cf88

--- /dev/null

+++ b/ipatests/test_ipaserver/test_referer.py

@@ -0,0 +1,128 @@

+# Copyright (C) 2023  Red Hat

+# see file 'COPYING' for use and warranty information

+#

+# This program is free software; you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation, either version 3 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

+

+import os

+import pytest

+import uuid

+

+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test

+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test

+from ipatests.util import assert_equal

+from ipalib import api, errors

+from ipapython.ipautil import run

+

+testuser = u'tuser'

+password = u'password'

+

+

+@pytest.mark.tier1

+class test_referer(XMLRPC_test, Unauthorized_HTTP_test):

+

+    @pytest.fixture(autouse=True)

+    def login_setup(self, request):

+        ccache = os.path.join('/tmp', str(uuid.uuid4()))

+        tokenid = None

+        try:

+            api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User')

+            api.Command['passwd'](testuser, password=password)

+            run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password),

+                env={"KRB5CCNAME": ccache})

+            result = api.Command["otptoken_add"](

+                type=u'HOTP', description=u'testotp',

+                ipatokenotpalgorithm=u'sha512', ipatokenowner=testuser,

+                ipatokenotpdigits=u'6')

+            tokenid = result['result']['ipatokenuniqueid'][0]

+        except errors.ExecutionError as e:

+            pytest.skip(

+                'Cannot set up test user: %s' % e

+            )

+

+        def fin():

+            try:

+                api.Command['user_del']([testuser])

+                api.Command['otptoken_del']([tokenid])

+            except errors.NotFound:

+                pass

+            os.unlink(ccache)

+

+        request.addfinalizer(fin)

+

+    def _request(self, params={}, host=None):

+        # implicit is that self.app_uri is set to the appropriate value

+        return self.send_request(params=params, host=host)

+

+    def test_login_password_valid(self):

+        """Valid authentication of a user"""

+        self.app_uri = "/ipa/session/login_password"

+        response = self._request(

+            params={'user': 'tuser', 'password': password})

+        assert_equal(response.status, 200, self.app_uri)

+

+    def test_change_password_valid(self):

+        """This actually changes the user password"""

+        self.app_uri = "/ipa/session/change_password"

+        response = self._request(

+            params={'user': 'tuser',

+                    'old_password': password,

+                    'new_password': 'new_password'}

+        )

+        assert_equal(response.status, 200, self.app_uri)

+

+    def test_sync_token_valid(self):

+        """We aren't testing that sync works, just that we can get there"""

+        self.app_uri = "/ipa/session/sync_token"

+        response = self._request(

+            params={'user': 'tuser',

+                    'first_code': '1234',

+                    'second_code': '5678',

+                    'password': 'password'})

+        assert_equal(response.status, 200, self.app_uri)

+

+    # /ipa/session/login_x509 is not tested yet as it requires

+    # significant additional setup.

+    # This can be manually verified by adding

+    # Satisfy Any and Require all granted to the configuration

+    # section and comment out all Auth directives. The request

+    # will fail and log that there is no KRB5CCNAME which comes

+    # after the referer check.

+

+    def test_endpoints_auth_required(self):

+        """Test endpoints that require pre-authorization which will

+           fail before we even get to the Referer check

+        """

+        self.endpoints = {

+            "/ipa/xml",

+            "/ipa/session/login_kerberos",

+            "/ipa/session/json",

+            "/ipa/session/xml"

+        }

+        for self.app_uri in self.endpoints:

+            response = self._request(host="attacker.test")

+

+            # referer is checked after auth

+            assert_equal(response.status, 401, self.app_uri)

+

+    def notest_endpoints_invalid(self):

+        """Pass in a bad Referer, expect a 400 Bad Request"""

+        self.endpoints = {

+            "/ipa/session/login_password",

+            "/ipa/session/change_password",

+            "/ipa/session/sync_token",

+        }

+        for self.app_uri in self.endpoints:

+            response = self._request(host="attacker.test")

+

+            assert_equal(response.status, 400, self.app_uri)

diff --git a/ipatests/util.py b/ipatests/util.py

index 6d1e78260089e65d5d2dd44a5a312021c2fdd781..bde93b6c5c96c2f996462683036dbbb549f914f2 100644

--- a/ipatests/util.py

+++ b/ipatests/util.py

@@ -169,12 +169,12 @@ class ExceptionNotRaised(Exception):

         return self.msg % self.expected.__name__

-def assert_equal(val1, val2):

+def assert_equal(val1, val2, msg=''):

     """

     Assert ``val1`` and ``val2`` are the same type and of equal value.

     """

     assert type(val1) is type(val2), '%r != %r' % (val1, val2)

-    assert val1 == val2, '%r != %r' % (val1, val2)

+    assert val1 == val2, '%r != %r %r' % (val1, val2, msg)

 def assert_not_equal(val1, val2):

-- 

2.26.3