From bc7acab857b952353a959339b06c79d851a9d879 Mon Sep 17 00:00:00 2001 From: "Daniel A. Wozniak" Date: Wed, 16 Sep 2020 00:25:10 +0000 Subject: [PATCH] Fix CVE-2020-25592 and add tests (bsc#1178319) Properly validate eauth credentials and tokens on SSH calls made by Salt API (bsc#1178319) (bsc#1178362) (bsc#1178361) (CVE-2020-25592) (CVE-2020-17490) (CVE-2020-16846) --- salt/netapi/__init__.py | 43 +++++++++++++++++++++++++ tests/integration/netapi/test_client.py | 13 ++++++-- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/salt/netapi/__init__.py b/salt/netapi/__init__.py index dec19b37ef..cba1ec574f 100644 --- a/salt/netapi/__init__.py +++ b/salt/netapi/__init__.py @@ -109,6 +109,49 @@ class NetapiClient: "Authorization error occurred." ) + def _prep_auth_info(self, clear_load): + sensitive_load_keys = [] + key = None + if "token" in clear_load: + auth_type = "token" + err_name = "TokenAuthenticationError" + sensitive_load_keys = ["token"] + return auth_type, err_name, key, sensitive_load_keys + elif "eauth" in clear_load: + auth_type = "eauth" + err_name = "EauthAuthenticationError" + sensitive_load_keys = ["username", "password"] + return auth_type, err_name, key, sensitive_load_keys + raise salt.exceptions.EauthAuthenticationError( + "No authentication credentials given" + ) + + def _authorize_ssh(self, low): + auth_type, err_name, key, sensitive_load_keys = self._prep_auth_info(low) + auth_check = self.loadauth.check_authentication(low, auth_type, key=key) + auth_list = auth_check.get("auth_list", []) + error = auth_check.get("error") + if error: + raise salt.exceptions.EauthAuthenticationError(error) + delimiter = low.get("kwargs", {}).get("delimiter", DEFAULT_TARGET_DELIM) + _res = self.ckminions.check_minions( + low["tgt"], low.get("tgt_type", "glob"), delimiter + ) + minions = _res.get("minions", list()) + missing = _res.get("missing", list()) + authorized = self.ckminions.auth_check( + auth_list, + low["fun"], + low.get("arg", []), + low["tgt"], + low.get("tgt_type", "glob"), + minions=minions, + ) + if not authorized: + raise salt.exceptions.EauthAuthenticationError( + "Authorization error occurred." + ) + def run(self, low): """ Execute the specified function in the specified client by passing the diff --git a/tests/integration/netapi/test_client.py b/tests/integration/netapi/test_client.py index 70471d3148..9eb6e52920 100644 --- a/tests/integration/netapi/test_client.py +++ b/tests/integration/netapi/test_client.py @@ -15,10 +15,12 @@ from tests.support.helpers import ( SKIP_IF_NOT_RUNNING_PYTEST, SaveRequestsPostHandler, Webserver, + requires_sshd_server, slowTest, ) from tests.support.mixins import AdaptedConfigurationTestCaseMixin from tests.support.mock import patch +from tests.support.paths import TMP, TMP_CONF_DIR from tests.support.runtests import RUNTIME_VARS from tests.support.unit import TestCase, skipIf @@ -178,7 +180,12 @@ class NetapiSSHClientTest(SSHCase): """ opts = AdaptedConfigurationTestCaseMixin.get_config("client_config").copy() self.netapi = salt.netapi.NetapiClient(opts) - self.priv_file = os.path.join(RUNTIME_VARS.TMP_SSH_CONF_DIR, "client_key") + opts = salt.config.client_config(os.path.join(TMP_CONF_DIR, "master")) + naopts = copy.deepcopy(opts) + naopts["ignore_host_keys"] = True + self.netapi = salt.netapi.NetapiClient(naopts) + + self.priv_file = os.path.join(RUNTIME_VARS.TMP_CONF_DIR, "key_test") self.rosters = os.path.join(RUNTIME_VARS.TMP_CONF_DIR) self.roster_file = os.path.join(self.rosters, "roster") @@ -325,7 +332,7 @@ class NetapiSSHClientTest(SSHCase): "roster": "cache", "client": "ssh", "tgt": "root|id>{} #@127.0.0.1".format(path), - "roster_file": self.roster_file, + "roster_file": "/tmp/salt-tests-tmpdir/config/roaster", "rosters": "/", "fun": "test.ping", "eauth": "auto", @@ -355,7 +362,7 @@ class NetapiSSHClientTest(SSHCase): "eauth": "auto", "username": "saltdev_auto", "password": "saltdev", - "roster_file": self.roster_file, + "roster_file": "/tmp/salt-tests-tmpdir/config/roaster", "rosters": "/", "ssh_options": ["|id>{} #".format(path), "lol"], } -- 2.29.2