Make enroll secret and node key validation case-sensitive (#5)

- Modify column collation to make comparisons case-sensitive. - Add tests for case-sensitivity. Fixes https://github.com/kolide/fleet/issues/2333
2026-05-22 16:39:01 +00:00 · 2020-11-04 12:09:00 -08:00 · 2020-11-04 12:09:00 -08:00 · fca44bb032
commit fca44bb032
parent d604c6a106
4 changed files with 65 additions and 0 deletions
--- a/server/datastore/datastore_app_test.go
+++ b/server/datastore/datastore_app_test.go
@ -118,7 +118,23 @@ func testEnrollSecrets(t *testing.T, ds kolide.Datastore) {
 	name, err = ds.VerifyEnrollSecret("two_secret")
 	assert.NoError(t, err)
 	assert.Equal(t, "two", name)
+}

+func testEnrollSecretsCaseSensitive(t *testing.T, ds kolide.Datastore) {
+	err := ds.ApplyEnrollSecretSpec(
+		&kolide.EnrollSecretSpec{
+			Secrets: []kolide.EnrollSecret{
+				kolide.EnrollSecret{Name: "one", Secret: "one_secret", Active: true},
+				kolide.EnrollSecret{Name: "two", Secret: "two_secret", Active: false},
+			},
+		},
+	)
+	require.NoError(t, err)
+
+	_, err = ds.VerifyEnrollSecret("one_secret")
+	assert.NoError(t, err, "enroll secret should match with matching case")
+	_, err = ds.VerifyEnrollSecret("One_Secret")
+	assert.Error(t, err, "enroll secret with different case should not verify")
 }

 func testEnrollSecretRoundtrip(t *testing.T, ds kolide.Datastore) {
--- a/server/datastore/datastore_hosts_test.go
+++ b/server/datastore/datastore_hosts_test.go
@ -7,6 +7,7 @@ import (
 	"strconv"
 	"testing"
 	"time"
+	"strings"

 	"github.com/WatchBeam/clock"
 	"github.com/kolide/fleet/server/kolide"
@ -221,6 +222,17 @@ func testAuthenticateHost(t *testing.T, ds kolide.Datastore) {
 	assert.NotNil(t, err)
 }

+func testAuthenticateHostCaseSensitive(t *testing.T, ds kolide.Datastore) {
+	test.AddAllHostsLabel(t, ds)
+	for _, tt := range enrollTests {
+		h, err := ds.EnrollHost(tt.uuid, tt.nodeKey, "default")
+		require.Nil(t, err)
+
+		_, err = ds.AuthenticateHost(strings.ToUpper(h.NodeKey))
+		require.Error(t, err, "node key authentication should be case sensitive")
+	}
+}
+
 func testSearchHosts(t *testing.T, ds kolide.Datastore) {
 	_, err := ds.NewHost(&kolide.Host{
 		OsqueryHostID:    "1234",
--- a/server/datastore/datastore_test.go
+++ b/server/datastore/datastore_test.go
@ -10,6 +10,7 @@ var testFunctions = [...]func(*testing.T, kolide.Datastore){
 	testOrgInfo,
 	testAdditionalQueries,
 	testEnrollSecrets,
+	testEnrollSecretsCaseSensitive,
 	testEnrollSecretRoundtrip,
 	testCreateInvite,
 	testInviteByEmail,
@ -24,6 +25,7 @@ var testFunctions = [...]func(*testing.T, kolide.Datastore){
 	testDeletePack,
 	testEnrollHost,
 	testAuthenticateHost,
+	testAuthenticateHostCaseSensitive,
 	testLabels,
 	testSaveLabel,
 	testManagingLabelsOnPacks,
--- a/server/datastore/mysql/migrations/tables/20201102112520_ModifyEnrollSecretNodeKeyCollation.go
+++ b/server/datastore/mysql/migrations/tables/20201102112520_ModifyEnrollSecretNodeKeyCollation.go
@ -0,0 +1,35 @@
+package tables
+
+import (
+    "database/sql"
+
+    "github.com/pkg/errors"
+)
+
+func init() {
+    MigrationClient.AddMigration(Up_20201102112520, Down_20201102112520)
+}
+
+func Up_20201102112520(tx *sql.Tx) error {
+    query := `
+		ALTER TABLE enroll_secrets
+		MODIFY secret VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin
+	`
+    if _, err := tx.Exec(query); err != nil {
+        return errors.Wrap(err, "alter enroll secret collation")
+    }
+
+    query = `
+		ALTER TABLE hosts
+		MODIFY node_key VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin
+	`
+    if _, err := tx.Exec(query); err != nil {
+        return errors.Wrap(err, "alter node key collation")
+    }
+
+    return nil
+}
+
+func Down_20201102112520(tx *sql.Tx) error {
+    return nil
+}