From fca44bb0328b7609b9ea5e779a8df0084ff8e9c4 Mon Sep 17 00:00:00 2001
From: Zachary Wasserman
Date: Wed, 4 Nov 2020 12:09:00 -0800
Subject: [PATCH] Make enroll secret and node key validation case-sensitive (#5)

- Modify column collation to make comparisons case-sensitive.
- Add tests for case-sensitivity.

Fixes https://github.com/kolide/fleet/issues/2333
---
 server/datastore/datastore_app_test.go | 16 +++++++++
 server/datastore/datastore_hosts_test.go | 12 +++++++
 server/datastore/datastore_test.go | 2 ++
 ...2520_ModifyEnrollSecretNodeKeyCollation.go | 35 +++++++++++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 server/datastore/mysql/migrations/tables/20201102112520_ModifyEnrollSecretNodeKeyCollation.go

diff --git a/server/datastore/datastore_app_test.go b/server/datastore/datastore_app_test.go
index 587e12c46e..3ef66aaa93 100644
--- a/server/datastore/datastore_app_test.go
+++ b/server/datastore/datastore_app_test.go
@@ -118,7 +118,23 @@ func testEnrollSecrets(t *testing.T, ds kolide.Datastore) {
 name, err = ds.VerifyEnrollSecret("two_secret")
 assert.NoError(t, err)
 assert.Equal(t, "two", name)
+}
 
+func testEnrollSecretsCaseSensitive(t *testing.T, ds kolide.Datastore) {
+ err := ds.ApplyEnrollSecretSpec(
+ &kolide.EnrollSecretSpec{
+ Secrets: []kolide.EnrollSecret{
+ kolide.EnrollSecret{Name: "one", Secret: "one_secret", Active: true},
+ kolide.EnrollSecret{Name: "two", Secret: "two_secret", Active: false},
+ },
+ },
+ )
+ require.NoError(t, err)
+
+ _, err = ds.VerifyEnrollSecret("one_secret")
+ assert.NoError(t, err, "enroll secret should match with matching case")
+ _, err = ds.VerifyEnrollSecret("One_Secret")
+ assert.Error(t, err, "enroll secret with different case should not verify")
 }
 
 func testEnrollSecretRoundtrip(t *testing.T, ds kolide.Datastore) {
diff --git a/server/datastore/datastore_hosts_test.go b/server/datastore/datastore_hosts_test.go
index 5bf61bafb2..c49ac1abdd 100644
--- a/server/datastore/datastore_hosts_test.go
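Review bot: The positive check in testEnrollSecretsCaseSensitive discards the name that VerifyEnrollSecret returns, so it only proves that the exact-case lookup does not error, not that it resolved to the intended secret; `name, err := ds.VerifyEnrollSecret("one_secret")` followed by `assert.Equal(t, "one", name)` would mirror the assertions testEnrollSecrets makes just above. The element literals under `Secrets: []kolide.EnrollSecret{` repeat the element type, which `gofmt -s` would reduce to `{Name: "one", Secret: "one_secret", Active: true},`. testEnrollSecrets begins before this hunk.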
+++ b/server/datastore/datastore_hosts_test.go
@@ -7,6 +7,7 @@ import (
 "strconv"
 "testing"
 "time"
+ "strings"
 
 "github.com/WatchBeam/clock"
 "github.com/kolide/fleet/server/kolide"
@@ -221,6 +222,17 @@ func testAuthenticateHost(t *testing.T, ds kolide.Datastore) {
 assert.NotNil(t, err)
 }
 
+func testAuthenticateHostCaseSensitive(t *testing.T, ds kolide.Datastore) {
+ test.AddAllHostsLabel(t, ds)
+ for _, tt := range enrollTests {
+ h, err := ds.EnrollHost(tt.uuid, tt.nodeKey, "default")
+ require.Nil(t, err)
+
+ _, err = ds.AuthenticateHost(strings.ToUpper(h.NodeKey))
+ require.Error(t, err, "node key authentication should be case sensitive")
+ }
+}
+
 func testSearchHosts(t *testing.T, ds kolide.Datastore) {
 _, err := ds.NewHost(&kolide.Host{
 OsqueryHostID: "1234",
diff --git a/server/datastore/datastore_test.go b/server/datastore/datastore_test.go
index f94a177676..ad32f91ccf 100644
--- a/server/datastore/datastore_test.go
+++ b/server/datastore/datastore_test.go
@@ -10,6 +10,7 @@ var testFunctions = [...]func(*testing.T, kolide.Datastore){
 testOrgInfo,
 testAdditionalQueries,
 testEnrollSecrets,
+ testEnrollSecretsCaseSensitive,
 testEnrollSecretRoundtrip,
 testCreateInvite,
 testInviteByEmail,
@@ -24,6 +25,7 @@ var testFunctions = [...]func(*testing.T, kolide.Datastore){
 testDeletePack,
 testEnrollHost,
 testAuthenticateHost,
+ testAuthenticateHostCaseSensitive,
 testLabels,
 testSaveLabel,
 testManagingLabelsOnPacks,
diff --git a/server/datastore/mysql/migrations/tables/20201102112520_ModifyEnrollSecretNodeKeyCollation.go b/server/datastore/mysql/migrations/tables/20201102112520_ModifyEnrollSecretNodeKeyCollation.go
new file mode 100644
index 0000000000..b9e6b3285a
--- /dev/null
+++ b/server/datastore/mysql/migrations/tables/20201102112520_ModifyEnrollSecretNodeKeyCollation.go
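Review bot: `"strings"` is inserted after `"time"`, so the standard-library import group is no longer in alphabetical order; goimports would place it between `"strconv"` and `"testing"`. This is an ordering point only, the import itself is required by the new test further down.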
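Review bot: `strings.ToUpper(h.NodeKey)` yields a different key only when the fixture node key contains a lowercase letter; enrollTests is defined outside this hunk, and for a purely numeric or already-uppercase nodeKey the call returns the key unchanged, so `require.Error` would fail for a reason that has nothing to do with collation. Adding `require.NotEqual(t, h.NodeKey, strings.ToUpper(h.NodeKey), "fixture node key must contain lowercase letters")` before the AuthenticateHost call makes that precondition explicit. `require.Nil(t, err)` after EnrollHost also reads better as `require.NoError(t, err)`, matching the NoError/Error pair used in the enroll-secret test.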
@@ -0,0 +1,35 @@
+package tables
+
+import (
+ "database/sql"
+
+ "github.com/pkg/errors"
+)
+
+func init() {
+ MigrationClient.AddMigration(Up_20201102112520, Down_20201102112520)
+}
+
+func Up_20201102112520(tx *sql.Tx) error {
+ query := `
+ ALTER TABLE enroll_secrets
+ MODIFY secret VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin
+ `
+ if _, err := tx.Exec(query); err != nil {
+ return errors.Wrap(err, "alter enroll secret collation")
+ }
+
+ query = `
+ ALTER TABLE hosts
+ MODIFY node_key VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin
+ `
+ if _, err := tx.Exec(query); err != nil {
+ return errors.Wrap(err, "alter node key collation")
+ }
+
+ return nil
+}
+
+func Down_20201102112520(tx *sql.Tx) error {
+ return nil
+}
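Review bot: `MODIFY secret VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin` in Up_20201102112520 restates only the type and collation, and MySQL's MODIFY replaces the whole column definition, so any NOT NULL or DEFAULT clause that enroll_secrets.secret and hosts.node_key currently carry (their definitions are not in this patch) would be dropped silently; the second ALTER on hosts has the same gap. Carry the existing attributes into both statements, e.g. `MODIFY secret VARCHAR(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL` if that column is declared NOT NULL today, and verify against the current schema before merging. Down_20201102112520 returns nil without touching the columns, so a rollback keeps the case-sensitive collation in place; either restore the previous collation there or add `// Down is intentionally a no-op: keeping case-sensitive comparison on rollback is safe.` so the asymmetry is deliberate rather than an omission.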