icinga2/lib/remote/apiuser.cpp

/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */

#include "remote/apiuser.hpp"
#include "remote/apiuser-ti.cpp"
#include "base/configtype.hpp"
#include "base/base64.hpp"
#include "base/tlsutility.hpp"
#include "base/utility.hpp"

using namespace icinga;

REGISTER_TYPE(ApiUser);

ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)
{
	for (const ApiUser::Ptr& user : ConfigType::GetObjectsByType<ApiUser>()) {
		if (user->GetClientCN() == cn)
			return user;
	}

	return nullptr;
}

ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header)
{
	String::SizeType pos = auth_header.FindFirstOf(" ");
	String username, password;

	if (pos != String::NPos && auth_header.SubStr(0, pos) == "Basic") {
		String credentials_base64 = auth_header.SubStr(pos + 1);
		String credentials = Base64::Decode(credentials_base64);

		String::SizeType cpos = credentials.FindFirstOf(":");

		if (cpos != String::NPos) {
			username = credentials.SubStr(0, cpos);
			password = credentials.SubStr(cpos + 1);
		}
	}

	const ApiUser::Ptr& user = ApiUser::GetByName(username);

	/* Deny authentication if:
	 * 1) user does not exist
	 * 2) given password is empty
	 * 2) configured password does not match.
	 */
	if (!user || password.IsEmpty())
		return nullptr;
	else if (user && !Utility::ComparePasswords(password, user->GetPassword()))
		return nullptr;

	return user;
}
Replace Copyright header with a short version, part I CLion -> replace in path 2019-02-25 14:48:22 +01:00			`/* Icinga 2 \| (c) 2012 Icinga GmbH \| GPLv2+ */`
Implement the ApiUser object type Hide password in GetPassword() and add CheckPassword(). Includes basic unit tests. refs #9471 2015-06-22 17:51:11 +02:00
			`#include "remote/apiuser.hpp"`
Fix compatibility with CMake < 3.1 2018-01-18 13:50:38 +01:00			`#include "remote/apiuser-ti.cpp"`
Rename DynamicObject/DynamicType to ConfigObject/ConfigType fixes #9914 2015-08-15 20:28:05 +02:00			`#include "base/configtype.hpp"`
Authenticate API user before parsing body 2018-02-08 14:54:52 +01:00			`#include "base/base64.hpp"`
Hash API password and comparison fixes #4920 2017-08-11 16:23:24 +02:00			`#include "base/tlsutility.hpp"`
Secure ApiUser::GetByAuthHeader() against timing attacks 2019-02-22 11:37:07 +01:00			`#include "base/utility.hpp"`
Implement the ApiUser object type Hide password in GetPassword() and add CheckPassword(). Includes basic unit tests. refs #9471 2015-06-22 17:51:11 +02:00
			`using namespace icinga;`

			`REGISTER_TYPE(ApiUser);`

Add ApiUser::GetByClientCN() refs #9471 refs #9086 2015-07-09 15:25:51 +02:00			`ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)`
			`{`
Replace BOOST_FOREACH with range-based for loops fixes #12538 2016-08-25 06:19:44 +02:00			`for (const ApiUser::Ptr& user : ConfigType::GetObjectsByType<ApiUser>()) {`
Add ApiUser::GetByClientCN() refs #9471 refs #9086 2015-07-09 15:25:51 +02:00			`if (user->GetClientCN() == cn)`
			`return user;`
			`}`

Use nullptr instead of <Type>::Ptr() 2017-11-30 08:36:35 +01:00			`return nullptr;`
Add ApiUser::GetByClientCN() refs #9471 refs #9086 2015-07-09 15:25:51 +02:00			`}`
Authenticate API user before parsing body 2018-02-08 14:54:52 +01:00
Limit HTTP body size 2018-02-19 13:33:58 +01:00			`ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header)`
			`{`
Authenticate API user before parsing body 2018-02-08 14:54:52 +01:00			`String::SizeType pos = auth_header.FindFirstOf(" ");`
			`String username, password;`

			`if (pos != String::NPos && auth_header.SubStr(0, pos) == "Basic") {`
			`String credentials_base64 = auth_header.SubStr(pos + 1);`
			`String credentials = Base64::Decode(credentials_base64);`

			`String::SizeType cpos = credentials.FindFirstOf(":");`

			`if (cpos != String::NPos) {`
			`username = credentials.SubStr(0, cpos);`
			`password = credentials.SubStr(cpos + 1);`
			`}`
			`}`

			`const ApiUser::Ptr& user = ApiUser::GetByName(username);`

Merge branch 'feature/security-features' 2018-02-21 16:19:54 +01:00			`/* Deny authentication if:`
			`* 1) user does not exist`
			`* 2) given password is empty`
			`* 2) configured password does not match.`
			`*/`
			`if (!user \|\| password.IsEmpty())`
Authenticate API user before parsing body 2018-02-08 14:54:52 +01:00			`return nullptr;`
Secure ApiUser::GetByAuthHeader() against timing attacks 2019-02-22 11:37:07 +01:00			`else if (user && !Utility::ComparePasswords(password, user->GetPassword()))`
Remove ApiUser password_hash functionality This affects and fixes - Windows reload - Config validation - RHEL 7.5 OpenSSL memory corruption - Hash algorithm, requested changes refs #6378 refs #6279 refs #6278 2018-06-18 11:05:56 +02:00			`return nullptr;`
Authenticate API user before parsing body 2018-02-08 14:54:52 +01:00
			`return user;`
			`}`
Merge branch 'feature/security-features' 2018-02-21 16:19:54 +01:00