WIP - OIDC keycloak implementation alpha cut#93
Conversation
I believe the missing ingredients was the CLASSIC_SESSION_HASH and thus the cookie between this and other services did not agree.
Safe-guard not having jwt secret (it's a disaster without it.)
… tapir cookie with refresh too.
… switch to turn this off.) Username needs casefolging. Add "login" to Makefile.
Add logout-callback endpoint. It's NOOP and until we need it, we may set it to none on keycloak. It is "Backchannel logout URL"
Ues the updated arxiv-base.
legacy_auth_provider.py to include the tracking cookie.
Make the tapir cookie optional for refresh. Some day, we may ditch it.
2. Add kc-to-tapir bridge prototype code
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| # Update the password for each fetched user_id | ||
| email: str | ||
| for user_id, email in user_ids: | ||
| if "cornell.edu" in email or "arxiv.org" in email: |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to ensure that the email addresses are checked more robustly. Instead of using a substring match, we should parse the email addresses and check the domain part explicitly. This can be done using the email.utils module to parse the email address and then checking the domain part.
- Parse the email address to extract the domain part.
- Check if the domain part matches "cornell.edu" or "arxiv.org".
- Update the code in the
hack_credsfunction to implement this change.
| @@ -42,3 +42,4 @@ | ||
| for user_id, email in user_ids: | ||
| if "cornell.edu" in email or "arxiv.org" in email: | ||
| domain = email.split('@')[-1] | ||
| if domain == "cornell.edu" or domain == "arxiv.org": | ||
| continue |
| # Update the password for each fetched user_id | ||
| email: str | ||
| for user_id, email in user_ids: | ||
| if "cornell.edu" in email or "arxiv.org" in email: |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to ensure that the email addresses are properly validated to belong to the allowed domains (cornell.edu and arxiv.org). Instead of using a simple substring check, we should parse the email addresses and verify the domain part explicitly.
- We will use the
email.utilsmodule to parse the email addresses and extract the domain part. - We will then check if the domain part matches the allowed domains (
cornell.eduandarxiv.org).
| @@ -42,3 +42,5 @@ | ||
| for user_id, email in user_ids: | ||
| if "cornell.edu" in email or "arxiv.org" in email: | ||
| from email.utils import parseaddr | ||
| domain = parseaddr(email)[1].split('@')[-1] | ||
| if domain == "cornell.edu" or domain == "arxiv.org": | ||
| continue |
| if "cornell.edu" in email or "arxiv.org" in email: | ||
| continue | ||
| new_password = generate_random_password() | ||
| print(f"{email},{new_password}", file=creds_file) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we should avoid logging sensitive information such as passwords in clear text. Instead, we can log a placeholder or mask the sensitive data. In this case, we can log the email and a masked version of the password (e.g., only showing the first and last character of the password with the rest replaced by asterisks).
- Modify the code to mask the password before logging it.
- Ensure that the functionality of the code remains unchanged, i.e., the passwords are still updated in the database correctly.
| @@ -45,3 +45,4 @@ | ||
| new_password = generate_random_password() | ||
| print(f"{email},{new_password}", file=creds_file) | ||
| masked_password = new_password[0] + '*' * (len(new_password) - 2) + new_password[-1] | ||
| print(f"{email},{masked_password}", file=creds_file) | ||
| cursor.execute( |
| response.set_cookie(session_cookie_key, token, max_age=cookie_max_age, | ||
| domain=domain, path="/", secure=secure, samesite=samesite) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies
| response.set_cookie(session_cookie_key, "", max_age=0, | ||
| domain=domain, path="/", secure=secure, samesite=samesite) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies
| response.set_cookie(classic_cookie_key, tapir_cookie, max_age=cookie_max_age, | ||
| domain=domain, path="/", secure=secure, samesite=samesite) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies
| response.set_cookie(classic_cookie_key, '', max_age=0, | ||
| domain=domain, path="/", secure=secure, samesite=samesite) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies
|
|
||
| if tapir_cookie: | ||
| logger.debug('%s=%s',classic_cookie_key, tapir_cookie) | ||
| response.set_cookie(classic_cookie_key, tapir_cookie, max_age=cookie_max_age, |
Check warning
Code scanning / CodeQL
Construction of a cookie using user-supplied input
Include the access token in the URL so the web app can see it.
1 participant
No description provided.