-
Notifications
You must be signed in to change notification settings - Fork 89
improve sudo, not fixing existing bugs yet ref T68510 #242
Conversation
satang500
commented
May 16, 2017
- only show sudo button to users who have access
- sudo should not require logging in again, but should still require confirmation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am extremely concerned about the security of this approach. I would recommend completely rethinking the design of this feature before proceeding.
} | ||
if( inner != null && inner.isAdmin(user)) { | ||
return true; | ||
} else if (outer != null && outer.isAdmin(user)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no need for an "else if" since you are returning from the "if" above.
@@ -111,6 +111,10 @@ public User authenticate(String username, String secret) { | |||
return authentication.authenticate(username, secret); | |||
} | |||
|
|||
public boolean isamdin(User user) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Incorrect spelling
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What @tedpearson meant is camel case isAdmin
is the convention
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What i meant is that "amdin" is not a word.
hydra-web/src/js/app.js
Outdated
} else { | ||
alertify.error("Unknown token name " + tokenName); | ||
return; | ||
} | ||
var username = $.trim(usernameInput.value); | ||
var password = passwordInput.value; | ||
passwordCache = passwordInput.value; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would HIGHLY DISCOURAGE any attempt to save ldap passwords on the browser side. I recommend that we completely change our approach to something that does not involve the caching of passwords on the browser.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should be using a secure https only cookie that cannot be accessed by js and that gets refreshed on every request so that it doesn't expire unless there is a period of inactivity greater than the ttl.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, i see what this does. Yeah, caching in memory isn't great. It's visible in the call stack of anything in this require block.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. This is a good PR. Most comments are related to coding styles and possible simplification. End user functionality appears to be working properly.
The only thing that I didn't see is that sudo should timeout automatically after a short period of time, e.g. 15 minutes.
Merging master into this PR would make review easier.
hydra-web/src/js/app.js
Outdated
var token = Cookies.get("token"); | ||
if(app.issudo(username, token)) { | ||
app.sudoCb(false, true); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not move this block of code to the success handler of /update/settings
a few lines below? They both use username
and token
cookies and handle sudo checkbox value and visibility.
hydra-web/src/js/app.js
Outdated
@@ -111,6 +119,27 @@ function( | |||
} | |||
}); | |||
}, | |||
issudo: function(username, token) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rename this function to isadmin
to match endpoint name
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will change
hydra-web/src/js/app.js
Outdated
app.sudoCb(false, true); | ||
} else { | ||
app.sudoCb(false, false); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of the explicit if/else
, you can use response
directly:
app.sudoCb(false, response == 'true')
or assign it to a variable called visible
to make the code more self-documenting
hydra-web/src/js/app.js
Outdated
data: { | ||
username: username, | ||
token: token, | ||
sudo: Cookies.get("sudo"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove the extra trailing ,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice catch. will remove.
hydra-web/src/js/app.js
Outdated
sudo:function() { | ||
var sudoUrl = app.authprefix() + "/authentication/sudo"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider refactor this function - I feel the way it mixes username/token validation and unsudo
makes it less readable than it can be.
@@ -34,6 +35,7 @@ | |||
|
|||
private static final Logger log = LoggerFactory.getLogger(PermissionsManager.class); | |||
|
|||
@VisibleForTesting |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unnecessary?
@@ -111,6 +111,10 @@ public User authenticate(String username, String secret) { | |||
return authentication.authenticate(username, secret); | |||
} | |||
|
|||
public boolean isamdin(User user) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What @tedpearson meant is camel case isAdmin
is the convention
public User getUser(String username) { | ||
User user = authentication.getUser(username); | ||
return user; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return authentication.getUser(username);
builder = Response.ok(Boolean.toString(false)); | ||
} else { | ||
builder = Response.ok(Boolean.toString(true)); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just do:
builder = Response.ok(Boolean.toString(isadmin))
builder.header("Access-Control-Allow-Origin", | ||
"http://" + uriInfo.getAbsolutePath().getHost() + | ||
":" + configuration.webPort); | ||
builder.header("Access-Control-Allow-Methods", "POST"); | ||
return builder.build(); | ||
} catch (Exception ex) { | ||
log.warn("Internal error in sudo attempt for user {} with ssl {}", username, usingSSL, ex); | ||
return Response.serverError().entity(ex.toString()).build(); | ||
// TODO: don't show "Accept out https certificate" and hydra.png |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why this TODO here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mistakenly added will remove
Also please make sure any script that requires sudo privilege, such as fail-minion, still works. |
will keep the bug described in app.js as it is for now. |
New changes look good to me. You should merge master to this PR (and resolve the web build files conflict and regenerate them with webpack -p as part of the merge). |