Skip to content

Commit

Permalink
Guard against configuration mistakes leading to security issues
Browse files Browse the repository at this point in the history
We should protect a user against config mistakes, where they forget to
set auth-type appropriately, while providing authenticator-specific
parameters.
  • Loading branch information
robklg committed May 19, 2024
1 parent b76ec5e commit 46268a8
Show file tree
Hide file tree
Showing 4 changed files with 82 additions and 12 deletions.
24 changes: 24 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,8 @@ unftp-auth-rest = { version = "0.2.6", optional = true }
unftp-auth-jsonfile = { version = "0.3.4", optional = true }
unftp-sbe-rooter = "0.2.1"
unftp-sbe-restrict = "0.1.2"
strum = { version = "0.26.2", features = ["derive"] }
strum_macros = "0.26.2"

[target.'cfg(unix)'.dependencies]
unftp-auth-pam = { version = "0.2.5", optional = true }
Expand Down
13 changes: 7 additions & 6 deletions src/args.rs
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
use crate::app;
use clap::{Arg, ArgEnum, Command};
use std::str::FromStr;
use strum_macros::{Display, EnumString};

pub const AUTH_JSON_PATH: &str = "auth-json-path";
pub const AUTH_PAM_SERVICE: &str = "auth-pam-service";
Expand Down Expand Up @@ -44,13 +45,13 @@ pub const STORAGE_BACKEND_TYPE: &str = "sbe-type";
pub const USR_JSON_PATH: &str = "usr-json-path";
pub const VERBOSITY: &str = "verbosity";

#[derive(ArgEnum, Clone, Debug)]
#[allow(non_camel_case_types)]
#[derive(Debug, EnumString, Display, PartialEq)]
#[strum(serialize_all = "lowercase")]
pub enum AuthType {
anonymous,
pam,
rest,
json,
Anonymous,
Pam,
Rest,
Json,
}

#[derive(ArgEnum, Clone, Debug)]
Expand Down
55 changes: 49 additions & 6 deletions src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ mod storage;
use crate::{
app::libunftp_version, args::FtpsClientAuthType, auth::DefaultUserProvider, notify::FTPListener,
};
use args::AuthType;
use auth::LookupAuthenticator;
use clap::ArgMatches;
use domain::events::{EventDispatcher, FTPEvent, FTPEventPayload};
Expand Down Expand Up @@ -92,13 +93,55 @@ fn load_user_file(
fn make_auth(
m: &clap::ArgMatches,
) -> Result<Arc<dyn auth_spi::Authenticator<user::User> + Send + Sync + 'static>, String> {
let mut auth: LookupAuthenticator = match m.value_of(args::AUTH_TYPE) {
None | Some("anonymous") => make_anon_auth(),
Some("pam") => make_pam_auth(m),
Some("rest") => make_rest_auth(m),
Some("json") => make_json_auth(m),
unknown_type => Err(format!("unknown auth type: {}", unknown_type.unwrap())),
let default_auth_type = AuthType::Anonymous.to_string();
let auth_type_variant = match m
.value_of(args::AUTH_TYPE)
.unwrap_or(&default_auth_type)
.parse::<AuthType>()
{
Ok(auth_type_variant) => auth_type_variant,
Err(strum::ParseError::VariantNotFound) => {
return Err(format!(
"unknown auth type: {}",
m.value_of(args::AUTH_TYPE).unwrap_or(&default_auth_type)
))
}
};

let mut auth: LookupAuthenticator = match auth_type_variant {
AuthType::Anonymous => make_anon_auth(),
AuthType::Pam => make_pam_auth(m),
AuthType::Rest => make_rest_auth(m),
AuthType::Json => make_json_auth(m),
}?;

if auth_type_variant != AuthType::Pam && m.is_present(args::AUTH_PAM_SERVICE) {
return Err(format!(
"parameter {} set while auth_type is set to {}",
args::AUTH_PAM_SERVICE,
m.value_of(args::AUTH_TYPE).unwrap()
));
} else if auth_type_variant != AuthType::Json && m.is_present(args::AUTH_JSON_PATH) {
return Err(format!(
"parameter {} set while auth_type is set to {}",
args::AUTH_JSON_PATH,
m.value_of(args::AUTH_TYPE).unwrap()
));
} else if auth_type_variant != AuthType::Rest
&& [
args::AUTH_REST_URL,
args::AUTH_REST_REGEX,
args::AUTH_REST_SELECTOR,
]
.iter()
.any(|&arg| m.is_present(arg))
{
return Err(format!(
"REST auth parameter(s) set while auth_type is set to {}",
m.value_of(args::AUTH_TYPE).unwrap()
));
}

auth.set_usr_detail(match m.value_of(args::USR_JSON_PATH) {
Some(path) => {
let json: String = load_user_file(path)
Expand Down

0 comments on commit 46268a8

Please sign in to comment.