mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 07:35:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 27
etherpad-lite/src/node/hooks/express/webaccess.js

227 lines
11 KiB
JavaScript
Raw Normal View History

webaccess: Fix some ESLint errors
2020-11-18 17:25:56 -05:00
'use strict';
webaccess: Remove user's password from session info This prevents the password from being logged or stored in the database.
2020-10-24 20:47:03 -04:00
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
const assert = require('assert').strict;
webaccess: Use `const` or `let` instead of `var`
2020-08-25 17:04:34 -04:00
const log4js = require('log4js');
const httpLogger = log4js.getLogger('http');
const settings = require('../../utils/Settings');
webaccess: Fix some ESLint errors
2020-11-18 17:25:56 -05:00
const hooks = require('../../../static/js/pluginfw/hooks');
webaccess: Check for read-only pad ID in `userCanModify` This currently isn't absolutely necessary because all current callers of `userCanModify` already check for a read-only pad ID themselves. However: * This adds defense in depth. * This makes it possible to simply replace the import handler's `allowAnyoneToImport` check with a call to `userCanModify`.
2020-10-01 15:44:24 -04:00
const readOnlyManager = require('../../db/ReadOnlyManager');
Moved webaccess
2012-02-25 13:38:09 +01:00
webaccess: Split authFailure hook into authnFailure and authzFailure This makes it possible for plugins to return different pages to the user depending on whether the auth failure was authn or authz.
2020-08-27 14:33:58 -04:00
hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead';
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
// Promisified wrapper around hooks.aCallFirst.
const aCallFirst = (hookName, context, pred = null) => new Promise((resolve, reject) => {
hooks.aCallFirst(hookName, context, (err, r) => err != null ? reject(err) : resolve(r), pred);
});
const aCallFirst0 =
async (hookName, context, pred = null) => (await aCallFirst(hookName, context, pred))[0];
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
exports.normalizeAuthzLevel = (level) => {
if (!level) return false;
switch (level) {
case true:
return 'create';
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
case 'readOnly':
security: Enable authorize plugins to grant modify-only access
2020-09-11 19:46:47 -04:00
case 'modify':
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
case 'create':
return level;
default:
httpLogger.warn(`Unknown authorization level '${level}', denying access`);
}
return false;
};
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
exports.userCanModify = (padId, req) => {
webaccess: Check for read-only pad ID in `userCanModify` This currently isn't absolutely necessary because all current callers of `userCanModify` already check for a read-only pad ID themselves. However: * This adds defense in depth. * This makes it possible to simply replace the import handler's `allowAnyoneToImport` check with a call to `userCanModify`.
2020-10-01 15:44:24 -04:00
if (readOnlyManager.isReadOnlyId(padId)) return false;
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
if (!settings.requireAuthentication) return true;
const {session: {user} = {}} = req;
assert(user); // If authn required and user == null, the request should have already been denied.
feature: New user-specific `readOnly` and `canCreate` settings (#4370) Also: * Group the tests for readability. * Factor out some common test setup.
2020-09-28 06:22:06 -04:00
if (user.readOnly) return false;
security: Enable authorize plugins to grant read-only access
2020-09-19 15:30:04 -04:00
assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
assert(level); // If !level, the request should have already been denied.
return level !== 'readOnly';
};
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
// Exported so that tests can set this to 0 to avoid unnecessary test slowness.
exports.authnFailureDelayMs = 1000;
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
const preAuthorize = async (req, res, next) => {
const requireAdmin = req.path.toLowerCase().startsWith('/admin');
const locals = res.locals._webaccess = {requireAdmin, skip: false};
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
// ///////////////////////////////////////////////////////////////////////////////////////////////
// Step 1: Check the preAuthorize hook for early permit/deny (permit is only allowed for non-admin
// pages). If any plugin explicitly grants or denies access, skip the remaining steps. Plugins can
// use the preAuthzFailure hook to override the default 403 error.
// ///////////////////////////////////////////////////////////////////////////////////////////////
Changed the authentication mechanism to support hooks
2012-04-19 16:04:03 +02:00
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
let results;
const preAuthorizeNext = (...args) => { locals.skip = true; next(...args); };
try {
results = await aCallFirst('preAuthorize', {req, res, next: preAuthorizeNext},
// This predicate will cause aCallFirst to call the hook functions one at a time until one
// of them returns a non-empty list, with an exception: If the request is for an /admin
// page, truthy entries are filtered out before checking to see whether the list is empty.
// This prevents plugin authors from accidentally granting admin privileges to the general
// public.
(r) => (locals.skip || (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0)));
} catch (err) {
httpLogger.error(`Error in preAuthorize hook: ${err.stack || err.toString()}`);
if (!locals.skip) res.status(500).send('Internal Server Error');
return;
}
if (locals.skip) return;
if (requireAdmin) {
// Filter out all 'true' entries to prevent plugin authors from accidentally granting admin
// privileges to the general public.
results = results.filter((x) => !x);
}
if (results.length > 0) {
// Access was explicitly granted or denied. If any value is false then access is denied.
if (!results.every((x) => x)) {
// Access explicitly denied.
if (await aCallFirst0('preAuthzFailure', {req, res})) return;
// No plugin handled the pre-authentication authorization failure.
return res.status(403).send('Forbidden');
}
// Access explicitly granted.
locals.skip = true;
return next('route');
}
next();
};
const checkAccess = async (req, res, next) => {
const {locals: {_webaccess: {requireAdmin, skip}}} = res;
if (skip) return next('route');
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
// This helper is used in steps 2 and 4 below, so it may be called twice per access: once before
// authentication is checked and once after (if settings.requireAuthorization is true).
const authorize = async () => {
Fix read only pad access with authentication Before this commit, webaccess.checkAccess saved the authorization in user.padAuthorizations[padId] with padId being the read-only pad ID, however later stages, e.g. in PadMessageHandler, use the real pad ID for access checks. This led to authorization being denied. This commit fixes it by only storing and comparing the real pad IDs and not read-only pad IDs. This fixes test case "authn user readonly pad -> 200, ok" in src/tests/backend/specs/socketio.js.
2021-04-11 03:59:52 +02:00
const grant = async (level) => {
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
level = exports.normalizeAuthzLevel(level);
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
if (!level) return false;
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
const user = req.session.user;
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
if (user == null) return true; // This will happen if authentication is not required.
webaccess: Fix pad ID extraction for import and export paths
2020-10-01 21:29:38 -04:00
const encodedPadId = (req.path.match(/^\/p\/([^/]*)/) || [])[1];
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
if (encodedPadId == null) return true;
Fix read only pad access with authentication Before this commit, webaccess.checkAccess saved the authorization in user.padAuthorizations[padId] with padId being the read-only pad ID, however later stages, e.g. in PadMessageHandler, use the real pad ID for access checks. This led to authorization being denied. This commit fixes it by only storing and comparing the real pad IDs and not read-only pad IDs. This fixes test case "authn user readonly pad -> 200, ok" in src/tests/backend/specs/socketio.js.
2021-04-11 03:59:52 +02:00
let padId = decodeURIComponent(encodedPadId);
if (readOnlyManager.isReadOnlyId(padId)) {
// pad is read-only, first get the real pad ID
padId = await readOnlyManager.getPadId(padId);
if (padId == null) return false;
}
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
// The user was granted access to a pad. Remember the authorization level in the user's
// settings so that SecurityManager can approve or deny specific actions.
if (user.padAuthorizations == null) user.padAuthorizations = {};
security: Fix authz check for pad names with encoded characters Also: * Minor test cleanups (`function` instead of arrow functions, etc.). * Add a test for a case that was previously not covered.
2020-09-24 13:59:07 -04:00
user.padAuthorizations[padId] = level;
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
return true;
security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.
2020-09-11 19:26:26 -04:00
};
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
const isAuthenticated = req.session && req.session.user;
Fix read only pad access with authentication Before this commit, webaccess.checkAccess saved the authorization in user.padAuthorizations[padId] with padId being the read-only pad ID, however later stages, e.g. in PadMessageHandler, use the real pad ID for access checks. This led to authorization being denied. This commit fixes it by only storing and comparing the real pad IDs and not read-only pad IDs. This fixes test case "authn user readonly pad -> 200, ok" in src/tests/backend/specs/socketio.js.
2021-04-11 03:59:52 +02:00
if (isAuthenticated && req.session.user.is_admin) return await grant('create');
webaccess: Move pre-authn authz check to a separate hook Before this change, the authorize hook was invoked twice: once before authentication and again after (if settings.requireAuthorization is true). Now pre-authentication authorization is instead handled by a new preAuthorize hook, and the authorize hook is only invoked after the user has authenticated. Rationale: Without this change it is too easy to write an authorization plugin that is too permissive. Specifically: * If the plugin does not check the path for /admin then a non-admin user might be able to access /admin pages. * If the plugin assumes that the user has already been authenticated by the time the authorize function is called then unauthenticated users might be able to gain access to restricted resources. This change also avoids calling the plugin's authorize function twice per access, which makes it easier for plugin authors to write an authorization plugin that is easy to understand. This change may break existing authorization plugins: After this change, the authorize hook will no longer be able to authorize non-admin access to /admin pages. This is intentional. Access to admin pages should instead be controlled via the `is_admin` user setting, which can be set in the config file or by an authentication plugin. Also: * Add tests for the authenticate and authorize hooks. * Disable the authentication failure delay when testing.
2020-08-23 16:56:28 -04:00
const requireAuthn = requireAdmin || settings.requireAuthentication;
Fix read only pad access with authentication Before this commit, webaccess.checkAccess saved the authorization in user.padAuthorizations[padId] with padId being the read-only pad ID, however later stages, e.g. in PadMessageHandler, use the real pad ID for access checks. This led to authorization being denied. This commit fixes it by only storing and comparing the real pad IDs and not read-only pad IDs. This fixes test case "authn user readonly pad -> 200, ok" in src/tests/backend/specs/socketio.js.
2021-04-11 03:59:52 +02:00
if (!requireAuthn) return await grant('create');
if (!isAuthenticated) return await grant(false);
if (requireAdmin && !req.session.user.is_admin) return await grant(false);
if (!settings.requireAuthorization) return await grant('create');
return await grant(await aCallFirst0('authorize', {req, res, next, resource: req.path}));
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
More general basic auth
2012-04-19 14:25:12 +02:00
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
// ///////////////////////////////////////////////////////////////////////////////////////////////
// Step 2: Try to just access the thing. If access fails (perhaps authentication has not yet
// completed, or maybe different credentials are required), go to the next step.
// ///////////////////////////////////////////////////////////////////////////////////////////////
if (await authorize()) return next();
// ///////////////////////////////////////////////////////////////////////////////////////////////
// Step 3: Authenticate the user. (Or, if already logged in, reauthenticate with different
// credentials if supported by the authn scheme.) If authentication fails, give the user a 401
// error to request new credentials. Otherwise, go to the next step. Plugins can use the
// authnFailure hook to override the default error handling behavior (e.g., to redirect to a login
// page).
// ///////////////////////////////////////////////////////////////////////////////////////////////
if (settings.users == null) settings.users = {};
const ctx = {req, res, users: settings.users, next};
// If the HTTP basic auth header is present, extract the username and password so it can be given
// to authn plugins.
const httpBasicAuth =
req.headers.authorization && req.headers.authorization.search('Basic ') === 0;
if (httpBasicAuth) {
const userpass =
Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(':');
ctx.username = userpass.shift();
ctx.password = userpass.join(':');
}
if (!(await aCallFirst0('authenticate', ctx))) {
// Fall back to HTTP basic auth.
const {[ctx.username]: {password} = {}} = settings.users;
if (!httpBasicAuth || password == null || password !== ctx.password) {
httpLogger.info(`Failed authentication from IP ${req.ip}`);
if (await aCallFirst0('authnFailure', {req, res})) return;
if (await aCallFirst0('authFailure', {req, res, next})) return;
// No plugin handled the authentication failure. Fall back to basic authentication.
res.header('WWW-Authenticate', 'Basic realm="Protected Area"');
// Delay the error response for 1s to slow down brute force attacks.
await new Promise((resolve) => setTimeout(resolve, exports.authnFailureDelayMs));
res.status(401).send('Authentication Required');
return;
webaccess: Restructure for readability and future changes * Improve the comment describing how the access check works. * Move the `authenticate` logic to where it is used so that people don't have to keep jumping back and forth to understand how the access check works. * Break up the three steps to reduce the number of indentation levels and improve readability. This should also make it easier to implement and review planned future changes.
2020-08-28 21:03:45 -04:00
}
webaccess: Asyncify `checkAccess`
2020-11-18 17:31:18 -05:00
settings.users[ctx.username].username = ctx.username;
// Make a shallow copy so that the password property can be deleted (to prevent it from
// appearing in logs or in the database) without breaking future authentication attempts.
req.session.user = {...settings.users[ctx.username]};
delete req.session.user.password;
}
if (req.session.user == null) {
httpLogger.error('authenticate hook failed to add user settings to session');
return res.status(500).send('Internal Server Error');
}
const {username = '<no username>'} = req.session.user;
httpLogger.info(`Successful authentication from IP ${req.ip} for user ${username}`);
// ///////////////////////////////////////////////////////////////////////////////////////////////
// Step 4: Try to access the thing again. If this fails, give the user a 403 error. Plugins can
// use the authzFailure hook to override the default error handling behavior (e.g., to redirect to
// a login page).
// ///////////////////////////////////////////////////////////////////////////////////////////////
if (await authorize()) return next();
if (await aCallFirst0('authzFailure', {req, res})) return;
if (await aCallFirst0('authFailure', {req, res, next})) return;
// No plugin handled the authorization failure.
res.status(403).send('Forbidden');
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
Moved webaccess
2012-02-25 13:38:09 +01:00
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
/**
* Express middleware that allows plugins to explicitly grant/deny access via the `preAuthorize`
* hook before `checkAccess` is run. If access is explicitly granted:
* - `next('route')` will be called, which can be used to bypass later checks
express: Skip express-session middleware if pre-authorized
2021-12-18 17:00:02 -05:00
* - `nextRouteIfPreAuthorized` will simply call `next('route')`
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
* - `checkAccess` will simply call `next('route')`
*/
exports.preAuthorize = (req, res, next) => {
preAuthorize(req, res, next).catch((err) => next(err || new Error(err)));
};
express: Skip express-session middleware if pre-authorized
2021-12-18 17:00:02 -05:00
/**
* Express middleware that simply calls `next('route')` if the request has been explicitly granted
* access by `preAuthorize` (otherwise it calls `next()`). This can be used to bypass later checks.
*/
exports.nextRouteIfPreAuthorized = (req, res, next) => {
if (res.locals._webaccess.skip) return next('route');
next();
};
express: Check access before `expressConfigure` middleware There are no guarantees about the order of execution of hook functions, which means that a plugin's `expressConfigure` hook function could theoretically register a handler/middleware before the access check middleware is registered. If that happens, the plugin's handler would run before the access check, which would be bad. Avoid the problem by explicitly installing the `webaccess.checkAccess` middleware before running the `expressConfigure` hook.
2021-12-18 01:05:31 -05:00
/**
* Express middleware to authenticate the user and check authorization. Must be installed after the
webaccess: Move `preAuthorize` to its own middleware
2021-12-18 16:30:17 -05:00
* express-session middleware. If the request is pre-authorized, this middleware simply calls
* `next('route')`.
express: Check access before `expressConfigure` middleware There are no guarantees about the order of execution of hook functions, which means that a plugin's `expressConfigure` hook function could theoretically register a handler/middleware before the access check middleware is registered. If that happens, the plugin's handler would run before the access check, which would be bad. Avoid the problem by explicitly installing the `webaccess.checkAccess` middleware before running the `expressConfigure` hook.
2021-12-18 01:05:31 -05:00
*/
exports.checkAccess = (req, res, next) => {
checkAccess(req, res, next).catch((err) => next(err || new Error(err)));
webaccess: Add semicolons after statements
2020-08-25 16:44:44 -04:00
};
Reference in a new issue Copy permalink