changeset 3515:c64c47ff2ab1 password
import: fix for password leakage. No passwords are received or sent when a configuration is edited.
author | Thomas Junk <thomas.junk@intevation.de> |
date | Wed, 29 May 2019 09:56:42 +0200 |
parents | 4d7b481e1d39 |
children | 5be5b54336ea |
files | client/src/components/importconfiguration/ScheduledImports.vue client/src/components/importconfiguration/types/Distancemarksvirtual.vue client/src/components/importconfiguration/types/Waterwaygauges.vue pkg/controllers/importconfig.go pkg/imports/config.go |
diffstat | 5 files changed, 60 insertions(+), 10 deletions(-) [+] |
--- a/client/src/components/importconfiguration/ScheduledImports.vue Tue May 28 17:12:02 2019 +0200
+++ b/client/src/components/importconfiguration/ScheduledImports.vue Wed May 29 09:56:42 2019 +0200
@@ -393,6 +393,7 @@
 </button>
 <div>
 <button
+ v-if="!currentSchedule.id"
 @click="triggerManualImport"
 type="button"
 class="btn btn-sm btn-outline-info"
@@ -568,6 +569,22 @@
 return false;
 }
 },
+ usernamePasswordFilled() {
+ if (
+ this.isCredentialsRequired &&
+ this.currentSchedule.id &&
+ this.username
+ )
+ return true;
+ if (
+ this.isCredentialsRequired &&
+ !this.currentSchedule.id &&
+ this.username &&
+ this.password
+ )
+ return true;
+ return false;
+ },
 isValid() {
 if (!this.import_) return false;
 if (this.isToleranceRequired && !this.tolerance) return false;
@@ -576,8 +593,7 @@
 if (this.isURLRequired && !this.url) return false;
 if (this.isSortbyRequired && !this.sortBy) return false;
 if (this.isFeatureTypeRequired && !this.featureType) return false;
- if (this.isCredentialsRequired && (!this.username || !this.password))
- return false;
+ if (!this.usernamePasswordFilled) return false;
 if (this.import_ == this.$options.IMPORTTYPES.FAIRWAYDIMENSION) {
 if (
 !this.LOS ||
@@ -856,12 +872,12 @@
 config["tolerance"] = parseFloat(this.tolerance);
 }
 if (this.isCredentialsRequired) {
- if (!this.username || !this.password) return;
+ if (!this.usernamePasswordFilled) return;
 config = {
 ...config,
- user: this.username,
- password: this.password
+ user: this.username
 };
+ if (!this.currentSchedule.id) config["password"] = this.password;
 }
 if (this.import_ == this.$options.IMPORTTYPES.FAIRWAYDIMENSION) {
 if (
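Review bot: In the last hunk, `if (!this.currentSchedule.id) config["password"] = this.password;` discards any password typed while editing an existing schedule, so a stored credential can no longer be rotated through the edit form — the only remaining path is deleting and recreating the schedule. Assuming the update endpoint leaves the stored password untouched when the key is absent (the commit message implies this, the hunk does not show it), sending the field whenever the user actually filled it restores rotation without re-leaking anything: `if (!this.currentSchedule.id || this.password) config["password"] = this.password;`. `usernamePasswordFilled` in the second hunk already accepts an empty password on edit, so validation needs no further change. The enclosing save method starts and ends outside the hunk.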
--- a/client/src/components/importconfiguration/types/Distancemarksvirtual.vue Tue May 28 17:12:02 2019 +0200
+++ b/client/src/components/importconfiguration/types/Distancemarksvirtual.vue Wed May 29 09:56:42 2019 +0200
@@ -59,7 +59,10 @@
 <font-awesome-icon :icon="passwordVisible ? 'eye-slash' : 'eye'" />
 </span>
 </div>
- <div v-if="!password" class="d-flex flex-row">
+ <div
+ v-if="!password && !this.currentSchedule.id"
+ class="d-flex flex-row"
+ >
 <small
 ><translate class="text-danger"
 >Please enter a Password</translate
@@ -85,6 +88,8 @@
 * Author(s):
 * Thomas Junk <thomas.junk@intevation.de>
 */
+
+import { mapState } from "vuex";
 export default {
 name: "distancemarksvirtual",
 props: ["url", "username", "password"],
@@ -94,6 +99,10 @@
 };
 },
 computed: {
+ ...mapState("importschedule", [
+ "importScheduleDetailVisible",
+ "currentSchedule"
+ ]),
 showPassword() {
 if (this.passwordVisible) return "text";
 return "password";
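Review bot: In the template hunk, `v-if="!password && !this.currentSchedule.id"` reaches the mapped state through `this.` while the adjacent `!password` and the rest of the template use bare identifiers; template expressions are already evaluated against the component instance, so `v-if="!password && !currentSchedule.id"` is the consistent form. Hiding the "Please enter a Password" hint for existing schedules is correct now that the server withholds the password, but the user then sees an empty field with no explanation; a short hint for that case (e.g. that the stored password is not shown) would avoid the impression that no credential is configured — exact wording depends on how the save path treats an entered password, which lives outside this file. `importScheduleDetailVisible` is mapped in the third hunk but not referenced in any of these hunks; if it is unused elsewhere in the component, drop it from the `mapState` list.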
--- a/client/src/components/importconfiguration/types/Waterwaygauges.vue Tue May 28 17:12:02 2019 +0200
+++ b/client/src/components/importconfiguration/types/Waterwaygauges.vue Wed May 29 09:56:42 2019 +0200
@@ -59,7 +59,10 @@
 <font-awesome-icon :icon="passwordVisible ? 'eye-slash' : 'eye'" />
 </span>
 </div>
- <div v-if="!password" class="d-flex flex-row">
+ <div
+ v-if="!password && !this.currentSchedule.id"
+ class="d-flex flex-row"
+ >
 <small
 ><translate class="text-danger"
 >Please enter a Password</translate
@@ -85,6 +88,9 @@
 * Author(s):
 * Thomas Junk <thomas.junk@intevation.de>
 */
+
+import { mapState } from "vuex";
+
 export default {
 name: "waterwaygauges",
 props: ["username", "password", "url"],
@@ -94,6 +100,10 @@
 };
 },
 computed: {
+ ...mapState("importschedule", [
+ "importScheduleDetailVisible",
+ "currentSchedule"
+ ]),
 showPassword() {
 if (this.passwordVisible) return "text";
 return "password";
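Review bot: The template condition `v-if="!password && !this.currentSchedule.id"` mixes a `this.`-qualified reference with the bare `!password` next to it; Vue evaluates template expressions against the instance, so `v-if="!password && !currentSchedule.id"` reads consistently and matches the sibling Distancemarksvirtual.vue once both are cleaned up. Of the two store fields mapped in the last hunk, only `currentSchedule` is used in these hunks; `importScheduleDetailVisible` should be removed from the `mapState` list unless it is referenced elsewhere in the component. The blank line added after the import in the second hunk is absent in the otherwise identical change to Distancemarksvirtual.vue — pick one layout for both files.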
--- a/pkg/controllers/importconfig.go Tue May 28 17:12:02 2019 +0200
+++ b/pkg/controllers/importconfig.go Wed May 29 09:56:42 2019 +0200
@@ -177,9 +177,19 @@
 return
 }
- what := ctor()
+ // Remove `password` from the attributes to be delivered to the client.
+ // Even a priviledged user shall not be able to see the password.
+ // (See config.ListAllPersistentConfigurationsContext() for the other
+ // place where this is done.)
+ filteredAttributes := make(common.Attributes)
+ for key, value := range cfg.Attributes {
+ if key != "password" {
+ filteredAttributes[key] = value
+ }
+ }
- if err = cfg.Attributes.Unmarshal(what); err != nil {
+ what := ctor()
+ if err = filteredAttributes.Unmarshal(what); err != nil {
 return
 }
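Review bot: The new loop is an exact-key denylist on the literal `"password"`, and the comment itself points to a second copy of the same literal in pkg/imports/config.go; since both sides already work on `common.Attributes`, a single constant such as `const PasswordAttribute = "password"` in `common`, used by both comparisons, or a method like `func (a Attributes) WithoutSecrets() Attributes` that both call, would keep the two filters from drifting when the next secret (token, client secret) is added. As written, any future attribute that carries a secret under another key is delivered to the client unchanged, so the comment should say so explicitly: `// Exact-key denylist: only "password" is stripped; add further secret keys here and in ListAllPersistentConfigurationsContext.` Minor: `priviledged` → `privileged`. The enclosing handler starts and ends outside the hunk.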
--- a/pkg/imports/config.go Tue May 28 17:12:02 2019 +0200
+++ b/pkg/imports/config.go Wed May 29 09:56:42 2019 +0200
@@ -269,7 +269,12 @@
 if pc.Attributes == nil {
 pc.Attributes = common.Attributes{}
 }
- pc.Attributes.Set(k.String, v.String)
+ // Prevent sending the `password` back to the client.
+ // (See importconfig.infoImportConfig() for the other place
+ // where this is done.)
+ if k.String != "password" {
+ pc.Attributes.Set(k.String, v.String)
+ }
 }
 }
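Review bot: `if k.String != "password"` repeats the literal that pkg/controllers/importconfig.go also hard-codes; both files already depend on `common.Attributes`, so comparing against a shared `common.PasswordAttribute` constant (or delegating to one `Attributes` helper that drops secret keys) removes the risk that one filter is updated and the other is not. The comparison is exact and case-sensitive, so a key stored with different casing or a second secret attribute would still be returned to the client — worth stating in the comment, or enforcing where attribute keys are written (not visible here). Note that the filtered row is silently skipped rather than replaced by a placeholder, so clients cannot distinguish "no password configured" from "password withheld"; if the UI needs that distinction, a boolean such as `hasPassword` would convey it without exposing the value. The enclosing function (presumably `ListAllPersistentConfigurationsContext`, per the sibling comment) starts and ends outside the hunk.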