Release/0.2.1 (#206)

* Skip test if creds are insufficient * Bump version * Increase response verification (#205) * Increase response verification * Add word
cyralinc · Oct 16, 2020 · 5e8910a · 5e8910a
1 parent 3b7c940
commit 5e8910a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ We use `docker-compose.yml` to quickly and easily provide you with a development
 To spin up an end-to-end development environment based in Docker:
 
 - Ensure you have [Docker](https://www.docker.com/) installed with Buildkit support (Docker 18.09 or higher)
-- In your local environment, run `$ aws configure` and add an access key and secret.
+- In your local environment, run `$ aws configure` and add an access key and a secret.
 - Run `$ make dc-build`. This will build the authenticator and development Docker images.
 - Run `$ docker-compose up`. This will run the authenticator with a Vault backend and will run test database servers (Postgres and MySQL).
 - In another window, `$ make dev`. This will start a shell in the development environment.

diff --git a/authenticator/main.go b/authenticator/main.go
@@ -12,7 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-const currentVersion = "0.2.0"
+const currentVersion = "0.2.1"
 
 func main() {
 	c, err := config.Parse()

diff --git a/authenticator/server/credmgrs/aws_secrets_manager_test.go b/authenticator/server/credmgrs/aws_secrets_manager_test.go
@@ -3,12 +3,14 @@
 package credmgrs
 
 import (
+	"fmt"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/cyralinc/approzium/authenticator/server/config"
 	"os"
+	"strings"
 	"testing"
 )
 
@@ -79,6 +81,12 @@ func TestAwsSecretsManager(t *testing.T) {
 	}
 	password, err := credMgr.Password(testLogEntry, identity)
 	if err != nil {
+		if strings.Contains(err.Error(), "not authorized") {
+			// The issue isn't with our code itself, it's that the creds we're using for
+			// testing aren't sufficient.
+			fmt.Println("insufficient authorization to run this test")
+			t.SkipNow()
+		}
 		t.Fatal(err)
 	}
 	if password != "asdfghjkl" {

diff --git a/authenticator/server/identity/aws.go b/authenticator/server/identity/aws.go
@@ -110,10 +110,20 @@ func (a *aws) executeGetCallerIdentity(signedGetCallerIdentity string, clientLan
 	}
 	defer resp.Body.Close()
 
+	if resp.Header.Get("Content-Type") != "text/xml" {
+		return "", fmt.Errorf("unsupported Content-Type header of %s", resp.Header.Get("Content-Type"))
+	}
+
 	respBody, _ := ioutil.ReadAll(resp.Body)
 	if resp.StatusCode != 200 {
 		return "", fmt.Errorf("received unexpected get caller identity response %d: %s", resp.StatusCode, respBody)
 	}
+	if strings.Contains(string(respBody), "{") || strings.Contains(string(respBody), "[") {
+		// Just to err on the side of caution, ensure that the body doesn't hold anything
+		// that might be JSON. This is to avoid the exploit described in
+		// https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html.
+		return "", fmt.Errorf("body appears to contain JSON: %s", string(respBody))
+	}
 
 	type GetCallerIdentityResponse struct {
 		IamArn string `xml:"GetCallerIdentityResult>Arn"`