diff --git a/README.md b/README.md
index 1e453710..31faff88 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ We use `docker-compose.yml` to quickly and easily provide you with a development
 To spin up an end-to-end development environment based in Docker:
 - Ensure you have [Docker](https://www.docker.com/) installed with Buildkit support (Docker 18.09 or higher)
-- In your local environment, run `$ aws configure` and add an access key and secret.
+- In your local environment, run `$ aws configure` and add an access key and a secret.
 - Run `$ make dc-build`. This will build the authenticator and development Docker images.
 - Run `$ docker-compose up`. This will run the authenticator with a Vault backend and will run test database servers (Postgres and MySQL).
 - In another window, `$ make dev`. This will start a shell in the development environment.
diff --git a/authenticator/main.go b/authenticator/main.go
index 9814bcb2..621985c0 100644
--- a/authenticator/main.go
+++ b/authenticator/main.go
@@ -12,7 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )
-const currentVersion = "0.2.0"
+const currentVersion = "0.2.1"
 func main() {
 	c, err := config.Parse()
diff --git a/authenticator/server/credmgrs/aws_secrets_manager_test.go b/authenticator/server/credmgrs/aws_secrets_manager_test.go
index 3d719170..d8f3f279 100644
--- a/authenticator/server/credmgrs/aws_secrets_manager_test.go
+++ b/authenticator/server/credmgrs/aws_secrets_manager_test.go
@@ -3,12 +3,14 @@ package credmgrs
 import (
+	"fmt"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/cyralinc/approzium/authenticator/server/config"
 	"os"
+	"strings"
 	"testing"
 )
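Review bot: The new `"fmt"` and `"strings"` imports in aws_secrets_manager_test.go go into a block that interleaves standard-library and third-party packages (`"os"` and `"testing"` already sit below the github.com entries), so `goimports` will not keep this ordering stable. Group the standard library first (`"fmt"`, `"os"`, `"strings"`, `"testing"`), then a blank line, then the aws-sdk-go and approzium packages.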
@@ -79,6 +81,12 @@ func TestAwsSecretsManager(t *testing.T) {
 	}
 	password, err := credMgr.Password(testLogEntry, identity)
 	if err != nil {
+		if strings.Contains(err.Error(), "not authorized") {
+			// The issue isn't with our code itself, it's that the creds we're using for
+			// testing aren't sufficient.
+			fmt.Println("insufficient authorization to run this test")
+			t.SkipNow()
+		}
 		t.Fatal(err)
 	}
 	if password != "asdfghjkl" {
diff --git a/authenticator/server/identity/aws.go b/authenticator/server/identity/aws.go
index 80db8059..cd78b8e2 100644
--- a/authenticator/server/identity/aws.go
+++ b/authenticator/server/identity/aws.go
@@ -110,10 +110,20 @@ func (a *aws) executeGetCallerIdentity(signedGetCallerIdentity string, clientLan
 	}
 	defer resp.Body.Close()
+	if resp.Header.Get("Content-Type") != "text/xml" {
+		return "", fmt.Errorf("unsupported Content-Type header of %s", resp.Header.Get("Content-Type"))
+	}
+
 	respBody, _ := ioutil.ReadAll(resp.Body)
 	if resp.StatusCode != 200 {
 		return "", fmt.Errorf("received unexpected get caller identity response %d: %s", resp.StatusCode, respBody)
 	}
+	if strings.Contains(string(respBody), "{") || strings.Contains(string(respBody), "[") {
+		// Just to err on the side of caution, ensure that the body doesn't hold anything
+		// that might be JSON. This is to avoid the exploit described in
+		// https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html.
+		return "", fmt.Errorf("body appears to contain JSON: %s", string(respBody))
+	}
 	type GetCallerIdentityResponse struct {
 		IamArn string `xml:"GetCallerIdentityResult>Arn"`
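Review bot: The skip in the new `if strings.Contains(err.Error(), "not authorized")` branch reports its reason with `fmt.Println` and then calls `t.SkipNow()`, so the reason is not attached to the test record; `t.Skipf("insufficient authorization to run this test: %v", err)` does both in one line and keeps the underlying error visible in `go test -v` output. Matching a substring of the error message is also brittle: the file already imports `awserr`, so asserting the error to `awserr.Error` and checking its `Code()` would tie the skip to the SDK's structured error rather than its wording. Because this branch turns an authorization failure into a skip rather than a failure, a CI run using under-privileged credentials will show green without ever exercising `credMgr.Password`; make that loss of coverage visible (for example by requiring the skip reason in CI logs or counting skipped tests) rather than letting it pass silently. TestAwsSecretsManager starts and ends outside the hunk.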