Bind cache entries also contain the app marker now #24

fredreichbier · 2017-06-28T18:10:39Z

This makes it impossible to abuse the bind cache
to authenticate to another app using the same credentials.

Closes #20

This makes it impossible to abuse the bind cache to authenticate to another app using the same credentials. Closes #20

fredreichbier · 2017-06-28T18:11:46Z

This also fixes another potential issue:
Prior to this commit, Bind requests which were handled by the bind cache were automatically authenticated as the service user in any case (not respecting the bind-service-account config option).

fredreichbier · 2017-06-28T18:13:54Z

pi_ldapproxy/proxy.py

-                        if self.factory.bind_service_account:
-                            yield self.bind_service_account()
-                            self.bound = True
+            if self.factory.is_bind_cached(request.dn, app_marker, request.auth):


This is potentially inefficient because it resolves the username in any case before checking if the (DN, app marker, password) tuple is contained in the bind cache.
But this is also a security feature if the user was removed in the meantime :)

I think some people, who optimze away all ldap requests will not like this.
May be we can make this configurable - one day (undocumented) ;-)

I guess so! :) I opened #25 to keep track of that.

cornelinux · 2017-06-29T17:08:38Z

pi_ldapproxy/bindcache.py

        self._cache = {}

-    def add_to_cache(self, dn, password):
+    def add_to_cache(self, dn, app_marker, password):


What is good pythonian?
Would we one day define a cacheObject instead of a tuple, which has the attributes

dn

app_markes

password

and then define comparison methods?

Hmm, good question! I'd probably go for something like def add_to_cache(self, cache_object, password), where cache_object=(dn, app_marker). Simply because it is no problem to print cache_object to the log, whereas we should never print password to the log :)

cornelinux · 2017-06-29T17:10:21Z

pi_ldapproxy/proxy.py

-                        if self.factory.bind_service_account:
-                            yield self.bind_service_account()
-                            self.bound = True
+            if self.factory.is_bind_cached(request.dn, app_marker, request.auth):


I think some people, who optimze away all ldap requests will not like this.
May be we can make this configurable - one day (undocumented) ;-)

Bind cache entries also contain the app marker now

c4b0d8a

This makes it impossible to abuse the bind cache to authenticate to another app using the same credentials. Closes #20

fredreichbier commented Jun 28, 2017

View reviewed changes

cornelinux reviewed Jun 29, 2017

View reviewed changes

fredreichbier merged commit 8fb6049 into master Jun 29, 2017

fredreichbier deleted the 20/cache-app-marker branch June 29, 2017 17:32

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bind cache entries also contain the app marker now #24

Bind cache entries also contain the app marker now #24

fredreichbier commented Jun 28, 2017

fredreichbier commented Jun 28, 2017

fredreichbier Jun 28, 2017

cornelinux Jun 29, 2017

fredreichbier Jun 29, 2017

cornelinux Jun 29, 2017

fredreichbier Jun 29, 2017

cornelinux Jun 29, 2017

Bind cache entries also contain the app marker now #24

Bind cache entries also contain the app marker now #24

Conversation

fredreichbier commented Jun 28, 2017

fredreichbier commented Jun 28, 2017

fredreichbier Jun 28, 2017

Choose a reason for hiding this comment

cornelinux Jun 29, 2017

Choose a reason for hiding this comment

fredreichbier Jun 29, 2017

Choose a reason for hiding this comment

cornelinux Jun 29, 2017

Choose a reason for hiding this comment

fredreichbier Jun 29, 2017

Choose a reason for hiding this comment

cornelinux Jun 29, 2017

Choose a reason for hiding this comment