
Tighten user check.

Don't allow a user with a wildcard password entry to use the same
username as a user with a specific entry even at the same privilege
level.
This commit is contained in:
Juliusz Chroboczek 2021-02-06 23:30:45 +01:00
parent 91c161e548
commit c4e26b65b7
2 changed files with 116 additions and 18 deletions


@ -681,17 +681,24 @@ func (g *Group) GetChatHistory() []ChatHistoryEntry {
} }
func matchClient(group string, c Challengeable, users []ClientCredentials) (bool, bool) { func matchClient(group string, c Challengeable, users []ClientCredentials) (bool, bool) {
matched := false
for _, u := range users {
if u.Username == c.Username() {
matched = true
if c.Challenge(group, u) {
return true, true
}
}
}
if matched {
return true, false
}
for _, u := range users { for _, u := range users {
if u.Username == "" { if u.Username == "" {
if c.Challenge(group, u) { if c.Challenge(group, u) {
return true, true return true, true
} }
} else if u.Username == c.Username() {
if c.Challenge(group, u) {
return true, true
} else {
return true, false
}
} }
} }
return false, false return false, false
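Review bot: The meaning of the two returned booleans is still undocumented, and the new two-pass shape makes it worth stating, because the first loop now short-circuits at `if matched { return true, false }` and the wildcard loop is only reached when no entry carries the client's username. A doc comment on the signature would pin that contract: `// matchClient reports whether some entry in users applies to c and whether c passed the challenge against one of those entries; entries naming c's username take precedence, and entries with an empty Username are wildcards consulted only when no named entry exists.` One further observation: a client whose Username() is the empty string is matched by the wildcard entries already in the first loop, so for that caller the second loop is never reached; that looks harmless, but a one-line comment would confirm it is intended. The closing brace of matchClient lies outside the hunk.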


@ -23,36 +23,127 @@ func TestJSTime(t *testing.T) {
} }
} }
func TestDescriptionJSON(t *testing.T) { var descJSON = `
d := `
{ {
"op": [{"username": "jch","password": "topsecret"}], "op": [{"username": "jch","password": "topsecret"}],
"max-history-age": 10, "max-history-age": 10,
"allow-subgroups": true, "allow-subgroups": true,
"presenter": [ "presenter": [
{"user": "john", "password": "secret"}, {"username": "john", "password": "secret"},
{"username": "john", "password": "secret2"}
],
"other": [
{"username": "james", "password": "secret3"},
{"username": "peter", "password": "secret4"},
{} {}
] ]
}` }`
var dd description func TestDescriptionJSON(t *testing.T) {
err := json.Unmarshal([]byte(d), &dd) var d description
err := json.Unmarshal([]byte(descJSON), &d)
if err != nil { if err != nil {
t.Fatalf("unmarshal: %v", err) t.Fatalf("unmarshal: %v", err)
} }
ddd, err := json.Marshal(dd) dd, err := json.Marshal(d)
if err != nil { if err != nil {
t.Fatalf("marshal: %v", err) t.Fatalf("marshal: %v", err)
} }
var dddd description var ddd description
err = json.Unmarshal([]byte(ddd), &dddd) err = json.Unmarshal([]byte(dd), &ddd)
if err != nil { if err != nil {
t.Fatalf("unmarshal: %v", err) t.Fatalf("unmarshal: %v", err)
} }
if !reflect.DeepEqual(dd, dddd) { if !reflect.DeepEqual(d, ddd) {
t.Errorf("Got %v, expected %v", dddd, dd) t.Errorf("Got %v, expected %v", ddd, d)
} }
} }
type testClient struct {
username string
password string
}
func (c testClient) Username() string {
return c.username
}
func (c testClient) Challenge(g string, creds ClientCredentials) bool {
if creds.Password == nil {
return true
}
m, err := creds.Password.Match(c.password)
if err != nil {
return false
}
return m
}
type testClientPerm struct {
c testClient
p ClientPermissions
}
var badClients = []testClient{
testClient{"jch", "foo"},
testClient{"john", "foo"},
testClient{"james", "foo"},
}
var goodClients = []testClientPerm{
{
testClient{"jch", "topsecret"},
ClientPermissions{true, true, false},
},
{
testClient{"john", "secret"},
ClientPermissions{false, true, false},
},
{
testClient{"john", "secret2"},
ClientPermissions{false, true, false},
},
{
testClient{"james", "secret3"},
ClientPermissions{false, false, false},
},
{
testClient{"paul", "secret3"},
ClientPermissions{false, false, false},
},
}
func TestPermissions(t *testing.T) {
var d description
err := json.Unmarshal([]byte(descJSON), &d)
if err != nil {
t.Fatalf("unmarshal: %v", err)
}
for _, c := range badClients {
t.Run("bad " + c.Username(), func(t *testing.T) {
p, err := d.GetPermission("test", c)
if err != ErrNotAuthorised {
t.Errorf("GetPermission %v: %v %v", c, err, p)
}
})
}
for _, cp := range goodClients {
t.Run("good " + cp.c.Username(), func(t *testing.T) {
p, err := d.GetPermission("test", cp.c)
if err != nil {
t.Errorf("GetPermission %v: %v", cp.c, err)
} else if !reflect.DeepEqual(p, cp.p) {
t.Errorf("%v: got %v, expected %v",
cp.c, p, cp.p)
}
})
}
}
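Review bot: In TestPermissions the subtest closures capture the range variables `c` and `cp` directly (`t.Run("bad " + c.Username(), func(t *testing.T) { ... d.GetPermission("test", c) ... })`); with the Go versions current at the time of this commit every iteration shares one variable, so the subtests are only correct because they never call t.Parallel. Copying the variable at the top of each loop body, `c := c` and `cp := cp`, keeps the tables safe if someone later parallelises them. Minor style points in the same hunk: the element literals in badClients repeat the element type (`testClient{"jch", "foo"}` can be written `{"jch", "foo"}`, as gofmt -s would), and the positional ClientPermissions literals in goodClients will silently change meaning if a field is added or reordered, so keyed fields would make the expected permissions self-describing. The "peter" entry in descJSON is not exercised by either table, so a case for it (good or bad password) would complete the coverage of the "other" list.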