Security improvement of the call of updateUes.php script (#139)

Author: BaranekD

composer.json

@@ -30,6 +30,11 @@
         "symfony/var-exporter": "^5.0",
         "phpseclib/phpseclib": "~3.0",
         "ext-curl": "*",
-        "ext-json": "*"
+        "ext-json": "*",
+        "ext-openssl": "*",
+        "web-token/jwt-key-mgmt": "^2.2",
+        "web-token/jwt-signature": "^2.2",
+        "web-token/jwt-signature-algorithm-rsa": "^2.2",
+        "web-token/jwt-checker": "^2.2"
     }
 }

config-templates/tables.sql

@@ -13,4 +13,14 @@ CREATE TABLE greyList (
 	reason VARCHAR(255),
 	INDEX (entityId),
 	PRIMARY KEY (entityId)
-);
+);
+
+CREATE TABLE scriptChallenges (
+    id VARCHAR(255) NOT NULL,
+    challenge VARCHAR(255) NOT NULL,
+    script VARCHAR(255) NOT NULL,
+    date DATETIME NOT NULL DEFAULT current_timestamp,
+    PRIMARY KEY (id)
+);
+
+CREATE INDEX idx_date on scriptChallenges (date);

hooks/hook_cron.php

@@ -0,0 +1,51 @@
+<?php
+
+use SimpleSAML\Logger;
+use SimpleSAML\Module\perun\DatabaseConnector;
+
+const TABLE_NAME = 'scriptChallenges';
+const DATE_COLUMN = 'date';
+
+/**
+ * Hook to run a cron job.
+ *
+ * @param array &$croninfo  Output
+ * @author Dominik Baranek <[email protected]>
+ */
+function challenges_hook_cron(&$croninfo)
+{
+    if ($croninfo['tag'] !== 'hourly') {
+        Logger::debug('cron [perun]: Skipping cron in cron tag [' . $croninfo['tag'] . '] ');
+        return;
+    }
+
+    Logger::info('cron [perun]: Running cron in cron tag [' . $croninfo['tag'] . '] ');
+
+    try {
+        $databaseConnector = new DatabaseConnector();
+        $conn = $databaseConnector->getConnection();
+
+        if ($conn !== null) {
+            $stmt = $conn->prepare(
+                'DELETE FROM ' . TABLE_NAME . ' WHERE ' . DATE_COLUMN . ' < (NOW() - INTERVAL 5 MINUTE)'
+            );
+
+            if (!$stmt) {
+                $conn->close();
+                Logger::error('cron [perun]: Error during preparing statement');
+                return;
+            }
+
+            $ex = $stmt->execute();
+
+            if ($ex === false) {
+                Logger::error('cron [perun]: Error while deleting old challenges from the database.');
+            }
+
+            $stmt->close();
+            $conn->close();
+        }
+    } catch (\Exception $e) {
+        $croninfo['summary'][] = 'Error while deleting old challenges from the database: ' . $e->getMessage();
+    }
+}

lib/Auth/Process/UpdateUserExtSource.php

@@ -2,14 +2,16 @@
 
 namespace SimpleSAML\Module\perun\Auth\Process;
 
+use Jose\Component\KeyManagement\JWKFactory;
+use Jose\Component\Core\AlgorithmManager;
+use Jose\Component\Signature\JWSBuilder;
+use Jose\Component\Signature\Serializer\CompactSerializer;
+use Jose\Component\Signature\Algorithm\RS512;
 use SimpleSAML\Auth\ProcessingFilter;
 use SimpleSAML\Error\Exception;
 use SimpleSAML\Logger;
 use SimpleSAML\Module;
-use SimpleSAML\Module\perun\AttributeUtils;
 use SimpleSAML\Module\perun\UpdateUESThread;
-use SimpleSAML\Configuration;
-use SimpleSAML\Module\perun;
 
 /**
  * Class sspmod_perun_Auth_Process_UpdateUserExtSource
@@ -23,6 +25,9 @@ class UpdateUserExtSource extends ProcessingFilter
 {
     private $attrMap;
     private $attrsToConversion;
+    private $pathToKey;
+
+    const SCRIPT_NAME = 'updateUes';
 
     public function __construct($config, $reserved)
     {
@@ -36,26 +41,77 @@ public function __construct($config, $reserved)
             );
         }
 
+        if (!isset($config['pathToKey'])) {
+            throw new Exception(
+                'perun:UpdateUserExtSource: missing mandatory configuration option \'pathToKey\'.'
+            );
+        }
+
         if (isset($config['arrayToStringConversion'])) {
             $this->attrsToConversion = (array)$config['arrayToStringConversion'];
         } else {
             $this->attrsToConversion = [];
         }
 
         $this->attrMap = (array)$config['attrMap'];
+        $this->pathToKey = $config['pathToKey'];
     }
 
     public function process(&$request)
     {
+        $id = uniqid("", true);
+
+        $dataChallenge = [
+            'id' => $id,
+            'scriptName' => self::SCRIPT_NAME
+        ];
+
+        $json = json_encode($dataChallenge);
+
+        $curlChallenge = curl_init();
+        curl_setopt($curlChallenge, CURLOPT_POSTFIELDS, $json);
+        curl_setopt($curlChallenge, CURLOPT_URL, Module::getModuleURL('perun/getChallenge.php'));
+        curl_setopt($curlChallenge, CURLOPT_RETURNTRANSFER, true);
+
+        $challenge = curl_exec($curlChallenge);
+
+        if (empty($challenge)) {
+            Logger::error('Retrieving the challenge was not successful.');
+            return;
+        }
+
+        $jwk = JWKFactory::createFromKeyFile($this->pathToKey);
+        $algorithmManager = new AlgorithmManager([new RS512()]);
+        $jwsBuilder = new JWSBuilder($algorithmManager);
+
         $data = [
             'attributes' => $request['Attributes'],
             'attrMap' => $this->attrMap,
             'attrsToConversion' => $this->attrsToConversion,
             'perunUserId' => $request['perun']['user']->getId()
         ];
 
-        $cmd = 'curl -X POST -H "Content-Type: application/json" -d \'' . json_encode($data) . '\' ' .
-               Module::getModuleURL('perun/updateUes.php') . ' > /dev/null &';
+        $payload = json_encode([
+            'iat' => time(),
+            'nbf' => time(),
+            'exp' => time() + 300,
+            'challenge' => $challenge,
+            'id' => $id,
+            'data' => $data
+        ]);
+
+        $jws = $jwsBuilder
+            ->create()
+            ->withPayload($payload)
+            ->addSignature($jwk, ['alg' => 'RS512'])
+            ->build();
+
+        $serializer = new CompactSerializer();
+        $token = $serializer->serialize($jws, 0);
+
+        $cmd = 'curl -X POST -H "Content-Type: application/json" -d ' . escapeshellarg($token) . ' ' .
+            escapeshellarg(Module::getModuleURL('perun/updateUes.php')) . ' > /dev/null &';
+
         exec($cmd);
     }
 }

lib/ScriptsUtils.php

@@ -0,0 +1,133 @@
+<?php
+
+
+namespace SimpleSAML\Module\perun;
+
+
+class ScriptsUtils
+{
+    const CHALLENGES_TABLE_NAME = 'scriptChallenges';
+    const CHALLENGE = 'challenge';
+
+    public static function generateChallenge($connection, $challenge, $id, $scriptName): bool
+    {
+        if ($connection === null || empty($challenge)) {
+            Logger::error('Perun:ScriptsUtils: Error while creating a challenge');
+            http_response_code(500);
+            return false;
+        }
+
+        $stmt = $connection->prepare(
+            'INSERT INTO ' . self::CHALLENGES_TABLE_NAME . ' (id, challenge, script) VALUES (?, ?, ?)'
+        );
+
+        if ($stmt) {
+            $stmt->bind_param('sss', $id, $challenge, $scriptName);
+            $ex = $stmt->execute();
+
+            if ($ex === false) {
+                Logger::error('Perun:ScriptsUtils: Error while creating a challenge');
+                http_response_code(500);
+                return false;
+            }
+
+            $stmt->close();
+        } else {
+            Logger::error('Perun:ScriptsUtils: Error during preparing statement');
+            http_response_code(500);
+            return false;
+        }
+
+        return true;
+    }
+
+    public static function readChallengeFromDb($connection, $id)
+    {
+        if ($connection === null) {
+            http_response_code(500);
+            return null;
+        }
+
+        if (empty($id)) {
+            http_response_code(400);
+            return null;
+        }
+
+        $stmt = $connection->prepare('SELECT challenge FROM ' . self::CHALLENGES_TABLE_NAME . ' WHERE id=?');
+
+        if (!$stmt) {
+            Logger::error('Perun:ScriptsUtils: Error during preparing statement');
+            http_response_code(500);
+            return null;
+        }
+
+        $stmt->bind_param('s', $id);
+        $ex = $stmt->execute();
+
+        if ($ex === false) {
+            Logger::error('Perun:ScriptsUtils: Error while getting the challenge from the database.');
+            http_response_code(500);
+            return null;
+        }
+
+        $challengeDb = $stmt->get_result()->fetch_assoc()[self::CHALLENGE];
+        $stmt->close();
+
+        return $challengeDb;
+    }
+
+    public static function checkAccess($connection, $challenge, $challengeDb): bool
+    {
+        if ($connection === null) {
+            http_response_code(500);
+            return false;
+        }
+
+        if (empty($challenge) || empty($challengeDb)) {
+            http_response_code(400);
+            return false;
+        }
+
+        if (!hash_equals($challengeDb, $challenge)) {
+            Logger::error('Perun:ScriptsUtils: Hashes are not equal.');
+            http_response_code(401);
+            return false;
+        }
+
+        return true;
+    }
+
+    public static function deleteChallengeFromDb($connection, $id): bool
+    {
+        if ($connection === null) {
+            http_response_code(500);
+            return false;
+        }
+
+        if (empty($id)) {
+            http_response_code(400);
+            return false;
+        }
+
+        $stmt = $connection->prepare('DELETE FROM ' . self::CHALLENGES_TABLE_NAME . ' WHERE id=?');
+
+        if ($stmt) {
+            $stmt->bind_param('s', $id);
+            $ex = $stmt->execute();
+
+            if ($ex === false) {
+                Logger::error('Perun:ScriptsUtils: Error while deleting the challenge from the database.');
+                http_response_code(500);
+                return false;
+            }
+
+            $stmt->close();
+        } else {
+            Logger::error('Perun:ScriptsUtils: Error during preparing statement');
+            http_response_code(500);
+            return false;
+        }
+
+        return true;
+    }
+}

www/getChallenge.php

@@ -0,0 +1,51 @@
+<?php
+
+use SimpleSAML\Module\perun\DatabaseConnector;
+use SimpleSAML\Logger;
+use SimpleSAML\Module\perun\ScriptsUtils;
+
+$entityBody = file_get_contents('php://input');
+$body = json_decode($entityBody, true);
+
+if ($body === false) {
+    Logger::error('Perun.getChallenge: Received invalid json.');
+    http_response_code(400);
+    exit;
+}
+
+if (empty($body['id'] || strlen($body['id']) > 30 || !ctype_print($body['id']))) {
+    Logger::error('Perun.getChallenge: Invalid id');
+    http_response_code(400);
+    exit;
+}
+
+if (empty($body['scriptName']) || strlen($body['scriptName']) > 255 || !ctype_print($body['scriptName'])) {
+    http_response_code(400);
+    Logger::error('Perun.getChallenge: Invalid scriptName');
+    exit;
+}
+
+$id = $body['id'];
+$scriptName = $body['scriptName'];
+
+const RANDOM_BYTES_LENGTH = 32;
+const TABLE_NAME = 'scriptChallenges';
+
+try {
+    $challenge = hash('sha256', random_bytes(RANDOM_BYTES_LENGTH));
+} catch (Exception $ex) {
+    Logger::error('Perun.getChallenge: Error while generating a challenge');
+    http_response_code(500);
+    exit;
+}
+
+$databaseConnector = new DatabaseConnector();
+$conn = $databaseConnector->getConnection();
+$generateChallengeSucceeded = ScriptsUtils::generateChallenge($conn, $challenge, $id, $scriptName);
+$conn->close();
+
+if (!$generateChallengeSucceeded) {
+    exit;
+}
+
+echo $challenge;