Commit
Make sure SSO logins can handle duplicate usernames (OWASP#531)
* Cleanup for PR
* Restore modified database test file
* Add setup IT
* Initialize string buffer
* Remake setup IT to test core database
* Use commons IO for auth file checking
* Set all db properties before setup
* Add teardown to dbprops
* Double negation fixed
* Make sure params are added to the right place
* Check return code of failing setup page
* Improve teardown
* Rename db props to mysql props
* Tests dynamically create db props file now
* Update unit tests to create db file
* All IT tests have to create mysql properties file
* Hunting for null pointer in SetupIT
* Disabling setup it tests for now
* Add error handling for db connection issues
* Add error handling for db connection issues
* Add saml dependency and metadata jsp
* Add demo saml files
* Add test for upper and lowercase username
* Test for long passwords
* Integration test for 160-char password
* Make sure IT tests don't step on each other's toes
* Add test for upper and lowercase username
* Test for long passwords
* Integration test for 160-char password
* Make sure IT tests don't step on each other's toes
* Fix naming of testUtils
* Add utf-8 username test
* Test for non-latin passwords
* Add argon2 dependency
* Test for duplicate usernames
* Add password change tests
* Catch more generic SQL exception
* Salted passwords with argon2
* Fix syntax error in core sql
* Reset userfind to upstream version
* Compute hash correctly in userAuth
* Add salted password to default sql
* Fix invalid update password logic
* Print debug info in authuser
* Add debugging to userCreate
* Install argon2 in travis
* More specific exception handling in userAuth
* Fix whitespace in travis.yml
* Add argon2 install to unit tests
* We need bionic because of libargon
* Move dist definition
* Don't throw exception if hash wasn't found
* Handle user suspensions
* Add very long username test
* Don't print hashes and passwords in log
* Ensure username is lowercase everywhere
* More specific username length testing
* Test username length with non-latin chars
* Make username more case-insensitive
* Use utf8 in database
* Fix problematic non-latin tests
* More specific test for non-latin username
* Slightly shorter non-latin username
* Add db properties option
* Add support for utf8mb4 for emoji goodness
* Add emoji to unit tests
* Big utf8 means varchar can only be 191
* Separate testing for emoji usernames
* Fix missing slash in test db props
* Add more unicode stuff to mysql
* Disable emoji test for now
* Fix typo in sql injection database handler
* Remove extra whitespace
* Clear up some unused imports
* Ignore incomplete tests
* Add sonarcloud properties
* First attempt at registering users from SSO
* Cleaning up exception handling in unit and IT tests
* Disabling passwords for SSO logins
* Refactoring tests to reduce bad exception handling
* Handle SQL exceptions in test code
* Removing more bad exception handling
* Removed Exception e in testCSRF
* CSRF unit test can now pass
* Cleaned up most module IT tests
* Cleanup test setups and fix missed user creation in OpenAllModules
* More cleanup of IT exception handling
* Only deploy if it's the official repo
* Add coveralls
* Add codecov
* Refactoring travis yml
* Call codecov from travis
* Remove cobertura
* Remove coveralls
* Change jdk version
* Remove oraclejdk8 as travis doesn't support it
* Remove failing maven packages
* Refactoring travis yml
* Trying to reorder travis
* Remove jdk versions for now
* Remove unused parts of pom
* Revert to former yml
* Trying to revert pom.xml
* Add dependencies
* New travis again
* Trying multiple jdks
* Travis cleanup
* Add user from SSO
* Add SSO suspend tests
* Fix invalid SSO user handling
* Redone core.user table to fit SSO/SAML
* Change db format for SSO
* Set saml in quotes
* Set field to null in ssoName
* SSO default class handling
* Fix typo in sso user creation
* Check return value of userCreated
* Update test for SSO suspension
* Test user SSO delete
* Start to handle temporary usernames
* SAML can now change usernames
* Can change username on the fly
* Fix broken updateUsername test
* Set default value for change username
* VerifyTestUser ignored passwords, now fixed
* General SSO cleanup, moved from jsp to servlets
* Add sample saml properties
* Try to handle more generic saml keys, configurable via external file
* Cleaned up sso configuration, can now handle renames and robust sso on/off handling
* Roles are now assigned via SAML
* Update sso links
* Fix db syntax
* Db options are now mandatory
* Test suites create db props with utf8 support
* Dynamic creation of mongodb props file for tests
* Disable emoji username test for now
* Create parent directories for tests
* Fix comments from @markdenihan
* Revert to upstream travis yml
* Setter and getter test for cheat sheet setting
* Save cheat sheet status to db
* Can now read cheat sheet status from db
* Refactor cheat sheet methods
* Install argon2 in travis
* Correct syntax in cheat sheet load and save
* Set and get module layout
* Change tourny to tournament
* Re-do nosql IT module setup
* Set module layout to db
* More specific tests for module layout db
* More specific tests for module layout db 2
* Feedback status saved to db
* Save registration status to db
* Save scoreboard status in db
* Load and save scoreboard data from db
* Module layouts working
* Public scoreboard done
* Fix failed scoreboard test
* Fix failing feedback tests
* Don't say failed unless failed
* Add more debugging to feedback tests
* Update enablefeedback setting in sql
* More debugging for scoreboard IT failures
* Log more data from load scoreboard status
* Don't clear scoreboard class with open layout
* Don't clear scoreboard class with admin layout
* More debugging for null pointer tracing
* Debug logging for db props creation in tests
* Add countdown handling class
* Debug mongo db loading
* Show when mongo db is loaded
* Even more debug logging
* Hunting NPE in mongo
* Even more debugs plz
* Fixed the bug
* Wrote timestamp set get tests
* Tests for countdownhandler
* Improve debug logging for failing tests
* Fix typo that removed timestamp
* Countdown built into the stored procedures
* More tests for countdown
* Add start time to countdown
* Validate start and end conditions
* Add js countdown timer
* Fix merge
* Countdown shows on index page
* Cleanup module IT tests
* Start and Lock countdowns work
* Remove unused imports
* Handle NPE in GetModule
* Code cleanup
* Check for null moduleid
* Remove most of fileinputproperties
* Fix unit tests
* Cleanup sql injection db loader
* Can now override database settings from web UI
* Some login cleanup
* Set cookie path in saml
* Remove debug info
* Remove extra property from mongo
* Make sure html is lowercase
* Optimize performance in scoreboard
* Optimize performance in registration logic
* Show two countdowns
* Replace rage faces with fruit
* Spelling of crypto
* Upgrade sql stored procedure to support db options
* Only filter XSS3 twice
* Change the admin session cookie to be easier to find
* Correct the sso metadata logger argument
* De-duplicate usernames!
* Unit test for de-duplication of sso usernames
* Add more tests to duplicate sso usernames
* Fix bug in de-duplication
* Fix utf-8 scoreboard usernames
* Forgot to add assignments properties
* Fix classID for SSO logins
* Make more servlets utf-8 compatible
* Cache module layout in memory
* Cache cheat status in memory
* Fix challenge connection urls
* Set correct key in db options
* Fix direct object bank registration
* Set correct SHA2 lengths
* Save default class info to db
* Change log statement in setter
* Load default class when doing account registration
* Fix wrong order of submitted and expected keys in logs
* Scoreboard can be viewed publicly
* Allow a public scoreboard
* Fixing database bug in SQL injection 6

  Fixed a bug where the database provided an incorrect answer key.
  _Because of bad luck with commit c57fed8 where all "256" values were replaced by "191"_
* Encode new username before reading, prevent XSS
* Bump argon2 version down to 2.2

Co-authored-by: Adrien B <[email protected]>