Make sure SSO logins can handle duplicate usernames (OWASP#531)
* Cleanup for PR

* Restore modified database test file

* Add setup IT

* Initialize string buffer

* Remake setup IT to test core database

* Use commons IO for auth file checking

* Set all db properties before setup

* Add teardown to dbprops

* Double negation fixed

* Make sure params are added to the right place

* Check return code of failing setup page

* Improve teardown

* Rename db props to mysql props

* Tests dynamically create db props file now

* Update unit tests to create db file

* All IT tests have to create mysql properties file

* Hunting for null pointer in SetupIT

* Disabling setup it tests for now

* Add error handling for db connection issues

* Add error handling for db connection issues

* Add saml dependency and metadata jsp

* Add demo saml files

* Add test for upper and lowercase username

* Test for long passwords

* Integration test for 160-char password

* Make sure IT tests don't step on each other's toes

* Add test for upper and lowercase username

* Test for long passwords

* Integration test for 160-char password

* Make sure IT tests don't step on each other's toes

* Fix naming of testUtils

* Add utf-8 username test

* Test for non-latin passwords

* Add argon2 dependency

* Test for duplicate usernames

* Add password change tests

* Catch more generic SQL exception

* Salted passwords with argon2

* Fix syntax error in core sql

* Reset userfind to upstream version

* Compute hash correctly in userAuth

* Add salted password to default sql

* Fix invalid update password logic

* Print debug info in authuser

* Add debugging to userCreate

* Install argon2 in travis

* More specific exception handling in userAuth

* Fix whitespace in travis.yml

* Add argon2 install to unit tests

* We need bionic because of libargon

* Move dist definition

* Don't throw exception if hash wasn't found

* Handle user suspensions

* Add very long username test

* Don't print hashes and passwords in log

* Ensure username is lowercase everywhere

* More specific username length testing

* Test username length with non-latin chars

* Make username more case-insensitive

* Use utf8 in database

* Fix problematic non-latin tests

* More specific test for non-latin username

* Slightly shorter non-latin username

* Add db properties option

* Add support for utf8mb4 for emoji goodness

* Add emoji to unit tests

* Big utf8 means varchar can only be 191

* Separate testing for emoji usernames

* Fix missing slash in test db props

* Add more unicode stuff to mysql

* Disable emoji test for now

* Fix typo in sql injection database handler

* Remove extra whitespace

* Clear up some unused imports

* Ignore incomplete tests

* Add sonarcloud properties

* First attempt at registering users from SSO

* Cleaning up exception handling in unit and IT tests

* Disabling passwords for SSO logins

* Refactoring tests to reduce bad exception handling

* Handle SQL exceptions in test code

* Removing more bad exception handling

* Removed Exception e in testCSRF

* CSRF unit test can now pass

* Cleaned up most module IT tests

* Cleanup test setups and fix missed user creation in OpenAllModules

* More cleanup of IT exception handling

* Only deploy if it's the official repo

* Add coveralls

* Add codecov

* Refactoring travis yml

* Call codecov from travis

* Remove cobertura

* Remove coveralls

* Change jdk version

* Remove oraclejdk8 as travis doesn't support it

* Remove failing maven packages

* Refactoring travis yml

* Trying to reorder travis

* Remove jdk versions for now

* Remove unused parts of pom

* Revert to former yml

* Trying to revert pom.xml

* Add dependencies

* New travis again

* Trying multiple jdks

* Travis cleanup

* Add user from SSO

* Add SSO suspend tests

* Fix invalid SSO user handling

* Redone core.user table to fit SSO/SAML

* Change db format for SSO

* Set saml in quotes

* Set field to null in ssoName

* SSO default class handling

* Fix typo in sso user creation

* Check return value of userCreated

* Update test for SSO suspension

* Test user SSO delete

* Start to handle temporary usernames

* SAML can now change usernames

* Can change username on the fly

* Fix broken updateUsername test

* Set default value for change username

* VerifyTestUser ignored passwords, now fixed

* General SSO cleanup, moved from jsp to servlets

* Add sample saml properties

* Try to handle more generic saml keys, configurable via external file

* Cleaned up sso configuration, can now handle renames and robust sso on/off handling

* Roles are now assigned via SAML

* Update sso links

* Fix db syntax

* Db options are now mandatory

* Test suites create db props with utf8 support

* Dynamic creation of mongodb props file for tests

* Disable emoji username test for now

* Create parent directories for tests

* Fix comments from @markdenihan

* Revert to upstream travis yml

* Setter and getter test for cheat sheet setting

* Save cheat sheet status to db

* Can now read cheat sheet status from db

* Refactor cheat sheet methods

* Install argon2 in travis

* Correct syntax in cheat sheet load and save

* Set and get module layout

* Change tourny to tournament

* Re-do nosql IT module setup

* Set module layout to db

* More specific tests for module layout db

* More specific tests for module layout db 2

* Feedback status saved to db

* Save registration status to db

* Save scoreboard status in db

* Load and save scoreboard data from db

* Module layouts working

* Public scoreboard done

* Fix failed scoreboard test

* Fix failing feedback tests

* Don't say failed unless failed

* Add more debugging to feedback tests

* Update enablefeedback setting in sql

* More debugging for scoreboard IT failures

* Log more data from load scoreboard status

* Don't clear scoreboard class with open layout

* Don't clear scoreboard class with admin layout

* More debugging for null pointer tracing

* Debug logging for db props creation in tests

* Add countdown handling class

* Debug mongo db loading

* Show when mongo db is loaded

* Even more debug logging

* Hunting NPE in mongo

* Even more debugs plz

* Fixed the bug

* Wrote timestamp set get tests

* Tests for countdownhandler

* Improve debug logging for failing tests

* Fix typo that removed timestamp

* Countdown built into the stored procedures

* More tests for countdown

* Add start time to countdown

* Validate start and end conditions

* Add js countdown timer

* Fix merge

* Countdown shows on index page

* Cleanup module IT tests

* Start and Lock countdowns work

* Remove unused imports

* Handle NPE in GetModule

* Code cleanup

* Check for null moduleid

* Remove most of fileinputproperties

* Fix unit tests

* Cleanup sql injection db loader

* Can now override database settings from web UI

* Some login cleanup

* Set cookie path in saml

* Remove debug info

* Remove extra property from mongo

* Make sure html is lowercase

* Optimize performance in scoreboard

* Optimize performance in registration logic

* Show two countdowns

* Replace rage faces with fruit

* Spelling of crypto

* Upgrade sql stored procedure to support db options

* Only filter XSS3 twice

* Change the admin session cookie to be easier to find

* Correct the sso metadata logger argument

* De-duplicate usernames!

* Unit test for de-duplication of sso usernames

* Add more tests to duplicate sso usernames

* Fix bug in de-duplication

* Fix utf-8 scoreboard usernames

* Forgot to add assignments properties

* Fix classID for SSO logins

* Make more servlets utf-8 compatible

* Cache module layout in memory

* Cache cheat status in memory

* Fix challenge connection urls

* Set correct key in db options

* Fix direct object bank registration

* Set correct SHA2 lengths

* Save default class info to db

* Change log statement in setter

* Load default class when doing account registration

* Fix wrong order of submitted and expected keys in logs

* Scoreboard can be viewed publicly

* Allow a public scoreboard

* Fixing database bug in SQL injection 6

Fixed a bug where the database provided an incorrect answer key.
_Because of bad luck with commit c57fed8 where all "256" values were replaced by "191"_

* Encode new username before reading, prevent XSS

* Bump argon2 version down to 2.2

Co-authored-by: Adrien B <[email protected]>
etnoy and Theadri1900 authored Sep 14, 2020
1 parent 35e5d82 commit 147d0e3
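The commit log above describes the username handling this change introduces: usernames are lowercased everywhere, the utf8mb4 switch limits the column to VARCHAR(191), SSO-supplied names are de-duplicated, and a new username is encoded before it is shown to prevent XSS. The following is an added illustration in Python of how those rules fit together; it is not the project's own (Java) code. The `UserStore`, the numeric de-duplication suffix, and the use of NFKC plus `casefold()` (a stricter form of lowercasing) are this example's own choices, and it goes one step beyond the log by keying SSO accounts on the IdP subject identifier so that a returning user keeps the same account when the IdP renames them.

```python
"""Username normalization and SSO de-duplication (added example, not project code)."""
import html
import unicodedata
from dataclasses import dataclass
from typing import Dict, Optional

# utf8mb4 needs up to 4 bytes per character and the classic InnoDB index key
# limit is 767 bytes, hence the VARCHAR(191) mentioned in the commit log.
MAX_USERNAME_CHARS = 191


@dataclass
class User:
    username: str                # canonical form, unique across local and SSO users
    display_name: str            # what the IdP or the user typed; escaped only on output
    sso_subject: Optional[str]   # stable IdP identifier (e.g. SAML NameID); None for local accounts


def normalize_username(raw: str) -> str:
    """Canonical form used for every uniqueness check.

    NFKC folds compatibility forms (fullwidth letters, ligatures) and casefold()
    is a stricter lowercase than lower() ("Straße" -> "strasse"). Both are this
    example's choices; the commit log only says usernames are lowercased.
    """
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name:
        raise ValueError("username must not be empty")
    if len(name) > MAX_USERNAME_CHARS:   # characters, which is what VARCHAR(191) counts
        raise ValueError(f"username longer than {MAX_USERNAME_CHARS} characters")
    return name


class UserStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self) -> None:
        self._by_username: Dict[str, User] = {}
        self._by_subject: Dict[str, User] = {}

    def lookup(self, raw: str) -> Optional[User]:
        return self._by_username.get(normalize_username(raw))

    def _unique_name(self, base: str) -> str:
        """Append 2, 3, ... until the name is free, trimming the base so the
        result still fits the column. The numeric suffix scheme is an assumption."""
        if base not in self._by_username:
            return base
        n = 2
        while True:
            suffix = str(n)
            candidate = base[: MAX_USERNAME_CHARS - len(suffix)] + suffix
            if candidate not in self._by_username:
                return candidate
            n += 1

    def register_local(self, raw: str) -> Optional[User]:
        """Self-registration: a duplicate (in canonical form) is rejected, not renamed."""
        name = normalize_username(raw)
        if name in self._by_username:
            return None
        user = User(name, raw.strip(), None)
        self._by_username[name] = user
        return user

    def provision_sso(self, subject: str, raw_name: str) -> User:
        """Log in a SAML user. The account is keyed by the IdP subject, so the
        same person always gets the same account even when the IdP-supplied
        name collides with, or differs from, an existing username."""
        wanted = normalize_username(raw_name)
        user = self._by_subject.get(subject)
        if user is None:
            user = User(self._unique_name(wanted), raw_name.strip(), subject)
            self._by_subject[subject] = user
            self._by_username[user.username] = user
            return user
        # Returning user: honour a rename sent by the IdP, de-duplicating again.
        if user.username != wanted:
            del self._by_username[user.username]
            user.username = self._unique_name(wanted)
            user.display_name = raw_name.strip()
            self._by_username[user.username] = user
        return user


def render_display_name(user: User) -> str:
    """Escape on output so an IdP-supplied name such as <script> cannot inject HTML."""
    return html.escape(user.display_name)
```

Keying on the IdP subject rather than the username is what makes the rename case safe: a second IdP user called `ALICE` becomes `alice2` and stays `alice2` on every later login, while the first `Alice` can be renamed by the IdP without a collision being turned into an account takeover.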
Showing 171 changed files with 16,479 additions and 13,528 deletions.
4 changes: 3 additions & 1 deletion .gitignore
Expand Up @@ -5,4 +5,6 @@
/.settings/
.settings/
docker/*/*.sql
docker/*/*.sql-e
docker/*/*.sql-esrc
src/main/resources/onelogin.saml.properties
src/main/resources/sso.properties
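Review bot: `docker/*/*.sql-esrc` looks like an accidental concatenation of the old `docker/*/*.sql-e` pattern with the `src` that begins the next entry; as written the sed backup files (`*.sql-e`) are no longer ignored and the `-esrc` pattern matches nothing. Either restore `docker/*/*.sql-e` or drop it deliberately, and keep the two new `src/main/resources/*.properties` entries on their own lines. Ignoring `onelogin.saml.properties` and `sso.properties` is the right call, since the commit log says the SAML keys are configured through these external files; confirm with `git log --all -- src/main/resources/sso.properties` that neither real file was committed before this rule landed, and that the sample SAML files added elsewhere in this commit contain placeholders only.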
Empty file added .sonarcloud.properties
Empty file.
4 changes: 2 additions & 2 deletions .travis.yml
Expand Up @@ -16,15 +16,15 @@ jobs:
services:
- mysql
- docker
dist: bionic
language: java
dist: bionic
script: mvn verify -DskipUTs=true -DmongoDocker -B
before_install:
- mvn -Pdocker validate
- sudo apt-get -y install libargon2-0
- stage: deploy
if: fork = false
name: Deploy to Dockerhub
dist: bionic
language: generic
provider: script
skip_cleanup: true
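Review bot: `dist: bionic` now appears twice in the visible hunk, once after `language: java` in the test job and again in the deploy stage; the commit log's "We need bionic because of libargon" explains the test job, but the deploy stage (`language: generic`) never installs libargon2 and does not need the pin, so declare `dist: bionic` once at the top level or only where it is needed. `sudo apt-get -y install libargon2-0` runs without a preceding `sudo apt-get update`, which fails on images with stale package lists; add the update or move the package to `addons: apt: packages:`. Note also that this job runs `mvn verify -DskipUTs=true`, so the new argon2, username-length and de-duplication unit tests only execute if another job runs them. The `if: fork = false` guard on the deploy stage is good: it keeps the Dockerhub credentials away from fork builds.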
