security: fix CVE 2022 46172 (#4275)

* fallback to current user in user_write, add flag to disable user creation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update api and web ui

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update default flows

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add cve post to website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L 2022-12-23 14:12:58 +01:00 committed by Jens Langhammer
parent 44bf9a890e
commit 47d79ac28c
No known key found for this signature in database
17 changed files with 167 additions and 25 deletions

View file

@ -15,6 +15,7 @@ class UserWriteStageSerializer(StageSerializer):
fields = StageSerializer.Meta.fields + [ fields = StageSerializer.Meta.fields + [
"create_users_as_inactive", "create_users_as_inactive",
"create_users_group", "create_users_group",
"can_create_users",
"user_path_template", "user_path_template",
] ]

View file

@ -0,0 +1,21 @@
# Generated by Django 4.1.4 on 2022-12-22 14:30
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_stages_user_write", "0005_userwritestage_user_path_template"),
]
operations = [
migrations.AddField(
model_name="userwritestage",
name="can_create_users",
field=models.BooleanField(
default=True,
help_text="When set, this stage can create users. If not enabled and no user is available, stage will fail.",
),
),
]

View file

@ -13,6 +13,16 @@ class UserWriteStage(Stage):
"""Writes currently pending data into the pending user, or if no user exists, """Writes currently pending data into the pending user, or if no user exists,
creates a new user with the data.""" creates a new user with the data."""
can_create_users = models.BooleanField(
default=True,
help_text=_(
(
"When set, this stage can create users. "
"If not enabled and no user is available, stage will fail."
)
),
)
create_users_as_inactive = models.BooleanField( create_users_as_inactive = models.BooleanField(
default=False, default=False,
help_text=_("When set, newly created users are inactive and cannot login."), help_text=_("When set, newly created users are inactive and cannot login."),

View file

@ -1,10 +1,9 @@
"""Write stage logic""" """Write stage logic"""
from typing import Any from typing import Any, Optional
from django.contrib import messages
from django.contrib.auth import update_session_auth_hash from django.contrib.auth import update_session_auth_hash
from django.db import transaction from django.db import transaction
from django.db.utils import IntegrityError from django.db.utils import IntegrityError, InternalError
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
@ -47,7 +46,7 @@ class UserWriteStageView(StageView):
"""Wrapper for post requests""" """Wrapper for post requests"""
return self.get(request) return self.get(request)
def ensure_user(self) -> tuple[User, bool]: def ensure_user(self) -> tuple[Optional[User], bool]:
"""Ensure a user exists""" """Ensure a user exists"""
user_created = False user_created = False
path = self.executor.plan.context.get( path = self.executor.plan.context.get(
@ -55,7 +54,11 @@ class UserWriteStageView(StageView):
) )
if path == "": if path == "":
path = User.default_path() path = User.default_path()
if not self.request.user.is_anonymous:
self.executor.plan.context.setdefault(PLAN_CONTEXT_PENDING_USER, self.request.user)
if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context: if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
if not self.executor.current_stage.can_create_users:
return None, False
self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = User( self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = User(
is_active=not self.executor.current_stage.create_users_as_inactive, is_active=not self.executor.current_stage.create_users_as_inactive,
path=path, path=path,
@ -110,11 +113,14 @@ class UserWriteStageView(StageView):
a new user is created.""" a new user is created."""
if PLAN_CONTEXT_PROMPT not in self.executor.plan.context: if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
message = _("No Pending data.") message = _("No Pending data.")
messages.error(request, message)
self.logger.debug(message) self.logger.debug(message)
return self.executor.stage_invalid() return self.executor.stage_invalid(message)
data = self.executor.plan.context[PLAN_CONTEXT_PROMPT] data = self.executor.plan.context[PLAN_CONTEXT_PROMPT]
user, user_created = self.ensure_user() user, user_created = self.ensure_user()
if not user:
message = _("No user found and can't create new user.")
self.logger.info(message)
return self.executor.stage_invalid(message)
# Before we change anything, check if the user is the same as in the request # Before we change anything, check if the user is the same as in the request
# and we're updating a password. In that case we need to update the session hash # and we're updating a password. In that case we need to update the session hash
# Also check that we're not currently impersonating, so we don't update the session # Also check that we're not currently impersonating, so we don't update the session
@ -137,9 +143,9 @@ class UserWriteStageView(StageView):
user.ak_groups.add(self.executor.current_stage.create_users_group) user.ak_groups.add(self.executor.current_stage.create_users_group)
if PLAN_CONTEXT_GROUPS in self.executor.plan.context: if PLAN_CONTEXT_GROUPS in self.executor.plan.context:
user.ak_groups.add(*self.executor.plan.context[PLAN_CONTEXT_GROUPS]) user.ak_groups.add(*self.executor.plan.context[PLAN_CONTEXT_GROUPS])
except (IntegrityError, ValueError, TypeError) as exc: except (IntegrityError, ValueError, TypeError, InternalError) as exc:
self.logger.warning("Failed to save user", exc=exc) self.logger.warning("Failed to save user", exc=exc)
return self.executor.stage_invalid() return self.executor.stage_invalid(_("Failed to save user"))
user_write.send(sender=self, request=request, user=user, data=data, created=user_created) user_write.send(sender=self, request=request, user=user, data=data, created=user_created)
# Check if the password has been updated, and update the session auth hash # Check if the password has been updated, and update the session auth hash
if should_update_session: if should_update_session:

View file

@ -1,6 +1,4 @@
"""write tests""" """write tests"""
import string
from random import SystemRandom
from unittest.mock import patch from unittest.mock import patch
from django.urls import reverse from django.urls import reverse
@ -14,6 +12,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
from authentik.flows.tests import FlowTestCase from authentik.flows.tests import FlowTestCase
from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
from authentik.flows.views.executor import SESSION_KEY_PLAN from authentik.flows.views.executor import SESSION_KEY_PLAN
from authentik.lib.generators import generate_key
from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
from authentik.stages.user_write.models import UserWriteStage from authentik.stages.user_write.models import UserWriteStage
from authentik.stages.user_write.stage import PLAN_CONTEXT_GROUPS, UserWriteStageView from authentik.stages.user_write.stage import PLAN_CONTEXT_GROUPS, UserWriteStageView
@ -32,12 +31,11 @@ class TestUserWriteStage(FlowTestCase):
) )
self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2) self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
self.source = Source.objects.create(name="fake_source") self.source = Source.objects.create(name="fake_source")
self.user = create_test_admin_user()
def test_user_create(self): def test_user_create(self):
"""Test creation of user""" """Test creation of user"""
password = "".join( password = generate_key()
SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(8)
)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PROMPT] = { plan.context[PLAN_CONTEXT_PROMPT] = {
@ -66,9 +64,7 @@ class TestUserWriteStage(FlowTestCase):
def test_user_update(self): def test_user_update(self):
"""Test update of existing user""" """Test update of existing user"""
new_password = "".join( new_password = generate_key()
SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(8)
)
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = User.objects.create( plan.context[PLAN_CONTEXT_PENDING_USER] = User.objects.create(
username="unittest", email="test@goauthentik.io" username="unittest", email="test@goauthentik.io"
@ -142,6 +138,49 @@ class TestUserWriteStage(FlowTestCase):
component="ak-stage-access-denied", component="ak-stage-access-denied",
) )
def test_authenticated_no_user(self):
"""Test user in session and none in plan"""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
self.client.force_login(self.user)
session = self.client.session
plan.context[PLAN_CONTEXT_PROMPT] = {
"username": "foo",
"attribute_some-custom-attribute": "test",
"some_ignored_attribute": "bar",
}
session[SESSION_KEY_PLAN] = plan
session.save()
response = self.client.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
self.user.refresh_from_db()
self.assertEqual(self.user.username, "foo")
def test_no_create(self):
"""Test can_create_users set to false"""
self.stage.can_create_users = False
self.stage.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
session = self.client.session
plan.context[PLAN_CONTEXT_PROMPT] = {
"username": "foo",
"attribute_some-custom-attribute": "test",
"some_ignored_attribute": "bar",
}
session[SESSION_KEY_PLAN] = plan
session.save()
response = self.client.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertStageResponse(
response,
self.flow,
component="ak-stage-access-denied",
)
@patch( @patch(
"authentik.flows.views.executor.to_stage_response", "authentik.flows.views.executor.to_stage_response",
TO_STAGE_RESPONSE_MOCK, TO_STAGE_RESPONSE_MOCK,

View file

@ -45,6 +45,8 @@ entries:
name: default-password-change-write name: default-password-change-write
id: default-password-change-write id: default-password-change-write
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: false
- identifiers: - identifiers:
order: 0 order: 0
stage: !KeyOf default-password-change-prompt stage: !KeyOf default-password-change-prompt

View file

@ -57,6 +57,8 @@ entries:
name: default-source-enrollment-write name: default-source-enrollment-write
id: default-source-enrollment-write id: default-source-enrollment-write
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: true
- attrs: - attrs:
re_evaluate_policies: true re_evaluate_policies: true
identifiers: identifiers:

View file

@ -109,6 +109,8 @@ entries:
model: authentik_policies_expression.expressionpolicy model: authentik_policies_expression.expressionpolicy
- identifiers: - identifiers:
name: default-user-settings-write name: default-user-settings-write
attrs:
can_create_users: false
id: default-user-settings-write id: default-user-settings-write
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
- attrs: - attrs:

View file

@ -102,6 +102,8 @@ entries:
identifiers: identifiers:
name: default-password-change-write name: default-password-change-write
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: false
- attrs: - attrs:
evaluate_on_plan: true evaluate_on_plan: true
invalid_response_action: retry invalid_response_action: retry

View file

@ -95,7 +95,8 @@ entries:
name: default-enrollment-user-write name: default-enrollment-user-write
id: default-enrollment-user-write id: default-enrollment-user-write
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
attrs: {} attrs:
can_create_users: true
- identifiers: - identifiers:
target: !KeyOf flow target: !KeyOf flow
stage: !KeyOf default-enrollment-prompt-first stage: !KeyOf default-enrollment-prompt-first

View file

@ -114,6 +114,7 @@ entries:
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
attrs: attrs:
create_users_as_inactive: true create_users_as_inactive: true
can_create_users: true
- identifiers: - identifiers:
target: !KeyOf flow target: !KeyOf flow
stage: !KeyOf default-enrollment-prompt-first stage: !KeyOf default-enrollment-prompt-first

View file

@ -63,6 +63,8 @@ entries:
name: default-recovery-user-write name: default-recovery-user-write
id: default-recovery-user-write id: default-recovery-user-write
model: authentik_stages_user_write.userwritestage model: authentik_stages_user_write.userwritestage
attrs:
can_create_users: false
- identifiers: - identifiers:
name: default-recovery-identification name: default-recovery-identification
id: default-recovery-identification id: default-recovery-identification

View file

@ -24574,6 +24574,10 @@ paths:
operationId: stages_user_write_list operationId: stages_user_write_list
description: UserWriteStage Viewset description: UserWriteStage Viewset
parameters: parameters:
- in: query
name: can_create_users
schema:
type: boolean
- in: query - in: query
name: create_users_as_inactive name: create_users_as_inactive
schema: schema:
@ -35042,6 +35046,10 @@ components:
format: uuid format: uuid
nullable: true nullable: true
description: Optionally add newly created users to this group. description: Optionally add newly created users to this group.
can_create_users:
type: boolean
description: When set, this stage can create users. If not enabled and no
user is available, stage will fail.
user_path_template: user_path_template:
type: string type: string
PatchedWebAuthnDeviceRequest: PatchedWebAuthnDeviceRequest:
@ -38248,6 +38256,10 @@ components:
format: uuid format: uuid
nullable: true nullable: true
description: Optionally add newly created users to this group. description: Optionally add newly created users to this group.
can_create_users:
type: boolean
description: When set, this stage can create users. If not enabled and no
user is available, stage will fail.
user_path_template: user_path_template:
type: string type: string
required: required:
@ -38276,6 +38288,10 @@ components:
format: uuid format: uuid
nullable: true nullable: true
description: Optionally add newly created users to this group. description: Optionally add newly created users to this group.
can_create_users:
type: boolean
description: When set, this stage can create users. If not enabled and no
user is available, stage will fail.
user_path_template: user_path_template:
type: string type: string
required: required:

View file

@ -59,6 +59,21 @@ export class UserWriteStageForm extends ModelForm<UserWriteStage, string> {
<ak-form-group .expanded=${true}> <ak-form-group .expanded=${true}>
<span slot="header"> ${t`Stage-specific settings`} </span> <span slot="header"> ${t`Stage-specific settings`} </span>
<div slot="body" class="pf-c-form"> <div slot="body" class="pf-c-form">
<ak-form-element-horizontal name="canCreateUsers">
<div class="pf-c-check">
<input
type="checkbox"
class="pf-c-check__input"
?checked=${first(this.instance?.canCreateUsers, false)}
/>
<label class="pf-c-check__label">
${t`Can create users`}
</label>
</div>
<p class="pf-c-form__helper-text">
${t`When enabled, this stage has the ability to create new users. If no user is available in the flow with this disabled, the stage will fail.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="createUsersAsInactive"> <ak-form-element-horizontal name="createUsersAsInactive">
<div class="pf-c-check"> <div class="pf-c-check">
<input <input

View file

@ -98,13 +98,6 @@ export class UserSettingsFlowExecutor extends AKElement implements StageHost {
if (!this.flowSlug) { if (!this.flowSlug) {
return; return;
} }
new FlowsApi(DEFAULT_CONFIG)
.flowsInstancesExecuteRetrieve({
slug: this.flowSlug || "",
})
.then(() => {
this.nextChallenge();
});
}); });
} }

View file

@ -0,0 +1,25 @@
# CVE-2022-46172
## Existing Authenticated Users can Create Arbitrary Accounts
### Summary
Any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also have carry over consequences to other applications being how these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations.
### Patches
authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue.
### Impact
This vulnerability could make it much easier for name and email collisions to occur, making it harder for user to log in. This also makes it more difficult for admins to properly administer users since more and more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves.
### Details
This vulnerability has already been submitted over email, this security advisory serves as formalization towards broader information dissemination. This vulnerability pertains to the user context used in the default-user-settings-flow. /api/v3/flows/instances/default-user-settings-flow/execute/
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

View file

@ -290,7 +290,11 @@ module.exports = {
title: "Security", title: "Security",
slug: "security", slug: "security",
}, },
items: ["security/policy", "security/CVE-2022-46145"], items: [
"security/policy",
"security/CVE-2022-46145",
"security/CVE-2022-46172",
],
}, },
], ],
}; };