Regex change for domainName field
EC2 Default User authored and EC2 Default User committed Jan 23, 2024
1 parent 66a59e5 commit 2a5a4d6
Showing 3 changed files with 50 additions and 4 deletions.
35 changes: 33 additions & 2 deletions api/src/gmsa_service.cpp
Expand Up @@ -61,7 +61,7 @@ bool isValidDomain(const std::string& value)
{

// Regex to check valid domain name.
std::regex pattern("^[a-zA-Z0-9][a-zA-Z0-9-]{0,61}[a-zA-Z0-9](?:\\.[a-zA-Z]{2,})+$");
std::regex pattern("^(?!-)[A-Za-z0-9-]+([\\\\-\\\\.]{1}[a-z0-9]+)*\\\\.[A-Za-z]{2,6}$");

// If the domain name
// is empty return false
Expand Down Expand Up @@ -479,6 +479,15 @@ class CredentialsFetcherImpl final
// only add the ticket info if the parsing is successful
if ( parse_result == 0 )
{
std::string secretsArn =
krb_ticket_arns->credential_domainless_user_arn;
if(secretsArn.empty())
{
err_msg = "ERROR: invalid secrets manager arn";
std::cout << getCurrentTime() << '\t' << err_msg
<< std::endl;
break;
}
// retrieve domainless user credentials
std::tuple<std::string, std::string, std::string> userCreds =
retrieve_credspec_from_secrets_manager(
Expand Down Expand Up @@ -869,6 +878,16 @@ class CredentialsFetcherImpl final
// only add the ticket info if the parsing is successful
if ( parse_result == 0 )
{
std::string secretsArn =
krb_ticket_arns->credential_domainless_user_arn;
if(secretsArn.empty())
{
err_msg = "ERROR: invalid secrets manager arn";
std::cout << getCurrentTime() << '\t' << err_msg
<< std::endl;
break;
}

// retrieve domainless user credentials
std::tuple<std::string, std::string, std::string> userCreds =
retrieve_credspec_from_secrets_manager(
Expand Down Expand Up @@ -898,13 +917,15 @@ class CredentialsFetcherImpl final
"credentials should not be more than 256 charaters";
std::cout << getCurrentTime() << '\t' << err_msg
<< std::endl;
break;
}
}
else
{
err_msg = "ERROR: invalid domainName/username";
std::cout << getCurrentTime() << '\t' << err_msg
<< std::endl;
break;
}
}
}
Expand Down Expand Up @@ -1375,14 +1396,24 @@ class CredentialsFetcherImpl final
!contains_invalid_characters_in_ad_account_name(username))
{
if ( !username.empty() && !password.empty() && !domain.empty() && username.length() < INPUT_CREDENTIALS_LENGTH && password.length() <
INPUT_CREDENTIALS_LENGTH )
INPUT_CREDENTIALS_LENGTH && create_domainless_krb_request_.credspec_contents_size() > 0)
{
create_domainless_krb_reply_.set_lease_id( lease_id );
for ( int i = 0;
i < create_domainless_krb_request_.credspec_contents_size(); i++ )
{
std::string credspecContent = create_domainless_krb_request_
.credspec_contents( i );
if(credspecContent.empty())
{
err_msg = "Error: credentialspec content shouldn't be empty "
"formatted";
std::cout << getCurrentTime() << '\t' << err_msg << std::endl;
break;
}
creds_fetcher::krb_ticket_info* krb_ticket_info =
new creds_fetcher::krb_ticket_info;

int parse_result = parse_cred_spec(
create_domainless_krb_request_.credspec_contents( i ),
krb_ticket_info );
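Review bot: The replacement pattern in isValidDomain (the second `std::regex pattern(...)` line of the first hunk) escapes the dot as `\\\\.`, which in a C++ narrow string literal is the regex text `\\.` — a literal backslash followed by any character — so an ordinary name such as `example.com` no longer matches, and the bracket class `[\\\\-\\\\.]` is broken the same way; if the page shows the source literally, the literal should read `"^(?!-)[A-Za-z0-9-]+([\\-\\.][a-z0-9]+)*\\.[A-Za-z]{2,6}$"`. Separately, the new pattern accepts uppercase only in the first label and caps the TLD at six characters, which rejects mixed-case input and longer TLDs that the old pattern accepted; a comment stating that this is intentional (or loosening it) would help. In the two hunks that add the `secretsArn.empty()` check, the `break` leaves the loop after logging; from the last hunk it appears `krb_ticket_info` is allocated with `new` before `parse_cred_spec`, so breaking after a successful parse would presumably leak it — confirm against the surrounding code, which lies outside these hunks. isValidDomain's body and the enclosing request handlers all continue outside the hunks shown.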
9 changes: 8 additions & 1 deletion auth/kerberos/src/krb.cpp
Expand Up @@ -1126,13 +1126,20 @@ std::string retrieve_secret_from_ecs_config(std::string ecs_variable_name)

while ( std::getline( config_file, line ) )
{
// TBD: Error handling for incorrectly formatted /etc/ecs/ecs.config
results = split_string(line, '=');
std::string key = results[0];
std::string value = results[1];
if ( ecs_variable_name.compare( key ) == 0 )
{
value.erase( std::remove( value.begin(), value.end(), '"' ), value.end() );

if( contains_invalid_characters_in_ad_account_name(value))
{
std::cout << getCurrentTime() << '\t' << "invalid domain controller name" <<
std::endl;
return "";
}

return value;
}
}
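Review bot: The added check in retrieve_secret_from_ecs_config applies contains_invalid_characters_in_ad_account_name to whatever value is returned for `ecs_variable_name`, but the function is a generic config lookup and the log line hard-codes "invalid domain controller name", which will be misleading for any other key fetched through it. Since the helper is named as retrieving secrets, the message should identify the key rather than the value; something like `std::cout << getCurrentTime() << '\t' << "invalid characters in ecs.config value for " << ecs_variable_name << std::endl;` keeps the log useful without echoing a possible secret. Returning `""` on rejection is the same result a caller presumably sees when the key is absent, so callers may not be able to distinguish "missing" from "rejected" — worth a comment on the return contract. The function's signature and the `config_file` setup are outside the hunk.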
10 changes: 9 additions & 1 deletion common/daemon.h
Expand Up @@ -85,10 +85,17 @@ namespace creds_fetcher
{
if ( level >= log_level )
{
sd_journal_print( level, fmt, logs... );
std::string logFmt = fmt;
for (int i = 0; logFmt[i] != '\0'; ++i) {
if (logFmt[i] == '\n') {
logFmt[i] = ' '; // Replace '\n' with space
}
}
sd_journal_print( level, logFmt.c_str(), logs... );
}
}


void init_file_logger ()
{
std::string log_file_path = LOG_FILE_PATH;
Expand Down Expand Up @@ -203,6 +210,7 @@ bool contains_invalid_characters_in_credentials( const std::string& value );
int RunGrpcServer( std::string unix_socket_dir, std::string krb_file_path,
creds_fetcher::CF_logger& cf_logger, volatile sig_atomic_t* shutdown_signal,
std::string aws_sm_secret_name );
bool contains_invalid_characters_in_ad_account_name( const std::string& value );

int parse_cred_spec( std::string credspec_data, creds_fetcher::krb_ticket_info* krb_ticket_info );

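Review bot: The newline scrubbing in the first hunk only rewrites the format string `fmt`, while the `logs...` arguments are still passed through to `sd_journal_print` untouched, so any newline carried in a logged argument (which is where caller-supplied text would appear) still reaches the journal; if the goal is one journal entry per call, the formatted message should be assembled first and scrubbed as a whole, then emitted with a fixed `"%s"` format. The hand-written index loop can also be the one-liner `std::replace(logFmt.begin(), logFmt.end(), '\n', ' ');`, which needs `<algorithm>` in scope in this header. A short comment such as `// journald treats '\n' as a record separator; flatten so one call is one entry` would record the intent. The enclosing logging function's signature, and the type of `fmt`, are outside the hunk.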
