Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AI PRP: Apache airflow default credential tester #526

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.DefaultCredentials;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.Top100Passwords;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.tester.CredentialTester;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.airflow.AirflowCredentialTester;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.grafana.GrafanaCredentialTester;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.hydra.HydraCredentialTester;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.jenkins.JenkinsCredentialTester;
Expand Down Expand Up @@ -67,6 +68,7 @@ protected void configurePlugin() {

Multibinder<CredentialTester> credentialTesterBinder =
Multibinder.newSetBinder(binder(), CredentialTester.class);
credentialTesterBinder.addBinding().to(AirflowCredentialTester.class);
credentialTesterBinder.addBinding().to(JenkinsCredentialTester.class);
credentialTesterBinder.addBinding().to(MlFlowCredentialTester.class);
credentialTesterBinder.addBinding().to(MysqlCredentialTester.class);
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
/*
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.airflow;
joernNNN marked this conversation as resolved.
Show resolved Hide resolved

import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.tsunami.common.net.http.HttpRequest.get;
import static com.google.tsunami.common.net.http.HttpRequest.post;

import com.google.common.collect.ImmutableList;
import com.google.common.flogger.GoogleLogger;
import com.google.protobuf.ByteString;
import com.google.tsunami.common.data.NetworkServiceUtils;
import com.google.tsunami.common.net.http.HttpClient;
import com.google.tsunami.common.net.http.HttpHeaders;
import com.google.tsunami.common.net.http.HttpResponse;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.tester.CredentialTester;
import com.google.tsunami.proto.NetworkService;
import java.io.IOException;
import java.net.HttpCookie;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.inject.Inject;

/** Credential tester specifically for airflow. */
public final class AirflowCredentialTester extends CredentialTester {
private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
private final HttpClient httpClient;

private static final String AIRFLOW_SERVICE = "airflow";
private static final Pattern CSRF_PATTERN =
Pattern.compile("(var CSRF = |var csrfToken = )[\"']([\\w-.]+)[\"']");

@Inject
AirflowCredentialTester(HttpClient httpClient) {
this.httpClient = checkNotNull(httpClient).modify().setFollowRedirects(false).build();
}

@Override
public String name() {
return "AirflowCredentialTester";
}

@Override
public String description() {
return "Airflow credential tester.";
}

@Override
public boolean canAccept(NetworkService networkService) {
return NetworkServiceUtils.getWebServiceName(networkService).equals(AIRFLOW_SERVICE);
}

@Override
public boolean batched() {
return true;
}

@Override
public ImmutableList<TestCredential> testValidCredentials(
NetworkService networkService, List<TestCredential> credentials) {
// Always return 1st weak credential to gracefully handle no auth configured case, where we
// return empty credential instead of all the weak credentials
return credentials.stream()
.filter(cred -> isAirflowAccessible(networkService, cred))
.findFirst()
.map(ImmutableList::of)
.orElseGet(ImmutableList::of);
}

private boolean isAirflowAccessible(NetworkService networkService, TestCredential credential) {
// sending the first request to retrieve a valid CSRF token and a valid session cookie
Map<String, String> results = getFreshCsrfTokenAndSessionCookie(networkService);
if (results == null) {
return false;
}
String freshSessionCookieValue = results.get("freshSessionCookieValue");
String freshCsrfToken = results.get("freshCsrfToken");

String rootUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService);
String loginUrl = rootUrl + "login/";
try {
HttpResponse response =
this.httpClient.send(
post(loginUrl)
.setHeaders(
HttpHeaders.builder()
.addHeader("Content-Type", "application/x-www-form-urlencoded")
.addHeader("Cookie", String.format("session=%s", freshSessionCookieValue))
.build())
.setRequestBody(
ByteString.copyFrom(
String.format(
"csrf_token=%s&username=%s&password=%s",
freshCsrfToken,
credential.username(),
credential.password().orElse("")),
StandardCharsets.UTF_8))
.build(),
networkService);
return response.status().isRedirect()
&& response.headers().get("Location").isPresent()
&& response.headers().get("Location").get().equals("/home")
&& response.headers().get("Set-Cookie").isPresent()
&& response.headers().get("Set-Cookie").get().contains("session=");
} catch (IOException e) {
logger.atWarning().withCause(e).log("Unable to query '%s'.", loginUrl);
return false;
}
}

private Map<String, String> getFreshCsrfTokenAndSessionCookie(NetworkService networkService) {
String rootUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService);
Map<String, String> results = new HashMap<>();

HttpResponse firstResponse;
try {
firstResponse =
this.httpClient.send(get(rootUrl + "login/").withEmptyHeaders().build(), networkService);
} catch (IOException e) {
logger.atWarning().withCause(e).log("Failed to send request.");
return null;
}

if (firstResponse.bodyString().isEmpty()
|| firstResponse.headers().get("Set-Cookie").isEmpty()) {
return null;
}
List<HttpCookie> parsedCookies =
HttpCookie.parse(firstResponse.headers().get("Set-Cookie").get());
String freshSessionCookieValue = null;
for (HttpCookie cookie : parsedCookies) {
if (cookie.getName().equals("session")) {
freshSessionCookieValue = cookie.getValue();
}
}
if (freshSessionCookieValue == null) {
return null;
}
results.put("freshSessionCookieValue", freshSessionCookieValue);

Matcher m = CSRF_PATTERN.matcher(firstResponse.bodyString().get());
if (!m.find()) {
return null;
}
String freshCsrfToken = m.group(2);
results.put("freshCsrfToken", freshCsrfToken);
return results;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -83,3 +83,9 @@ service_default_credentials {
default_usernames: "default"
default_passwords: ""
}

service_default_credentials {
service_name: "airflow"
default_usernames: "airflow"
default_passwords: "airflow"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
/*
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.testers.airflow;
joernNNN marked this conversation as resolved.
Show resolved Hide resolved

import static com.google.common.truth.Truth.assertThat;
import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort;
import static java.nio.charset.StandardCharsets.UTF_8;

import com.google.common.collect.ImmutableList;
import com.google.inject.Guice;
import com.google.tsunami.common.net.http.HttpClientModule;
import com.google.tsunami.common.net.http.HttpStatus;
import com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.TestCredential;
import com.google.tsunami.proto.NetworkService;
import com.google.tsunami.proto.ServiceContext;
import com.google.tsunami.proto.Software;
import com.google.tsunami.proto.WebServiceContext;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Optional;
import javax.inject.Inject;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

/** Tests for {@link AirflowCredentialTester}. */
@RunWith(JUnit4.class)
public class AirflowCredentialTesterTest {
@Inject private AirflowCredentialTester tester;
private MockWebServer mockWebServer;
private static final TestCredential WEAK_CRED_1 =
TestCredential.create("airflow", Optional.of("airflow"));
private static final TestCredential WRONG_CRED_1 =
TestCredential.create("admin", Optional.of("admin"));
private static final ServiceContext.Builder airflowServiceContext =
ServiceContext.newBuilder()
.setWebServiceContext(
WebServiceContext.newBuilder().setSoftware(Software.newBuilder().setName("airflow")));

@Before
public void setup() {
mockWebServer = new MockWebServer();
Guice.createInjector(new HttpClientModule.Builder().build()).injectMembers(this);
}

@Test
public void detect_weakCredentialsExists_returnsWeakCredentials() throws Exception {
startMockWebServer();
NetworkService targetNetworkService =
NetworkService.newBuilder()
.setNetworkEndpoint(
forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
.setServiceName("http")
.setServiceContext(airflowServiceContext)
.setSoftware(Software.newBuilder().setName("http"))
.build();

assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
.containsExactly(WEAK_CRED_1);
mockWebServer.shutdown();
}

@Test
public void detect_weakCredentialsExist_returnsAllWeakCredentials() throws Exception {
startMockWebServer();
NetworkService targetNetworkService =
NetworkService.newBuilder()
.setNetworkEndpoint(
forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
.setServiceName("http")
.setServiceContext(airflowServiceContext)
.build();

assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WEAK_CRED_1)))
.containsExactly(WEAK_CRED_1);

mockWebServer.shutdown();
}

@Test
public void detect_noWeakCredentials_returnsNoCredentials() throws Exception {
startMockWebServer();
NetworkService targetNetworkService =
NetworkService.newBuilder()
.setNetworkEndpoint(
forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
.setServiceName("http")
.setServiceContext(airflowServiceContext)
.build();

assertThat(tester.testValidCredentials(targetNetworkService, ImmutableList.of(WRONG_CRED_1)))
.isEmpty();

mockWebServer.shutdown();
}

private void startMockWebServer() throws IOException {
mockWebServer.setDispatcher(new AirflowDispatcher());
mockWebServer.start();
mockWebServer.url("/");
}

static final class AirflowDispatcher extends Dispatcher {
@Override
public MockResponse dispatch(RecordedRequest recordedRequest) {

if (recordedRequest.getPath().startsWith("/login/")
&& recordedRequest.getMethod().equals("POST")
&& recordedRequest.getHeader("Content-Type").equals("application/x-www-form-urlencoded")
&& recordedRequest.getHeader("Cookie").equals("session=aCookie")) {
ByteArrayOutputStream body = new ByteArrayOutputStream();
try {
recordedRequest.getBody().writeTo(body);
} catch (IOException e) {
throw new RuntimeException(e);
}
if (body.toString(UTF_8).contains("csrf_token=a.CSRF.Token")
&& body.toString(UTF_8).contains("username=airflow")
&& body.toString(UTF_8).contains("password=airflow")) {
return new MockResponse()
.setResponseCode(302)
.setHeader("Location", "/home")
.setHeader("Set-Cookie", "session=someCookies");
}
} else if (recordedRequest.getPath().startsWith("/login/")
&& recordedRequest.getMethod().equals("GET")) {
return new MockResponse()
.setHeader("Set-Cookie", "session=aCookie")
.setHeader("Content-Type", "application/x-www-form-urlencoded")
.setBody("var csrfToken = 'a.CSRF.Token';");
}
return new MockResponse().setResponseCode(HttpStatus.UNAUTHORIZED.code());
}
}
}
Loading