Release v2023.11.02.1 (#1609)
* Revert "test(login): fix login integration test (#1587)"

This reverts commit f1e012a.

* Revert "feat(security): encrypt login password (#1583)"

This reverts commit d010da5.

* update release version to 2023.11.02.1
baurine authored Nov 2, 2023
1 parent 31ea86f commit 865955c
Showing 12 changed files with 536 additions and 851 deletions.
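--- a/pkg/apiserver/user/auth.go
+++ b/pkg/apiserver/user/auth.go
@@ -3,7 +3,6 @@
 package user
 
 import (
-"crypto/rsa"
 "encoding/base64"
 "encoding/json"
 "errors"
@@ -36,9 +35,6 @@ type AuthService struct {
 
 middleware *jwt.GinJWTMiddleware
 authenticators map[utils.AuthType]Authenticator
-
-RsaPublicKey *rsa.PublicKey
-RsaPrivateKey *rsa.PrivateKey
 }
 
 type AuthenticateForm struct {
@@ -94,17 +90,10 @@ func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
 secret = cryptopasta.NewEncryptionKey()
 }
 
-privateKey, publicKey, err := GenerateKey()
-if err != nil {
-log.Fatal("Failed to generate rsa key pairs", zap.Error(err))
-}
-
 service := &AuthService{
 FeatureFlagNonRootLogin: featureFlags.Register("nonRootLogin", ">= 5.3.0"),
 middleware: nil,
 authenticators: map[utils.AuthType]Authenticator{},
-RsaPrivateKey: privateKey,
-RsaPublicKey: publicKey,
 }
 
 middleware, err := jwt.New(&jwt.GinJWTMiddleware{
@@ -122,16 +111,6 @@ func NewAuthService(featureFlags *featureflag.Registry) *AuthService {
 if err != nil {
 return nil, errorx.Decorate(err, "authenticate failed")
 }
-// TODO: uncomment it after thinking clearly
-// if form.Type == 0 {
-// // generate new rsa key pair for each sql auth login
-// privateKey, publicKey, err := GenerateKey()
-// // if generate successfully, replace the old key pair
-// if err == nil {
-// service.RsaPrivateKey = privateKey
-// service.RsaPublicKey = publicKey
-// }
-// }
 return u, nil
 },
 PayloadFunc: func(data interface{}) jwt.MapClaims {
@@ -299,8 +278,7 @@ func (s *AuthService) RegisterAuthenticator(typeID utils.AuthType, a Authenticat
 }
 
 type GetLoginInfoResponse struct {
-SupportedAuthTypes []int `json:"supported_auth_types"`
-SQLAuthPublicKey string `json:"sql_auth_public_key"`
+SupportedAuthTypes []int `json:"supported_auth_types"`
 }
 
 // @ID userGetLoginInfo
@@ -320,16 +298,8 @@ func (s *AuthService) GetLoginInfoHandler(c *gin.Context) {
 }
 }
 sort.Ints(supportedAuth)
-// both work
-// publicKeyStr, err := ExportPublicKeyAsString(s.rsaPublicKey)
-publicKeyStr, err := DumpPublicKeyBase64(s.RsaPublicKey)
-if err != nil {
-rest.Error(c, err)
-return
-}
 resp := GetLoginInfoResponse{
 SupportedAuthTypes: supportedAuth,
-SQLAuthPublicKey: publicKeyStr,
 }
 c.JSON(http.StatusOK, resp)
 }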
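Review bot: After this revert the `Authenticator` callback that ends at `return u, nil` no longer touches any key material, and `GetLoginInfoResponse` no longer advertises a public key, so the `Password` in `AuthenticateForm` reaches the registered authenticators exactly as the client submitted it; neither the hunks nor the commit message record why the encryption was backed out or what is expected to protect the credential in transit instead. A hedged comment on `AuthenticateForm` would stop the next reader from reintroducing a half-finished scheme: `// NOTE(review): Password arrives as submitted by the client; confirm that transport protection (TLS on the dashboard listener) is what keeps it confidential.` Dropping the `sql_auth_public_key` field also removes the only hint a client had about which login scheme the server expects, so this file and the `jsencrypt` removal in package.json have to stay in lockstep. `NewAuthService` and `GetLoginInfoHandler` both continue outside the hunks shown.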
108 changes: 0 additions & 108 deletions pkg/apiserver/user/rsa_utils.go

This file was deleted.

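--- a/pkg/apiserver/user/sqlauth/sqlauth.go
+++ b/pkg/apiserver/user/sqlauth/sqlauth.go
@@ -15,8 +15,7 @@ const typeID utils.AuthType = 0
 
 type Authenticator struct {
 user.BaseAuthenticator
-tidbClient *tidb.Client
-authService *user.AuthService
+tidbClient *tidb.Client
 }
 
 func NewAuthenticator(tidbClient *tidb.Client) *Authenticator {
@@ -27,7 +26,6 @@ func NewAuthenticator(tidbClient *tidb.Client) *Authenticator {
 
 func registerAuthenticator(a *Authenticator, authService *user.AuthService) {
 authService.RegisterAuthenticator(typeID, a)
-a.authService = authService
 }
 
 var Module = fx.Options(
@@ -36,12 +34,7 @@ var Module = fx.Options(
 )
 
 func (a *Authenticator) Authenticate(f user.AuthenticateForm) (*utils.SessionUser, error) {
-plainPwd, err := user.Decrypt(f.Password, a.authService.RsaPrivateKey)
-if err != nil {
-return nil, user.ErrSignInOther.WrapWithNoMessage(err)
-}
-
-writeable, err := user.VerifySQLUser(a.tidbClient, f.Username, plainPwd)
+writeable, err := user.VerifySQLUser(a.tidbClient, f.Username, f.Password)
 if err != nil {
 if errorx.Cast(err) == nil {
 return nil, user.ErrSignInOther.WrapWithNoMessage(err)
@@ -59,7 +52,7 @@ func (a *Authenticator) Authenticate(f user.AuthenticateForm) (*utils.SessionUse
 Version: utils.SessionVersion,
 HasTiDBAuth: true,
 TiDBUsername: f.Username,
-TiDBPassword: plainPwd,
+TiDBPassword: f.Password,
 DisplayName: f.Username,
 IsShareable: true,
 IsWriteable: writeable,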
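Review bot: `Authenticate` now forwards `f.Password` unchanged to `user.VerifySQLUser` and, in the last hunk, copies the same value into `TiDBPassword` on the returned session, yet the exported method carries no doc comment stating that the caller-supplied credential is retained after login. Proposed: `// Authenticate checks f.Username/f.Password against TiDB through a.tidbClient and, on success, returns a session whose TiDBPassword holds the password exactly as received; any protection of the credential in transit must happen before this method is reached.` The first hunk leaves `Authenticator` with only `tidbClient`, which matches `registerAuthenticator` no longer storing the service, so the struct and the registration stay consistent. Authenticate's body continues outside the hunks shown.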
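--- a/release-version
+++ b/release-version
@@ -1,3 +1,3 @@
 # This file specifies the TiDB Dashboard internal version, which will be printed in `--version`
 # and UI. In release branch, changing this file will result in publishing a new version and tag.
-2023.09.21.1
+2023.11.02.1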
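--- a/tests/integration/info/info_test.go
+++ b/tests/integration/info/info_test.go
@@ -96,8 +96,7 @@ func (s *testInfoSuite) getTokenBySQLRoot() string {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "root"
-pwd, _ := user.Encrypt("", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = ""
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))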
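--- a/tests/integration/user/user_test.go
+++ b/tests/integration/user/user_test.go
@@ -93,8 +93,7 @@ func (s *testUserSuite) TestLoginWithNotExistUser() {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "not_exist"
-pwd, _ := user.Encrypt("aaa", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = "aaa"
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -110,8 +109,7 @@ func (s *testUserSuite) TestLoginWithWrongPassword() {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "dashboardAdmin"
-pwd, _ := user.Encrypt("123456789", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = "123456789"
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -127,8 +125,7 @@ func (s *testUserSuite) TestLoginWithInsufficientPrivs() {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "dashboardAdmin-2"
-pwd, _ := user.Encrypt("12345678", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = "12345678"
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -145,8 +142,7 @@ func (s *testUserSuite) TestLoginWithSufficientPrivs() {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "dashboardAdmin"
-pwd, _ := user.Encrypt("12345678", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = "12345678"
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -181,8 +177,7 @@ func (s *testUserSuite) TestLoginWithWrongPasswordForRoot() {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "root"
-pwd, _ := user.Encrypt("aaa", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = "aaa"
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -198,8 +193,7 @@ func (s *testUserSuite) TestLoginWithCorrectPasswordForRoot() {
 param := make(map[string]interface{})
 param["type"] = 0
 param["username"] = "root"
-pwd, _ := user.Encrypt("", s.authService.RsaPublicKey)
-param["password"] = pwd
+param["password"] = ""
 
 jsonByte, _ := json.Marshal(param)
 req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
@@ -216,33 +210,6 @@ func (s *testUserSuite) TestLoginWithCorrectPasswordForRoot() {
 s.Require().Nil(err)
 }
 
-// TODO: uncomment it after thinking clearly
-// func (s *testUserSuite) TestLoginWithSamePayloadTwice() {
-// param := make(map[string]interface{})
-// param["type"] = 0
-// param["username"] = "root"
-// pwd, _ := user.Encrypt("", s.authService.RsaPublicKey)
-// param["password"] = pwd
-
-// // success at the first time
-// jsonByte, _ := json.Marshal(param)
-// req, _ := http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
-// c, w := util.TestReqWithHandlers(req, s.authService.LoginHandler)
-
-// s.Require().Len(c.Errors, 0)
-// s.Require().Equal(200, c.Writer.Status())
-// s.Require().Equal(200, w.Code)
-
-// // fail at the second time
-// req, _ = http.NewRequest(http.MethodPost, "/user/login", bytes.NewReader(jsonByte))
-// c, w = util.TestReqWithHandlers(req, s.authService.LoginHandler)
-
-// s.Require().Contains(c.Errors.Last().Err.Error(), "authenticate failed")
-// s.Require().Contains(c.Errors.Last().Err.Error(), "crypto/rsa: decryption error")
-// s.Require().Equal(401, c.Writer.Status())
-// s.Require().Equal(401, w.Code)
-// }
-
 func (s *testUserSuite) TestLoginInfo() {
 req, _ := http.NewRequest(http.MethodGet, "/user/login_info", nil)
 c, w := util.TestReqWithHandlers(req, s.authService.GetLoginInfoHandler)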
Expand Up @@ -20,12 +20,6 @@
* @interface UserGetLoginInfoResponse
*/
export interface UserGetLoginInfoResponse {
/**
*
* @type {string}
* @memberof UserGetLoginInfoResponse
*/
'sql_auth_public_key'?: string;
/**
*
* @type {Array<number>}
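--- a/ui/packages/tidb-dashboard-client/swagger/spec.json
+++ b/ui/packages/tidb-dashboard-client/swagger/spec.json
@@ -5776,9 +5776,6 @@
 "user.GetLoginInfoResponse": {
 "type": "object",
 "properties": {
-"sql_auth_public_key": {
-"type": "string"
-},
 "supported_auth_types": {
 "type": "array",
 "items": {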
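--- a/ui/packages/tidb-dashboard-for-op/package.json
+++ b/ui/packages/tidb-dashboard-for-op/package.json
@@ -29,7 +29,6 @@
 "compare-versions": "^5.0.1",
 "eventemitter2": "^6.4.5",
 "i18next": "^23.2.9",
-"jsencrypt": "^3.3.2",
 "nprogress": "^0.2.0",
 "rc-animate": "^3.1.0",
 "react": "^17.0.2",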