Merge pull request #5849 from savonarola/dashboard-login-security

fix(dashboard rest api): improve auth method security
This commit is contained in:
Zaiming (Stone) Shi 2021-09-30 07:29:38 +02:00 committed by GitHub
commit ec89781cc4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 12 additions and 7 deletions


@ -273,7 +273,7 @@ jobs:
make make
make install make install
- name: run relup test - name: run relup test
timeout-minutes: 20 timeout-minutes: 30
run: | run: |
set -e -x -u set -e -x -u
if [ -n "$OLD_VSNS" ]; then if [ -n "$OLD_VSNS" ]; then


@ -1,6 +1,6 @@
{application, emqx_dashboard, {application, emqx_dashboard,
[{description, "EMQ X Web Dashboard"}, [{description, "EMQ X Web Dashboard"},
{vsn, "4.3.4"}, % strict semver, bump manually! {vsn, "4.3.5"}, % strict semver, bump manually!
{modules, []}, {modules, []},
{registered, [emqx_dashboard_sup]}, {registered, [emqx_dashboard_sup]},
{applications, [kernel,stdlib,mnesia,minirest]}, {applications, [kernel,stdlib,mnesia,minirest]},


@ -1,6 +1,6 @@
%% -*- mode: erlang -*- %% -*- mode: erlang -*-
{VSN, {VSN,
[ {<<"4.3.[0-3]">>, [ {<<"4.3.[0-4]">>,
%% load all plugins %% load all plugins
%% NOTE: this depends on the fact that emqx_dashboard is always %% NOTE: this depends on the fact that emqx_dashboard is always
%% the last application gets upgraded %% the last application gets upgraded
@ -10,7 +10,7 @@
]}, ]},
{<<".*">>, []} {<<".*">>, []}
], ],
[ {<<"4.3.[0-3]">>, [ {<<"4.3.[0-4]">>,
[ {apply, {emqx_rule_engine, load_providers, []}} [ {apply, {emqx_rule_engine, load_providers, []}}
, {restart_application, emqx_dashboard} , {restart_application, emqx_dashboard}
, {apply, {emqx_plugins, load, []}} , {apply, {emqx_plugins, load, []}}


@ -168,10 +168,10 @@ check(Username, Password) ->
[#mqtt_admin{password = <<Salt:4/binary, Hash/binary>>}] -> [#mqtt_admin{password = <<Salt:4/binary, Hash/binary>>}] ->
case Hash =:= md5_hash(Salt, Password) of case Hash =:= md5_hash(Salt, Password) of
true -> ok; true -> ok;
false -> {error, <<"Password Error">>} false -> {error, <<"Username/Password error">>}
end; end;
[] -> [] ->
{error, <<"Username Not Found">>} {error, <<"Username/Password error">>}
end. end.
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
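Review bot: Unifying the two messages removes the text-based user-enumeration signal, but the `[]` branch at the end of the hunk still returns without calling `md5_hash/2`, so the unknown-user path does strictly less work than the wrong-password path and the two are presumably still distinguishable by response time. Doing the same hash work in the miss branch closes that gap, e.g. `[] -> _ = md5_hash(<<0, 0, 0, 0>>, Password), {error, <<"Username/Password error">>}` (a dummy salt of the same 4-byte width the stored record uses). The `Hash =:= md5_hash(Salt, Password)` comparison is also an ordinary term comparison rather than a constant-time one; worth a `%% NOTE` comment so a later change to a constant-time compare is not lost. The `case` head of `check/2` that this hunk belongs to starts outside the hunk.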


@ -49,7 +49,7 @@ all() ->
groups() -> groups() ->
[{overview, [sequence], [t_overview]}, [{overview, [sequence], [t_overview]},
{admins, [sequence], [t_admins_add_delete]}, {admins, [sequence], [t_admins_add_delete]},
{rest, [sequence], [t_rest_api]}, {rest, [sequence], [t_rest_api, t_auth_exhaustive_attack]},
{cli, [sequence], [t_cli]} {cli, [sequence], [t_cli]}
]. ].
@ -98,6 +98,11 @@ t_rest_api(_Config) ->
]], ]],
ok. ok.
t_auth_exhaustive_attack(_Config) ->
{ok, Res0} = http_post("auth", #{<<"username">> => <<"invalid_login">>, <<"password">> => <<"newpwd">>}),
{ok, Res1} = http_post("auth", #{<<"username">> => <<"admin">>, <<"password">> => <<"invalid_password">>}),
?assertEqual(Res0, Res1).
t_cli(_Config) -> t_cli(_Config) ->
[mnesia:dirty_delete({mqtt_admin, Admin}) || Admin <- mnesia:dirty_all_keys(mqtt_admin)], [mnesia:dirty_delete({mqtt_admin, Admin}) || Admin <- mnesia:dirty_all_keys(mqtt_admin)],
emqx_dashboard_cli:admins(["add", "username", "password"]), emqx_dashboard_cli:admins(["add", "username", "password"]),