Skip to content

fix: exit reset password request before passwords are compared #13856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions coderd/coderd.go
Original file line number Diff line number Diff line change
Expand Up @@ -1018,6 +1018,7 @@ func New(options *Options) *API {
})
r.Put("/appearance", api.putUserAppearanceSettings)
r.Route("/password", func(r chi.Router) {
r.Use(httpmw.RateLimit(options.LoginRateLimit, time.Minute))
r.Put("/", api.putUserPassword)
})
// These roles apply to the site wide permissions.
Expand Down
4 changes: 2 additions & 2 deletions coderd/httpmw/authz_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ func TestAsAuthzSystem(t *testing.T) {
t.Parallel()
userActor := coderdtest.RandomRBACSubject()

base := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
base := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
actor, ok := dbauthz.ActorFromContext(r.Context())
assert.True(t, ok, "actor should exist")
assert.True(t, userActor.Equal(actor), "actor should be the user actor")
Expand Down Expand Up @@ -80,7 +80,7 @@ func TestAsAuthzSystem(t *testing.T) {
mwAssertUser,
)
r.Handle("/", base)
r.NotFound(func(writer http.ResponseWriter, request *http.Request) {
r.NotFound(func(http.ResponseWriter, *http.Request) {
assert.Fail(t, "should not hit not found, the route should be correct")
})
})
Expand Down
3 changes: 1 addition & 2 deletions coderd/notifications/manager_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,13 @@ import (
"testing"
"time"

"github.com/coder/serpent"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"golang.org/x/xerrors"

"cdr.dev/slog"
"cdr.dev/slog/sloggers/slogtest"

"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbgen"
"github.com/coder/coder/v2/coderd/database/dbmem"
Expand All @@ -24,6 +22,7 @@ import (
"github.com/coder/coder/v2/coderd/notifications/dispatch"
"github.com/coder/coder/v2/coderd/notifications/types"
"github.com/coder/coder/v2/testutil"
"github.com/coder/serpent"
)

func TestBufferedUpdates(t *testing.T) {
Expand Down
5 changes: 5 additions & 0 deletions coderd/users.go
Original file line number Diff line number Diff line change
Expand Up @@ -913,6 +913,11 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
defer commitAudit()
aReq.Old = user

if !api.Authorize(r, policy.ActionUpdatePersonal, user) {
httpapi.ResourceNotFound(rw)
return
}

if !httpapi.Read(ctx, rw, r, &params) {
return
}
Expand Down
38 changes: 38 additions & 0 deletions coderd/users_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import (
"github.com/stretchr/testify/require"
"golang.org/x/exp/slices"
"golang.org/x/sync/errgroup"
"golang.org/x/xerrors"

"github.com/coder/coder/v2/coderd/audit"
"github.com/coder/coder/v2/coderd/coderdtest"
Expand Down Expand Up @@ -826,6 +827,7 @@ func TestUpdateUserPassword(t *testing.T) {
})
require.NoError(t, err, "member should login successfully with the new password")
})

t.Run("MemberCanUpdateOwnPassword", func(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
Expand Down Expand Up @@ -853,6 +855,7 @@ func TestUpdateUserPassword(t *testing.T) {
require.Len(t, auditor.AuditLogs(), numLogs)
require.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[numLogs-1].Action)
})

t.Run("MemberCantUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
t.Parallel()
client := coderdtest.New(t, nil)
Expand All @@ -867,6 +870,41 @@ func TestUpdateUserPassword(t *testing.T) {
})
require.Error(t, err, "member should not be able to update own password without providing old password")
})

t.Run("AuditorCantTellIfPasswordIncorrect", func(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
adminClient := coderdtest.New(t, &coderdtest.Options{Auditor: auditor})

adminUser := coderdtest.CreateFirstUser(t, adminClient)

auditorClient, _ := coderdtest.CreateAnotherUser(t, adminClient,
adminUser.OrganizationID,
rbac.RoleAuditor(),
)

_, memberUser := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
numLogs := len(auditor.AuditLogs())

ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()

err := auditorClient.UpdateUserPassword(ctx, memberUser.ID.String(), codersdk.UpdateUserPasswordRequest{
Password: "MySecurePassword!",
})
numLogs++ // add an audit log for user update

require.Error(t, err, "auditors shouldn't be able to update passwords")
var httpErr *codersdk.Error
require.True(t, xerrors.As(err, &httpErr))
// ensure that the error we get is "not found" and not "bad request"
require.Equal(t, http.StatusNotFound, httpErr.StatusCode())

require.Len(t, auditor.AuditLogs(), numLogs)
require.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[numLogs-1].Action)
require.Equal(t, int32(http.StatusNotFound), auditor.AuditLogs()[numLogs-1].StatusCode)
})

t.Run("AdminCanUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
Expand Down
Loading