- Bug
- Resolution: Done
- Major
- quay-3.7
Quay 3.6.8 and Quay 3.7.11 configured with an LDAP backend, installed on OCP 4.8, divulge the following on web login:
- "user" existence, with the following error:
  - Username not found
- "password" mismatch, with the following error:
  - Invalid password
A more secure environment should display "Invalid Credential" if the login/password fails the authentication mechanism.
It looks like the solution here is to modify "data/users/externalldap.py" to return more general information. Some flags in the config.yaml might be useful to enable "debugging" on a non-production system.
Here is the useful part of the config.yaml used in this environment, to enable reproduction if needed.
ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
AUTHENTICATION_TYPE: LDAP
BUILDLOGS_REDIS:
  host: registry-quay-redis
  port: 6379
DATABASE_SECRET_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DB_CONNECTION_ARGS:
  autorollback: true
  threadlocals: true
DB_URI: postgresql://registry-quay-database:xxxxxxxxxxxxxxxxxxxxxxxxxx@registry-quay-database:5432/quay-database
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  local_us:
  - RHOCSStorage
  - access_key: xxxxxxxxxxxxxxxxxxxxxxxxxx
    bucket_name: quay-datastore-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    hostname: s3.openshift-storage.svc.cluster.local
    is_secure: true
    port: 443
    secret_key: xxxxxxxxxxxxxxxxxxxxxxxxxxx
    storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
- local_us
DISTRIBUTED_STORAGE_PREFERENCE:
- local_us
ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
EXTERNAL_TLS_TERMINATION: true
FEATURE_BUILD_SUPPORT: false
FEATURE_DIRECT_LOGIN: true
FEATURE_MAILING: false
FEATURE_PROXY_STORAGE: true
FEATURE_REPO_MIRROR: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
LDAP_ADMIN_DN: uid=quay-bind-user,cn=users,cn=accounts,dc=aaa,dc=bbb,dc=ccc,dc=ddd,dc=eee
LDAP_ADMIN_PASSWD: quay
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_BASE_DN:
- dc=aaa
- dc=bbb
- dc=ccc
- dc=ddd
- dc=eee
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldaps://idm-service.apps.svc.cluster.local.bbb.ccc.ddd.eee:636
LDAP_USER_FILTER: (memberof=cn=quayusers,cn=groups,cn=accounts,dc=aaa,dc=bbb,dc=ccc,dc=ddd,dc=eee)
LDAP_USER_RDN:
- cn=users
- cn=accounts
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SECRET_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://registry-clair-app:80
SECURITY_SCANNER_V4_NAMESPACE_WHITELIST:
- admin
SECURITY_SCANNER_V4_PSK: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SERVER_HOSTNAME: quay.apps.mgmt2.aaa.bbb.ccc.ddd.eee
SETUP_COMPLETE: true
SUPER_USERS:
- superuser
TAG_EXPIRATION_OPTIONS:
- 2w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USER_EVENTS_REDIS:
  host: registry-quay-redis
  port: 6379
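As an added illustration of the fix the description asks for (example code written for this page, not Quay's own data/users/externalldap.py), the following models the two-stage LDAP check against a constructed in-memory directory and shows the leaky messages beside a version that returns the single generic string while keeping the real cause in a debug log. All function names and the sample account are assumptions.

```python
import hmac
import logging

logger = logging.getLogger("externalldap")

# Constructed stand-in for the directory (uid -> password). Real code would
# search LDAP for the uid and then bind with the supplied password.
FAKE_DIRECTORY = {"alice": "correct horse battery staple"}

GENERIC_ERROR = "Invalid Credential"


def verify_credentials_leaky(username, password):
    """Behaviour reported in the ticket: the message tells the caller whether
    the account exists, so valid usernames can be confirmed one by one."""
    if username not in FAKE_DIRECTORY:
        return None, "Username not found"
    if not hmac.compare_digest(FAKE_DIRECTORY[username], password):
        return None, "Invalid password"
    return username, None


def verify_credentials_hardened(username, password):
    """Same checks, but every failure yields the one generic string; the exact
    cause is logged at DEBUG level, to be switched on only outside production."""
    if username not in FAKE_DIRECTORY:
        logger.debug("LDAP login failed for %r: user not found", username)
        return None, GENERIC_ERROR
    if not hmac.compare_digest(FAKE_DIRECTORY[username], password):
        logger.debug("LDAP login failed for %r: bind rejected", username)
        return None, GENERIC_ERROR
    return username, None


def leaks_account_existence(verify):
    """Regression check: True when a missing user and a wrong password
    produce different messages, i.e. the function still enumerates users."""
    _, missing_user_msg = verify("nobody", "irrelevant")
    _, wrong_password_msg = verify("alice", "wrong")
    return missing_user_msg != wrong_password_msg


if __name__ == "__main__":
    print("leaky   :", leaks_account_existence(verify_credentials_leaky))     # True
    print("hardened:", leaks_account_existence(verify_credentials_hardened))  # False
```

A uniform message alone does not close the issue the linked duplicate raises: a failed directory search and a failed bind can still differ in response time, so the generic error should be paired with rate limiting or lockout on repeated failures.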
- is duplicated by: PROJQUAY-5111 Leaking sensitive LDAP information and granting bruteforce authentication (Closed)