From 05aaa355a4f33b115f0111f6c4cfda8b2632f570 Mon Sep 17 00:00:00 2001
From: Jan Mach <jan.mach@cesnet.cz>
Date: Wed, 13 May 2020 17:18:19 +0200
Subject: [PATCH] Improved application security by changing the defaultness of
 auth_dev module.

The auth_dev authentication module was accidentally enabled by default in the configuration file shipped with Mentat packages. It was changed at some point locally during development and the change was accidentally committed. The documentation was also missing a warning about disabling it during installation in a production deployment. This is fixed now.
---
 conf/mentat-hawat.py.conf           |  2 +-
 doc/sphinx/_doclib/installation.rst | 11 ++++++++++-
 hawat.local.conf                    | 29 +++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/conf/mentat-hawat.py.conf b/conf/mentat-hawat.py.conf
index 533824ab..945804d7 100644
--- a/conf/mentat-hawat.py.conf
+++ b/conf/mentat-hawat.py.conf
@@ -40,7 +40,7 @@ ENABLED_BLUEPRINTS = [
     'vial.blueprints.changelogs',
 
     'hawat.blueprints.auth_env',
-    'hawat.blueprints.auth_dev',
+    #'hawat.blueprints.auth_dev',
     'hawat.blueprints.auth_pwd',
     'hawat.blueprints.home',
     'hawat.blueprints.reports',
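Review bot: The entry disabled on the new side at `#'hawat.blueprints.auth_dev'` carries no explanation, so the next person tidying the list can uncomment it without knowing what it grants, which is exactly how the commit message says the previous regression happened. A short comment above it would make the intent survive the next edit: `# DO NOT enable in production: auth_dev lets anyone log in as any user without a password.` followed by `# Keep it disabled here; enable only in a local development override.` Removing the line outright instead of commenting it out would be safer still, since the installation guide in this same commit now tells operators the exact blueprint name to look for. The ENABLED_BLUEPRINTS list begins in the hunk's context line and continues past the end of the hunk.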
diff --git a/doc/sphinx/_doclib/installation.rst b/doc/sphinx/_doclib/installation.rst
index f934c3c2..1784ef19 100644
--- a/doc/sphinx/_doclib/installation.rst
+++ b/doc/sphinx/_doclib/installation.rst
@@ -618,7 +618,10 @@ ready for deployment out of the box:
     a2ensite site_mentat.conf
 
     # !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
-    # Step 5: Change default SECRET_KEY in /etc/mentat/mentat-hawat.py.conf:
+    # Step 5: In file /etc/mentat/mentat-hawat.py.conf change default SECRET_KEY and
+    # in production deployment make sure, that ENABLED_BLUEPRINTS key does not
+    # contain 'hawat.blueprints.auth_dev', or that is is commented out. Otherwise
+    # you would enable anyone impersonate any other user without password.
     # !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
     vim /etc/mentat/mentat-hawat.py.conf
 
@@ -634,6 +637,12 @@ ready for deployment out of the box:
     # (please adjust the attributes, do not simply copy and paste):
     mentat-dbmngr.py --command user-add login=superman "fullname=Clark Kent" email=kent@dailyplanet.com "organization=Daily Planet, inc." roles=user,admin
 
+.. warning::
+
+    Please make sure you have read step 5 in the recipe above. The :ref:`section-hawat-plugin-auth-dev`
+    authentication module in particular is a HUGE security risk when enabled in production
+    installation and accessible from network.
+
 .. warning::
 
     For demonstration purposes Mentat package ships with preconfigured ``htpasswd``
diff --git a/hawat.local.conf b/hawat.local.conf
index ee83f975..0ccecb0e 100644
--- a/hawat.local.conf
+++ b/hawat.local.conf
@@ -5,3 +5,32 @@ MAIL_DEFAULT_SENDER = 'mentat@cesnet.cz'
 HAWAT_LOG_DEFAULT_LEVEL = 'debug'
 HAWAT_LOG_FILE = '/var/tmp/mentat-hawat.py.log'
 HAWAT_LOG_FILE_LEVEL = 'debug'
+ENABLED_BLUEPRINTS = [
+    'vial.blueprints.auth',
+    'vial.blueprints.auth_api',
+    'vial.blueprints.design_bs3',
+    'vial.blueprints.devtools',
+    'vial.blueprints.changelogs',
+
+    'hawat.blueprints.auth_env',
+    'hawat.blueprints.auth_dev',
+    'hawat.blueprints.auth_pwd',
+    'hawat.blueprints.home',
+    'hawat.blueprints.reports',
+    'hawat.blueprints.events',
+    'hawat.blueprints.hosts',
+    'hawat.blueprints.timeline',
+    'hawat.blueprints.dnsr',
+    #'hawat.blueprints.pdnsr',
+    'hawat.blueprints.geoip',
+    #'hawat.blueprints.nerd',
+    'hawat.blueprints.whois',
+    'hawat.blueprints.performance',
+    'hawat.blueprints.status',
+    'hawat.blueprints.dbstatus',
+    'hawat.blueprints.users',
+    'hawat.blueprints.groups',
+    'hawat.blueprints.settings_reporting',
+    'hawat.blueprints.filters',
+    'hawat.blueprints.networks',
+]
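Review bot: The new ENABLED_BLUEPRINTS list in hawat.local.conf turns `'hawat.blueprints.auth_dev'` (and `'vial.blueprints.devtools'`) back on without any marker that this override is development-only, so the repository now carries the very setting the packaged config just removed. Given that the commit message attributes the original slip to a local development change being committed, a header comment above the list would help keep the two files from being confused: `# Local development override only: never ship this file or copy its ENABLED_BLUEPRINTS into /etc/mentat/mentat-hawat.py.conf; auth_dev allows password-less login as any user.` Whether this file is excluded from packaging is not visible here and is worth confirming, and since the list is a near-duplicate of the packaged one, any blueprint added to one list in future has to be mirrored by hand in the other.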
-- 
GitLab