Opraven problem s prihlasovanim pri kolizi CN a AN

Zjednodusen kod autorizace

Opraven problem s prihlasovanim pri kolizi CN a AN
24c0761e · Michal Kostenec · 3c27ef6a · 24c0761e
Commit 24c0761e authored 12 years ago by Michal Kostenec
--- a/src/warden-server/lib/Warden.pm
+++ b/src/warden-server/lib/Warden.pm
@@ -121,6 +121,64 @@ sub getAltNames
 }
+#-------------------------------------------------------------------------------
+# authorizeClient - authorize client by CN,AN and source IP range
+#-------------------------------------------------------------------------------
+sub authorizeClient
+{
+    my ($alt_names, $ip, $service_type, $client_type, $function_name) = @_;
+    my $sth;
+    # obtain cidr based on rigth common name and alternate names, service and client_type
+    if($function_name eq 'saveNewEvent') {
+        $sth = $DBH->prepare_cached("SELECT hostname, ip_net_client, receive_own_events 
+                                    FROM clients WHERE hostname IN ($alt_names) AND service = ? AND client_type = ? 
+                                    ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC;");
+    }
+    elsif($function_name eq 'getNewEvents') {
+        $sth = $DBH->prepare_cached("SELECT hostname, ip_net_client, receive_own_events 
+                                    FROM clients WHERE hostname IN ($alt_names) AND type = ? AND client_type = ? 
+                                    ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC;");
+    }
+    if (!defined $sth) { die("Cannot prepare authorization statement in $function_name: $DBI::errstr\n")}
+    $sth->execute($service_type, $client_type);
+    my ($an, $cidr, $receive_own, $cidr_list);
+    my $correct_ip_source = 0;
+    my %ret;
+    while(($an, $cidr, $receive_own)  = $sth->fetchrow()) {
+        my $cidr_list = Net::CIDR::Lite-> new -> add($cidr);
+        $ret{'dns'} = $an;
+        $ret{'cidr'} = $cidr;
+        $ret{'receive_own'} = $receive_own;
+        if ($cidr_list->bin_find($ip)) {
+            $correct_ip_source = 1;
+            last;
+        }
+    };
+    # check if client is registered
+    if ($sth->rows == 0) {
+        write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names) - client is not registered");
+        die("Access denied - client is not registered at warden server!");
+        return undef;
+    }
+    # check if client has IP from registered CIDR
+    if (!$correct_ip_source) {
+        write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names) - access from bad subnet: " . $ret{'cidr'});
+        die("Access denied - access from unauthorized subnet!");
+        return undef;
+    }
+    return %ret;
+}
 ################################################################################
 # 				SOAP Functions
@@ -147,57 +205,38 @@ sub saveNewEvent
  # parse object (event) parameters
  my $service		= $data->{'SERVICE'};
  my $detected		= $data->{'DETECTED'};
-  my $type		= $data->{'TYPE'};
+  my $type		    = $data->{'TYPE'};
  my $source_type	= $data->{'SOURCE_TYPE'};
  my $source		= $data->{'SOURCE'};
  my $target_proto	= $data->{'TARGET_PROTO'};
  my $target_port	= $data->{'TARGET_PORT'};
  my $attack_scale 	= $data->{'ATTACK_SCALE'};
-  my $note		= $data->{'NOTE'};
+  my $note		    = $data->{'NOTE'};
  my $priority		= $data->{'PRIORITY'};
  my $timeout		= $data->{'TIMEOUT'};
-  # obtain cidr based on rigth common name and alternate names, service and client_type
+   my %client = authorizeClient($alt_names, $ip, $service, $client_type, 'saveNewEvent');
-  $sth = $DBH->prepare_cached("SELECT hostname, ip_net_client FROM clients WHERE hostname IN ($alt_names) AND service = ? AND client_type = ? LIMIT 1;");
+   if(defined %client) {
-  if (!defined $sth) {die("Cannot prepare authorization statement in saveNewEvent: $DBI::errstr\n")}
-  $sth->execute($service, $client_type);
-  my ($an, $cidr) = $sth->fetchrow();
-  # check if client is registered
-  if (!defined $cidr) {
-    write2log ("err", "Unauthorized access to saveNewEvent from: $ip (CN: $cn; AN: $an) - client is not registered");
-    die("Access denied - client is not registered at warden server!");
-  } else {
-    $cidr_list = Net::CIDR::Lite
-      -> new
-      -> add($cidr);
-  }
-  # check if client has IP from registered CIDR
-  if (!$cidr_list->bin_find($ip)) {
-    write2log ("err", "Unauthorized access to saveNewEvent from: $ip (CN: $cn; AN: $an) - access from bad subnet: $cidr");
-    die("Access denied - access from unauthorized subnet!");
-  } else {
    # insert new events into DB
    $sth=$DBH->prepare_cached("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);");
    if (!defined $sth) {die("Cannot do insert statement in saveNewEvent: $DBI::errstr\n")}
-    $sth->execute(undef, $cn, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
+    $sth->execute(undef, $client{'dns'}, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
-    # log last inserted ID
+    ## log last inserted ID
-    $sth = $DBH->prepare("SELECT last_insert_id()");
+    #$sth = $DBH->prepare("SELECT last_insert_id()");
-    if ( !defined $sth ) {die("Cannot prepare last ID statement in saveNewEvent: $DBI::errstr\n")}
+    #if ( !defined $sth ) {die("Cannot prepare last ID statement in saveNewEvent: $DBI::errstr\n")}
-    $sth->execute;
+    #$sth->execute;
-    my $id= $sth->fetchrow();
+    #my $id= $sth->fetchrow();
-    write2log ("info", "Stored new event (#$id) from $ip (CN: $cn; AN: $an)");
+    #write2log ("info", "Stored new event (#$id) from $ip (CN: $cn; AN: $an)");
-    if (! defined $id) {
+    #if (! defined $id) {
-      write2log ("err", "Event from $ip ($cn) was not save: INSERT INTO events VALUES (NULL,$cn,$service,$detected,$received,$type,$source_type,$source,$target_proto,$target_port,$attack_scale,$note,$priority,$timeout,$valid);");
+    #  write2log ("err", "Event from $ip ($cn) was not save: INSERT INTO events VALUES (NULL,$cn,$service,$detected,$received,$type,$source_type,$source,$target_proto,$target_port,$attack_scale,$note,$priority,$timeout,$valid);");
-      die("Event was not save at warden server - database return empty ID!");
+    #  die("Event was not save at warden server - database return empty ID!");
-      return 0;
+    #  return 0;
-    } else {
+    #} else {
      return 1;
-    }
+    # }
  }
 } # END of saveNewEvent
@@ -212,40 +251,21 @@ sub getNewEvents
  my ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout);
  # client network information
-  my $cn	= $ENV{'SSL_CLIENT_S_DN_CN'};
+  my $cn	    = $ENV{'SSL_CLIENT_S_DN_CN'};
  my $alt_names = getAltNames(undef);
-  my $ip	= $ENV{'REMOTE_ADDR'};
+  my $ip	    = $ENV{'REMOTE_ADDR'};
  my $client_type	= "r";	# incoming client MUST be sender
  # parse SOAP data object
-  my $requested_type	= $data->{'REQUESTED_TYPE'};
+  my $requested_type = $data->{'REQUESTED_TYPE'};
-  my $last_id		= $data->{'LAST_ID'};
+  my $last_id		 = $data->{'LAST_ID'};
-  # obtain cidr based on rigth common name, service and client_type
+  my %client = authorizeClient($alt_names, $ip, $requested_type, $client_type, 'getNewEvents');
-  $sth = $DBH->prepare_cached("SELECT hostname, receive_own_events, ip_net_client FROM clients WHERE hostname IN ($alt_names) AND type = ? AND client_type = ? LIMIT 1;");
+  if(defined %client) {
-  if (!defined $sth) {die("Cannot prepare authorization statement in getNewEvents: $DBI::errstr\n")}
-  $sth->execute($requested_type, $client_type);
-  my ($an, $receive_own_events, $cidr) = $sth->fetchrow();
-  # check if client is registered
-  if (!defined $cidr) {
-    write2log ("err", "Unauthorized access to getNewEvents from: $ip (CN: $cn; AN: $an) - client is not registered");
-    die("Access denied - client is not registered at warden server!");
-  } else {
-    $cidr_list = Net::CIDR::Lite
-      -> new
-      -> add($cidr);
-  }
-  # check if client has IP from registered CIDR
-  if (!$cidr_list->bin_find($ip)) {
-    write2log ("err", "Unauthorized access to getNewEvents from: $ip (CN: $cn; AN: $an) - access from bad subnet: $cidr");
-    die("Access denied - access from unathorized subnet!");
-  } else {
    # check if client want your own events or not
-    if ($receive_own_events eq 't') {
+    if ($client{'receive_own'} eq 't') {
      $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND type = ? AND valid = 't' ORDER BY id ASC;");
      if (!defined $sth) {die("Cannot prepare ROE statement in getNewEvents: $DBI::errstr\n")}
      $sth->execute($last_id, $requested_type);
@@ -268,19 +288,19 @@ sub getNewEvents
      $source	 	= $result[7];
      $target_proto	= $result[8];
      $target_port 	= $result[9];
-      $attack_scale 	= $result[10];
+      $attack_scale = $result[10];
      $note 		= $result[11];
      $priority 	= $result[12];
      $timeout	 	= $result[13];
      # create SOAP data object
      $event = SOAP::Data->name(event => \SOAP::Data->value(
-        SOAP::Data->name(ID		=> $id),
+        SOAP::Data->name(ID		    => $id),
        SOAP::Data->name(HOSTNAME	=> $hostname),
        SOAP::Data->name(SERVICE	=> $service),
        SOAP::Data->name(DETECTED	=> $detected),
        SOAP::Data->name(TYPE		=> $type),
-        SOAP::Data->name(SOURCE_TYPE	=> $source_type),
+        SOAP::Data->name(SOURCE_TYPE=> $source_type),
        SOAP::Data->name(SOURCE		=> $source),
        SOAP::Data->name(TARGET_PROTO	=> $target_proto),
        SOAP::Data->name(TARGET_PORT	=> $target_port),
@@ -296,9 +316,9 @@ sub getNewEvents
    # log sent ID of events
    if (scalar @events != 0) {
      if (scalar @ids == 1) {
-        write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN: $cn; AN: $an)");
+        write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN(AN): $alt_names)");
      } else {
-        write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN: $cn; AN: $an)");
+        write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN(AN): $alt_names)");
      }
    }
    return @events;