From 07ce9ba30bcc2b2ee13ccdb284fb3e12ec932c96 Mon Sep 17 00:00:00 2001 From: Jordan Reimer Date: Tue, 28 Feb 2023 12:26:10 -0700 Subject: [PATCH] Identity manager secure context fallback (#19403) * adds check for isSecureContext in identity-manager and falls back to incrementing ids * adds uuid package to replace crypto.randomUUID * adds test for okta number challenge nonce value validation --- ui/app/components/auth-form.js | 3 +- ui/app/utils/identity-manager.js | 9 +++--- ui/package.json | 3 +- .../integration/components/auth-form-test.js | 32 +++++++++++++++++++ ui/tests/unit/serializers/cluster-test.js | 14 ++++++++ ui/yarn.lock | 5 +++ 6 files changed, 60 insertions(+), 6 deletions(-) create mode 100644 ui/tests/unit/serializers/cluster-test.js diff --git a/ui/app/components/auth-form.js b/ui/app/components/auth-form.js index 48df029f7..3eb77e9ea 100644 --- a/ui/app/components/auth-form.js +++ b/ui/app/components/auth-form.js @@ -8,6 +8,7 @@ import { computed } from '@ember/object'; import { supportedAuthBackends } from 'vault/helpers/supported-auth-backends'; import { task, timeout } from 'ember-concurrency'; import { waitFor } from '@ember/test-waiters'; +import { v4 as uuidv4 } from 'uuid'; const BACKENDS = supportedAuthBackends(); @@ -307,7 +308,7 @@ export default Component.extend(DEFAULTS, { } // add nonce field for okta backend if (backend.type === 'okta') { - data.nonce = crypto.randomUUID(); + data.nonce = uuidv4(); // add a default path of okta if it doesn't exist to be used for Okta Number Challenge if (!data.path) { data.path = 'okta'; diff --git a/ui/app/utils/identity-manager.js b/ui/app/utils/identity-manager.js index 756fd1cae..4a11c019c 100644 --- a/ui/app/utils/identity-manager.js +++ b/ui/app/utils/identity-manager.js @@ -1,3 +1,5 @@ +import { v4 as uuidv4 } from 'uuid'; + // manage a set of unique ids export default class { constructor() { @@ -12,11 +14,10 @@ export default class { * @public */ fetch() { - let uuid = crypto.randomUUID(); - // odds are incredibly low that we'll run into a duplicate using crypto.randomUUID() - // but just to be safe... + let uuid = uuidv4(); + // odds are incredibly low that we'll run into a duplicate but just to be safe... while (this.ids.has(uuid)) { - uuid = crypto.randomUUID(); + uuid = uuidv4(); } this.ids.add(uuid); return uuid; diff --git a/ui/package.json b/ui/package.json index a1bd52758..314c0bdf3 100644 --- a/ui/package.json +++ b/ui/package.json @@ -256,6 +256,7 @@ "highlight.js": "^10.4.1", "js-yaml": "^3.13.1", "lodash": "^4.17.13", - "node-notifier": "^8.0.1" + "node-notifier": "^8.0.1", + "uuid": "^9.0.0" } } diff --git a/ui/tests/integration/components/auth-form-test.js b/ui/tests/integration/components/auth-form-test.js index 9d2084931..d09283138 100644 --- a/ui/tests/integration/components/auth-form-test.js +++ b/ui/tests/integration/components/auth-form-test.js @@ -10,6 +10,7 @@ import sinon from 'sinon'; import Pretender from 'pretender'; import { create } from 'ember-cli-page-object'; import authForm from '../../pages/components/auth-form'; +import { validate } from 'uuid'; const component = create(authForm); @@ -314,4 +315,35 @@ module('Integration | Component | auth form', function (hooks) { server.shutdown(); }); + + test('it should set nonce value as uuid for okta method type', async function (assert) { + assert.expect(1); + + const server = new Pretender(function () { + this.post('/v1/auth/okta/login/foo', (req) => { + const { nonce } = JSON.parse(req.requestBody); + assert.true(validate(nonce), 'Nonce value passed as uuid for okta login'); + return [ + 200, + { 'content-type': 'application/json' }, + JSON.stringify({ + auth: { + client_token: '12345', + }, + }), + ]; + }); + this.get('/v1/sys/internal/ui/mounts', this.passthrough); + }); + + this.set('cluster', EmberObject.create({})); + await render(hbs``); + + await component.selectMethod('okta'); + await component.username('foo'); + await component.password('bar'); + await component.login(); + + server.shutdown(); + }); }); diff --git a/ui/tests/unit/serializers/cluster-test.js b/ui/tests/unit/serializers/cluster-test.js new file mode 100644 index 000000000..daff99c39 --- /dev/null +++ b/ui/tests/unit/serializers/cluster-test.js @@ -0,0 +1,14 @@ +import { module, test } from 'qunit'; +import { setupTest } from 'ember-qunit'; +import { validate } from 'uuid'; + +module('Unit | Serializer | cluster', function (hooks) { + setupTest(hooks); + + test('it should generate ids for replication attributes', async function (assert) { + const serializer = this.owner.lookup('serializer:cluster'); + const data = {}; + serializer.setReplicationId(data); + assert.true(validate(data.id), 'UUID is generated for replication attribute'); + }); +}); diff --git a/ui/yarn.lock b/ui/yarn.lock index e5a6b8a2f..19776c2ca 100644 --- a/ui/yarn.lock +++ b/ui/yarn.lock @@ -18579,6 +18579,11 @@ uuid@^8.3.0, uuid@^8.3.2: resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2" integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg== +uuid@^9.0.0: + version "9.0.0" + resolved "https://registry.yarnpkg.com/uuid/-/uuid-9.0.0.tgz#592f550650024a38ceb0c562f2f6aa435761efb5" + integrity sha512-MXcSTerfPa4uqyzStbRoTgt5XIe3x5+42+q1sDuy3R5MDk66URdLMOZe5aPX/SQd+kuYAh0FdP/pO28IkQyTeg== + v8-compile-cache@^2.0.3, v8-compile-cache@^2.3.0: version "2.3.0" resolved "https://registry.yarnpkg.com/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz#2de19618c66dc247dcfb6f99338035d8245a2cee"