anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0c10869e2657a2723784f6c7236f723aea7da0f2
DECNET/decnet/web/auth.py
anti 245975a6dd fix(security): close LOW ASVS findings — env bypass, SSE/deployment authz, CN fail-close, password byte-limit, exception leaks, BUG-12..16 
Auth/session (V2.1.7, V4.1.5, V4.1.6, V2.1.4/V2.1.5):
- env secret validation no longer bypassed by attacker-injectable PYTEST* env;
  gated on explicit DECNET_TESTING=1 (set only in conftest).
- must_change_password now enforced on the SSE header-JWT path, not just ticket mint.
- GET /system/deployment-mode requires viewer auth (was leaking role + topology size).
- CreateUser/ResetUser passwords min_length=12; passwords >72 bytes rejected
  explicitly instead of bcrypt silently truncating.

Swarm ingestion (V9.1.3, BUG-16):
- Log listener hard-rejects peers with unparseable/empty cert CN (fail closed,
  ingests nothing) instead of tagging 'unknown'.
- Shutdown handlers no longer swallow real errors (narrowed to CancelledError).

Info leakage (V7.1.2, V14.1.2):
- Exception text sanitized on swarm-update, health, tarpit, realism, file-drop,
  blank-topology endpoints (raw tc/docker stderr, DB/Docker errors logged
  server-side, generic detail returned). pyproject license corrected to AGPL-3.0.

Correctness (BUG-12..16):
- BUG-12 atomic credential upsert (UNIQUE constraint + IntegrityError retry,
  consistent principal_key canonicalization).
- BUG-13 rule-tail watermark uses >= with seen-id dedup (no same-second drop).
- BUG-14 worker wake cleared before wait (no lost wake during tick).
- BUG-15 intel gather tolerates an unexpected provider raise.
- BUG-16 see above.

Already-closed (verified, no change): V2.1.6, V5.1.3, V9.1.2. Accept-risk +
documented: V2.1.8 cache window, V3.1.3 idle timeout. Tests added for every fix;
unanimous adversarial review after two refute-fix rounds.
2026-06-10 13:27:14 -04:00

72 lines
3.0 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
import asyncio
from datetime import datetime, timedelta, timezone
from typing import Optional, Any
import jwt
import bcrypt
from decnet.env import DECNET_JWT_SECRET, DECNET_JWT_EXP_MINUTES
SECRET_KEY: str = DECNET_JWT_SECRET
ALGORITHM: str = "HS256"
# Live constant — sourced from env DECNET_JWT_EXP_MINUTES (default 240 / 4 h).
# Idle/inactivity timeout is intentionally not implemented: jti denylist covers
# explicit logout and the 4 h absolute TTL bounds the worst-case exposure window.
# Accept-risk: LOW / pre-v1 — revisit at v1 when user-facing session UX lands.
ACCESS_TOKEN_EXPIRE_MINUTES: int = DECNET_JWT_EXP_MINUTES
# Pinned issuer/audience/type so a token signed with DECNET_JWT_SECRET for any
# OTHER purpose (or by a future co-tenant of the secret) is not accepted by the
# dashboard verifier. Issuance stamps these; _decode_payload requires + verifies
# them. Keep these two modules in lockstep — they are a single trust contract.
JWT_ISSUER: str = "decnet"
JWT_AUDIENCE: str = "decnet-dashboard"
JWT_TYPE: str = "access"
def verify_password(plain_password: str, hashed_password: str) -> bool:
# [:72] is a defensive safety-net against bcrypt silent truncation.
# Validated callers already reject >72-byte passwords via field_validator,
# so this slice is unreachable for well-formed input.
return bcrypt.checkpw(
plain_password.encode("utf-8")[:72],
hashed_password.encode("utf-8")
)
def get_password_hash(password: str) -> str:
# Use a cost factor of 12 (default for passlib/bcrypt).
# [:72] is a defensive safety-net; field_validator rejects >72-byte input
# before it reaches this function.
_salt: bytes = bcrypt.gensalt(rounds=12)
_hashed: bytes = bcrypt.hashpw(password.encode("utf-8")[:72], _salt)
return _hashed.decode("utf-8")
async def averify_password(plain_password: str, hashed_password: str) -> bool:
# bcrypt is CPU-bound and ~250ms/call; keep it off the event loop.
return await asyncio.to_thread(verify_password, plain_password, hashed_password)
async def ahash_password(password: str) -> str:
return await asyncio.to_thread(get_password_hash, password)
def create_access_token(data: dict[str, Any], expires_delta: Optional[timedelta] = None) -> str:
_to_encode: dict[str, Any] = data.copy()
_expire: datetime
if expires_delta:
_expire = datetime.now(timezone.utc) + expires_delta
else:
_expire = datetime.now(timezone.utc) + timedelta(minutes=15)
_to_encode.update({"exp": _expire})
_to_encode.update({"iat": datetime.now(timezone.utc)})
# Pin issuer / audience / token-type so the verifier can reject tokens
# minted for any other purpose with the same shared secret.
_to_encode.setdefault("iss", JWT_ISSUER)
_to_encode.setdefault("aud", JWT_AUDIENCE)
_to_encode.setdefault("typ", JWT_TYPE)
_encoded_jwt: str = jwt.encode(_to_encode, SECRET_KEY, algorithm=ALGORITHM)
return _encoded_jwt
Reference in New Issue View Git Blame Copy Permalink