Merge branch 'conventions' into 'master'

rename authentication backends sections See merge request !98

Merge branch 'conventions' into 'master'
rename authentication backends sections See merge request !98
2c1b4bb7 · Benjamin "Ziirish" SANS · 7b2dc921 · c2802e48 · 2c1b4bb7 · 2c1b4bb7
Commit 2c1b4bb7 authored Jan 18, 2019 by Benjamin "Ziirish" SANS
19 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ burpui/RELEASE
 devel.sh
 *.egg*
 .tox
+.reports
 .coverage
 .coveragerc
 .ropeproject

--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,7 @@ Current

 - **BREAKING**: the *single* and *version* options within the ``[Global]`` section have been removed in favor of a new unified *backend* option
 - **BREAKING**: a change introduced by `#284 <https://git.ziirish.me/ziirish/burp-ui/issues/284>`_ may return wrong timestamps for backups made with burp-server <= 2.1.10 if your current burp-server is >= 2.1.10
+- **BREAKING**: the authentication backends section have been renamed with the ``:AUTH`` suffix
 - Add: new `audit logging <https://git.ziirish.me/ziirish/burp-ui/issues/260>`_ system
 - Add: new ``bui-monitor`` processes pool + ``async`` backend to parallelize some requests `#278 <https://git.ziirish.me/ziirish/burp-ui/issues/278>`_ 
 - Add: new `listen` and `listen_status` options in burp-2.2.10 `#279 <https://git.ziirish.me/ziirish/burp-ui/issues/279>`_ 

--- a/burpui/misc/auth/basic.py
+++ b/burpui/misc/auth/basic.py
@@ -11,7 +11,7 @@ class BasicLoader(BUIloader):
    """The :class:`burpui.misc.auth.basic.BasicLoader` class loads the *Basic*
    users.
    """
-    section = name = 'BASIC'
+    section = name = 'BASIC:AUTH'

    def __init__(self, app=None, handler=None):
        """:func:`burpui.misc.auth.basic.BasicLoader.__init__` loads users from

--- a/burpui/misc/auth/ldap.py
+++ b/burpui/misc/auth/ldap.py
@@ -12,25 +12,11 @@ except ImportError:
    raise ImportError('Unable to load \'ldap3\' module')


-def get_ssl_version(version):
-    SSL_SUPPORTED = ['SSLv2', 'SSLv3', 'SSLv23', 'TLSv1', 'TLSv1_1', 'TLSv1_2']
-    if version and version in SSL_SUPPORTED:
-        try:
-            return getattr(ssl, 'PROTOCOL_{}'.format(version))
-        except AttributeError:
-            idx = SSL_SUPPORTED.index(version) + 1
-            if idx == len(SSL_SUPPORTED):
-                return None
-            return get_ssl_version(SSL_SUPPORTED[idx])
-    else:
-        return None
-
-
 class LdapLoader(BUIloader):
    """The :class:`burpui.misc.auth.ldap.LdapLoader` handles searching for and
    binding as a :class:`burpui.misc.auth.ldap.LdapUser` user.
    """
-    section = name = 'LDAP'
+    section = name = 'LDAP:AUTH'

    def __init__(self, app=None, handler=None):
        """:func:`burpui.misc.auth.ldap.LdapLoader.__init__` establishes a
@@ -53,7 +39,6 @@ class LdapLoader(BUIloader):
                'base': None,
                'searchattr': 'uid',
                'validate': 'none',
-                'version': None,
                'cafile': None,
            }
        }
@@ -67,7 +52,6 @@ class LdapLoader(BUIloader):
            'binddn': 'binddn',
            'bindpw': 'bindpw',
            'validate': 'validate',
-            'version': 'version',
            'cafile': 'cafile'
        }
        conf.update_defaults(defaults)
@@ -88,9 +72,7 @@ class LdapLoader(BUIloader):
            self.validate = getattr(ssl, 'CERT_{}'.format(self.validate.upper()))
        else:
            self.validate = None
-        self.version = get_ssl_version(self.version)
-        if not self.version:
-            self.logger.warning('No SSL version chosen')
+        self.version = ssl.OP_NO_SSLv3
        self.users = []
        self.tls = None
        self.ssl = False
@@ -170,7 +152,7 @@ class LdapLoader(BUIloader):
                self.ldap.search(self.base, query, attributes=['cn', self.attr])
                r = self.ldap.response
            if not r:
-                raise Exception('no results')
+                raise ValueError('no results')
        except Exception as e:
            self.logger.error('Ooops, LDAP lookup failed: {0}'.format(str(e)))
            return None

--- a/burpui/misc/auth/local.py
+++ b/burpui/misc/auth/local.py
@@ -12,7 +12,7 @@ class LocalLoader(BUIloader):
    """The :class:`burpui.misc.auth.local.LocalLoader` class loads the *Local*
    users.
    """
-    section = name = 'LOCAL'
+    section = name = 'LOCAL:AUTH'

    def __init__(self, app=None, handler=None):
        """:func:`burpui.misc.auth.Local.localLoader.__init__` loads users from

--- a/docs/advanced_usage.rst
+++ b/docs/advanced_usage.rst
@@ -509,7 +509,7 @@ Now you can add *ldap* specific options:
 ::

    # ldapauth specific options
-    [LDAP]
+    [LDAP:AUTH]
    # Backend priority. Higher is first
    priority = 50
    # LDAP host
@@ -524,13 +524,6 @@ Now you can add *ldap* specific options:
    #  - optional (not required, but validated if provided)
    #  - required (required and validated)
    validate = none
-    # SSL or TLS version to use, can be one of the following:
-    #  - SSLv2
-    #  - SSLv3
-    #  - SSLv23
-    #  - TLSv1
-    #  - TLSv1_1 (Available only with openssl version 1.0.1+, requires python 2.7.9 or higher)
-    version = TLSv1
    # the file containing the certificates of the certification authorities
    cafile = none
    # Attribute to use when searching the LDAP repository
@@ -573,7 +566,7 @@ Now you can add *basic* specific options:
    # basicauth specific options
    # Note: in case you leave this section commented, the default login/password
    # is admin/admin
-    [BASIC]
+    [BASIC:AUTH]
    # Backend priority. Higher is first
    priority = 100
    admin = pbkdf2:sha1:1000$12345678$password
@@ -608,7 +601,7 @@ Now you can add *local* specific options:
    # localauth specific options
    # Note: if not running as root, then burp-ui must be run as group 'shadow' to
    # allow PAM to work
-    [LOCAL]
+    [LOCAL:AUTH]
    # Backend priority. Higher is first
    priority = 0
    # List of local users allowed to login. If you don't set this setting, users

--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -27,6 +27,10 @@ v0.7.0
  `Backend options <advanced_usage.html#options>`__ for details).
  The drawback of enabling the ``deep_inspection`` is this requires some extra
  work that may slow down burp-ui.
+- **Breaking** - the authentication backends section have been renamed with the
+  ``:AUTH`` suffix (so ``BASIC`` becomes ``BASIC:AUTH``, etc.).
+  Please make sure you rename those sections accordingly so you won't be locked
+  out.

 v0.6.0
 ------

--- a/share/burpui/etc/burpui.sample.cfg
+++ b/share/burpui/etc/burpui.sample.cfg
@@ -223,7 +223,7 @@ max_bytes = 30 * 1024 * 1024
 rotate = 5

 ## ldapauth specific options
-#[LDAP]
+#[LDAP:AUTH]
 ## Backend priority. Higher is first
 #priority = 50
 ## LDAP host
@@ -238,13 +238,6 @@ rotate = 5
 ##  - optional (not required, but validated if provided)
 ##  - required (required and validated)
 #validate = none
-## SSL or TLS version to use, can be one of the following:
-##  - SSLv2
-##  - SSLv3
-##  - SSLv23
-##  - TLSv1
-##  - TLSv1_1 (Available only with openssl version 1.0.1+, requires python 2.7.9 or higher)
-#version = TLSv1
 ## the file containing the certificates of the certification authorities
 #cafile = none
 ## Attribute to use when searching the LDAP repository
@@ -265,7 +258,7 @@ rotate = 5
 ## basicauth specific options
 ## Note: in case you leave this section commented, the default login/password
 ## is admin/admin
-#[BASIC]
+#[BASIC:AUTH]
 ## Backend priority. Higher is first
 #priority = 100
 #admin = password
@@ -274,7 +267,7 @@ rotate = 5
 ## localauth specific options
 ## Note: if not running as root, then burp-ui must be run as group 'shadow' to
 ## allow PAM to work
-#[LOCAL]
+#[LOCAL:AUTH]
 ## Backend priority. Higher is first
 #priority = 0
 ## List of local users allowed to login. If you don't set this setting, users

--- a/tests/configs/test2.cfg
+++ b/tests/configs/test2.cfg
@@ -42,7 +42,7 @@ bconfsrv = /dev/null

 # Please DO NOT touch the following line
 # @salted@
-[BASIC]
+[BASIC:AUTH]
 priority = toto
 toto = pbkdf2:sha1:1000$HT0gMoYz$7540515e58f4ba54305664275a14ca5281c5d465
 admin = pbkdf2:sha1:1000$Dgq3Nimi$5befb4cf4c3a7da2549679732908df5f0298b016
--- a/tests/configs/test4.cfg
+++ b/tests/configs/test4.cfg
@@ -42,6 +42,6 @@ bconfsrv = /dev/null

 ## Please DO NOT touch the following line
 ## @salted@
-#[BASIC]
+#[BASIC:AUTH]
 #priority = 100
 #admin = pbkdf2:sha1:1000$CgUFdUCs$294cbaaba63ba59eb28e1a9a52263957478cd0e7
--- a/tests/configs/test6.cfg
+++ b/tests/configs/test6.cfg
@@ -46,7 +46,7 @@ bconfsrv = this-file-should-not-exist

 # Please DO NOT touch the following line
 # @salted@
-[BASIC]
+[BASIC:AUTH]
 admin = pbkdf2:sha1:1000$6pirc0vT$f9a6fb8b190d1c511aa9495dc18abb3dbd990d8f
 user1 = pbkdf2:sha1:1000$Qz7VdEqR$ecb2025e90516cb379c26d2e0a6b6e74cc6f8b9a


--- a/tests/configs/test7-1.cfg
+++ b/tests/configs/test7-1.cfg
@@ -46,7 +46,7 @@ bconfsrv = this-file-should-not-exist

 # Please DO NOT touch the following line
 # @salted@
-[BASIC]
+[BASIC:AUTH]
 admin = pbkdf2:sha1:1000$x0FYnJ8G$9a060c5939492f92a1889aa1a87a9647c3ec7a58
 user1 = pbkdf2:sha1:1000$Iq2TSyBv$a6c22de68d387946195323f9130029085b9a3707


--- a/tests/configs/test7-2.cfg
+++ b/tests/configs/test7-2.cfg
@@ -46,7 +46,7 @@ bconfsrv = this-file-should-not-exist

 # Please DO NOT touch the following line
 # @salted@
-[BASIC]
+[BASIC:AUTH]
 admin = pbkdf2:sha1:1000$NQcrMl1z$5687697aa1e2b4febe52741d50bd3265f3c7c99c
 user1 = pbkdf2:sha1:1000$vGGwkyTV$7fb645b398a160eb860add362b3e79ae00ab5c86


--- a/tests/configs/test7-3.cfg
+++ b/tests/configs/test7-3.cfg
@@ -44,7 +44,7 @@ bconfcli = this-file-should-not-exist
 # burp server configuration file used for the setting page
 bconfsrv = this-file-should-not-exist

-[BASIC]
+[BASIC:AUTH]
 admin = admin
 user1 = password


--- a/tests/configs/test7-4.cfg
+++ b/tests/configs/test7-4.cfg
@@ -77,7 +77,7 @@ bconfcli = this-file-should-not-exist
 # burp server configuration file used for the setting page
 bconfsrv = this-file-should-not-exist

-[BASIC]
+[BASIC:AUTH]
 admin = pbkdf2:sha1:1000$07Q0FeKW$eab0bc54b0d2e779081fe85c91ea84a50203d0bf
 user1 = pbkdf2:sha1:1000$hWYnkYoh$ba7521104d262bb8cca3095c33ae1a3f19dbb3c7


--- a/tests/configs/test7-5.cfg
+++ b/tests/configs/test7-5.cfg
@@ -77,7 +77,7 @@ bconfcli = this-file-should-not-exist
 # burp server configuration file used for the setting page
 bconfsrv = this-file-should-not-exist

-[BASIC]
+[BASIC:AUTH]
 admin = pbkdf2:sha1:1000$07Q0FeKW$eab0bc54b0d2e779081fe85c91ea84a50203d0bf
 user1 = pbkdf2:sha1:1000$hWYnkYoh$ba7521104d262bb8cca3095c33ae1a3f19dbb3c7


--- a/tests/configs/test8.cfg
+++ b/tests/configs/test8.cfg
@@ -77,7 +77,7 @@ bconfcli = this-file-should-not-exist
 # burp server configuration file used for the setting page
 bconfsrv = this-file-should-not-exist

-[BASIC]
+[BASIC:AUTH]
 admin = pbkdf2:sha1:1000$mv0bS5rd$f653a54f2edc321e8c320cf0b201ca36e3229349
 user1 = pbkdf2:sha1:1000$hsljcrD3$10b8ea6bf0c9129ec56fbe94bdc8811fb2399c3f


--- a/tests/configs/test_api_prefs.cfg
+++ b/tests/configs/test_api_prefs.cfg
@@ -46,7 +46,7 @@ bconfsrv = /dev/null

 ## Please DO NOT touch the following line
 ## @salted@
-#[BASIC]
+#[BASIC:AUTH]
 #priority = toto
 #toto = pbkdf2:sha1:1000$HT0gMoYz$7540515e58f4ba54305664275a14ca5281c5d465
 #admin = pbkdf2:sha1:1000$Dgq3Nimi$5befb4cf4c3a7da2549679732908df5f0298b016
--- a/tests/legacy/test_burpui.py
+++ b/tests/legacy/test_burpui.py
@@ -366,13 +366,13 @@ class BurpuiACLTestCase(TestCase):
            rv = self.login('admin', 'admin')
            response = self.client.get(url_for('api.auth_users'))
            response2 = self.client.get(url_for('api.auth_backends'))
-            self.assertEqual(sorted(response.json, key=lambda k: k['name']), sorted([{'id': 'admin', 'name': 'admin', 'backend': 'BASIC'}, {'id': 'user1', 'name': 'user1', 'backend': 'BASIC'}], key=lambda k: k['name']))
-            self.assertEqual(sorted(response2.json, key=lambda k: k['name']), sorted([{'add': True, 'del': True, 'name': 'BASIC', 'description': 'Uses the Burp-UI configuration file to load its rules.', 'priority': 100, 'type': 'authentication', 'mod': True}], key=lambda k: k['name']))
+            self.assertEqual(sorted(response.json, key=lambda k: k['name']), sorted([{'id': 'admin', 'name': 'admin', 'backend': 'BASIC:AUTH'}, {'id': 'user1', 'name': 'user1', 'backend': 'BASIC:AUTH'}], key=lambda k: k['name']))
+            self.assertEqual(sorted(response2.json, key=lambda k: k['name']), sorted([{'add': True, 'del': True, 'name': 'BASIC:AUTH', 'description': 'Uses the Burp-UI configuration file to load its rules.', 'priority': 100, 'type': 'authentication', 'mod': True}], key=lambda k: k['name']))

    def test_change_password(self):
        with self.client:
            rv = self.login('user1', 'password')
-            response = self.client.post(url_for('api.auth_users', name='user1'), data={'backend': 'BASIC', 'old_password': 'plop', 'password': 'toto'}, headers={'X-Language': 'en'})
+            response = self.client.post(url_for('api.auth_users', name='user1'), data={'backend': 'BASIC:AUTH', 'old_password': 'plop', 'password': 'toto'}, headers={'X-Language': 'en'})
            self.assert_status(response, 200)

    def test_config_render_ko(self):
@@ -484,7 +484,7 @@ class BurpuiRedisTestCase(TestCase):
            # create a second session
            rv = self.login('admin', 'admin')
            response = self.client.get(url_for('api.admin_me'))
-            self.assertEqual(response.json, {'id': 'admin', 'name': 'admin', 'backend': 'BASIC'})
+            self.assertEqual(response.json, {'id': 'admin', 'name': 'admin', 'backend': 'BASIC:AUTH'})
            sess = self.client.get(url_for('api.user_sessions'))
            self.assertGreater(len(sess.json), 0)
            self.assertIn('uuid', sess.json[0])