author | Martins Krisjanis <martins.krisjanis@zabbix.com> | 2022-02-25 12:11:21 +0300 |
---|---|---|
committer | Martins Krisjanis <martins.krisjanis@zabbix.com> | 2022-02-25 12:11:21 +0300 |
commit | 128565f28f16efa7ea48b639060bdeb753132d78 (patch) | |
tree | f92134f3483ae744ad4b484a08c862355a0c51d9 | |
parent | 81524b8a4ae13e6fee7fa2770759f6a2f95f9b57 (diff) | |
parent | 68f45efae725771a1935d2b6d4ec2e9289614782 (diff) |
..F.I..... [ZBXNEXT-7397] removed support for md5 user passwords
* commit '68f45efae725771a1935d2b6d4ec2e9289614782':
.D........ [ZBXNEXT-7397] updated changelog
.......... [ZBXNEXT-7397] converted test data user passwords to bcrypt hashes
........S. [ZBXNEXT-7397] added db patch to delete md5 user passwords from database
..F....... [ZBXNEXT-7397] removed support for md5 user passwords
-rw-r--r-- | ChangeLog.d/feature/ZBXNEXT-7397 | 1 | ||||
-rw-r--r-- | create/src/schema.tmpl | 2 | ||||
-rw-r--r-- | src/libs/zbxdbupgrade/dbupgrade.c | 4 | ||||
-rw-r--r-- | src/libs/zbxdbupgrade/dbupgrade_6010.c | 16 | ||||
-rw-r--r-- | ui/include/classes/api/services/CUser.php | 27 | ||||
-rw-r--r-- | ui/include/defines.inc.php | 3 | ||||
-rw-r--r-- | ui/tests/api_json/data/data_test.sql | 32 |
7 files changed, 34 insertions, 51 deletions
diff --git a/ChangeLog.d/feature/ZBXNEXT-7397 b/ChangeLog.d/feature/ZBXNEXT-7397
new file mode 100644
index 00000000000..b2419e1c88a
--- /dev/null
+++ b/ChangeLog.d/feature/ZBXNEXT-7397
@@ -0,0 +1 @@
+..F.I..... [ZBXNEXT-7397] removed support for md5 user passwords (asestakovs, mkrisjanis)
diff --git a/create/src/schema.tmpl b/create/src/schema.tmpl
index ef300d065fa..cef0f31b4ce 100644
--- a/create/src/schema.tmpl
+++ b/create/src/schema.tmpl
@@ -1936,4 +1936,4 @@ TABLE|dbversion|dbversionid|
 FIELD |dbversionid |t_id | |NOT NULL |0
 FIELD |mandatory |t_integer |'0' |NOT NULL |
 FIELD |optional |t_integer |'0' |NOT NULL |
-ROW |1 |6000000 |6000000
+ROW |1 |6010001 |6010001
diff --git a/src/libs/zbxdbupgrade/dbupgrade.c b/src/libs/zbxdbupgrade/dbupgrade.c
index 80fb4470831..e1a454d2d47 100644
--- a/src/libs/zbxdbupgrade/dbupgrade.c
+++ b/src/libs/zbxdbupgrade/dbupgrade.c
@@ -782,7 +782,7 @@ extern zbx_dbpatch_t DBPATCH_VERSION(5030)[];
 extern zbx_dbpatch_t DBPATCH_VERSION(5040)[];
 extern zbx_dbpatch_t DBPATCH_VERSION(5050)[];
 extern zbx_dbpatch_t DBPATCH_VERSION(6000)[];
-/*extern zbx_dbpatch_t DBPATCH_VERSION(6010)[];*/
+extern zbx_dbpatch_t DBPATCH_VERSION(6010)[];
 static zbx_db_version_t dbversions[] = {
 {DBPATCH_VERSION(2010), "2.2 development"},
@@ -809,7 +809,7 @@ static zbx_db_version_t dbversions[] = {
 {DBPATCH_VERSION(5040), "5.4 maintenance"},
 {DBPATCH_VERSION(5050), "6.0 development"},
 {DBPATCH_VERSION(6000), "6.0 maintenance"},
-/* {DBPATCH_VERSION(6010), "6.2 development"},*/
+ {DBPATCH_VERSION(6010), "6.2 development"},
 {NULL}
 };
diff --git a/src/libs/zbxdbupgrade/dbupgrade_6010.c b/src/libs/zbxdbupgrade/dbupgrade_6010.c
index fe3e568a8a6..3394e58ed0e 100644
--- a/src/libs/zbxdbupgrade/dbupgrade_6010.c
+++ b/src/libs/zbxdbupgrade/dbupgrade_6010.c
@@ -29,10 +29,18 @@ extern unsigned char program_type;
 #ifndef HAVE_SQLITE3
-/*static int DBpatch_6010000(void)
+static int DBpatch_6010001(void)
 {
- *** put first upgrade patch here ***
-}*/
+#define ZBX_MD5_SIZE 32
+ if (0 == (program_type & ZBX_PROGRAM_TYPE_SERVER))
+ return SUCCEED;
+
+ if (ZBX_DB_OK > DBexecute("update users set passwd='' where length(passwd)=%d", ZBX_MD5_SIZE))
+ return FAIL;
+
+ return SUCCEED;
+#undef ZBX_MD5_SIZE
+}
 #endif
@@ -40,6 +48,6 @@ DBPATCH_START(6010)
 /* version, duplicates flag, mandatory flag */
-/*DBPATCH_ADD(6010001, 0, 1)*/
+DBPATCH_ADD(6010001, 0, 1)
 DBPATCH_END()
diff --git a/ui/include/classes/api/services/CUser.php b/ui/include/classes/api/services/CUser.php
index ade7db03260..ebaf6f959ca 100644
--- a/ui/include/classes/api/services/CUser.php
+++ b/ui/include/classes/api/services/CUser.php
@@ -1539,7 +1539,7 @@ class CUser extends CApiService {
 break;
 case ZBX_AUTH_INTERNAL:
-if (!self::verifyPassword($user['password'], $db_user)) {
+if (!password_verify($user['password'], $db_user['passwd'])) {
 self::exception(ZBX_API_ERROR_PERMISSIONS,
 _('Incorrect user name or password or account is temporarily blocked.')
 );
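Review bot: DBpatch_6010001 blanks the passwd of every account whose stored hash is still 32 characters long, but nothing in the hunk records which rows, or how many, were affected, so an administrator reading the upgrade log cannot tell who now needs a password reset. If DBexecute returns the affected-row count on success, as its comparison against ZBX_DB_OK suggests, keep that value and warn on it, e.g. `if (ZBX_DB_OK > (rc = DBexecute("update users set passwd='' where length(passwd)=%d", ZBX_MD5_SIZE))) return FAIL;` followed by `zabbix_log(LOG_LEVEL_WARNING, "cleared %d MD5 user password(s); affected users must have a new password set", rc);`. A header comment should also state the intent, e.g. `/* empties legacy MD5 password hashes: affected users cannot log in with internal auth until an administrator sets a new password */`, and that the length match relies on no other stored format being exactly 32 characters (bcrypt hashes are 60).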
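Review bot: With verifyPassword removed, the ZBX_AUTH_INTERNAL branch no longer has a place to re-hash a password after a successful login, so any future increase of ZBX_BCRYPT_COST will leave existing users on the old cost indefinitely. After the `password_verify` check passes, add `if (password_needs_rehash($db_user['passwd'], PASSWORD_BCRYPT, ['cost' => ZBX_BCRYPT_COST]))` and store `password_hash($user['password'], PASSWORD_BCRYPT, ['cost' => ZBX_BCRYPT_COST])` with the same DB::update('users', …) keyed on $db_user['userid'] that the deleted helper used. The enclosing method starts and ends outside the hunk.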
@@ -1594,31 +1594,6 @@ class CUser extends CApiService {
 }
 /**
- * @param string $password User-specified password.
- * @param array $db_user Saved user profile.
- * @param string $db_user['passwd'] Saved password hash.
- * @param int $db_user['userid'] User id.
- *
- * @return bool
- */
- private static function verifyPassword($password, array $db_user) {
- if (strlen($db_user['passwd']) > ZBX_MD5_SIZE) {
- return password_verify($password, $db_user['passwd']);
- }
-
- if (hash_equals($db_user['passwd'], md5($password))) {
- DB::update('users', [
- 'values' => ['passwd' => password_hash($password, PASSWORD_BCRYPT, ['cost' => ZBX_BCRYPT_COST])],
- 'where' => ['userid' => $db_user['userid']]
- ]);
-
- return true;
- }
-
- return false;
- }
-
- /**
 * Method is ONLY for internal use!
 * Login user by username. Return array with user data.
 *
diff --git a/ui/include/defines.inc.php b/ui/include/defines.inc.php
index f27aceec582..3076f526b26 100644
--- a/ui/include/defines.inc.php
+++ b/ui/include/defines.inc.php
@@ -22,7 +22,7 @@ define('ZABBIX_VERSION', '6.2.0alpha1');
 define('ZABBIX_API_VERSION', '6.2.0');
 define('ZABBIX_EXPORT_VERSION', '6.2');
-define('ZABBIX_DB_VERSION', 6000000);
+define('ZABBIX_DB_VERSION', 6010001);
 define('DB_VERSION_SUPPORTED', 0);
 define('DB_VERSION_LOWER_THAN_MINIMUM', 1);
@@ -35,7 +35,6 @@ define('ZABBIX_COPYRIGHT_FROM', '2001');
 define('ZABBIX_COPYRIGHT_TO', '2022');
 define('ZBX_BCRYPT_COST', 10);
-define('ZBX_MD5_SIZE', 32);
 define('ZBX_SESSION_NAME', 'zbx_session'); // Session cookie name for Zabbix front-end.
diff --git a/ui/tests/api_json/data/data_test.sql b/ui/tests/api_json/data/data_test.sql
index 5141b249a37..cd673582f05 100644
--- a/ui/tests/api_json/data/data_test.sql
+++ b/ui/tests/api_json/data/data_test.sql
@@ -56,11 +56,11 @@ INSERT INTO usrgrp (usrgrpid, name) VALUES (19, 'API user group delete3'); INSERT INTO usrgrp (usrgrpid, name) VALUES (20, 'API user group in actions'); INSERT INTO usrgrp (usrgrpid, name) VALUES (21, 'API user group in scripts'); INSERT INTO usrgrp (usrgrpid, name) VALUES (22, 'API user group in configuration'); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (4, 'zabbix-admin', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (5, 'zabbix-user', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 1, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (6, 'user-in-one-group', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (7, 'user-in-two-groups', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (8, 'api-user', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (4, 'zabbix-admin', '$2a$10$PmEcvov/w84R3sShOV4rX.xJd81bwgaK4o0SfoiSxop2ol7PPGsOi', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, 
attempt_failed, attempt_clock, rows_per_page) VALUES (5, 'zabbix-user', '$2a$10$w8oiYEgP3Fy4XuPIE5VCiO2j5snJEopKfTCYa3DC7bNL83ldKlPRS', 0, 0, 'en_US', '30s', 1, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (6, 'user-in-one-group', '$2a$10$mTYvfZskz3369zQaYLogHuSUMQ11YSEOZtua2NFSL3/.T6kQ/bNaG', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (7, 'user-in-two-groups', '$2a$10$GiBCQXAPeTCPR9rEQ/YodOmE7mqvXjYwbEkZLGP7iWU/fzKcB9yF6', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (8, 'api-user', '$2a$10$NyZQvuelvUVqpCDYb7cOy.pEewNe9U0MK0ZIdjJeupYbgHU6G7Iea', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50); INSERT INTO users_groups (id, usrgrpid, userid) VALUES (6, 8, 4); INSERT INTO users_groups (id, usrgrpid, userid) VALUES (8, 14, 4); INSERT INTO users_groups (id, usrgrpid, userid) VALUES (9, 15, 6); 
@@ -75,13 +75,13 @@ INSERT INTO scripts (scriptid, name, command, host_access, usrgrpid, groupid, de UPDATE config SET alert_usrgrpid = 22 WHERE configid = 1; -- users -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (9, 'api-user-for-update', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (10, 'api-user-delete', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (11, 'api-user-delete1', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (12, 'api-user-delete2', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (13, 'api-user-action', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (14, 'api-user-map', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); -INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (15, 'api-user-for-unblock', '5fce1b3e34b520afeffb37ce08c7cd66', 0, '15m', 'en_US', '30s', 2, 
'default', 5, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (9, 'api-user-for-update', '$2a$10$dP76CSji4ozQxSxLQeUGc.sJgSPuwN8b4pjnKIoOeQXts2Wm86ige', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (10, 'api-user-delete', '$2a$10$8ioYyO/Xkyhx64W.z0B3YONQ7.s2zqMRqhkYt/z6S9.MkqEYsWCOq', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (11, 'api-user-delete1', '$2a$10$NU0MhxghxIbvCen5pBY.WuC9eYpqYS2mE8P6dQIMC00yhlalXhUWO', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (12, 'api-user-delete2', '$2a$10$t.cDXioxmkgwEigzPU0aQejc8rAfjt6ZxY6WIllrN0IpEH4pp3I/K', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (13, 'api-user-action', '$2a$10$w6u3jruB673s5A/Qrg7VZOFof/yuARrPQYpZk7xbSTw7O/wgSw9Sq', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (14, 'api-user-map', '$2a$10$1uCgmg.SoVtN98NTt/815./E/mFIdJH2r3aF1RFY1QwmFVlnbCXTK', 0, '15m', 'en_US', '30s', 2, 'default', 0, 0, 50); +INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (15, 'api-user-for-unblock', 
'$2a$10$/a5lFsoEm56b01q1uAoM8ecSmazNhrYbidYeBibtRzUxbIgmIAvR.', 0, '15m', 'en_US', '30s', 2, 'default', 5, 0, 50); INSERT INTO users_groups (id, usrgrpid, userid) VALUES (12, 14, 9); INSERT INTO users_groups (id, usrgrpid, userid) VALUES (13, 14, 10); INSERT INTO users_groups (id, usrgrpid, userid) VALUES (14, 14, 11); @@ -202,7 +202,7 @@ INSERT INTO opcommand (operationid, scriptid) VALUES (33, 11); -- scripts / inherited hostgroups INSERT INTO usrgrp (usrgrpid,name) VALUES (90000,'90000 Eur group write except one'); -INSERT INTO users (userid,username,passwd,roleid) VALUES (90000,'90000','5fce1b3e34b520afeffb37ce08c7cd66',2); +INSERT INTO users (userid,username,passwd,roleid) VALUES (90000,'90000','$2a$10$Hr7Z1FX/x9OPhdUu9.5CL.XyL9IKPiVcoxJgGbtIHc3.Svk/awB5q',2); INSERT INTO users_groups (id,usrgrpid,userid) VALUES (90000,90000,90000); INSERT INTO hosts (hostid,host,name,status,description) VALUES (90020,'90020','90020',0,''); INSERT INTO hosts (hostid,host,name,status,description) VALUES (90021,'90021','90021',0,''); 
@@ -345,8 +345,8 @@ INSERT INTO interface_snmp (interfaceid, version, bulk, community) values (99004
 -- autoregistration action
 INSERT INTO usrgrp (usrgrpid, name) VALUES (47, 'User group for action delete');
-INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (53, 'action-user', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 1, 'default', 0, 0, 50);
-INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (54, 'action-admin', '5fce1b3e34b520afeffb37ce08c7cd66', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50);
+INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (53, 'action-user', '$2a$10$gFL5ORa/Ml0VBDGraHI3tuE1WuiKOX8ef497bAfzNiSXUx4Vrrn.y', 0, 0, 'en_US', '30s', 1, 'default', 0, 0, 50);
+INSERT INTO users (userid, username, passwd, autologin, autologout, lang, refresh, roleid, theme, attempt_failed, attempt_clock, rows_per_page) VALUES (54, 'action-admin', '$2a$10$P8CZ/rs94pLp177hh27KheWKAKa6GXZLFhOE8ymd/QlEKT2FDngZe', 0, 0, 'en_US', '30s', 2, 'default', 0, 0, 50);
 INSERT INTO users_groups (id, usrgrpid, userid) VALUES (87, 47, 53);
 INSERT INTO users_groups (id, usrgrpid, userid) VALUES (88, 47, 54);
 INSERT INTO actions (actionid, name, eventsource, evaltype, status, esc_period) VALUES (91, 'API Autoregistration action', 2, 0, 0, '1h');
@@ -1516,7 +1516,7 @@ INSERT INTO token (tokenid, userid, name, description) VALUES (19, 5, 'update-us INSERT INTO token (tokenid, userid, name, description) VALUES (20, 5, 'update-user-4', ''); INSERT INTO token (tokenid, userid, name, description) VALUES (21, 5, 'update-user-5', ''); INSERT INTO token (tokenid, userid, name, description) VALUES (22, 5, 'update-user-6', ''); -INSERT INTO users (userid,username,passwd,roleid) VALUES (20,'token-creator','5fce1b3e34b520afeffb37ce08c7cd66',2); +INSERT INTO users (userid,username,passwd,roleid) VALUES (20,'token-creator','$2a$10$tskhDKjeMa8h8zRCHkVSk.CPbZg./ERPgxsuwbFFP8HVh3oIbUo42',2); INSERT INTO users_groups (id,usrgrpid,userid) VALUES (90020,90000,20); INSERT INTO token (tokenid, userid, creator_userid, name, description) VALUES (23, 5, 20, 'delete-user-6', ''); |