From 205ba37e9fab4edcfcecfbe7a9f7fd512f6a81f4 Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Mon, 18 Nov 2024 09:18:54 +0000
Subject: [PATCH] Verifies if smb and krb5 are set. Based on the differences when to use krb5 and when to use smb within the feed both are mutualy exclusive. Either use smb, when you have a older system, or krb5 but not both.
---
 ospd_openvas/preferencehandler.py | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py
index bb8abced..3c5963bc 100644
--- a/ospd_openvas/preferencehandler.py
+++ b/ospd_openvas/preferencehandler.py
@@ -32,7 +32,6 @@
 OID_ESXI_AUTH = "1.3.6.1.4.1.25623.1.0.105058"
 OID_SNMP_AUTH = "1.3.6.1.4.1.25623.1.0.105076"
 OID_PING_HOST = "1.3.6.1.4.1.25623.1.0.100315"
-# TODO: check me, check me, check me
 OID_KRB5_AUTH = "1.3.6.1.4.1.25623.1.81.0"
 BOREAS_ALIVE_TEST = "ALIVE_TEST"
@@ -588,11 +587,15 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 added to the redis KB.
 """
 cred_prefs_list = []
+ krb5_set = False
+ smb_set = False
 for credential in credentials.items():
 service = credential[0]
 cred_params = credentials.get(service)
 if not cred_params:
- logger.warning("No credentials parameter found for service %s", service)
+ logger.warning(
+ "No credentials parameter found for service %s", service
+ )
 continue
 cred_type = cred_params.get('type', '')
 username = cred_params.get('username', '')
@@ -664,6 +667,12 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 )
 # Check servic smb
 elif service == 'smb':
+ if krb5_set:
+ self.errors.append(
+ "Kerberos and SMB credentials are mutually exclusive."
+ )
+ continue
+ smb_set = True
 cred_prefs_list.append(
 f'{OID_SMB_AUTH}:1:entry:SMB login:|||{username}'
 )
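Review bot: When both `smb` and `krb5` are supplied, which one is used depends on the iteration order of `credentials`: the `if krb5_set:` guard in the `smb` branch and the matching `if smb_set:` guard in the `krb5` branch (hunk at -671) each drop whichever service is seen second, and the identical message does not say which credential was ignored. A single check before the loop, `if 'smb' in credentials and 'krb5' in credentials:`, would make the result independent of ordering and let the error name the service that is skipped. Whether an entry in `self.errors` stops the scan is not visible in this diff; if it does not, the scan runs with only the first credential, which is worth stating in a comment next to `krb5_set = False` / `smb_set = False`. The body of `build_credentials_as_prefs` starts and ends outside the hunk.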
@@ -671,13 +680,23 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 f'{OID_SMB_AUTH}:2:password:SMB password:|||{password}'
 )
 elif service == 'krb5':
+ if smb_set:
+ self.errors.append(
+ "Kerberos and SMB credentials are mutually exclusive."
+ )
+ continue
+ krb5_set = True
 realm = cred_params.get('realm', '')
 if not realm:
- self.errors.append("Missing realm for Kerberos authentication.")
+ self.errors.append(
+ "Missing realm for Kerberos authentication."
+ )
 continue
 kdc = cred_params.get('kdc', '')
 if not kdc:
- self.errors.append("Missing KDC for Kerberos authentication.")
+ self.errors.append(
+ "Missing KDC for Kerberos authentication."
+ )
 continue
 cred_prefs_list.append(
 f'{OID_KRB5_AUTH}:1:entry:KRB5 login:|||{username}'
@@ -688,7 +707,6 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 cred_prefs_list.append(
 f'{OID_KRB5_AUTH}:3:entry:KRB5 realm:|||{realm}'
 )
- #TODO: add multiple kdcs
 cred_prefs_list.append(
 f'{OID_KRB5_AUTH}:4:entry:KRB5 kdc:|||{kdc}'
 )
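Review bot: `krb5_set = True` is assigned before the realm and KDC checks, so a `krb5` entry that is then rejected for a missing realm or KDC still causes a later `smb` credential to be refused as mutually exclusive, and the target ends up with neither login preference. If the flag is meant to record that Kerberos preferences were actually emitted, move `krb5_set = True` below the `if not kdc:` block, directly before the first `cred_prefs_list.append(`. If rejecting both is intended, a short comment such as `# set even when validation fails: smb must not be used as a fallback` would make that explicit. The function continues outside the hunk.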