admin/security: Add SCRAM username validation to create_user_handler

Includes simple validator against SASLNAME regex in scram_algorithm.cc
oleiman · Dec 1, 2023 · 75b0cb6 · 75b0cb6
1 parent 30ce6f1
commit 75b0cb6
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/src/v/redpanda/admin/security.cc b/src/v/redpanda/admin/security.cc
@@ -20,6 +20,7 @@
 #include "security/scram_credential.h"
 
 #include <seastar/coroutine/as_future.hh>
+#include <seastar/http/exception.hh>
 
 namespace {
 
@@ -172,6 +173,11 @@ admin_server::create_user_handler(std::unique_ptr<ss::http::request> req) {
     auto username = security::credential_user(doc["username"].GetString());
     validate_no_control(username(), string_conversion_exception{username()});
 
+    if (!security::validate_scram_username(username())) {
+        throw ss::httpd::bad_request_exception(
+          fmt::format("Invalid SCRAM username {{{}}}", username()));
+    }
+
     if (is_no_op_user_write(
           _controller->get_credential_store().local(), username, credential)) {
         vlog(

diff --git a/src/v/security/scram_algorithm.cc b/src/v/security/scram_algorithm.cc
@@ -42,6 +42,8 @@
 // NOLINTNEXTLINE
 #define SASLNAME "(?:" VALUE_SAFE_CHAR "|=2C|=3D)+"
 
+#define BARE_SASLNAME "(" SASLNAME ")"
+
 // value-char = value-safe-char / "="
 // value = 1*value-char
 // NOLINTNEXTLINE
@@ -187,6 +189,19 @@ parse_server_final(std::string_view message) {
     return server_final_match{.error = ss::sstring(spv(error))};
 }
 
+static std::optional<ss::sstring> parse_saslname(std::string_view message) {
+    static thread_local const re2::RE2 re(BARE_SASLNAME, re2::RE2::Quiet);
+    vassert(re.ok(), "saslname regex failure: {}", re.error());
+
+    re2::StringPiece username;
+
+    if (!re2::RE2::FullMatch(message, re, &username)) {
+        return std::nullopt;
+    }
+
+    return ss::sstring(spv(username));
+}
+
 namespace security {
 
 client_first_message::client_first_message(bytes_view data) {
@@ -343,4 +358,9 @@ server_final_message::server_final_message(bytes_view data) {
     _signature = std::move(match->signature);
 }
 
+bool validate_scram_username(std::string_view username) {
+    auto match = parse_saslname(username);
+    return match.has_value() && match.value() == username;
+}
+
 } // namespace security
diff --git a/src/v/security/scram_algorithm.h b/src/v/security/scram_algorithm.h
@@ -346,6 +346,8 @@ class scram_algorithm {
     }
 };
 
+bool validate_scram_username(std::string_view username);
+
 // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers)
 using scram_sha512 = scram_algorithm<hmac_sha512, hash_sha512, 130, 4096>;
-Original file line number
+Diff line change
@@ Expand Up / @@ -346,6 +346,8 @@ class scram_algorithm { @@
         }
     };
+    bool validate_scram_username(std::string_view username);
     // NOLINTNEXTLINE(cppcoreguidelines-avoid-magic-numbers)
     using scram_sha512 = scram_algorithm<hmac_sha512, hash_sha512, 130, 4096>;
@@ Expand Down @@