Fix invalid simplified access control applied to subentries

Wildboar-Software · Mar 12, 2023 · 6852681 · 6852681
1 parent c698353
commit 6852681
Show file tree

Hide file tree

Showing 10 changed files with 53 additions and 9 deletions.
diff --git a/.github/workflows/meerkat.yml b/.github/workflows/meerkat.yml
@@ -807,7 +807,7 @@ jobs:
             --set enable_dsp=true \
             --set [email protected] \
             --set administrator_email_public=true \
-            --set vendor_version='2.4.3' \
+            --set vendor_version='2.4.4' \
             --set signing_required_for_chaining=false \
             --set tcp_timeout_in_seconds=300 \
             --set min_transfer_speed_bytes_per_minute=10 \

diff --git a/apps/meerkat-docs/docs/changelog-meerkat.md b/apps/meerkat-docs/docs/changelog-meerkat.md
@@ -1,5 +1,16 @@
 # Changelog for Meerkat DSA
 
+## Version 2.4.4
+
+**SECURITY UPDATE**
+
+- Fix use of `prescriptiveACI` to regulate subentries in simplified access
+  control.
+
+This security bug was introduced as a result of version 2.4.2. You were
+unaffected if you did not use versions 2.4.2 or 2.4.3, or if you never used
+simplified access control.
+
 ## Version 2.4.3
 
 Summary: small deviation introduced in which searches recurse one entry into

diff --git a/apps/meerkat-docs/docs/conformance.md b/apps/meerkat-docs/docs/conformance.md
@@ -1,7 +1,7 @@
 # Conformance
 
-In the statements below, the term "Meerkat DSA" refers to version 2.4.3 of
-Meerkat DSA, hence these statements are only claimed for version 2.4.3 of
+In the statements below, the term "Meerkat DSA" refers to version 2.4.4 of
+Meerkat DSA, hence these statements are only claimed for version 2.4.4 of
 Meerkat DSA.
 
 ## X.519 Conformance Statement

diff --git a/apps/meerkat/src/app/authz/accessControlSchemesThatUseASingleAdminPoint.ts b/apps/meerkat/src/app/authz/accessControlSchemesThatUseASingleAdminPoint.ts
@@ -0,0 +1,25 @@
+import {
+    simplifiedAccessControlScheme,
+} from "@wildboar/x500/src/lib/modules/BasicAccessControl/simplifiedAccessControlScheme.va";
+import {
+    rule_and_simple_access_control,
+} from "@wildboar/x500/src/lib/modules/BasicAccessControl/rule-and-simple-access-control.va";
+import { IndexableOID } from "@wildboar/meerkat-types";
+
+/**
+ * @summary The access control schemes that use a single admin point
+ * @description
+ *
+ * This is a set of stringified object identifiers in dot-delimited notation,
+ * each of which is an access control scheme that uses a single access control
+ * administrative point to make access control decisions.
+ *
+ * @constant
+ */
+export
+const accessControlSchemesThatUseASingleAdminPoint: Set<IndexableOID> = new Set([
+    simplifiedAccessControlScheme.toString(),
+    rule_and_simple_access_control.toString(),
+]);
+
+export default accessControlSchemesThatUseASingleAdminPoint;
diff --git a/apps/meerkat/src/app/authz/getACIItems.ts b/apps/meerkat/src/app/authz/getACIItems.ts
@@ -19,6 +19,7 @@ import {
 import { entryACI, prescriptiveACI, subentryACI } from "@wildboar/x500/src/lib/collections/attributes";
 import { attributeValueFromDB, DBAttributeValue } from "../database/attributeValueFromDB";
 import { Prisma } from "@prisma/client";
+import accessControlSchemesThatUseASingleAdminPoint from "./accessControlSchemesThatUseASingleAdminPoint";
 
 const AC_SUBENTRY: string = accessControlSubentry["&id"].toString();
 const AC_SPECIFIC: string = id_ar_accessControlSpecificArea.toString();
@@ -65,6 +66,7 @@ async function getACIItems (
         return [];
     }
     const AC_SCHEME: string = accessControlScheme.toString();
+    const useSingleAccessPoint: boolean = accessControlSchemesThatUseASingleAdminPoint.has(AC_SCHEME);
     const accessControlSubentries = relevantSubentries
         .filter((sub) => (
             sub.dse.objectClass.has(AC_SUBENTRY)
@@ -74,8 +76,14 @@ async function getACIItems (
                  * Subentries under the same admin point do not govern other
                  * subentries within that admin point, but those from superior
                  * admin points do.
+                 *
+                 * We don't do this check if using simplified access control,
+                 * because it only uses a single access point.
                  */
-                || (sub.immediateSuperior!.dse.id !== vertex?.dse.id)
+                || (
+                    (sub.immediateSuperior!.dse.id !== vertex?.dse.id)
+                    || useSingleAccessPoint
+                )
             )
         ))
         .reverse();

diff --git a/k8s/charts/meerkat-dsa/Chart.yaml b/k8s/charts/meerkat-dsa/Chart.yaml
@@ -3,7 +3,7 @@ name: meerkat-dsa
 description: X.500 Directory Server (DSA) and LDAP Server by Wildboar Software.
 type: application
 version: 2.10.0
-appVersion: 2.4.3
+appVersion: 2.4.4
 home: https://wildboarsoftware.com
 keywords:
   - directory

diff --git a/pkg/control b/pkg/control
@@ -1,5 +1,5 @@
 Package: meerkat-dsa
-Version: 2.4.3
+Version: 2.4.4
 Section: database
 Priority: optional
 Architecture: i386

diff --git a/pkg/docker-compose.yaml b/pkg/docker-compose.yaml
@@ -20,7 +20,7 @@ services:
     labels:
       author: Wildboar Software
       app: meerkat
-      version: "2.4.3"
+      version: "2.4.4"
     ports:
       - '1389:389/tcp' # LDAP TCP Port
       - '4632:4632/tcp' # IDM Socket

diff --git a/pkg/meerkat-dsa.rb b/pkg/meerkat-dsa.rb
@@ -2,7 +2,7 @@ class MeerkatDSA < Formula
     desc "X.500 Directory Server (DSA) and LDAP Server by Wildboar Software"
     homepage "https://github.com/Wildboar-Software/directory"
     url "https://github.com/Wildboar-Software/directory/archive/v1.1.0.tar.gz"
-    version = "2.4.3"
+    version = "2.4.4"
     # sha256 "e86694b2e15d8d4da2477c44e584fb5e860666787d010801199a0a77bcf28a2d"
 
     def install

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -1,6 +1,6 @@
 name: meerkat-dsa
 base: core20
-version: '2.4.3'
+version: '2.4.4'
 summary: X.500 Directory (DSA) and LDAP Server
 description: |
   Fully-featured X.500 directory server / directory system agent (DSA)