SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

CAS authorization issue with port 443 #14

Closed gchetrick closed 5 years ago

gchetrick commented 5 years ago

When you install using 443 as the port for the application it pops an error about the application not being authorized with CAS.

The URL is re-written (at least in Chrome) to remove the port declaration :443 (as expected). When this is passed to the CAS portion it errors because it is missing the :443; however, it is expected in the vectr-443.json file for the serviceId.

"serviceId" : "https://vectr.totesnotredteam.com:443/sra-purpletools-webui/app\\?client_name=CasClient",

It looks like this is built in the vectr-shared-methods.sh script to just auto-append the port that is defined at install time. If you remove the :443 from the vectr-443.json file it fixes the error.

Should be able to modify the vectr-shared-methods.sh script to ignore the port if it is 443 or 80?

Thanks!

gchetrick commented 5 years ago

Guess I'm not sure that it is created in the vectr-shared-methods - looks like this line in vectr-deploy.sh is the one:

local SERVICE_FILE_WRITE=$(writeCasServiceJsonFile "$ENV_VECTR_HOSTNAME" "$ENV_VECTR_PORT" "$ENV_CAS_DIR/services" "$CAS_SERVICE_FILE_NAME")

line 807

thebleucheese commented 5 years ago

Hey great catch, thanks! Yeah this will be fixed in the writeCasServiceJsonFile function I think.

Line 754 in vectr-shared-methods.sh is what does this: SERVICE_DATA=$(sed "s/8081/$VECTR_PORT/g" <<<"$SERVICE_DATA")

I'll add some logic to change how this works if the port is 443. I don't think port 80 will be an issue because CAS only supports HTTPS, in which case the browser should hang on to the specified port.
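The mismatch described in this thread, and the port-aware fix, as an added example (not VECTR's own installer code). The function names, the hostname vectr.example.com and the grep-based approximation of the CAS regex check are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not VECTR's own code. It shows why a serviceId that ends in
# ":443" never matches the URL the browser sends, and a port-aware fix.
# Function names, hostname and the match helper are assumptions.

APP_PATH="/sra-purpletools-webui/app"

# What the installer's sed substitution effectively produced: the port is
# always appended, even when it is the HTTPS default that browsers drop.
naive_service_id() {
  printf 'https://%s:%s%s\\\\?client_name=CasClient' "$1" "$2" "$APP_PATH"
}

# Port-aware variant: omit ":443" so the registered pattern matches the
# normalised URL the browser actually sends to CAS. Other ports are kept.
fixed_service_id() {
  case "$2" in
    443) printf 'https://%s%s\\\\?client_name=CasClient' "$1" "$APP_PATH" ;;
    *)   naive_service_id "$1" "$2" ;;
  esac
}

# The service URL as a browser sends it after normalising https://host:443/.
browser_service_url() {
  case "$2" in
    443) printf 'https://%s%s?client_name=CasClient' "$1" "$APP_PATH" ;;
    *)   printf 'https://%s:%s%s?client_name=CasClient' "$1" "$2" "$APP_PATH" ;;
  esac
}

# Approximates the CAS regex check (assumption): unescape the JSON "\\" to
# "\" and test the URL against the pattern. Returns 0 on match, 1 otherwise.
service_matches() {
  pattern=$(printf '%s' "$1" | sed 's/\\\\/\\/g')
  printf '%s' "$2" | grep -Eq "^${pattern}$"
}

# Emit a minimal CAS service definition (constructed) with the given serviceId.
write_cas_service_json() {
  printf '{\n  "@class": "org.apereo.cas.services.RegexRegisteredService",\n'
  printf '  "serviceId": "%s",\n  "name": "VECTR",\n  "id": %s\n}\n' "$1" "$2"
}
```

Running `service_matches "$(naive_service_id vectr.example.com 443)" "$(browser_service_url vectr.example.com 443)"` fails, while the `fixed_service_id` variant matches for both 443 and a non-default port such as 8081.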

thebleucheese commented 5 years ago

I added a fix to the installer; it's up on master.

ssnkhan commented 5 years ago

Thanks for raising; having the same issue. Does the release need to be updated too @thebleucheese ?

thebleucheese commented 5 years ago

None of the application code required changing to correct this, it's just a deployment issue. If you download a new copy of vectr-shared-methods.sh you should be able to install to 443 without problems.

Alternatively, you can manually fix the CAS service file yourself. They're JSON files located in /app/cas/services/*. Modifying these files to remove ":443" from the end of the serviceId should fix the issue. You'll probably want to restart the Tomcat container just to verify that CAS is picking up the change. Let us know if you continue running into the same problem.

ssnkhan commented 5 years ago

@thebleucheese Thanks for your help. I am using the latest release, with a self-signed certificate. I am accessing the portal over Port 8801, at https://localhost:8081/sra-purpletools-webui/app/#/.

When signing in, the URL in the address bar shows https://localhost:8081/cas/login?service=https%3A%2F%2Flocalhost%3A8081%2Fsra-purpletools-webui%2Fapp%3Fclient_name%3DCasClient, however I am almost immediately redirected to https://localhost:8081/sra-purpletools-webui/app/#/auth/login with the following error Invalid service ticket. It was either unrecognized or has expired.

If I happen to change the address bar URL to https://localhost:8081/cas/login?service= then I am presented with the following error Hi, admin. You have successfully logged into the SRA SSO. However, you are seeing this page because CAS does not know about your target destination and how to get you there.

I have checked my vectro-8801.json file which appears to be correct, as follows:

```json
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://localhost:8081/sra-purpletools-webui/app\\?client_name=CasClient",
  "name": "VECTR",
  "id": 8081,
  "theme": "sra-theme",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": false
  }
}
```

I am struggling to see what might be causing the issues. Any help appreciated!

ssnkhan commented 5 years ago

Ignore me -- I missed the scripted install method!

arkrwn commented 5 years ago

> Ignore me -- I missed the scripted install method!

Which script have you missed? Because I'm having the same problem.

ssnkhan commented 5 years ago

@arkwrn Follow the installation guide here - https://github.com/SecurityRiskAdvisors/VECTR/wiki/Installation#vectr-installation-instructions

arkrwn commented 5 years ago

> @arkwrn Follow the installation guide here - https://github.com/SecurityRiskAdvisors/VECTR/wiki/Installation#vectr-installation-instructions

I've already followed the instructions and still get the same error.

ssnkhan commented 5 years ago

@arkwrn Might be helpful to include details of your setup, and the specific error message.