fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

key encryption, sessions, correct usage? #347

Closed xakrurychle closed 1 year ago

xakrurychle commented 1 year ago

I just want to confirm whether my flow with using encryption is correct or not.

1) Basic token creation
fcli ssc token create AutomationToken --user <user> --password <pass>

 Id   Username  Type             Rest token                                        Application token                     Terminal date                  Time remaining  Description
 343  krystof   AutomationToken  YTFkN2Q5ZWItZmYyZS00NmJiLTkyZjMtYWYyZWY0MDMwMmEx  a1d7d9eb-ff2e-46bb-92f3-af2ef40302a1  2024-06-28T12:50:37.840+00:00  365 days        Generated by 'fcli ssc token create' command

2) Encrypting the token obtained with command in step 1
fcli util crypto encrypt
Value to encrypt: YTFkN2Q5ZWItZmYyZS00NmJiLTkyZjMtYWYyZWY0MDMwMmEx
Result Wn9UziTkm5g4T8qCBbJ+AvMvIbauWKE43woRvB5lzG+QkdgqA5Cw2N4oqVw+GUHSqBknJ4oZGpDekmH9LU6nidf9JrAI6+9Wa2SJW2XwuiMmB20qcmZVl838IJibaX33

3) Using encrypted token from step 2 to create encrypted session

fcli ssc session  login encryptedSession -t Wn9UziTkm5g4T8qCBbJ+AvMvIbauWKE43woRvB5lzG+QkdgqA5Cw2N4oqVw+GUHSqBknJ4oZGpDekmH9LU6nidf9JrAI6+9Wa2SJW2XwuiMmB20qcmZVl838IJibaX33 --url $url

4) Listing sessions
fcli ssc session ls

Name              Type  Url                                                Created                  Expires                  Expired
 default           SSC   https://qa-st-c7-kho01.prgqa.hpecorp.net:8443/ssc  2023-06-29 09:52:48 UTC  2023-06-30 09:52:48 UTC  No
 encryptedSession  SSC   https://qa-st-c7-kho01.prgqa.hpecorp.net:8443/ssc  2023-06-29 12:57:18 UTC  N/A                      Unknown

5) Using default session
fcli ssc app ls

 Id  Name                    Description
 2   Bill Payment Processor  Bill payments processing and support interfaces.
 7   fcliApp                 N/A
 1   Logistics               On-line automotive supply store.
 6   myApp                   N/A
 9   newNameApp              N/A
 4   RWI                     Riches Wealth International
 8   sscApp                  N/A
 5   Test App                N/A
 3   Web application         Application to demonstrate issue aging.

6) Using session created by encrypted key
fcli ssc app ls --session encryptedSession

No data

com.fortify.cli.common.rest.unirest.UnexpectedHttpResponseException:
Request: GET https://qa-st-c7-kho01.prgqa.hpecorp.net:8443/ssc/api/v1/projects?limit=100:
Response: 401
Response Body:
{"message":"Authentication failed.","responseCode":401,"errorCode":-10301}
        at com.fortify.cli.common.rest.unirest.config.UnirestUnexpectedHttpResponseConfigurer$UnexpectedHttpResponseInterceptor.onResponse(UnirestUnexpectedHttpResponseConfigurer.java:36)
        at kong.unirest.CompoundInterceptor.lambda$onResponse$1(CompoundInterceptor.java:48)
        at java.base@17.0.7/java.util.ArrayList.forEach(ArrayList.java:1511)
        at kong.unirest.CompoundInterceptor.onResponse(CompoundInterceptor.java:48)
        at kong.unirest.apache.ApacheClient.request(ApacheClient.java:134)
        at kong.unirest.Client.request(Client.java:57)
        at kong.unirest.BaseRequest.request(BaseRequest.java:359)
        at kong.unirest.BaseRequest.asObject(BaseRequest.java:260)
        at com.fortify.cli.common.rest.paging.LinkHeaderPagingHelper.lambda$pagedRequest$0(LinkHeaderPagingHelper.java:32)
        at kong.unirest.BaseRequest.asPaged(BaseRequest.java:351)
        at com.fortify.cli.common.rest.paging.LinkHeaderPagingHelper.pagedRequest(LinkHeaderPagingHelper.java:32)
        at com.fortify.cli.common.rest.paging.LinkHeaderPagingHelper.pagedRequest(LinkHeaderPagingHelper.java:27)
        at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.writeRecords(StandardOutputWriter.java:138)
        at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.write(StandardOutputWriter.java:102)
        at com.fortify.cli.common.output.cli.mixin.AbstractOutputHelperMixin.write(AbstractOutputHelperMixin.java:68)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:31)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2104)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2539)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2531)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2493)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2351)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2495)
        at picocli.CommandLine.execute(CommandLine.java:2248)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:74)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:56)

7) Creating named and not encrypted session to double check --session flag itself is working
fcli ssc session login notDefault --url $url --user <user> --password <password>

 Name        Type  Url                                                Created                  Expires                  Expired  Action
 notDefault  SSC   https://qa-st-c7-kho01.prgqa.hpecorp.net:8443/ssc  2023-06-29 13:00:22 UTC  2023-06-30 13:00:22 UTC  No       CREATED

[qaprague@qa-st-c7-kho01 fcli_v3]$ fcli ssc app ls --session notDefault

 Id  Name                    Description
 2   Bill Payment Processor  Bill payments processing and support interfaces.
 7   fcliApp                 N/A
 1   Logistics               On-line automotive supply store.
 6   myApp                   N/A
 9   newNameApp              N/A
 4   RWI                     Riches Wealth International
 8   sscApp                  N/A
 5   Test App                N/A
 3   Web application         Application to demonstrate issue aging.

Here I know for sure that --session works if not using encrypted session. The question is if there is something wrong with my flow and how I created the session using the encrypted token?

fcli ssc token create AutomationToken --user krystof --password admin > notCryptedSession.key

[qaprague@qa-st-c7-kho01 fcli_v3]$ cat notCryptedSession.key
 Id   Username  Type             Rest token                                        Application token                     Terminal date                  Time remaining  Description
 345  krystof   AutomationToken  MDk4MTUxM2YtNDI3OC00ZThkLTljNmEtYmM0ZWEyNGZiYWQw  0981513f-4278-4e8d-9c6a-bc4ea24fbad0  2024-06-28T13:16:25.290+00:00  365 days        Generated by 'fcli ssc token create' command

[qaprague@qa-st-c7-kho01 fcli_v3]$

fcli ssc session  login notEncryptedSession -t MDk4MTUxM2YtNDI3OC00ZThkLTljNmEtYmM0ZWEyNGZiYWQw  --url $url
Name                 Type  Url                                                Created                  Expires  Expired  Action
 notEncryptedSession  SSC   https://qa-st-c7-kho01.prgqa.hpecorp.net:8443/ssc  2023-06-29 13:17:09 UTC  N/A      Unknown  CREATED

[qaprague@qa-st-c7-kho01 fcli_v3]$ fcli ssc app ls --session notEncryptedSession

Id  Name                    Description
 2   Bill Payment Processor  Bill payments processing and support interfaces.
 7   fcliApp                 N/A
 1   Logistics               On-line automotive supply store.
 6   myApp                   N/A
 9   newNameApp              N/A
 4   RWI                     Riches Wealth International
 8   sscApp                  N/A
 5   Test App                N/A
 3   Web application         Application to demonstrate issue aging.

At this step I know that using NOT crypted token the flow works too… What else would I be using encrypted key for? My assumption is that the key from -t option is part of GET/POST/UPDATE requests and if someone can sniff the traffic, they would see the plain value, therefore the reason for using -t <encrypted>, but using the encrypted session fails, although it was allowed to be created in the first place.

Maybe my flow is wrong since step 3, in that case is there no check that user is using proper key format/length etc to disqualify creation of the session in the first place?

rsenden commented 1 year ago

Hi, what makes you think that you can use an encrypted token on the login command? The help output for the crypto commands only mentions some specific fcli commands where encryption would be useful, and the login commands are not mentioned.


Maybe the confusion comes from the help output for the fcli ssc session login command, which states that either an encoded or decoded token can be provided? This corresponds to the terminology used in the SSC web UI, and 'encoded' is not the same as 'encrypted'. The fcli ssc token create command names this as Rest token and Application token; fcli accepts either one of these to be passed to the login command. Maybe we should make more clear that 'encoded' and 'decoded' correspond to 'Rest token' and 'Application token'?

The SSC session login command indeed doesn't currently validate the token as there is no SSC API endpoint for token validation, although we do plan on at least checking that the token is in a valid format (see #168 , #197 and #295). After resolving #295, you would receive an error message stating that the token is not in a valid format if you attempt using an encrypted token.

As for the concern about sniffing the traffic, that's why SSC should only be accessible over HTTPS. SSC doesn't support encrypted tokens, so fcli can't send any encrypted tokens.
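To make the encoded/decoded distinction concrete, here is a small format check of the kind the reply above says fcli plans to add (#295). This is an added example, not fcli's own code: it recognises the decoded form (the Application token, a UUID) and the encoded form (the Rest token, which in the step 1 output is the base64 encoding of that same UUID), and rejects anything else, such as the fcli util crypto encrypt output, which is opaque ciphertext and not a token at all. The function names and the "constructed" inputs are my own; the token pair used as a sample is the one printed in step 1 of the issue.

```python
import base64
import binascii
import re

# Canonical lowercase UUID, the form SSC shows as the decoded / Application token.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# 36 ASCII bytes of UUID text base64-encode to exactly 48 characters (no padding).
ENCODED_LEN = 48


def classify_ssc_token(token: str) -> str:
    """Return 'decoded' (Application token), 'encoded' (Rest token) or 'invalid'.

    'encoded' is only accepted when the base64 payload is itself a UUID, so a
    random 48-character base64 string is still rejected.
    """
    token = token.strip()
    if UUID_RE.match(token):
        return "decoded"
    if len(token) == ENCODED_LEN:
        try:
            payload = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return "invalid"
        if UUID_RE.match(payload):
            return "encoded"
    return "invalid"


def to_application_token(token: str):
    """Normalise either accepted form to the decoded UUID; None if invalid."""
    kind = classify_ssc_token(token)
    if kind == "decoded":
        return token.strip()
    if kind == "encoded":
        return base64.b64decode(token.strip()).decode("ascii")
    return None


def encode_application_token(app_token: str) -> str:
    """Produce the Rest-token (encoded) form from a decoded Application token."""
    if not UUID_RE.match(app_token):
        raise ValueError("not a canonical UUID")
    return base64.b64encode(app_token.encode("ascii")).decode("ascii")


def check_login_token(token: str) -> str:
    """What a login-time validation could do: raise instead of creating a
    session that will only fail later with HTTP 401."""
    app_token = to_application_token(token)
    if app_token is None:
        raise ValueError(
            "token is not in a valid format: expected an SSC Application token "
            "(UUID) or Rest token (base64 of that UUID); an fcli-encrypted value "
            "is not accepted here"
        )
    return app_token


if __name__ == "__main__":
    # Token pair as printed by 'fcli ssc token create' in step 1 of the issue.
    rest_token = "YTFkN2Q5ZWItZmYyZS00NmJiLTkyZjMtYWYyZWY0MDMwMmEx"
    app_token = "a1d7d9eb-ff2e-46bb-92f3-af2ef40302a1"
    # Output of 'fcli util crypto encrypt' from step 2 of the issue.
    encrypted = ("Wn9UziTkm5g4T8qCBbJ+AvMvIbauWKE43woRvB5lzG+QkdgqA5Cw2N4oqVw+"
                 "GUHSqBknJ4oZGpDekmH9LU6nidf9JrAI6+9Wa2SJW2XwuiMmB20qcmZVl838IJibaX33")
    for t in (rest_token, app_token, encrypted):
        print(f"{classify_ssc_token(t):8s} {t[:20]}...")
```

Run stand-alone it prints the classification of the three values from the issue; the encrypted value from step 2 is classified invalid, which is exactly the case step 3 silently accepted and step 6 then failed on with a 401.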

xakrurychle commented 1 year ago

OK, best case scenario would have been me stopping at step 3; once issue #295 is implemented, it's all good. The confusion indeed came from the encoded and decoded terminology within SSC.

rsenden commented 1 year ago

@xakrurychle Thanks for the feedback, closing this issue then as a duplicate of #295.