thycotic-ps / thycotic.secretserver

PowerShell module for automating with Thycotic Secret Server REST API
https://thycotic-ps.github.io/thycotic.secretserver
MIT License

New-TssSession: OAuthBody isn't URL encoded and some passwords will cause auth to fail #233

Closed randombuffalo closed 3 years ago

randombuffalo commented 3 years ago

Verified issue does not already exist?

Yes

What error did you receive

Passwords that contain special characters that are not URL valid will cause New-TssSession to return {"error":"Login Failed."} and count as a bad password attempt against the Secret Server account in use.

I believe the fix would be to URL encode the strings passed as the OAuth body here.

Changing line 132 of New-TssSession to the following appears to correct the behavior:

$oauth2Body = "username=$($Credential.Username)&password=$([System.Web.HTTPUtility]::UrlEncode($Credential.GetNetworkCredential().Password))&grant_type=password"

Please run the command using -Verbose

No response

Provide a test case or steps to reproduce

Attempt to authenticate with a password containing certain unsafe URL characters. '#' or '&' have been shown to reproduce this issue thus far.

Example passwords: Oo57A&5srfAdo@, Oo57A5srfAdo@&, G*z2X1oluL31jD&#

Expected behavior

Valid passwords should authenticate without error.

What Edition of Secret Server?

Other

What version of Secret Server

10.9

What PowerShell host was used when producing this error

Windows PowerShell (powershell)

PowerShell Host Version

Name                           Value
----                           -----
PSVersion                      5.1.14393.4583
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.4583
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

wsmelton commented 3 years ago

The password used for OAuth2 does not go through URL encoding as it is part of the body/arguments for the request and not the URL itself. The allowed passwords are based on the Local User Password Configuration, but to date it has accepted any special character that a keyboard can type.

Import-Module C:\temp\modules\Thycotic.SecretServer\0.52.0\Thycotic.SecretServer.psd1 -PassThru
$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'P@ssword${123}' -AsPlainText -Force))
$session = New-TssSession -SecretServer http://rc/SecretServer -Credential $cred
Show-TssCurrentUser -TssSession $session


randombuffalo commented 3 years ago

@wsmelton thanks for the first look here. That is interesting you didn't run into the issue. Did you try a password that ends with # or { as well?

wsmelton commented 3 years ago

Sure did (see below screenshot).


randombuffalo commented 3 years ago

Okay, I am but a lowly user of the Secret Server instance at my organization, so I will see if I can get a test account to really wrench around with.

Maybe worth mentioning for the issue's sake, both accounts were domain accounts that ran into this issue.

wsmelton commented 3 years ago

Verified with domain accounts as well.

If this is an account that is accessing the UI successfully, I can't really see how it would not work with a PowerShell credential.


wsmelton commented 3 years ago

If you find out any more details on the failure and it still points to the module, you can reopen this (and update the original post) or just open a new one.

randombuffalo commented 3 years ago

@wsmelton I was able to test further today and verify that indeed certain passwords will not work with the PowerShell module. Changing the password to a URL-encoded string before saving it to the $oauth2Body variable on line 132 has been shown to allow passwords with unsafe URL characters to successfully authenticate to the REST API.

I changed the line to the following:

$oauth2Body = "username=$($Credential.Username)&password=$([System.Web.HTTPUtility]::UrlEncode($Credential.GetNetworkCredential().Password))&grant_type=password"

Could you please re-open this issue if you are able to reproduce this? I've added some example passwords to the issue.

wsmelton commented 3 years ago

Fix will be out this week.

Changes tested successfully with the following passwords:

Import-Module .\src\Thycotic.SecretServer.psd1
$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'Oo57A&5srfAdo@' -AsPlainText -Force))
New-TssSession http://rc/SecretServer $cred

$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'Oo57A5srfAdo@&' -AsPlainText -Force))
New-TssSession http://rc/SecretServer $cred

$cred = [pscredential]::new('testappaccount',(ConvertTo-SecureString 'G*z2X1oluL31jD&#' -AsPlainText -Force))
New-TssSession http://rc/SecretServer $cred
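The following is an added example, not code from the thycotic.secretserver module or from the comments above. It builds the OAuth2 password-grant body with each field percent-encoded and then parses both the naive and the encoded body the way an application/x-www-form-urlencoded receiver would, which shows why a password containing '&' produces "Login Failed." The function names New-OAuth2PasswordBody and ConvertFrom-FormBody are assumptions for this illustration.

```powershell
# Added example (not module code): why an unencoded '&' in the password breaks
# the OAuth2 form body, and what the encoded body looks like instead.

function New-OAuth2PasswordBody {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # Encode every field: '&' becomes %26, '#' becomes %23, '@' becomes %40.
    $user = [System.Uri]::EscapeDataString($Credential.UserName)
    $pass = [System.Uri]::EscapeDataString($Credential.GetNetworkCredential().Password)
    "username=$user&password=$pass&grant_type=password"
}

function ConvertFrom-FormBody {
    # Minimal form-body parser: split on '&', then on the first '=', then decode.
    param([Parameter(Mandatory)][string]$Body)
    $fields = [ordered]@{}
    foreach ($pair in $Body -split '&') {
        $name, $value = $pair -split '=', 2
        $fields[[System.Uri]::UnescapeDataString($name)] = [System.Uri]::UnescapeDataString([string]$value)
    }
    $fields
}

# Constructed sample credential using one of the passwords from the issue.
$cred = [pscredential]::new('testappaccount', (ConvertTo-SecureString 'Oo57A&5srfAdo@' -AsPlainText -Force))

# Naive concatenation, as in the original line 132 of New-TssSession.
$naive = "username=$($cred.UserName)&password=$($cred.GetNetworkCredential().Password)&grant_type=password"
$parsedNaive = ConvertFrom-FormBody $naive
# The receiver sees password 'Oo57A' plus a stray field '5srfAdo@', so the login fails.
"naive   password field : $($parsedNaive['password'])"
"naive   field names    : $($parsedNaive.Keys -join ', ')"

# Encoded body: the password round-trips intact.
$encoded = New-OAuth2PasswordBody $cred
$parsedEncoded = ConvertFrom-FormBody $encoded
"encoded password field : $($parsedEncoded['password'])"
```

Invoke-RestMethod also accepts a hashtable for -Body on a POST and form-encodes each value itself, which avoids hand-building the string at all.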