providers/oauth2: inconsistent client secret generation (#5241)

* use simpler char set for client secret Signed-off-by: Jens Langhammer <jens@goauthentik.io> * also adjust radius Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use similar logic in web to generate ids and secrets Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dont use math.random Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-04-13 15:06:28 +02:00
parent 7841720acf
commit 6a74fa11c6
18 changed files with 74 additions and 69 deletions
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -1,6 +1,6 @@
 import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first, randomString } from "@goauthentik/common/utils";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -203,7 +203,10 @@ export class OAuth2ProviderFormPage extends ModelForm<OAuth2Provider, number> {
                    >
                        <input
                            type="text"
-                            value="${first(this.instance?.clientId, randomString(40))}"
+                            value="${first(
+                                this.instance?.clientId,
+                                randomString(40, ascii_letters + digits),
+                            )}"
                            class="pf-c-form-control"
                            required
                        />
@ -215,7 +218,10 @@ export class OAuth2ProviderFormPage extends ModelForm<OAuth2Provider, number> {
                    >
                        <input
                            type="text"
-                            value="${first(this.instance?.clientSecret, randomString(128))}"
+                            value="${first(
+                                this.instance?.clientSecret,
+                                randomString(128, ascii_letters + digits),
+                            )}"
                            class="pf-c-form-control"
                        />
                    </ak-form-element-horizontal>
--- a/web/src/admin/providers/radius/RadiusProviderForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderForm.ts
@ -1,6 +1,6 @@
 import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first, randomString } from "@goauthentik/common/utils";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import { rootInterface } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -98,22 +98,25 @@ export class RadiusProviderFormPage extends ModelForm<RadiusProvider, number> {
                </ak-search-select>
                <p class="pf-c-form__helper-text">${t`Flow used for users to authenticate.`}</p>
            </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${t`Shared secret`}
-                ?required=${true}
-                name="sharedSecret"
-            >
-                <input
-                    type="text"
-                    value="${first(this.instance?.sharedSecret, randomString(128))}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>

            <ak-form-group .expanded=${true}>
                <span slot="header"> ${t`Protocol settings`} </span>
                <div slot="body" class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${t`Shared secret`}
+                        ?required=${true}
+                        name="sharedSecret"
+                    >
+                        <input
+                            type="text"
+                            value="${first(
+                                this.instance?.sharedSecret,
+                                randomString(128, ascii_letters + digits),
+                            )}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`Client Networks`}
                        ?required=${true}
--- a/web/src/admin/sources/plex/PlexSourceForm.ts
+++ b/web/src/admin/sources/plex/PlexSourceForm.ts
@ -2,7 +2,7 @@ import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
 import { UserMatchingModeToLabel } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import { PlexAPIClient, PlexResource, popupCenterScreen } from "@goauthentik/common/helpers/plex";
-import { first, randomString } from "@goauthentik/common/utils";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import { rootInterface } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -51,7 +51,7 @@ export class PlexSourceForm extends ModelForm<PlexSource, string> {

    get defaultInstance(): PlexSource | undefined {
        return {
-            clientId: randomString(40),
+            clientId: randomString(40, ascii_letters + digits),
        } as PlexSource;
    }

--- a/web/src/common/utils.ts
+++ b/web/src/common/utils.ts
@ -83,10 +83,23 @@ export function hexEncode(buf: Uint8Array): string {
        .join("");
 }

-export function randomString(len: number): string {
-    const arr = new Uint8Array(len / 2);
-    window.crypto.getRandomValues(arr);
-    return hexEncode(arr);
+// Taken from python's string module
+export const ascii_lowercase = "abcdefghijklmnopqrstuvwxyz";
+export const ascii_uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+export const ascii_letters = ascii_lowercase + ascii_uppercase;
+export const digits = "0123456789";
+export const hexdigits = digits + "abcdef" + "ABCDEF";
+export const octdigits = "01234567";
+export const punctuation = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
+
+export function randomString(len: number, charset: string): string {
+    const chars = [];
+    const array = new Uint8Array(len);
+    self.crypto.getRandomValues(array);
+    for (let index = 0; index < len; index++) {
+        chars.push(charset[Math.floor(charset.length * (array[index] / Math.pow(2, 8)))]);
+    }
+    return chars.join("");
 }

 export function dateTimeLocal(date: Date): string {
--- a/web/src/elements/forms/SearchSelect.ts
+++ b/web/src/elements/forms/SearchSelect.ts
@ -1,5 +1,5 @@
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
-import { groupBy, randomString } from "@goauthentik/common/utils";
+import { ascii_letters, digits, groupBy, randomString } from "@goauthentik/common/utils";
 import { AKElement } from "@goauthentik/elements/Base";
 import { PreventFormSubmit } from "@goauthentik/elements/forms/Form";

@ -89,7 +89,7 @@ export class SearchSelect<T> extends AKElement {
                });
        });
        this.observer.observe(this);
-        this.dropdownUID = `dropdown-${randomString(10)}`;
+        this.dropdownUID = `dropdown-${randomString(10, ascii_letters + digits)}`;
    }

    toForm(): unknown {