Merge pull request #244 from davco01a/latest

pentest fixes
kabanero-io · Feb 4, 2021 · a5cc00a · a5cc00a
2 parents b76a3d6 + 9ee483f
commit a5cc00a
Showing 1 changed file with 53 additions and 14 deletions.
diff --git a/cmd/login.go b/cmd/login.go
@@ -88,7 +88,6 @@ func HandleTLSFLag(insecureTLS bool) {
 	if err != nil {
 		messageAndExit("There was a problem writing to the cli config")
 	}
-
 	if clientCert != "" {
 		cliConfig.Set(CertKey, clientCert)
 		err = cliConfig.WriteConfig()
@@ -101,7 +100,6 @@ func HandleTLSFLag(insecureTLS bool) {
 	if !insecureTLS && clientCert == "" {
 
 		fmt.Print("Are you sure you want to continue with an insecure connection to " + cliConfig.GetString(KabURLKey) + " (y/n): ")
-
 		reader := bufio.NewReader(os.Stdin)
 		char, _, err := reader.ReadRune()
 		if err != nil {
@@ -155,24 +153,54 @@ var loginCmd = &cobra.Command{
 	RunE: func(cmd *cobra.Command, args []string) error {
 		Debug.log("login called")
 		var err error
+		var ePass = ""
+		var eUser = ""
 
+		fmt.Println(ePass)
+		fmt.Println(eUser)
 		username, _ := cmd.Flags().GetString("username")
 		password, _ := cmd.Flags().GetString("password")
 
+		if username == "" {
+			fmt.Printf("Username:")
+			bytePwd, err := terminal.ReadPassword(int(syscall.Stdin))
+			if err != nil {
+				return err
+			}
+			eUser = base64.StdEncoding.EncodeToString(bytePwd)
+			for i := 0; i < len(bytePwd); i++ {
+				bytePwd[i] = 0
+			}
+			bytePwd = nil
+			if bytePwd == nil {
+				fmt.Print()
+			}
+			fmt.Println()
+		} else {
+			eUser = base64.StdEncoding.EncodeToString([]byte(username))
+		}
 		if password == "" {
 			fmt.Printf("Password:")
 			bytePwd, err := terminal.ReadPassword(int(syscall.Stdin))
 			if err != nil {
 				return err
 			}
-			password = strings.TrimSpace(string(bytePwd))
+			ePass = base64.StdEncoding.EncodeToString(bytePwd)
+			for i := 0; i < len(bytePwd); i++ {
+				bytePwd[i] = 0
+			}
+			bytePwd = nil
+			if bytePwd == nil {
+				fmt.Print()
+			}
 			fmt.Println()
+		} else {
+			ePass = base64.StdEncoding.EncodeToString([]byte(password))
 		}
 
 		var kabLoginURL string
 
 		viper.SetEnvPrefix("KABANERO")
-
 		if len(args) > 0 {
 			cliConfig.Set(KabURLKey, parseKabURL(args[0]))
 			err = cliConfig.WriteConfig()
@@ -188,14 +216,24 @@ var loginCmd = &cobra.Command{
 		HandleTLSFLag(InsecureTLS)
 
 		kabLoginURL = getRESTEndpoint("login")
-		ePass := base64.StdEncoding.EncodeToString([]byte(password))
-		eUser := base64.StdEncoding.EncodeToString([]byte(username))
-		requestBody, _ := json.Marshal(map[string]string{"000_ERG_TEN_TWENTY": eUser, "010_BOHM_THIRTY_FIVE": ePass})
 
+		requestBody, _ := json.Marshal(map[string]string{"000_ERG_TEN_TWENTY": eUser, "010_BOHM_THIRTY_FIVE": ePass})
 		resp, err := sendHTTPRequest("POST", kabLoginURL, requestBody)
 		if err != nil {
 			messageAndExit("login: Error on sendHTTPRequest:")
 		}
+		requestBody = nil
+		if requestBody == nil {
+			fmt.Print()
+		}
+		eUser = ""
+		if eUser == "" {
+			fmt.Print()
+		}
+		ePass = ""
+		if ePass == "" {
+			fmt.Print()
+		}
 
 		Debug.log("RESPONSE ", kabLoginURL, resp.StatusCode, http.StatusText(resp.StatusCode))
 		if resp.StatusCode == 404 {
@@ -210,20 +248,18 @@ var loginCmd = &cobra.Command{
 		}
 		key := security.Create32BKey((time.Now().String()))
 		cliConfig.Set("key", key)
-
 		encryptedJWT := security.EncryptString(data.JWT, key)
 		cliConfig.Set("jwt", encryptedJWT)
-
 		err = cliConfig.WriteConfig()
 		if err != nil {
 			return err
 		}
 		if cliConfig.GetString("jwt") == "" {
 			messageAndExit("Unable to validate user: " + username + " to " + cliConfig.GetString(KabURLKey))
 		}
-
+		key = ""
+		fmt.Println(key)
 		if !is06Compatible() {
-
 			url := getRESTEndpoint("logout")
 			resp, err := sendHTTPRequest("POST", url, nil)
 			if err != nil {
@@ -237,12 +273,14 @@ var loginCmd = &cobra.Command{
 				return err
 			}
 		} else {
-
 			fmt.Println("Logged in to Kabanero instance: " + cliConfig.GetString(KabURLKey))
 			Debug.log("Logged in to Kabanero instance: " + cliConfig.GetString(KabURLKey))
 		}
 		defer resp.Body.Close()
-
+		cliConfig = nil
+		if cliConfig == nil {
+			fmt.Print()
+		}
 		return nil
 	},
 }
@@ -252,7 +290,8 @@ func init() {
 
 	loginCmd.Flags().StringP("username", "u", "", "github username")
 
-	_ = loginCmd.MarkFlagRequired("username")
+	//_ = loginCmd.MarkFlagRequired("username") // possibly comment out to make username flad not required and add promot for username
+	//loginCmd.Flags().String("username", "u", "", "github username. If no username is provided, prompt will appear")
 	loginCmd.Flags().StringP("password", "p", "", "github password/PAT. If no password is provided, prompt will appear")
 	loginCmd.Flags().BoolVar(&InsecureTLS, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
 	loginCmd.Flags().StringVar(&clientCert, "certificate-authority", "", "Path to a cert file for the certificate authority")