Saturday, October 21, 2017

Keycloak

Sadly there is not even a Wikipedia entry, apart from this short section in https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations: "Federated SSO (LDAP and Active Directory), standard protocols (OpenID Connect, OAuth 2.0 and SAML 2.0) for Web, clustering and single sign on"

How to set up a Keycloak server:
http://blog.keycloak.org/2015/10/getting-started-with-keycloak.html

I have done the "Standalone installation" on Windows and it works without a glitch.
The official documentation is here http://www.keycloak.org/docs/latest/getting_started/index.html - tidy and condensed.

How to secure a REST application with the previously set up Keycloak server:
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html

Except that the link is broken, so I got the repo with "git clone https://github.com/redhat-developer/redhat-sso-quickstarts.git", then cd redhat-sso-quickstarts and cd service-jee-jaxrs. Running mvn package now fails because of the missing keycloak.json file in the config folder.

I follow the instructions here https://github.com/redhat-developer/redhat-sso-quickstarts/tree/7.0.x/service-jee-jaxrs to create a config\keycloak.json file. Only after creating this file can you run mvn package and build service.war.

I start a standalone WildFly on 8080, run mvn install wildfly:deploy and I get "Unknown authentication mechanism KEYCLOAK".

This is because in my app the web.xml contains <login-config><auth-method>KEYCLOAK</auth-method></login-config>
If I change it to BASIC and redeploy, then hit http://localhost:8080/service/public, it all works. But I need KEYCLOAK!

Here https://stackoverflow.com/questions/27253559/keycloak-unknown-authentication-mechanism they explain how to configure WildFly for KEYCLOAK.

I download the client adapter for WildFly from http://www.keycloak.org/downloads.html (the file is keycloak-wildfly-adapter-dist-3.3.0.CR2.zip) and I unzip it in the WILDFLY_HOME folder, so as to merge it with the existing bin and modules folders. Then I run:

jboss-cli.bat -c --file=adapter-install.cli
This adds

<security-domain name="keycloak">
 <authentication>
  <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
 </authentication>
</security-domain>
but it still doesn't work, same error "Unknown authentication mechanism KEYCLOAK"...

Strange, in the WildFly console I can see Configuration: Subsystems, Subsystem: Security, Security Domain: keycloak.

However, I see the message "Extension module org.keycloak.keycloak-adapter-subsystem not found"... so I also run this:

jboss-cli.bat -c --file=adapter-install.cli

and restart everything and it works!

Some valuable KEYCLOAK tutorials:
Detailed configuration instructions here http://www.keycloak.org/docs/latest/getting_started/topics/secure-jboss-app/download-quickstarts.html

Quickstarts available here https://github.com/keycloak/keycloak-quickstarts

Friday, October 20, 2017

Configure Jenkins to run the OWASP Security Check plugin

First make sure that your Jenkins installation is configured with Maven 3.5.

You should also install the "OWASP Dependency-Check Plugin" plugin. For this, go to "Manage Jenkins", "Manage Plugins" and you should find it in the "available plugins" (if not, you probably have to download the hpi files and copy them into the "plugins" directory under the Jenkins home folder; see my previous post on which plugin files are needed).

Create a Maven project:

webgoat_maven

Source Code Management: Git

Repository URL = https://github.com/WebGoat/WebGoat.git

Branch specifier = */develop

Remove all "build triggers"

Pre-Steps : leave empty

Build/Root POM = pom.xml

Goals and Options = package -DskipTests=true

Post Steps (run regardless...) = Invoke OWASP dependency check analysis
Click on "advanced", enable "Generate optional HTML report" and "Generate optional vulnerability report (HTML)".

Post-build Actions: add "Publish OWASP dependency check results"
Click on "advanced", set 5 in the "failed" (red circle) "Priority high" column, so the build will fail if there are more than 5 highly vulnerable components.

In the console output of the build, you should see something like this:

[DependencyCheck] OWASP Dependency-Check Plugin v3.0.0
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck]  -name = Pierre
[DependencyCheck]  -scanPath = /path/to/workspace/Pierre
[DependencyCheck]  -outputDirectory = /path/to/workspace/Pierre
[DependencyCheck]  -dataDirectory = /path/to/workspace/Pierre/dependency-check-data
[DependencyCheck]  -dataMirroringType = none
[DependencyCheck]  -isQuickQueryTimestampEnabled = true
[DependencyCheck]  -jarAnalyzerEnabled = true
[DependencyCheck]  -nspAnalyzerEnabled = true
[DependencyCheck]  -composerLockAnalyzerEnabled = true
[DependencyCheck]  -pythonDistributionAnalyzerEnabled = true
[DependencyCheck]  -pythonPackageAnalyzerEnabled = true
[DependencyCheck]  -rubyBundlerAuditAnalyzerEnabled = true
[DependencyCheck]  -rubyGemAnalyzerEnabled = true
[DependencyCheck]  -cocoaPodsAnalyzerEnabled = true
[DependencyCheck]  -swiftPackageManagerAnalyzerEnabled = true
[DependencyCheck]  -archiveAnalyzerEnabled = true
[DependencyCheck]  -assemblyAnalyzerEnabled = true
[DependencyCheck]  -centralAnalyzerEnabled = true
[DependencyCheck]  -nuspecAnalyzerEnabled = true
[DependencyCheck]  -nexusAnalyzerEnabled = false
[DependencyCheck]  -autoconfAnalyzerEnabled = true
[DependencyCheck]  -cmakeAnalyzerEnabled = true
[DependencyCheck]  -opensslAnalyzerEnabled = true
[DependencyCheck]  -showEvidence = true
[DependencyCheck]  -formats = XML HTML VULN 
[DependencyCheck]  -autoUpdate = true
[DependencyCheck]  -updateOnly = false

If "jarAnalyzerEnabled" is not true, then something is wrong.

If you see "org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data..... Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Unable to resolve domain 'nvd.nist.gov'", most likely you are behind a proxy. You can still build the H2 DB, which contains the whole vulnerability feed, and provide it offline to the Jenkins job. But to build this DB you must run the job on a computer connected to the internet, then look in the workspace for a db.h2 file.
This is configured in "Invoke OWASP dependency check analysis", then "advanced": set "Data directory" to the folder where you have copied the H2 DB file. Also check the "Disable NVD auto-update" flag.

If it still fails with this error, then I really don't know where the issue is; probably AGAIN a proxy problem, as also explained here https://github.com/jeremylong/DependencyCheck/issues/932:

[DependencyCheck] Message: Could not connect to Central search. Analysis failed.
[DependencyCheck] org.owasp.dependencycheck.analyzer.exception.AnalysisException: Could not connect to Central search. Analysis failed.
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:244)
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:137)
[DependencyCheck]  at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
[DependencyCheck]  at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
[DependencyCheck]  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck]  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[DependencyCheck]  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[DependencyCheck]  at java.lang.Thread.run(Thread.java:745)
[DependencyCheck] Caused by: java.io.IOException: Finally failed connecting to Central search. Giving up after 5 tries.
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:288)
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency(CentralAnalyzer.java:198)
[DependencyCheck]  ... 7 more


[DependencyCheck] Caused by: java.net.UnknownHostException: search.maven.org
[DependencyCheck]  at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
[DependencyCheck]  at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[DependencyCheck]  at java.net.Socket.connect(Socket.java:589)
[DependencyCheck]  at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[DependencyCheck]  at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
[DependencyCheck]  at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
[DependencyCheck]  at sun.net.www.http.HttpClient.(HttpClient.java:211)
[DependencyCheck]  at sun.net.www.http.HttpClient.New(HttpClient.java:308)
[DependencyCheck]  at sun.net.www.http.HttpClient.New(HttpClient.java:326)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
[DependencyCheck]  at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
[DependencyCheck]  at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1(CentralSearch.java:127)
[DependencyCheck]  at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts(CentralAnalyzer.java:266)
One can try to set -Danalyzer.central.enabled=false (see https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck.properties) and/or configure the proxy to allow https://search.maven.org/solrsearch/select.
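An added example, not from the post or the plugin: a small Python checker for the console output discussed above. It parses the option lines the plugin echoes, checks that jarAnalyzerEnabled is true, and recognises the two network failures described (NVD feed download and Central search) together with the workaround given for each. The log it reads is a constructed sample, not a real build.

```python
import re

# Matches the option lines the plugin echoes, e.g. "[DependencyCheck]  -jarAnalyzerEnabled = true"
OPTION_RE = re.compile(r"^\[DependencyCheck\]\s+-(\w+) = (.*)$")

# Constructed sample log (not a real build): a trimmed version of the option
# echo from the post, followed by the Central-search failure also shown there.
SAMPLE_LOG = """\
[DependencyCheck] OWASP Dependency-Check Plugin v3.0.0
[DependencyCheck] Executing Dependency-Check with the following options:
[DependencyCheck]  -jarAnalyzerEnabled = true
[DependencyCheck]  -centralAnalyzerEnabled = true
[DependencyCheck]  -formats = XML HTML VULN 
[DependencyCheck]  -autoUpdate = true
[DependencyCheck] Message: Could not connect to Central search. Analysis failed.
[DependencyCheck] Caused by: java.net.UnknownHostException: search.maven.org
"""

NVD_FAIL = "Unable to resolve domain 'nvd.nist.gov'"
CENTRAL_FAIL = "UnknownHostException: search.maven.org"


def parse_options(log):
    """Return the '-name = value' pairs from the console output as a dict."""
    options = {}
    for line in log.splitlines():
        match = OPTION_RE.match(line)
        if match:
            options[match.group(1)] = match.group(2).strip()
    return options


def diagnose(log):
    """Return (problem, fix) pairs for the failure modes discussed in the post."""
    options = parse_options(log)
    issues = []
    if options.get("jarAnalyzerEnabled") != "true":
        issues.append(("jarAnalyzerEnabled is not true",
                       "jar files are not analysed; check the job's analyzer settings"))
    # NVD download failure only matters while auto-update is still on
    if NVD_FAIL in log and options.get("autoUpdate") != "false":
        issues.append(("NVD feed download failed, probably a proxy",
                       "copy an H2 DB built on a connected machine into 'Data directory' "
                       "and tick 'Disable NVD auto-update'"))
    # Central failure only matters while the Central analyzer is enabled
    if CENTRAL_FAIL in log and options.get("centralAnalyzerEnabled") == "true":
        issues.append(("Central search unreachable, probably a proxy",
                       "set -Danalyzer.central.enabled=false or allow the proxy to reach "
                       "https://search.maven.org/solrsearch/select"))
    return issues
```

Feed it the console output of a failed build (for example with diagnose(open("console.log").read())) to get the matching workaround for each problem found.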


It's nice to read https://jeremylong.github.io/DependencyCheck/general/internals.html on how the analyzer works.


The NVD (National Vulnerability Database) CVE (Common Vulnerabilities and Exposures) feeds are here https://nvd.nist.gov/vuln/data-feeds. They contain the Common Platform Enumeration (CPE) catalog of all known vulnerabilities and the Common Weakness Enumeration (CWE).

VirtualBox shared folder on Linux Centos guest and Windows host

My main Linux user is "centos".

In VirtualBox, right-click on your VM, Settings, Shared Folders, create an entry with Folder Path = d:\pierre\pvshared and Folder Name = pvshared, check "auto-mount" and "make permanent".

Make sure you have the latest VBoxAdditions installed:

cd /run/media/centos/VBOXADDITIONS_5.1.30_118389/
sudo ./autorun.sh

# the vboxsf group should already exist, so this should fail:
sudo groupadd vboxsf
sudo usermod -a -G vboxsf centos

reboot!

Log in again with your user (centos):

id
uid=1000(centos) gid=1000(centos) groups=1000(centos),983(vboxsf) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

cd /media/sf_pvshared
touch pippo.txt

You should see the file pippo.txt in your d:\pierre\pvshared folder in Windows.

I have also done

sudo chmod 777 /media/sf_pvshared

but I don't think it's required once the centos user is assigned to the vboxsf group.