diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py index 9c8c704f..8c70a32e 100644 --- a/ospd_openvas/preferencehandler.py +++ b/ospd_openvas/preferencehandler.py @@ -32,6 +32,7 @@ OID_ESXI_AUTH = "1.3.6.1.4.1.25623.1.0.105058" OID_SNMP_AUTH = "1.3.6.1.4.1.25623.1.0.105076" OID_PING_HOST = "1.3.6.1.4.1.25623.1.0.100315" +OID_KRB5_AUTH = "1.3.6.1.4.1.25623.1.81.0" BOREAS_ALIVE_TEST = "ALIVE_TEST" BOREAS_ALIVE_TEST_PORTS = "ALIVE_TEST_PORTS" @@ -576,6 +577,11 @@ def prepare_scan_params_for_openvas(self, ospd_params: Dict[str, Dict]): if prefs_val: self.kbdb.add_scan_preferences(self.scan_id, prefs_val) + def disable_message(self, disabled: str) -> str: + """Return a string with the message for exclusive services.""" + disabled = f"Disabled {disabled}" + return disabled + ": KRB5 and SMB credentials are mutually exclusive." + def build_credentials_as_prefs(self, credentials: Dict) -> List[str]: """Parse the credential dictionary. Arguments: @@ -585,10 +591,18 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]: A list with the credentials in string format to be added to the redis KB. """ + cred_prefs_list = [] + krb5_set = False + smb_set = False for credential in credentials.items(): service = credential[0] cred_params = credentials.get(service) + if not cred_params: + logger.warning( + "No credentials parameter found for service %s", service + ) + continue cred_type = cred_params.get('type', '') username = cred_params.get('username', '') password = cred_params.get('password', '') 
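Review bot: `disable_message` never reads `self` and rebinds its own parameter before concatenating, which is more ceremony than a one-line formatter needs. It could be a `@staticmethod` whose body is `return f"Disabled {disabled}: KRB5 and SMB credentials are mutually exclusive."`; the existing `self.disable_message(...)` calls keep working. The docstring could also state that `disabled` is the name of the service whose credentials are being dropped.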
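Review bot: The new `if not cred_params:` guard only writes a log warning before `continue`, whereas the other credential failures added in this commit (missing realm, missing KDC, the SMB/KRB5 conflict) are appended to `self.errors`. If `self.errors` is what gets reported back for the scan (not visible here), an empty credential block would quietly downgrade that service to an unauthenticated scan with nothing surfaced to the user. Consider adding `self.errors.append(f"No credentials parameter found for service {service}")` next to the warning. The loop body continues beyond this hunk.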
@@ -659,12 +673,45 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
 )
 # Check servic smb
 elif service == 'smb':
+ if krb5_set:
+ self.errors.append(self.disable_message("SMB"))
+ continue
+ smb_set = True
 cred_prefs_list.append(
 f'{OID_SMB_AUTH}:1:entry:SMB login:|||{username}'
 )
 cred_prefs_list.append(
 f'{OID_SMB_AUTH}:2:password:SMB password:|||{password}'
 )
+ elif service == 'krb5':
+ if smb_set:
+ self.errors.append(self.disable_message("KRB5"))
+ continue
+ krb5_set = True
+ realm = cred_params.get('realm', '')
+ if not realm:
+ self.errors.append(
+ "Missing realm for Kerberos authentication."
+ )
+ continue
+ kdc = cred_params.get('kdc', '')
+ if not kdc:
+ self.errors.append(
+ "Missing KDC for Kerberos authentication."
+ )
+ continue
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:1:entry:KRB5 login:|||{username}'
+ )
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:2:password:KRB5 password:|||{password}'
+ )
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:3:entry:KRB5 realm:|||{realm}'
+ )
+ cred_prefs_list.append(
+ f'{OID_KRB5_AUTH}:4:entry:KRB5 kdc:|||{kdc}'
+ )
 # Check service esxi
 elif service == 'esxi':
 cred_prefs_list.append(
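Review bot: In the `krb5` branch, `krb5_set = True` is assigned before the realm and KDC checks, so a Kerberos entry that is then rejected for a missing realm or KDC still blocks a later `smb` entry with "Disabled SMB", leaving the scan with neither credential. Moving `krb5_set = True` to just before the first `cred_prefs_list.append(` of that branch ties the flag to preferences that were actually emitted. Which of the two services wins also depends on the iteration order of `credentials`, which deserves a comment or a fixed precedence. `realm` and `kdc` are written into the `|||`-delimited preference strings as received; whether they are validated upstream is not visible in this hunk, and the function starts and ends outside it.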