better error handling, unauthenticated scan with malformed credentials

Kraemii · Kraemii · commit ae4ae2d094aa · 2021-05-11T14:35:57.000+02:00
diff --git a/ospd_openvas/daemon.py b/ospd_openvas/daemon.py
@@ -1266,7 +1266,7 @@ def exec_scan(self, scan_id: str):
         if not scan_prefs.prepare_credentials_for_openvas():
             error = (
                 'All authentifications contain errors.'
-                + 'Scan will get interrupted.'
+                + 'Starting unauthenticated scan instead.'
             )
             self.add_scan_error(
                 scan_id,
@@ -1275,8 +1275,8 @@ def exec_scan(self, scan_id: str):
                 value=error,
             )
             logger.error(error)
-            do_not_launch = True
-        for e in scan_prefs.errors:
+        errors = scan_prefs.get_error_messages()
+        for e in errors:
             error = 'Malformed credential. ' + e
             self.add_scan_error(
                 scan_id,
diff --git a/ospd_openvas/preferencehandler.py b/ospd_openvas/preferencehandler.py
@@ -115,6 +115,12 @@ def prepare_scan_id_for_openvas(self):
         """
         self.kbdb.add_scan_id(self.scan_id)
 
+    def get_error_messages(self) -> List:
+        """Returns the Error List and reset it"""
+        ret = self.errors
+        self.errors = []
+        return ret
+
     @property
     def target_options(self) -> Dict:
         """Return target options from Scan collection"""
@@ -599,18 +605,22 @@ def build_credentials_as_prefs(self, credentials: Dict) -> List[str]:
             # Check service ssh
             if service == 'ssh':
                 # For ssh check the Port
-                port = cred_params.get('port', '')
+                port = cred_params.get('port', '22')
                 if not port:
-                    self.errors.append("Port for SSH is missing.")
-                    continue
+                    port = '22'
+                    warning = (
+                        "Missing port number for ssh credentials."
+                        + " Using default port 22."
+                    )
+                    logger.warning(warning)
                 elif not port.isnumeric():
                     self.errors.append(
                         "Port for SSH '" + port + "' is not a valid number."
                     )
                     continue
-                elif int(port) > 65535:
+                elif int(port) > 65535 or int(port) < 1:
                     self.errors.append(
-                        "Port for SSH is out of range (0-65535): " + port
+                        "Port for SSH is out of range (1-65535): " + port
                     )
                     continue
                 # For ssh check the credential type
diff --git a/tests/test_preferencehandler.py b/tests/test_preferencehandler.py
@@ -364,9 +364,10 @@ def test_set_bad_service_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
-        self.assertIn("Unknown service type for credential: shh", p.errors)
+        self.assertIn("Unknown service type for credential: shh", e)
 
     @patch('ospd_openvas.db.KbDB')
     def test_set_bad_ssh_port_credentials(self, mock_kb):
@@ -387,9 +388,10 @@ def test_set_bad_ssh_port_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
-        self.assertIn("Port for SSH 'ab' is not a valid number.", p.errors)
+        self.assertIn("Port for SSH 'ab' is not a valid number.", e)
 
     @patch('ospd_openvas.db.KbDB')
     def test_missing_ssh_port_credentials(self, mock_kb):
@@ -410,8 +412,7 @@ def test_missing_ssh_port_credentials(self, mock_kb):
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
 
-        self.assertFalse(r)
-        self.assertIn("Port for SSH is missing.", p.errors)
+        self.assertTrue(r)
 
     @patch('ospd_openvas.db.KbDB')
     def test_ssh_port_out_of_range_credentials(self, mock_kb):
@@ -432,9 +433,10 @@ def test_ssh_port_out_of_range_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
-        self.assertIn("Port for SSH is out of range (0-65535): 65536", p.errors)
+        self.assertIn("Port for SSH is out of range (1-65535): 65536", e)
 
     @patch('ospd_openvas.db.KbDB')
     def test_bad_type_for_ssh_credentials(self, mock_kb):
@@ -455,14 +457,15 @@ def test_bad_type_for_ssh_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
         self.assertIn(
             "Unknown Credential Type for SSH: "
             + "ups"
             + ". Use 'up' for Username + Password"
             + " or 'usk' for Username + SSH Key.",
-            p.errors,
+            e,
         )
 
     @patch('ospd_openvas.db.KbDB')
@@ -483,13 +486,14 @@ def test_missing_type_for_ssh_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
         self.assertIn(
             "Missing Credential Type for SSH."
             + " Use 'up' for Username + Password"
             + " or 'usk' for Username + SSH Key.",
-            p.errors,
+            e,
         )
 
     @patch('ospd_openvas.db.KbDB')
@@ -513,12 +517,13 @@ def test_snmp_no_priv_alg_but_pw_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
         self.assertIn(
             "When no privacy algorithm is used, the privacy"
             + " password also has to be empty.",
-            p.errors,
+            e,
         )
 
     @patch('ospd_openvas.db.KbDB')
@@ -543,13 +548,14 @@ def test_snmp_unknown_priv_alg_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
         self.assertIn(
             "Unknows privacy algorithm used: "
             + "das"
             + ". Use 'aes', 'des' or '' (none).",
-            p.errors,
+            e,
         )
 
     @patch('ospd_openvas.db.KbDB')
@@ -571,12 +577,13 @@ def test_snmp_missing_auth_alg_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
         self.assertIn(
             "Missing authentification algorithm for SNMP."
             + " Use 'md5' or 'sha1'.",
-            p.errors,
+            e,
         )
 
     @patch('ospd_openvas.db.KbDB')
@@ -599,13 +606,14 @@ def test_snmp_unknown_auth_alg_credentials(self, mock_kb):
         p.scan_id = '456-789'
         p.kbdb.add_scan_preferences = MagicMock()
         r = p.prepare_credentials_for_openvas()
+        e = p.get_error_messages()
 
         self.assertFalse(r)
         self.assertIn(
             "Unknown authentification algorithm: "
             + "sha2"
             + ". Use 'md5' or 'sha1'.",
-            p.errors,
+            e,
         )
 
     @patch('ospd_openvas.db.KbDB')
