Bug 1122594

Summary: Security policies are not applied to git operations
Product: [Retired] JBoss BRMS Platform 6 Reporter: Anton Giertli <agiertli>
Component: Business CentralAssignee: Alexandre Porcelli <porcelli>
Status: CLOSED EOL QA Contact: Karel Suta <ksuta>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0.2CC: kverlaen, mbaluch, rruss
Target Milestone: ER3   
Target Release: 6.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-27 19:34:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1175682    
Bug Blocks:    

Description Anton Giertli 2014-07-23 14:49:14 UTC 
Description of problem:

You can execute git clone via ssh even with the user which has role 'user' assigned.

This directly contradicts with the Role definition in 
http://docs.jboss.org/jbpm/v6.0.1/userguide/wb.Workbench.html#wb.Roles

============
9.4.2.4. Business user

Daily user of the system to take actions on business tasks that are required for the processes to continue forward. Works primarily with the task lists.

Does process management
Handles tasks and dashboards
=========

I can easily push changes to the business assets even if I am only user/manager. This seems like a security policy violation.


Version-Release number of selected component (if applicable):
bpm 6.0.2

How reproducible:
always

Steps to Reproduce:
1. Create user via ./add-user.sh , set role 'user'
2. git clone ssh://user@localhost:8001/repository1

Actual results:
it is possible to perform git operation such as ssh clone, add, commit, push with only 'user' permission.

Expected results:
role 'user' shouldn't have the possibility to perform operations like git clone, push via ssh as it directly contradicts with the documented role definition.
Comment 2 Alexandre Porcelli 2014-11-28 21:02:23 UTC 
Fix pushed to master and 6.2.x

[kie-wb-common] 6.2.x http://github.com/droolsjbpm/kie-wb-common/commit/8a53e65e4
[kie-wb-common] master http://github.com/droolsjbpm/kie-wb-common/commit/47a5b0c4b

(still open as there's an issue on UF that basically doesn't use the new @IOSecurityAuthz instace)
Comment 3 Jonathan Fuerth 2014-11-28 22:49:22 UTC 
The UF bug is now fixed on 0.5.0-SNAPSHOT:

https://github.com/uberfire/uberfire/commit/221158cf8ed0654267ef3258b7f106800fa55be4
Comment 4 Sona Mala 2015-01-14 09:25:50 UTC 
I cannot verify this issue for 6.1.0 ER3. It seems that no body can clone a repository from business central via ssh. It blocks the verification of the security policy.

I was able to connect via ssh in 6.1.0 ER2 without problem. For ER3, I have got message which is described by BZ1175682.
Comment 5 Karel Suta 2015-03-09 10:04:28 UTC 
Verified on 6.1.0.ER6
Admin, analyst or developer roles can clone repository using SSH.
User and manager roles cannot clone repository using SSH.