DescriptionChristian Marineau
2017-03-06 16:20:36 UTC
Description of problem:
After settings a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
Version-Release number of selected component (if applicable):
6.2.7
How reproducible:
100%
Steps to Reproduce:
1. Have repositories from more than 1 Product, by example:
Red Hat Enterprise Linux Server
Red Hat Satellite
Custom_Product
Optional -> You can also have 2 Organization and only allow 1 of them through the filter:
MyOrg
OtherOrg
2. Create a new role "Custom_bug_role"
3. Create the following 2 filters for that role
Filter 1
Resource type: Organization
Permission: view_organizations
Search filter: name = "MyOrg"
Filter 2
Resource type: Product and Repositories
Permission: view_products, edit_products, sync_products
Search filter: name = "Red Hat Enterprise Linux Server"
4. Create a test user and assign the custom role
Username: Test_bug_user
Role: Custom_bug_role
5. With hammer, list the repository using the test user credentials
A. Listing the repositories works as expected, only "Red Hat Enterprise Linux Server" repositories will be displayed:
# hammer -u Test_bug_user -p testbug repository list --organization MyOrg
[...]
33 | Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.1 | Red Hat Enterprise Linux Server | yum
27 | Red Hat Enterprise Linux 7 Server - Extras RPMs x86_64 | Red Hat Enterprise Linux Server | yum
[...]
B. Showing repository information using it's ID allows the user to see any repository (from any Product or any Organisation), this is not expected:
# hammer -u Test_bug_user -p testbug repository info --id 62
ID: 62
Name: Custom_Repo
Label: Custom_Repo
Organization: OtherOrg
Red Hat Repository: no
Content Type: yum
[...]
C. Uploading a package to a any repository is also possible using its ID (from any Product or any Organisation), this is not expected and it is a security issue:
# hammer -u Test_bug_user -p testbug repository upload-content --id 62 --path test.rpm
Successfully uploaded file 'test.rpm'.
It seems like when we specify --product --name --organization, the permission are applied correctly. However, it looks like using their id bypass this.
Actual results:
When using repository id, we can show info from any repository and upload new package to them.
Expected results:
Have the role filters applied on the resource whether we are using the name or the id
Additional info:
This has been identity as a security issue by the customer, as unexpected user can alter the repository content.
Description of problem: After settings a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id. Version-Release number of selected component (if applicable): 6.2.7 How reproducible: 100% Steps to Reproduce: 1. Have repositories from more than 1 Product, by example: Red Hat Enterprise Linux Server Red Hat Satellite Custom_Product Optional -> You can also have 2 Organization and only allow 1 of them through the filter: MyOrg OtherOrg 2. Create a new role "Custom_bug_role" 3. Create the following 2 filters for that role Filter 1 Resource type: Organization Permission: view_organizations Search filter: name = "MyOrg" Filter 2 Resource type: Product and Repositories Permission: view_products, edit_products, sync_products Search filter: name = "Red Hat Enterprise Linux Server" 4. Create a test user and assign the custom role Username: Test_bug_user Role: Custom_bug_role 5. With hammer, list the repository using the test user credentials A. Listing the repositories works as expected, only "Red Hat Enterprise Linux Server" repositories will be displayed: # hammer -u Test_bug_user -p testbug repository list --organization MyOrg [...] 33 | Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.1 | Red Hat Enterprise Linux Server | yum 27 | Red Hat Enterprise Linux 7 Server - Extras RPMs x86_64 | Red Hat Enterprise Linux Server | yum [...] B. Showing repository information using it's ID allows the user to see any repository (from any Product or any Organisation), this is not expected: # hammer -u Test_bug_user -p testbug repository info --id 62 ID: 62 Name: Custom_Repo Label: Custom_Repo Organization: OtherOrg Red Hat Repository: no Content Type: yum [...] C. Uploading a package to a any repository is also possible using its ID (from any Product or any Organisation), this is not expected and it is a security issue: # hammer -u Test_bug_user -p testbug repository upload-content --id 62 --path test.rpm Successfully uploaded file 'test.rpm'. It seems like when we specify --product --name --organization, the permission are applied correctly. However, it looks like using their id bypass this. Actual results: When using repository id, we can show info from any repository and upload new package to them. Expected results: Have the role filters applied on the resource whether we are using the name or the id Additional info: This has been identity as a security issue by the customer, as unexpected user can alter the repository content.