Bug 1817485

Summary: Invoked Receptor installation job shows plaintext password in user inputs
Product: Red Hat Satellite Reporter: Lukáš Hellebrandt <lhellebr>
Component: Ansible - Configuration ManagementAssignee: Marek Hulan <mhulan>
Status: CLOSED CURRENTRELEASE QA Contact: Lukáš Hellebrandt <lhellebr>
Severity: high Docs Contact:
Priority: high    
Version: 6.7.0CC: aruzicka, bkearney, mhulan, pcreech
Target Milestone: UnspecifiedKeywords: Security, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tfm-rubygem-foreman_remote_execution-2.0.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 19:09:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukáš Hellebrandt 2020-03-26 12:33:08 UTC 
Description of problem:
After invoking a Configure Cloud Connector job, Receptor user credentials are shown in Job Invocation's "User Inputs" part which is accessible to any user with "Remote Execution User" role. This user can login as Receptor user, misusing whatever rights that user has.
Similar to bug 1814998.

Version-Release number of selected component (if applicable):
Sat 6.7 snap 17, NOT regression

How reproducible:
Deterministic

Steps to Reproduce:
1. Hosts -> Job Templates -> run Configure Cloud Connector
2. Select hosts, enter (required) satellite_user and satellite_password
3. As any user that can do it, open the job invocation

Actual results:
You can see satellite_user and satellite_password in plaintext

Expected results:
You shouldn't be able to get these values in any way through Satellite

Additional info:
It's expectable that the passwords are stored somewhere (e.g. database) and they can be accessed there
Comment 3 Marek Hulan 2020-04-02 19:58:27 UTC 
Created redmine issue https://projects.theforeman.org/issues/29465 from this bug
Comment 4 Bryan Kearney 2020-04-02 20:02:42 UTC 
Upstream bug assigned to mhulan
Comment 5 Bryan Kearney 2020-04-02 20:02:44 UTC 
Upstream bug assigned to mhulan
Comment 6 Bryan Kearney 2020-04-03 14:02:44 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29465 has been resolved.
Comment 7 Lukáš Hellebrandt 2020-04-06 15:36:43 UTC 
Verified with Sat 6.7 snap 20. Passwords are now asterisked-out on the job invocation page. Note that any user with create_invocation permission can still see the entered password by clicking Rerun a looking into source code but that is by design (user with this permission can do potentially more dangerous things).
Comment 8 Bryan Kearney 2020-04-14 19:09:17 UTC 
This was fixed in 6.7.