Bug 1828549

Summary:	Manifest Certificate Exposed by Unprivileged User
Product:	Red Hat Satellite	Reporter:	myoder
Component:	Users & Roles	Assignee:	Jonathon Turel <jturel>
Status:	CLOSED ERRATA	QA Contact:	Peter Ondrejka <pondrejk>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.6.0	CC:	egolov, jturel, mhulan, swadeley
Target Milestone:	6.8.0	Keywords:	Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	tfm-rubygem-katello-3.16.0-0	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-10-27 13:02:09 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description myoder 2020-04-27 20:04:44 UTC

Description of problem:

User with only "Discover Reader" role enabled, is able to get private key for manifest/organization when they authenitcate to the Satellite WEb UI, and then manually navigate to this endpoint:

  http://satellite.example.com/katello/api/v2/organizations/1 

A json output is printed to the screen which includes the private and public key for what I believe is the manifest associated with that organization.  I have grabbed part of the json, and removed the public and private certs, and also hanged the org name and manifest name to ORGANIZATION-NAME and MANIFEST-NAME respectively:

    "name": "ORGANIZATION-NAME",
   "owner_details": {
       "autobindDisabled": false,
       "contentAccessMode": "entitlement",
       "contentAccessModeList": "entitlement",
       "contentPrefix": "/ORGANIZATION-NAME/$env",
       "created": "2020-04-03T16:16:09+0000",
       "defaultServiceLevel": null,
       "displayName": "ORGANIZATION-NAME",
       "href": "/owners/ORGANIZATION-NAME",
       "id": "8a8080887140d389017140d4085f0001",
       "key": "ORGANIZATION-NAME",
       "lastRefreshed": "2020-04-04T00:04:44+0000",
       "logLevel": null,
       "parentOwner": null,
       "updated": "2020-04-04T00:04:44+0000",
       "upstreamConsumer": {
           "apiUrl": "https://subscription.rhsm.redhat.com/subscription/consumers/",
           "contentAccessMode": null,
           "created": "2020-04-04T00:04:28+0000",
           "id": "8a8080887140d38901714280c81a005d",
           "idCert": {
               "cert": "-----BEGIN CERTIFICATE----***REMOVED***-----END CERTIFICATE-----\n",
               "created": "2020-04-03T23:51:05+0000",
               "id": "8a8080887140d38901714280c80e005c",
               "key": "-----BEGIN RSA PRIVATE KEY----***REMOVED***-----END RSA PRIVATE KEY-----\n",
               "serial": {
                   "collected": false,
                   "created": "2020-04-03T23:51:05+0000",
                   "expiration": "2021-04-03T23:51:05+0000",
                   "id": 6867080507192518295,
                   "revoked": false,
                   "serial": 6867080507192518295,
                   "updated": "2020-04-04T00:04:28+0000"
               },
               "updated": "2020-04-04T00:04:28+0000"
           },
           "name": "MANIFEST-NAME",
           "ownerId": "8a8080887140d389017140d4085f0001",
           "type": {
               "id": "8a8080887140d38901714280c7640006",
               "label": "satellite",
               "manifest": true
           },
           "updated": "2020-04-04T00:04:28+0000",
           "uuid": "4aa39171-de7c-4936-bfd9-b06b27000581",
           "webUrl": "access.redhat.com/management/subscription_allocations/"
       },
       "virt_who": true
   },
Version-Release number of selected component (if applicable):
Satellite 6.6.2-1

How reproducible:
Always

Steps to Reproduce:
1. Create user with "Discover Reader" role
2. Have that user log in to the Satellite Web UI
3. Open a new tab, and manually navigate to https://satellite.example.com/katello/api/v2/organizations/1

Actual results:
Private and public key are exposed to end user

Expected results:
User should see private and public key.  Also, private key should not be exposed.

Additional info:

Comment 3 Marek Hulan 2020-04-28 10:12:03 UTC

I think Jonathon had already somewhere a BZ, the org API shouldn't be exposing the private key, Jonathon any more insights to this? Thanks

Comment 4 Jonathon Turel 2020-04-28 12:52:13 UTC

Connecting redmine issue https://projects.theforeman.org/issues/29146 from this bug

Comment 5 Jonathon Turel 2020-04-28 12:54:05 UTC

Thank you for the report. The good news is that this has already been fixed in our upstream repositories - I've linked the upstream issue report. I would expect this fix to be included as part of Satellite 6.8

Comment 6 Bryan Kearney 2020-04-28 14:07:44 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/29146 has been resolved.

Comment 7 Peter Ondrejka 2020-06-02 08:49:33 UTC

Verified on Sat 6.8 snap 2, these credentials are no longer exposed for any user

Comment 10 errata-xmlrpc 2020-10-27 13:02:09 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366