Bug 806326

Summary: [REST API] keys may be queried even with invalid credentials
Product: OKD
Reporter: Andre Dietisheim <adietish>
Component: Pod
Assignee: Krishna Raman <kraman>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: low
Docs Contact:
Priority: low
Version: 2.x
CC: mfisher, mpatel, qgong, xcoulon, xtian
Target Milestone: ---
Keywords: Security, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-14 17:23:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Andre Dietisheim 2012-03-23 12:53:17 UTC
You can GET a user's keys even with an invalid password:

curl -k -H "Accept: application/xml" --user "adietish:BADPASSWORD" https://openshift.redhat.com/broker/rest/user/keys -v

< HTTP/1.1 200 OK
< Date: Fri, 23 Mar 2012 12:50:52 GMT
< Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
< X-Runtime: 0.701383
< Cache-Control: max-age=0, private, must-revalidate
< X-UA-Compatible: IE=Edge,chrome=1
< ETag: "fdf594c569db32a4cefb930eb7c415e1"
< Status: 200
< Content-Type: application/xml; charset=utf-8
< Vary: Accept-Encoding,User-Agent
< ProxyTime: D=722319
< Connection: close
< Transfer-Encoding: chunked
< 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <type>keys</type>
  <status>ok</status>
  <messages/>
  <data>
    <key>
      <type>ssh-rsa</type>
      <content>AAAAB3NzaC1yc2EA
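
As an added example (not code from this bug report or from the OpenShift broker itself), the Ruby below models the request handling the description reports against a small constructed user store: a handler that selects the account from the Basic-auth login but never verifies the password, which is what a 200 and a key list for `adietish:BADPASSWORD` implies, beside a corrected handler that verifies the credentials before any lookup and answers with the `HTTP Basic: Access denied.` body that Comment 2 shows after the fix. The login, password, key bytes and all function names are constructed for the illustration and are not the broker's own.

```ruby
require 'base64'

# Constructed sample data for the illustration: one account with one public key.
# The login, password and key bytes are placeholders, not real credentials.
USERS = { "adietish" => "correct-horse-battery" }.freeze
KEYS  = { "adietish" => [{ type: "ssh-rsa", content: "AAAAB3NzaC1yc2EA...constructed..." }] }.freeze

# Response body used by the fixed handler, matching what Comment 2 observed.
DENIED = [401, "HTTP Basic: Access denied."].freeze

# Parse an HTTP Basic Authorization header into [login, password].
# Returns nil when the header is missing, not Basic, not valid base64,
# or lacks the "login:password" separator.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?("Basic ")
  begin
    decoded = Base64.strict_decode64(header[6..-1].strip)
  rescue ArgumentError
    return nil
  end
  login, password = decoded.split(":", 2)
  return nil if login.nil? || login.empty? || password.nil?
  [login, password]
end

# Constant-time comparison so a wrong password is rejected in the same time
# regardless of how many leading bytes happen to match.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the authenticated login, or nil if the credentials do not verify.
def authenticate(header)
  creds = parse_basic_auth(header)
  return nil unless creds
  login, password = creds
  expected = USERS[login]
  return nil unless expected && secure_compare(expected, password)
  login
end

# Render the key list in the same XML shape as the response quoted above.
# Key content is base64, so no XML escaping is needed here.
def render_keys(keys)
  items = keys.map do |k|
    "    <key>\n      <type>#{k[:type]}</type>\n      <content>#{k[:content]}</content>\n    </key>"
  end
  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n  <type>keys</type>\n" \
    "  <status>ok</status>\n  <messages/>\n  <data>\n#{items.join("\n")}\n  </data>\n</response>"
end

# "Before": the login in the header picks the account, but the password is never
# checked, so adietish:BADPASSWORD still gets 200 and the key list (the reported bug).
def keys_handler_vulnerable(env)
  creds = parse_basic_auth(env["HTTP_AUTHORIZATION"])
  return DENIED unless creds
  login, _unchecked_password = creds
  [200, render_keys(KEYS.fetch(login, []))]
end

# "After": credentials must verify before any user data is looked up or rendered.
def keys_handler_fixed(env)
  login = authenticate(env["HTTP_AUTHORIZATION"])
  return DENIED unless login
  [200, render_keys(KEYS.fetch(login, []))]
end

# Builds what curl --user "login:password" sends.
def basic_header(login, password)
  "Basic " + Base64.strict_encode64("#{login}:#{password}")
end

if __FILE__ == $0
  bad  = { "HTTP_AUTHORIZATION" => basic_header("adietish", "BADPASSWORD") }
  good = { "HTTP_AUTHORIZATION" => basic_header("adietish", "correct-horse-battery") }
  puts "vulnerable, bad password: #{keys_handler_vulnerable(bad).first}"  # 200
  puts "fixed, bad password:      #{keys_handler_fixed(bad).first}"       # 401
  puts "fixed, good password:     #{keys_handler_fixed(good).first}"      # 200
end
```

The point of the split into `authenticate` and the handler is that the fixed version never reaches `KEYS.fetch` without a verified login, so a regression test for this bug reduces to asserting that the bad-password request yields the 401 body and nothing from the key list; the same three requests, run against a real broker with curl as in the description, are the check QA repeated in Comment 2.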

Comment 1 Krishna Raman 2012-05-07 08:40:05 UTC
Cannot reproduce. Tested using mongo auth plugin.

Comment 2 Xiaoli Tian 2012-05-07 10:02:18 UTC
Verified it on devenv_1757:

Getting keys with an invalid password gives Access denied.

curl  -k -H "Accept: application/xml" --user "xtian+test5:1234"  https://ec2-23-21-38-176.compute-1.amazonaws.com/broker/rest/user/keys   -X GET
HTTP Basic: Access denied.

Getting keys with a valid password works.

  <data>
    <key>
      <type>ssh-rsa</type>
      <content>AAAAB3NzaC1yc2EAAAADAQABAAABAQDsZrfSp0DE9B3fUF1HAEheRbVHzvMUMrBhys3216KWfMIHWrAWsnPM582L9pxmbguylR+ZZjf6ccHgbuKg9GUCk479u+jjnwSbumu0kSsydFJkVdynRx/mnGVahv4NqucKZphKv/VnVD66/uUwBIM3E7d91Y/OMZw06TKw6/sD5+Zn3dx8j4RO6NjiaFkLd42uXN7Q5zPD8uVhczgGYzO5OLcUdKjf3sr8eiU1Pwlxz8Jv8fD4NU1b0jtYZeSfqDPWcO3YyYzIr3y6EkLbFsNdk7aZzRmfVp3jZZ3HqEd6RjIh2yazjzXJjNuNvtqIh02fOpXgcz5ghohQByBjt9Vd</content>
      <links>
        <link>