Bug 1122594 - Security policies are not applied to git operations
Summary: Security policies are not applied to git operations
Keywords:
Status: VERIFIED
Alias: None
Product: JBoss BRMS Platform 6
Classification: Retired
Component: Business Central
Version: 6.0.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ER3
Target Release: 6.1.0
Assignee: Alexandre Porcelli
QA Contact: Karel Suta
URL:
Whiteboard:
Depends On: 1175682
Blocks:
Reported: 2014-07-23 14:49 UTC by Anton Giertli
Modified: 2017-11-30 18:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Anton Giertli 2014-07-23 14:49:14 UTC
Description of problem:

You can execute git clone via ssh even with the user which has role 'user' assigned.

This directly contradicts the Role definition in
http://docs.jboss.org/jbpm/v6.0.1/userguide/wb.Workbench.html#wb.Roles

============
9.4.2.4. Business user

Daily user of the system to take actions on business tasks that are required for the processes to continue forward. Works primarily with the task lists.

Does process management
Handles tasks and dashboards
=========

I can easily push changes to the business assets even if I am only user/manager. This seems like a security policy violation.


Version-Release number of selected component (if applicable):
bpm 6.0.2

How reproducible:
always

Steps to Reproduce:
1. Create a user via ./add-user.sh, set role 'user'
2. git clone ssh://user@localhost:8001/repository1

Actual results:
It is possible to perform git operations such as ssh clone, add, commit, push with only the 'user' permission.

Expected results:
Role 'user' shouldn't have the possibility to perform operations like git clone and push via ssh, as it directly contradicts the documented role definition.

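A regression check for the behaviour described above, added here as an example and not part of the bug report or the product: it attempts a non-interactive `git clone` over SSH as one account per role and reports roles whose outcome differs from the policy recorded in Comment 5 (admin/analyst/developer allowed, user/manager refused). The host, port, repository name and the `bz-<role>` test accounts with placeholder passwords are assumptions.

```python
"""Regression check for BZ 1122594 (added example; host, port, repository
and test accounts are assumptions, adjust to the instance under test)."""
import os
import shlex
import stat
import subprocess
import tempfile

# Expected SSH clone policy per role, as recorded in Comment 5.
EXPECTED_POLICY = {"admin": True, "analyst": True, "developer": True,
                   "user": False, "manager": False}
# Constructed test accounts, one per role (create them with add-user.sh).
TEST_ACCOUNTS = {role: (f"bz-{role}", "CHANGE-ME") for role in EXPECTED_POLICY}
SSH_HOST, SSH_PORT, REPO = "localhost", 8001, "repository1"


def try_clone(username, password):
    """Attempt a non-interactive git clone over SSH; True if it succeeds."""
    with tempfile.TemporaryDirectory() as work:
        # ssh reads the password from SSH_ASKPASS when it has no tty and
        # DISPLAY is set; start_new_session detaches from our terminal.
        askpass = os.path.join(work, "askpass.sh")
        with open(askpass, "w") as fh:
            fh.write(f"#!/bin/sh\nprintf '%s\\n' {shlex.quote(password)}\n")
        os.chmod(askpass, stat.S_IRWXU)
        env = dict(os.environ, SSH_ASKPASS=askpass, DISPLAY=":0",
                   GIT_TERMINAL_PROMPT="0",
                   GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no "
                                   "-o PreferredAuthentications=password")
        url = f"ssh://{username}@{SSH_HOST}:{SSH_PORT}/{REPO}"
        try:
            proc = subprocess.run(["git", "clone", url, os.path.join(work, "c")],
                                  env=env, capture_output=True, timeout=60,
                                  start_new_session=True)
        except subprocess.TimeoutExpired:
            return False
        return proc.returncode == 0


def policy_violations(observed):
    """Roles whose observed clone outcome differs from EXPECTED_POLICY."""
    return sorted(r for r, allowed in EXPECTED_POLICY.items()
                  if observed.get(r) != allowed)


def run_check():
    """Clone as every test account and report roles violating the policy."""
    observed = {r: try_clone(*creds) for r, creds in TEST_ACCOUNTS.items()}
    return policy_violations(observed)
```

Calling `run_check()` against a running instance returns an empty list when the fix is in place; before the fix it lists `user` and `manager`.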
Comment 2 Alexandre Porcelli 2014-11-28 21:02:23 UTC
Fix pushed to master and 6.2.x

[kie-wb-common] 6.2.x http://github.com/droolsjbpm/kie-wb-common/commit/8a53e65e4
[kie-wb-common] master http://github.com/droolsjbpm/kie-wb-common/commit/47a5b0c4b

(still open as there's an issue on UF that basically doesn't use the new @IOSecurityAuthz instance)

Comment 3 Jonathan Fuerth 2014-11-28 22:49:22 UTC
The UF bug is now fixed on 0.5.0-SNAPSHOT:

https://github.com/uberfire/uberfire/commit/221158cf8ed0654267ef3258b7f106800fa55be4

Comment 4 Sona Mala 2015-01-14 09:25:50 UTC
I cannot verify this issue for 6.1.0 ER3. It seems that nobody can clone a repository from business central via ssh. It blocks the verification of the security policy.

I was able to connect via ssh in 6.1.0 ER2 without problem. For ER3, I have got the message which is described by BZ1175682.

Comment 5 Karel Suta 2015-03-09 10:04:28 UTC
Verified on 6.1.0.ER6
Admin, analyst or developer roles can clone repository using SSH.
User and manager roles cannot clone repository using SSH.
