1429590 – Managing repositories with their id via hammer does not respect the role filters

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1429590 - Managing repositories with their id via hammer does not respect the role filters

Summary: Managing repositories with their id via hammer does not respect the role filters

Keywords:
Status:	CLOSED DUPLICATE of bug 1410916
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Repositories
Sub Component:
Version:	6.2.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	Unspecified
Assignee:	Brad Buckingham
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2017-2662
TreeView+	depends on / blocked

Reported:	2017-03-06 16:20 UTC by Christian Marineau
Modified:	2019-06-13 21:25 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-11 16:07:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	18838	0	High	Duplicate	Managing repositories with their id via hammer does not respect the role filters	2020-08-27 10:35:42 UTC

Description Christian Marineau 2017-03-06 16:20:36 UTC

Description of problem:
After settings a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.

Version-Release number of selected component (if applicable):
6.2.7

How reproducible:
100%

Steps to Reproduce:
1. Have repositories from more than 1 Product, by example:
     Red Hat Enterprise Linux Server
     Red Hat Satellite
     Custom_Product 
   
   Optional -> You can also have 2 Organization and only allow 1 of them through the filter:
     MyOrg
     OtherOrg 

2. Create a new role "Custom_bug_role"

3. Create the following 2 filters for that role
   Filter 1
     Resource type: Organization
     Permission: view_organizations
     Search filter: name = "MyOrg"

   Filter 2
     Resource type: Product and Repositories
     Permission: view_products, edit_products, sync_products
     Search filter: name = "Red Hat Enterprise Linux Server"

4. Create a test user and assign the custom role
     Username: Test_bug_user
     Role: Custom_bug_role

5. With hammer, list the repository using the test user credentials
     A. Listing the repositories works as expected, only "Red Hat Enterprise Linux Server" repositories will be displayed:
       # hammer -u Test_bug_user -p testbug repository list --organization MyOrg
       [...]
       33 | Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.1           | Red Hat Enterprise Linux Server | yum
       27 | Red Hat Enterprise Linux 7 Server - Extras RPMs x86_64           | Red Hat Enterprise Linux Server | yum
       [...]
   
     B. Showing repository information using it's ID allows the user to see any repository (from any Product or any Organisation), this is not expected:
        # hammer -u Test_bug_user -p testbug repository info --id 62
          ID:                 62
          Name:               Custom_Repo
          Label:              Custom_Repo
          Organization:       OtherOrg
          Red Hat Repository: no
          Content Type:       yum
          [...]

     C. Uploading a package to a any repository is also possible using its ID (from any Product or any Organisation), this is not expected and it is a security issue:
        # hammer -u Test_bug_user -p testbug repository upload-content --id 62 --path test.rpm 
        Successfully uploaded file 'test.rpm'.

It seems like when we specify --product --name --organization, the permission are applied correctly. However, it looks like using their id bypass this.

Actual results:
When using repository id, we can show info from any repository and upload new package to them.

Expected results:
Have the role filters applied on the resource whether we are using the name or the id

Additional info:
This has been identity as a security issue by the customer, as unexpected user can alter the repository content.

Comment 2 Brad Buckingham 2017-03-08 14:51:21 UTC

Created redmine issue http://projects.theforeman.org/issues/18838 from this bug

Comment 3 Brad Buckingham 2017-03-08 15:12:59 UTC

Proposed PR upstream: https://github.com/Katello/katello/pull/6659

Comment 4 Djebran Lezzoum 2017-05-11 15:16:47 UTC

perhaps this has the same root cause with bug https://bugzilla.redhat.com/show_bug.cgi?id=1410916

Comment 5 Djebran Lezzoum 2017-05-11 16:07:19 UTC


*** This bug has been marked as a duplicate of bug 1410916 ***

Note You need to log in before you can comment on or make changes to this bug.