1729143 – Authorization bypasses when accessing task details

Bug 1729143 - Authorization bypasses when accessing task details

Summary: Authorization bypasses when accessing task details

Keywords:
Status:	CLOSED DUPLICATE of bug 1729149
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Tasks Plugin
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	Unspecified
Assignee:	Adam Ruzicka
QA Contact:	Jan Hutař
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-11 13:09 UTC by Adam Ruzicka
Modified:	2019-07-12 15:20 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-12 15:20:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	27275	0	None	None	None	2019-07-11 13:09:45 UTC

Description Adam Ruzicka 2019-07-11 13:09:44 UTC

A user who has no roles or permissions can still view task's details both through the web UI and through api, if the user knows the UUID of the task. I know UUIDs are tough to guess, but...

This was introduced in foreman-tasks@79a0e2cb5 [1], before this commit tasks were looked up through find_resource which performed authorization checks. After this change, permissions are bypassed.

Steps to reproduce:
1) Have foreman with foreman-tasks >= 0.7.8
2) Trigger a couple of tasks
3) Create a user, assign no roles to the user
4.1) As the user, visit $foreman/foreman_tasks/tasks/$UUID, where $UUID is UUID of a task from 2)
4.2) As the user, visit $foreman/foreman_tasks/tasks/$UUID/sub_tasks, where $UUID is UUID of a task from 2) which has sub tasks
4.3) As the user, perform get request against $foreman/foreman_tasks/api/tasks/$UUID

Actual result:
In the UI, task details are shown. For task with sub tasks, sub tasks are shown on an index-like page.
In the API, details are provided.

Expected result:
In the UI, permission denied page is shown.
In the API , the request fails with either 403 or 404.

<pre>
# curl -u user:changeme -k https://localhost/foreman_tasks/api/tasks/f4211c3e-467f-405e-a70c-980d6c4d4e0f 2>/dev/null | ruby -e "require 'json'; puts JSON.pretty_generate(JSON.parse(STDIN.read))"
{
  "id": "f4211c3e-467f-405e-a70c-980d6c4d4e0f",
  "label": "Actions::RemoteExecution::RunHostJob",
  "pending": false,
  "action": "Remote action: Run sleep 60 on helpful-snipe.lxd",
  "username": "admin",
  "started_at": "2019-07-10 12:21:44 UTC",
  "ended_at": "2019-07-10 12:22:50 UTC",
  "state": "stopped",
  "result": "success",
  "progress": 1.0,
  "input": {
    "host": {
      "id": 1,
      "name": "helpful-snipe.lxd"
    },
    "job_category": "Commands",
    "description": "Run sleep 60",
    "delegated_action_id": 2,
    "locale": "en",
    "current_request_id": null,
    "current_timezone": "Europe/Prague",
    "current_user_id": 4,
    "current_organization_id": 1,
    "current_location_id": 2
  },
  "output": {
  },
  "humanized": {
    "action": "Remote action:",
    "input": "Run sleep 60 on helpful-snipe.lxd",
    "output": "Exit status: 0",
    "errors": [

    ]
  },
  "cli_example": null
}
</pre>

[1] - https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d

Comment 1 Adam Ruzicka 2019-07-11 13:09:47 UTC

Created from redmine issue http://projects.theforeman.org/issues/27275

Comment 4 Bryan Kearney 2019-07-11 14:00:46 UTC

Upstream bug assigned to aruzicka

Comment 5 Bryan Kearney 2019-07-11 14:00:47 UTC

Upstream bug assigned to aruzicka

Comment 6 Brad Buckingham 2019-07-12 15:20:36 UTC


*** This bug has been marked as a duplicate of bug 1729149 ***

Note You need to log in before you can comment on or make changes to this bug.