Bug 1919979 - [RFE] Global Registration: Allow invalidating all JWT registration tokens for a user
Summary: [RFE] Global Registration: Allow invalidating all JWT registration tokens for...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Registration
Version: 6.9.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-25 13:59 UTC by Kenny Tordeurs
Modified: 2023-07-07 00:34 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 34246 0 Normal New Allow invalidating all JWT tokens for a user 2022-01-12 09:56:40 UTC
Red Hat Knowledge Base (Solution) 5767701 0 None None None 2021-02-02 16:45:59 UTC

Description Kenny Tordeurs 2021-01-25 13:59:13 UTC 
Description:
Need steps on how to invalidate a token that might have been generated with a very long expiration time.

Additional info:
A token was generated for a user with a lifetime of '9999999999999999999999999' 

Possible steps:
Disabling the user might be sufficient for disabling the token but this should be documented.
Comment 1 Marek Hulan 2021-02-02 15:57:18 UTC 
In 6.9, there won't be a built-in way, but we can provide a KCS with the following instructions to invalidate all user's JWTs. Let's assume there's a user with login admin who generated at least one registration command. Therefore it has a jwt_secret stored in our database that is used to decode/verify the token. To invalidate all registration commands (or more precisely all JWT ever generated for this user) perform the following.

On the Satellite server:
1. run `foreman-rake console`
2. User.find_by_login('admin').jwt_secret.destroy
3. you should see the JWT printed out and the console expecting another command, type `exit`

If you instead see NoMethodError: undefined method `destroy' for nil:NilClass, it means the user didn't have the JWT secret stored. Meaning they either didn't render any registration command or their secret was already deleted. For debugging purposes, you can simply run User.find_by_login('admin').jwt_secret and see if the secret exists or not. nil means it does not exist.

I'm keeping this open as an RFE for future versions though. In 6.10 the JWT will be scoped for registration purposes only, however we may still consider adding a way to reset the secret to the application. I'd suggest to backlog.

Kenny, would you be able to create such KCS based on the information provided here?
Comment 4 Kenny Tordeurs 2021-04-12 07:05:30 UTC 
KCS shipped live -> https://access.redhat.com/solutions/5767701
Comment 5 Leos Stejskal 2022-01-12 09:56:40 UTC 
Created redmine issue https://projects.theforeman.org/issues/34246 from this bug
Comment 6 Brad Buckingham 2022-09-02 20:25:18 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Comment 7 Brad Buckingham 2022-09-05 22:56:27 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Note You need to log in before you can comment on or make changes to this bug.