Bug 806326 - [REST API] keys may be queried even with invalid credentials
Summary: [REST API] keys may be queried even with invalid credentials
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Pod
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Krishna Raman
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-23 12:53 UTC by Andre Dietisheim
Modified: 2015-05-15 01:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-14 17:23:15 UTC
Target Upstream Version:



Description Andre Dietisheim 2012-03-23 12:53:17 UTC
You can GET a user's keys even with an invalid password:

curl -k -H "Accept: application/xml" --user "adietish:BADPASSWORD" https://openshift.redhat.com/broker/rest/user/keys -v

< HTTP/1.1 200 OK
< Date: Fri, 23 Mar 2012 12:50:52 GMT
< Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
< X-Runtime: 0.701383
< Cache-Control: max-age=0, private, must-revalidate
< X-UA-Compatible: IE=Edge,chrome=1
< ETag: "fdf594c569db32a4cefb930eb7c415e1"
< Status: 200
< Content-Type: application/xml; charset=utf-8
< Vary: Accept-Encoding,User-Agent
< ProxyTime: D=722319
< Connection: close
< Transfer-Encoding: chunked
< 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <type>keys</type>
  <status>ok</status>
  <messages/>
  <data>
    <key>
      <type>ssh-rsa</type>
      <content>AAAAB3NzaC1yc2EA

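A minimal handler for the keys endpoint that checks the HTTP Basic credentials before building any key data, together with the regression case from this report (wrong password must yield 401, not a 200 with keys). This is an added example, not the OpenShift broker's own code; the user store, salt, password and key content are constructed sample values.

```ruby
require 'base64'
require 'digest'
# Constructed sample user store and key store (demo only; a real broker would
# use a proper password hash such as bcrypt and a database-backed store).
SALT = 'demo-salt'
USERS = { 'adietish' => Digest::SHA256.hexdigest("#{SALT}:correct-horse") }
KEYS  = { 'adietish' => [{ type: 'ssh-rsa', content: 'AAAAB3NzaC1yc2EA...' }] }

# Parses an "Authorization: Basic <base64(user:pass)>" header.
# Returns [user, pass], or nil when the header is missing or malformed.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  begin
    decoded = Base64.strict_decode64(header[6..-1])
  rescue ArgumentError
    return nil
  end
  user, pass = decoded.split(':', 2)
  return nil if user.nil? || user.empty? || pass.nil?
  [user, pass]
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def credentials_valid?(user, pass)
  stored = USERS[user]
  return false if stored.nil?                       # unknown user: deny
  secure_equal?(Digest::SHA256.hexdigest("#{SALT}:#{pass}"), stored)
end

# GET /broker/rest/user/keys: authenticate first, then build the response.
# Returns [status, body]; the 401 body matches the wording seen in Comment 2.
def handle_keys_request(headers)
  creds = parse_basic_auth(headers['Authorization'])
  return [401, "HTTP Basic: Access denied.\n"] unless creds && credentials_valid?(*creds)
  keys_xml = KEYS.fetch(creds[0], []).map do |k|
    "    <key>\n      <type>#{k[:type]}</type>\n      <content>#{k[:content]}</content>\n    </key>\n"
  end.join
  [200, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n  <type>keys</type>\n" \
        "  <status>ok</status>\n  <messages/>\n  <data>\n#{keys_xml}  </data>\n</response>\n"]
end

# Builds the header curl sends for --user "user:pass".
def basic_header(user, pass)
  'Basic ' + Base64.strict_encode64("#{user}:#{pass}")
end
```
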
Comment 1 Krishna Raman 2012-05-07 08:40:05 UTC
Can not reproduce. Tested using mongo auth plugin.

Comment 2 Xiaoli Tian 2012-05-07 10:02:18 UTC
Verified it on devenv_1757:

Get keys with an invalid password; you will get Access denied.

curl  -k -H "Accept: application/xml" --user "xtian+test5:1234"  https://ec2-23-21-38-176.compute-1.amazonaws.com/broker/rest/user/keys   -X GET
HTTP Basic: Access denied.

Get keys with a valid password, and it works.

  <data>
    <key>
      <type>ssh-rsa</type>
      <content>AAAAB3NzaC1yc2EAAAADAQABAAABAQDsZrfSp0DE9B3fUF1HAEheRbVHzvMUMrBhys3216KWfMIHWrAWsnPM582L9pxmbguylR+ZZjf6ccHgbuKg9GUCk479u+jjnwSbumu0kSsydFJkVdynRx/mnGVahv4NqucKZphKv/VnVD66/uUwBIM3E7d91Y/OMZw06TKw6/sD5+Zn3dx8j4RO6NjiaFkLd42uXN7Q5zPD8uVhczgGYzO5OLcUdKjf3sr8eiU1Pwlxz8Jv8fD4NU1b0jtYZeSfqDPWcO3YyYzIr3y6EkLbFsNdk7aZzRmfVp3jZZ3HqEd6RjIh2yazjzXJjNuNvtqIh02fOpXgcz5ghohQByBjt9Vd</content>
      <links>
        <link>

