Bug 815757 - User without proper permissions can identify invalid resources in ResourceManager.getXX
Status: CLOSED WONTFIX
Product: JBoss Operations Network
Classification: JBoss
Component: CLI
Version: JON 3.1.0
Hardware/OS: Unspecified / Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: JON 3.2.0
Assigned To: RHQ Project Maintainer
QA Contact: Mike Foley
Reported: 2012-04-24 09:03 EDT by Viet Nguyen
Modified: 2013-10-17 12:10 EDT

Doc Type: Bug Fix
Clone Of: 802504
Last Closed: 2013-10-17 12:10:21 EDT


Attachments:
test case (324 bytes, text/javascript), 2012-04-24 09:11 EDT, Viet Nguyen
Description Viet Nguyen 2012-04-24 09:03:16 EDT
How reproducible:
always

Steps to Reproduce:
1. Create a user without any roles.
2. Log in.
3. Call ResourceManager.getResource(0).

Actual results:
ResourceNotFoundException: A Resource with id 0 does not exist in inventory

Expected results:
PermissionException

Additional info:
Comment 1 Viet Nguyen 2012-04-24 09:11:05 EDT
Created attachment 579849
test case
Comment 2 Mike Foley 2012-04-30 12:02:17 EDT
triaged 4/30/2012 by loleary, ccrouch, mfoley
Comment 3 Jay Shaughnessy 2013-10-14 17:16:25 EDT

Suggest this be closed, it's working as expected.  It is not a permission exception to try and view a resource.  Everyone has view privilege.  If you can't actually see it then it is basically a ResourceNotFound, whether it exists or not.
Comment 4 Heiko W. Rupp 2013-10-16 04:30:50 EDT
While I tend to close this, I can see Viet's point.
This is with a user that only has access rights to a group of 2 resources:

test@localhost:7080$ ResourceManager.getResource(0)
org.rhq.enterprise.server.resource.ResourceNotFoundException: [Warning] A Resource with id 0 does not exist in inventory.
ResourceManager.getResource(0)
^

test@localhost:7080$ ResourceManager.getResource(10001)
org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=test]] does not have permission to view resource [10001]
ResourceManager.getResource(10001)
^

Here resource with id 0 does not exist, while the user can't access the one with 10001.
In scenarios like username/password, the rule is, e.g., not to expose on login failure whether the username is valid or not, so that an attacker can't use that information to narrow the attack path.

In above example, we might internally catch the PermissionException and return a ResourceNotFound one. 

But then that will probably break existing scripts.
Comment 5 Jay Shaughnessy 2013-10-17 12:10:21 EDT
I see the semantic difference as well.  Although given that this is not a customer issue and changing the behavior could be interpreted as an API breakage, I'm closing as Won't Fix.
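The two behaviours Heiko contrasts in Comment 4, and the existence oracle the shipped one hands to an unprivileged caller, as an added model in JavaScript (the language the RHQ CLI scripts, like the attached test case, are written in). This is not RHQ/JON code: the in-memory inventory, the subject names, the grant table and the functions getResourceLeaky, getResourceUniform, probe and hiddenButConfirmed are constructed for illustration; only the exception names and message shapes follow the CLI output quoted above.

```javascript
// Added example, not RHQ/JON code. Models ResourceManager.getResource as
// discussed in this bug: the shipped behaviour (distinct exceptions) and the
// variant suggested in Comment 4 (permission denial folded into not-found).

class ResourceNotFoundException extends Error {
  constructor(id) {
    super(`A Resource with id ${id} does not exist in inventory.`);
    this.name = 'ResourceNotFoundException';
  }
}

class PermissionException extends Error {
  constructor(subject, id) {
    super(`User [${subject}] does not have permission to view resource [${id}]`);
    this.name = 'PermissionException';
  }
}

// Constructed inventory: three resources exist; the "test" subject may view
// only two of them, the "admin" subject may view all (stand-in for authz).
const INVENTORY = new Map([
  [10001, { name: 'platform-a' }],
  [10002, { name: 'jboss-eap' }],
  [10003, { name: 'postgres' }],
]);
const VIEW_GRANTS = {
  test: new Set([10002, 10003]),
  admin: new Set(INVENTORY.keys()),
};

function canView(subject, id) {
  return (VIEW_GRANTS[subject] || new Set()).has(id);
}

// Shipped behaviour (Comment 4 transcript): "does not exist" and "no permission"
// are reported with different exception types, so the type alone tells the
// caller whether the id is allocated.
function getResourceLeaky(subject, id) {
  const resource = INVENTORY.get(id);
  if (!resource) throw new ResourceNotFoundException(id);
  if (!canView(subject, id)) throw new PermissionException(subject, id);
  return resource;
}

// Suggested behaviour: catch the PermissionException internally and surface a
// ResourceNotFoundException instead, so unviewable and nonexistent look alike.
function getResourceUniform(subject, id) {
  try {
    return getResourceLeaky(subject, id);
  } catch (e) {
    if (e instanceof PermissionException) throw new ResourceNotFoundException(id);
    throw e;
  }
}

// What a caller learns per id: 'visible' or the name of the exception raised.
function probe(getResource, subject, ids) {
  const seen = {};
  for (const id of ids) {
    try {
      getResource(subject, id);
      seen[id] = 'visible';
    } catch (e) {
      seen[id] = e.name;
    }
  }
  return seen;
}

// The oracle: ids the caller cannot view but can still prove exist. With the
// leaky variant this enumerates hidden resources; with the uniform one it is empty.
function hiddenButConfirmed(getResource, subject, ids) {
  return ids.filter((id) => probe(getResource, subject, [id])[id] === 'PermissionException');
}
```

Note the cost Comment 5 weighs: any existing CLI script that catches PermissionException to distinguish "denied" from "missing" would stop seeing it with the uniform variant, which is the API breakage cited for closing as Won't Fix.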