Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 896074

Summary:	CLI - user without access can call "system remove_deletion" command.
Product:	Red Hat Satellite	Reporter:	Hayk Hovsepyan <hhovsepy>
Component:	Hammer	Assignee:	Adam Price <adprice>
Status:	CLOSED DUPLICATE	QA Contact:	Katello QA List <katello-qa-list>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	Nightly	CC:	jomara, jsherril, kseifried, lzap, mmccune, omaciel
Target Milestone:	Unspecified	Keywords:	Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-08-03 05:12:29 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	991318

Description Hayk Hovsepyan 2013-01-16 15:00:32 UTC

Description of problem:
When user without remove system permissions calls CLI command "system remove_deletion", it finishes successfully without any warning.

Version-Release number of selected component (if applicable):
katello-glue-candlepin-1.3.3-1.git.9.9377ddb.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-repos-1.3.2-1.el6.noarch
katello-configure-1.3.3-1.git.5.0f1d8f6.el6.noarch
katello-glue-foreman-1.3.3-1.git.9.9377ddb.el6.noarch
katello-agent-1.1.3-1.el6.noarch
katello-selinux-1.3.1-1.el6.noarch
katello-1.3.3-1.git.9.9377ddb.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-cli-1.3.3-1.el6.noarch
katello-certs-tools-1.1.9-1.el6.noarch
katello-common-1.3.3-1.git.9.9377ddb.el6.noarch
katello-glue-pulp-1.3.3-1.git.9.9377ddb.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-common-1.3.3-1.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.Register a new system.
2.Create a user without rights to remove system (org or global).
3.From UI delete that system by admin user.
4.In CLI, call "system remove_deletion" command by newly created user. You will see that no error message is shown and system is removed, which is bug.
  
Actual results:
System is removed when user has not permissions to remove it.

Expected results:
Error message should be thrown indicating that current user has not permission to call that command.

Comment 1 Lukas Zapletal 2013-01-22 12:14:41 UTC

Ok, this is the test we do in Katello:

      when :api_proxy_consumer_deletionrecord_delete_path
        if !User.consumer?
          consumer_gone, consumer_live = false
          begin
            Resources::Candlepin::Consumer.get params[:id] # check with candlepin if system is Gone, raises RestClient::Gone
            # a 200 means the system exists. the deletion record wont exist, but its
            # not a permissions error
            consumer_live = true
          rescue RestClient::Gone
            # the correct response is a 410, since the system has been deleted
            consumer_gone = true
          end
        end
        User.consumer? || consumer_gone || consumer_live

Obviously we pass non-consumer users which is a security issue (consumer_live is true).

@Jordan - can you please guide me what was the idea behind consumer_live variable?

Comment 2 Jordan OMara 2013-01-22 15:29:33 UTC

This code was modified to allow non-consumer access to the deletion record; IE letting a user directly remove a system's deletion record

the consumer_live means the system is currently active; consumer_gone means the system has been deleted (and thus should have a deletion record)

I think the issue is that if the user is NOT a consumer, we need to perform an additional check

1. load katello system object based on candlepin id,
2. ensure "system.editable?" for that system

Something like:

User.consumer? || (system.editable? && (consumer_gone || consumer_live))

Comment 3 Lukas Zapletal 2013-01-23 15:26:15 UTC

Nice catch!

Fixed:

https://github.com/Katello/katello/pull/1449

[root@bb ~]# katello --user nobody --pass nobody system remove_deletion --uuid d6e48043-46f1-4ee1-9eab-b4923a92a55b
User nobody is not allowed to access api/candlepin_proxies/delete

Comment 4 Hayk Hovsepyan 2013-01-29 16:29:08 UTC

Now for katello latest build when "admin" calls that command it says: "User admin is not allowed to access api/candlepin_proxies/delete".
Should not "Admin" user still have access to call "system remove_deletion"?

Comment 5 Hayk Hovsepyan 2013-04-16 09:27:12 UTC

Tested on revision:
katello-qpid-broker-key-pair-1.0-1.noarch
katello-all-1.4.1-1.git.9.ff9a101.el6.noarch
katello-repos-1.4.1-1.el6.noarch
katello-certs-tools-1.4.1-1.el6.noarch
katello-configure-1.4.1-1.el6.noarch
katello-glue-candlepin-1.4.1-1.git.9.ff9a101.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-1.4.1-1.el6.noarch
katello-selinux-1.4.1-1.el6.noarch
katello-glue-pulp-1.4.1-1.git.9.ff9a101.el6.noarch
katello-agent-1.4.1-1.el6.noarch
katello-glue-elasticsearch-1.4.1-1.git.9.ff9a101.el6.noarch
katello-1.4.1-1.git.9.ff9a101.el6.noarch
katello-cli-common-1.4.1-1.el6.noarch
katello-common-1.4.1-1.git.9.ff9a101.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch

The main bug still exists:
1.Register a new system.
2.Create a user without rights to remove system (org or global).
3.Unregister that system.
4.In CLI, call "system remove_deletion" command by newly created user. You will see that no error message is shown and system is removed, which is bug.

Comment 7 Adam Price 2013-07-29 21:29:22 UTC

https://github.com/Katello/katello/pull/2695

Comment 8 Kurt Seifried 2013-08-03 05:12:29 UTC

CLosing of duplicate of the tool generated tracking bugs (will create less problems then trying to convert this bug to a tracker).

*** This bug has been marked as a duplicate of bug 991634 ***