Bug 896074
| Summary: | CLI - user without access can call "system remove_deletion" command. | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Hayk Hovsepyan <hhovsepy> |
| Component: | Hammer | Assignee: | Adam Price <adprice> |
| Status: | CLOSED DUPLICATE | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | Nightly | CC: | jomara, jsherril, kseifried, lzap, mmccune, omaciel |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-08-03 05:12:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 991318 | | |
Description
Hayk Hovsepyan
2013-01-16 15:00:32 UTC
Ok, this is the test we do in Katello:
```ruby
when :api_proxy_consumer_deletionrecord_delete_path
  if !User.consumer?
    # note: this parallel assignment leaves consumer_gone = false and consumer_live = nil
    consumer_gone, consumer_live = false
    begin
      # check with candlepin if system is Gone, raises RestClient::Gone
      Resources::Candlepin::Consumer.get params[:id]
      # a 200 means the system exists. the deletion record won't exist, but it's
      # not a permissions error
      consumer_live = true
    rescue RestClient::Gone
      # the correct response is a 410, since the system has been deleted
      consumer_gone = true
    end
  end
  User.consumer? || consumer_gone || consumer_live
```
Obviously we pass non-consumer users, which is a security issue (consumer_live is true).
@Jordan - can you please guide me on what the idea behind the consumer_live variable was?
This code was modified to allow non-consumer access to the deletion record, i.e. letting a user directly remove a system's deletion record. consumer_live means the system is currently active; consumer_gone means the system has been deleted (and thus should have a deletion record). I think the issue is that if the user is NOT a consumer, we need to perform an additional check:
1. load the Katello system object based on the Candlepin id,
2. ensure "system.editable?" for that system.
Something like:
User.consumer? || (system.editable? && (consumer_gone || consumer_live))

Nice catch! Fixed: https://github.com/Katello/katello/pull/1449

```
[root@bb ~]# katello --user nobody --pass nobody system remove_deletion --uuid d6e48043-46f1-4ee1-9eab-b4923a92a55b
User nobody is not allowed to access api/candlepin_proxies/delete
```

Now for the katello latest build, when "admin" calls that command it says: "User admin is not allowed to access api/candlepin_proxies/delete". Shouldn't the "Admin" user still have access to call "system remove_deletion"?
Tested on revision:
katello-qpid-broker-key-pair-1.0-1.noarch
katello-all-1.4.1-1.git.9.ff9a101.el6.noarch
katello-repos-1.4.1-1.el6.noarch
katello-certs-tools-1.4.1-1.el6.noarch
katello-configure-1.4.1-1.el6.noarch
katello-glue-candlepin-1.4.1-1.git.9.ff9a101.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-1.4.1-1.el6.noarch
katello-selinux-1.4.1-1.el6.noarch
katello-glue-pulp-1.4.1-1.git.9.ff9a101.el6.noarch
katello-agent-1.4.1-1.el6.noarch
katello-glue-elasticsearch-1.4.1-1.git.9.ff9a101.el6.noarch
katello-1.4.1-1.git.9.ff9a101.el6.noarch
katello-cli-common-1.4.1-1.el6.noarch
katello-common-1.4.1-1.git.9.ff9a101.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch

The main bug still exists:
1. Register a new system.
2. Create a user without rights to remove the system (org or global).
3. Unregister that system.
4. In the CLI, call the "system remove_deletion" command as the newly created user.
You will see that no error message is shown and the system is removed, which is a bug.

Closing as a duplicate of the tool-generated tracking bugs (will create fewer problems than trying to convert this bug to a tracker).

*** This bug has been marked as a duplicate of bug 991634 ***
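As an added illustration (not Katello's code), the following Ruby models the check quoted in the description next to the hardened form proposed in the thread, with stand-ins for User, the Candlepin consumer lookup and the system's editable? check; the UUIDs and user names are constructed.

```ruby
# Added example, not Katello's code: a self-contained model of the check from
# the report. User, the Candlepin lookup and the system catalogue are stand-ins.
module RestClient; class Gone < StandardError; end; end

# Constructed Candlepin state: 'live-uuid' still registered, 'gone-uuid' deleted.
CANDLEPIN = { 'live-uuid' => :live, 'gone-uuid' => :gone }.freeze
# Constructed Katello systems: users allowed to edit each one (system.editable?).
EDITORS = { 'live-uuid' => %w[admin], 'gone-uuid' => %w[admin] }.freeze

User = Struct.new(:name, :consumer) do
  def consumer?; consumer; end
end

def candlepin_get(uuid)
  state = CANDLEPIN.fetch(uuid) { raise "unknown consumer #{uuid}" }
  raise RestClient::Gone if state == :gone   # Candlepin answers 410 for deleted systems
  true                                       # 200: the system is still registered
end

# Probe Candlepin the way the quoted code does; returns [gone, live].
def probe(uuid)
  candlepin_get(uuid)
  [false, true]
rescue RestClient::Gone
  [true, false]
end

# Vulnerable check as quoted: existence of the system is mistaken for permission.
def vulnerable_allowed?(user, uuid)
  return true if user.consumer?
  gone, live = probe(uuid)
  gone || live
end

# Hardened check along the lines of the suggestion in the thread: a non-consumer
# caller must also be allowed to edit the Katello system record.
def hardened_allowed?(user, uuid)
  return true if user.consumer?
  gone, live = probe(uuid)
  editable = EDITORS.fetch(uuid, []).include?(user.name)
  editable && (gone || live)
end

if __FILE__ == $PROGRAM_NAME
  nobody = User.new('nobody', false)
  puts "vulnerable: #{vulnerable_allowed?(nobody, 'gone-uuid')}"  # true
  puts "hardened:   #{hardened_allowed?(nobody, 'gone-uuid')}"    # false
end
```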