Fixes #15490 - adding view_host filter and improving error messages #2428
Conversation
| @@ -317,7 +317,7 @@ | |||
| :externalNodes, :pxe_config, :storeconfig_klasses, :auto_complete_search, :bmc, | |||
| :runtime, :resources, :templates, :overview, :nics], | |||
| :dashboard => [:OutOfSync, :errors, :active], | |||
| :unattended => [:template, :provision], | |||
| :unattended => [:template, :provision] + TemplateKind.all.map(&:name).map(&:to_sym), | |||
There was a problem hiding this comment.
avoid double map, TemplateKind.all.map { |kind| kind.name.to_sym }
There was a problem hiding this comment.
also I'd prefer using some hard list (maybe just put this into constant https://github.com/theforeman/foreman/blob/develop/db/seeds.d/07-config_templates.rb#L9),
- one reason is that if plugin introduces new kind it should also map it's own permission, this would allow to review any custom template kind with view_host permission
- second is that this is required in initializer https://github.com/theforeman/foreman/blob/develop/config/initializers/foreman.rb#L1 and it's good to avoid using AR there
|
In redmine issue you've mentioned |
|
Yeah, changed my mind because it looks like |
lzap
force-pushed
the
unattended-perms-10689
branch
from
ea3fd32
to
36d0f89
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
|
Fixed, what you think? |
lzap
force-pushed
the
unattended-perms-10689
branch
from
36d0f89
to
ef1bdb1
Compare
|
Fixed failing tests. FYI these were expecting incorrect behavior. If you test this, the controller errors out with "Undefined method: layout" error because actually layout is not usable with this particular controller. |
| @@ -312,12 +312,13 @@ | |||
| pc_ajax_actions = [:parameters] | |||
| subnets_ajax_actions = [:freeip] | |||
| tasks_ajax_actions = [:show] | |||
| template_kinds = [:PXELinux, :PXEGrub, :iPXE, :provision, :finish, :script, :user_data, :ZTP] | |||
There was a problem hiding this comment.
could you deduplicate this list? https://github.com/theforeman/foreman/blob/develop/db/seeds.d/07-config_templates.rb#L9
just put it into a constant somewhere in TemplateKind and use it in both places?
|
Other than the duplication issue seems all right, I'll continue with testing when it's resolved. |
|
@lzap bump? |
lzap
force-pushed
the
unattended-perms-10689
branch
from
ef1bdb1
to
a344b46
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
|
Done! diff --git a/app/models/template_kind.rb b/app/models/template_kind.rb
index 7c1e5a9..d647c1c 100644
--- a/app/models/template_kind.rb
+++ b/app/models/template_kind.rb
@@ -6,4 +6,8 @@ class TemplateKind < ActiveRecord::Base
has_many :os_default_templates
validates :name, :presence => true, :uniqueness => true
scoped_search :on => :name
+
+ def self.predefined
+ [:PXELinux, :PXEGrub, :iPXE, :provision, :finish, :script, :user_data, :ZTP]
+ end
end
diff --git a/app/services/foreman/access_permissions.rb b/app/services/foreman/access_permissions.rb
index a732de6..9b4488a 100644
--- a/app/services/foreman/access_permissions.rb
+++ b/app/services/foreman/access_permissions.rb
@@ -318,13 +318,12 @@ Foreman::AccessControl.map do |permission_set|
pc_ajax_actions = [:parameters]
subnets_ajax_actions = [:freeip]
tasks_ajax_actions = [:show]
- template_kinds = [:PXELinux, :PXEGrub, :iPXE, :provision, :finish, :script, :user_data, :ZTP]
map.permission :view_hosts, {:hosts => [:index, :show, :errors, :active, :out_of_sync, :disabled, :pending, :vm,
:externalNodes, :pxe_config, :storeconfig_klasses, :auto_complete_search, :bmc,
:runtime, :resources, :templates, :overview, :nics],
:dashboard => [:OutOfSync, :errors, :active],
- :unattended => [:template, :provision] + template_kinds,
+ :unattended => [:template, :provision] + TemplateKind.predefined,
:"api/v1/hosts" => [:index, :show, :status],
:"api/v2/hosts" => [:index, :show, :status, :vm_compute_attributes],
:"api/v2/interfaces" => [:index, :show], |
|
Could you please also use |
|
Why did you choose to use class method instead of constant? This will be harder to extend if we need it (only with alias_method_chain), if it was an array in constant, one could push to that array. |
|
Right, added and rebased on top of develop. |
|
On re-reviewing this, it seems the issue has already been fixed in b1997f5 when I refactored the controller in the same way that was suggested in the #10689 comments. Previewing templates as a non-admin user works fine. It does though mean we're vulnerable in develop to the security issue I mentioned at #2428 (comment), so this needs addressing. I've filed this as http://projects.theforeman.org/issues/15490, and updated foreman-security + requested a CVE. What I'd like to do is:
Sorry for the ticket change, but I'd like to be absolutely clear about what this is fixing. |
| @@ -351,7 +351,7 @@ | |||
| :externalNodes, :pxe_config, :storeconfig_klasses, :auto_complete_search, :bmc, | |||
| :runtime, :resources, :templates, :overview, :nics], | |||
| :dashboard => [:OutOfSync, :errors, :active], | |||
| :unattended => [:host_template, :hostgroup_template], | |||
| :unattended => [:host_template, :hostgroup_template] + TemplateKind.default_template_labels.keys.collect(&:to_sym), | |||
There was a problem hiding this comment.
This shouldn't be necessary now, since the action is always going to be either :host_template or :hostgroup_template - the routing changed in b1997f5 to route the template kinds to a single action.
|
I'd like to add, that given the security issue, please let me know if you don't plan to update this PR to fix it and instead, I'll patch it myself - rather than leave it months again. |
|
@lzap if you could please update this soon to fix the security issue, or let me know if you don't plan to. |
|
@domcleal had a huge github backlog and noticed just now. I can start tomorrow with this. |
lzap
changed the title
lzap
force-pushed
the
unattended-perms-10689
branch
from
8811e1d
to
991c3e9
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
lzap
force-pushed
the
unattended-perms-10689
branch
from
991c3e9
to
cd5ab4d
Compare
|
There were the following issues with the commit message:
If you don't have a ticket number, please create an issue in Redmine, selecting the appropriate project. More guidelines are available in Coding Standards or on the Foreman wiki. This message was auto-generated by Foreman's prprocessor |
|
Amended all your last comments, rebased and pushed. |
Users who are logged in with permissions to view some hosts are able to preview provisioning templates for any host by specifying its hostname in the URL, as the specific view_hosts permissions and filters aren't checked. If the organization or location features are enabled, the user will still be restricted to their associated orgs/locs. This can disclose configuration information about the host, including root password hashes if used in preseed/kickstart templates.
lzap
force-pushed
the
unattended-perms-10689
branch
from
cd5ab4d
to
8fcf31a
Compare
theforeman-bot
added
Needs re-review
Needs testing
and removed
Waiting on contributor
labels
Fixing both missing permissions and incorrect error message.