Fixes #32257 - use trusted hosts to authorize clients #80
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Wait, isn't this effectlively allowing all of the endpoints defined in here to be only accessible by Foreman? note that managed hosts upload their reports These still needs to be accessible by anyone with valid certificate (issued by trusted CA) |
|
Yes, exactly what @ares said: Either the verification with trusted hosts needs to ignore the endpoints for client or we could move the endpoints for a client into a separate file. |
Yes, I was hoping that @xprazak2 can guide me on which endpoints need to be authorized like that. Is there some key I can use? Perhaps I can lookup all calls that OpenSCAP plugin does and add trusted hosts: https://github.com/theforeman/foreman_openscap/tree/master/app/lib/proxy_api I hope there are no endpoints shared by both clients and Foreman. |
|
After spending some time, I think that client nodes only use I am unable to run tests locally for some reason, a weird error appears and I am not sure what rake is trying to tell me: |
lzap
force-pushed
the
cve-trusted-hosts-32257
branch
2 times, most recently
from
d9063d0
to
00db9e3
Compare
|
Its very unfortunate but Rack does not allow mapping via regular expression and since |
xprazak2
reviewed
Apr 15, 2021
| @@ -25,6 +25,13 @@ class Api < ::Sinatra::Base | |||
| include ::Proxy::Log | |||
| helpers ::Proxy::Helpers | |||
| authorize_with_ssl_client | |||
| CLIENT_PATHS = Rexexp.compile(%r{/arf/\d+}) | |||
There was a problem hiding this comment.
I cannot get tests running locally :-(
There was a problem hiding this comment.
I had:
rake test
/usr/local/rvm/rubies/ruby-2.7.2/bin/ruby -w -I"lib:.:lib:test" /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb "test/fetch_scap_api_test.rb" "test/fetch_tailoring_api_test.rb" "test/get_report_xml_html_test.rb" "test/post_report_api_test.rb" "test/scap_content_parser_api_test.rb" "test/script_class_test.rb" "test/spool_forwarder_test.rb"
/root/smart_proxy_openscap/lib/smart_proxy_openscap/fetch_file.rb:56: warning: method redefined; discarding old clean_store_folder
/root/smart_proxy_openscap/lib/smart_proxy_openscap/fetch_file.rb:23: warning: previous definition of clean_store_folder was here
/root/smart_proxy_openscap/lib/smart_proxy_openscap/content_parser.rb:18: warning: assigned but unused variable - e
/root/smart_proxy_openscap/lib/smart_proxy_openscap/profiles_parser.rb:25: warning: assigned but unused variable - result
Traceback (most recent call last):
14: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:5:in `<main>'
13: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:5:in `select'
12: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:17:in `block in <main>'
11: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:17:in `require'
10: from /root/smart_proxy_openscap/test/script_class_test.rb:2:in `<top (required)>'
9: from /root/smart_proxy_openscap/test/script_class_test.rb:2:in `require'
8: from /root/smart_proxy_openscap/lib/smart_proxy_openscap/arf_html.rb:1:in `<top (required)>'
7: from /root/smart_proxy_openscap/lib/smart_proxy_openscap/arf_html.rb:1:in `require'
6: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap.rb:3:in `<top (required)>'
5: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap.rb:3:in `require'
4: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap/openscap.rb:5:in `<top (required)>'
3: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap/openscap.rb:7:in `<module:OpenSCAP>'
2: from /usr/local/rvm/gems/ruby-2.7.2/gems/ffi-1.15.0/lib/ffi/library.rb:99:in `ffi_lib'
1: from /usr/local/rvm/gems/ruby-2.7.2/gems/ffi-1.15.0/lib/ffi/library.rb:99:in `map'
/usr/local/rvm/gems/ruby-2.7.2/gems/ffi-1.15.0/lib/ffi/library.rb:145:in `block in ffi_lib': Could not open library 'libopenscap.so.8': libopenscap.so.8: cannot open shared object file: No such file or directory. (LoadError)
Could not open library 'libopenscap.so.25': libopenscap.so.25: cannot open shared object file: No such file or directory.
Could not open library 'openscap': openscap: cannot open shared object file: No such file or directory.
Could not open library 'libopenscap.so': libopenscap.so: cannot open shared object file: No such file or directory
rake aborted!
Command failed with status (1): [ruby -w -I"lib:.:lib:test" /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb "test/fetch_scap_api_test.rb" "test/fetch_tailoring_api_test.rb" "test/get_report_xml_html_test.rb" "test/post_report_api_test.rb" "test/scap_content_parser_api_test.rb" "test/script_class_test.rb" "test/spool_forwarder_test.rb" ]
/usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/exe/rake:27:in `<top (required)>'
/usr/local/rvm/gems/ruby-2.7.2/bin/ruby_executable_hooks:24:in `eval'
/usr/local/rvm/gems/ruby-2.7.2/bin/ruby_executable_hooks:24:in `<main>'
Tasks: TOP => test
(See full trace by running task with --trace)
yum install openscap helped.
|
Additional endpoints that client needs to access are the ones for downloading content file and tailoring file. |
lzap
force-pushed
the
cve-trusted-hosts-32257
branch
from
00db9e3
to
3999f6b
Compare
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
https://access.redhat.com/security/cve/CVE-2021-20290