Fixes #32257 - use trusted hosts to authorize clients #80
Conversation
Wait, isn't this effectively allowing all of the endpoints defined in here to be only accessible by Foreman? note that managed hosts upload their reports. These still need to be accessible by anyone with a valid certificate (issued by a trusted CA).
Yes, exactly what @ares said:
Either the verification with trusted hosts needs to ignore the endpoints for client or we could move the endpoints for a client into a separate file.
Yes, I was hoping that @xprazak2 can guide me on which endpoints need to be authorized like that. Is there some key I can use? Perhaps I can look up all calls that the OpenSCAP plugin does and add trusted hosts: https://github.com/theforeman/foreman_openscap/tree/master/app/lib/proxy_api I hope there are no endpoints shared by both clients and Foreman.
After spending some time, I think that client nodes only use I am unable to run tests locally for some reason, a weird error appears and I am not sure what rake is trying to tell me:
d9063d0 to 00db9e3
It's very unfortunate, but Rack does not allow mapping via regular expression and since
@@ -25,6 +25,13 @@ class Api < ::Sinatra::Base | |||
include ::Proxy::Log | |||
helpers ::Proxy::Helpers | |||
authorize_with_ssl_client | |||
CLIENT_PATHS = Rexexp.compile(%r{/arf/\d+}) |
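Review bot: `Rexexp` on the added `CLIENT_PATHS` line is a typo for `Regexp`, so evaluating the class body raises NameError and the API (and every test that requires it) fails to load; `%r{/arf/\d+}` is already a Regexp literal, so `Regexp.compile` is redundant and `CLIENT_PATHS = %r{\A/arf/\d+\z}` would do. Anchoring is worth adding while fixing this: unanchored, any path that merely contains `/arf/<digits>` is classified as a client endpoint and skips the trusted-hosts check this PR introduces for the Foreman-only routes.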
Should it be Regexp?
I cannot get tests running locally :-(
I had:
rake test
/usr/local/rvm/rubies/ruby-2.7.2/bin/ruby -w -I"lib:.:lib:test" /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb "test/fetch_scap_api_test.rb" "test/fetch_tailoring_api_test.rb" "test/get_report_xml_html_test.rb" "test/post_report_api_test.rb" "test/scap_content_parser_api_test.rb" "test/script_class_test.rb" "test/spool_forwarder_test.rb"
/root/smart_proxy_openscap/lib/smart_proxy_openscap/fetch_file.rb:56: warning: method redefined; discarding old clean_store_folder
/root/smart_proxy_openscap/lib/smart_proxy_openscap/fetch_file.rb:23: warning: previous definition of clean_store_folder was here
/root/smart_proxy_openscap/lib/smart_proxy_openscap/content_parser.rb:18: warning: assigned but unused variable - e
/root/smart_proxy_openscap/lib/smart_proxy_openscap/profiles_parser.rb:25: warning: assigned but unused variable - result
Traceback (most recent call last):
14: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:5:in `<main>'
13: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:5:in `select'
12: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:17:in `block in <main>'
11: from /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb:17:in `require'
10: from /root/smart_proxy_openscap/test/script_class_test.rb:2:in `<top (required)>'
9: from /root/smart_proxy_openscap/test/script_class_test.rb:2:in `require'
8: from /root/smart_proxy_openscap/lib/smart_proxy_openscap/arf_html.rb:1:in `<top (required)>'
7: from /root/smart_proxy_openscap/lib/smart_proxy_openscap/arf_html.rb:1:in `require'
6: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap.rb:3:in `<top (required)>'
5: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap.rb:3:in `require'
4: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap/openscap.rb:5:in `<top (required)>'
3: from /usr/local/rvm/gems/ruby-2.7.2/gems/openscap-0.4.9/lib/openscap/openscap.rb:7:in `<module:OpenSCAP>'
2: from /usr/local/rvm/gems/ruby-2.7.2/gems/ffi-1.15.0/lib/ffi/library.rb:99:in `ffi_lib'
1: from /usr/local/rvm/gems/ruby-2.7.2/gems/ffi-1.15.0/lib/ffi/library.rb:99:in `map'
/usr/local/rvm/gems/ruby-2.7.2/gems/ffi-1.15.0/lib/ffi/library.rb:145:in `block in ffi_lib': Could not open library 'libopenscap.so.8': libopenscap.so.8: cannot open shared object file: No such file or directory. (LoadError)
Could not open library 'libopenscap.so.25': libopenscap.so.25: cannot open shared object file: No such file or directory.
Could not open library 'openscap': openscap: cannot open shared object file: No such file or directory.
Could not open library 'libopenscap.so': libopenscap.so: cannot open shared object file: No such file or directory
rake aborted!
Command failed with status (1): [ruby -w -I"lib:.:lib:test" /usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/lib/rake/rake_test_loader.rb "test/fetch_scap_api_test.rb" "test/fetch_tailoring_api_test.rb" "test/get_report_xml_html_test.rb" "test/post_report_api_test.rb" "test/scap_content_parser_api_test.rb" "test/script_class_test.rb" "test/spool_forwarder_test.rb" ]
/usr/local/rvm/gems/ruby-2.7.2/gems/rake-13.0.3/exe/rake:27:in `<top (required)>'
/usr/local/rvm/gems/ruby-2.7.2/bin/ruby_executable_hooks:24:in `eval'
/usr/local/rvm/gems/ruby-2.7.2/bin/ruby_executable_hooks:24:in `<main>'
Tasks: TOP => test
(See full trace by running task with --trace)
yum install openscap
helped.
Additional endpoints that client needs to access are the ones for downloading content file and tailoring file.
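The split the thread settles on, as an added example that is not the PR's or the plugin's own code: client-facing paths (ARF report upload, content and tailoring download) need only a certificate from the trusted CA, every other path must additionally come from a trusted host. The path shapes, the `cn`/`cert_valid` request fields and the idea that a trusted host is identified by its certificate CN are assumptions for the example.

```ruby
# Added example modelling the authorization split discussed in this PR.
# Not smart_proxy_openscap code; path shapes and request fields are assumed.

# Anchored patterns: only these exact path shapes count as client endpoints.
# An unanchored %r{/arf/\d+} would also match any path merely containing
# "/arf/<digits>" and silently exempt it from the trusted-hosts check.
CLIENT_PATHS = [
  %r{\A/arf/\d+\z},                  # ARF report upload from a managed host
  %r{\A/policies/\d+/content/.+\z},  # assumed SCAP content download path
  %r{\A/policies/\d+/tailoring/.+\z} # assumed tailoring file download path
].freeze

def client_path?(path)
  CLIENT_PATHS.any? { |re| re.match?(path) }
end

# request is a plain hash standing in for the Rack request:
#   :path       request path
#   :cert_valid whether the TLS client certificate chained to the trusted CA
#   :cn         certificate common name, used to identify a trusted host
# Returns [:allow | :deny, reason].
def authorize(request, trusted_hosts)
  # Every endpoint, client or Foreman-only, still requires a valid client cert.
  return [:deny, 'no valid client certificate'] unless request[:cert_valid]
  # Client endpoints stop here: any host with a CA-issued certificate may use them.
  return [:allow, 'client endpoint'] if client_path?(request[:path])
  # Everything else is Foreman-only and must come from a configured trusted host.
  return [:allow, 'trusted host'] if trusted_hosts.include?(request[:cn])
  [:deny, "#{request[:cn]} is not a trusted host for #{request[:path]}"]
end

if __FILE__ == $PROGRAM_NAME
  trusted = ['foreman.example.com'] # constructed trusted_hosts setting
  [{ path: '/arf/42', cert_valid: true, cn: 'host1.example.com' },
   { path: '/arf/42', cert_valid: false, cn: 'host1.example.com' },
   { path: '/other/arf/42', cert_valid: true, cn: 'host1.example.com' },
   { path: '/other/arf/42', cert_valid: true, cn: 'foreman.example.com' }].each do |req|
    puts "#{req[:cn]} #{req[:path]} -> #{authorize(req, trusted).inspect}"
  end
end
```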
00db9e3 to 3999f6b
Thanks!
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
https://access.redhat.com/security/cve/CVE-2021-20290