Project

General

Profile

Actions

Bug #18245

open

Enabling OAuth is too dangerous

Added by M T almost 8 years ago. Updated over 7 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
medium
Triaged:
Fixed in Releases:
Found in Releases:

Description

The current OAuth implementation in Foreman allows access to anybody with knowledge of two strings: OAuth consumer key and OAuth consumer secret.

In this sense, it is not any more secure than the typical username/password set of credentials.

But, in reality, it is a lot worse:
  1. Unlike personal passwords, which are never shown in clear text, both the key and the secret are visible to all current admins under FOREMAN/settings#Auth
  2. While personal passwords can be made to automatically expire (such as by using an external LDAP-server with stricter settings), the OAuth credentials are permanent
  3. If mapping of OAuth-requests to existing accounts is not enabled, using this method gives the REST API scripts admin-level access to Foreman -- having once observed the credentials, a hacker can delete or alter hosts in Foreman.
  4. If mapping of OAuth-requests to existing accounts is enabled (by specifying a separete request-header FOREMAN-USER), a script can freely impersonate any user -- which is even worse than anonymous admin-access. Once authenticated with the OAuth credentials, a script can gain any user's authorization...
The existing OAuth implementation should be redone to:
  • Allow only read-only access to OAuth-using scripts by default, if OAuth is enabled at all.
  • Allow admins to create multiple OAuth credential-pairs with different roles, limiting the capabilities of API-using scripts

Finally, OAuth or not, there should be a way to enable anonymous browsing/searching of Foreman data -- even if making any changes may still require a login. The current :login: true in settings.yaml is not granular enough.


Related issues 1 (0 open1 closed)

Related to Foreman - Feature #1301: Consider adding a per-user API keyClosedTimo GoebelActions
Actions

Also available in: Atom PDF