Feature #21605

Make authentication extendable

Added by Marek Hulán about 2 years ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: SSL
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:

Description

Plugins can't easily extend authentication with their own means of authentication if SSL is used. The reason is that the #authorize_with_ssl_client before block would always fail on SSL if no client is available. In REX there are use cases where the REX core worker is authenticated differently (looking at the serial number or using a token). The authentication methods should not run if another authentication method has already succeeded. That will also help to avoid running both the trusted hosts and the SSL auth methods that are built into the proxy.


Related issues

Related to foreman-tasks - Bug #25001: CVE-2018-14643 rubygem-smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature (Closed)
Blocks Foreman Remote Execution - Bug #17249: All in one setup does not work with regular SSL cert based auth (Ready For Testing, 2016-11-07)

Associated revisions

Revision 56f9095e (diff)
Added by Ivan Necas 9 months ago

Fixes #21605 - more authorization options

Before this change, when using authorization helpers, one got all or
nothing, without any chance to use the authorization for just a subset of
the requests.

This patch introduces `Sinatra::Authorization::Helpers` that provide
`do_authorize*` methods that are not wrapped in the before block, so that
their usage is more flexible.
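As an added illustration (not smart-proxy code) of the two styles the issue description and the commit message above contrast: a single before-filter that fails closed the moment the SSL check fails, versus explicit helpers a route calls itself, trying each method in order and stopping at the first success. The request hash keys, the allowed CN and the token are constructed assumptions.

```ruby
# Constructed illustration of the two authorization styles discussed in this
# issue; none of this is smart-proxy code, and the request hash keys, CN list
# and token are assumptions. Each authorizer returns true/false and never
# raises, so a later method still gets its turn.
module Authorizers
  # Client-certificate check: verified chain plus a CN on the allow list.
  def self.ssl_client(request, allowed_cns)
    return false unless request[:ssl_verify] == 'SUCCESS'
    allowed_cns.include?(request[:client_cn])
  end

  # Trusted-hosts check (name-based, so keep the list tight).
  def self.trusted_hosts(request, trusted)
    trusted.include?(request[:remote_host])
  end

  # Stand-in for a plugin's token check (the REX worker case in the issue).
  def self.plugin_token(request, expected)
    token = request[:token]
    return false if token.nil? || expected.nil? || token.bytesize != expected.bytesize
    # Constant-time comparison so the check leaks nothing about the token.
    token.bytes.zip(expected.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# "Before": one before-filter that denies as soon as the SSL check fails.
# A plugin's own method never runs, so a worker without a client cert is out.
def before_filter_only(request, allowed_cns)
  Authorizers.ssl_client(request, allowed_cns) ? :ok : :forbidden
end

# "After": an explicit helper a route calls itself. Methods run in order,
# the first success wins and the rest are skipped; no success means deny.
# Returns [:ok, name_of_method] or [:forbidden, nil].
def authorize_any(request, checks)
  checks.each do |name, check|
    return [:ok, name] if check.call(request)
  end
  [:forbidden, nil]
end

# Constructed requests: a client with a verified cert, and a REX worker that
# has no client cert but presents the plugin's token.
CERT_CLIENT = { ssl_verify: 'SUCCESS', client_cn: 'proxy.example.com', remote_host: '10.0.0.2' }.freeze
REX_WORKER  = { ssl_verify: 'NONE', remote_host: '10.0.0.5', token: 'constructed-rex-token' }.freeze

def demo_checks
  { ssl_client:   ->(r) { Authorizers.ssl_client(r, ['proxy.example.com']) },
    plugin_token: ->(r) { Authorizers.plugin_token(r, 'constructed-rex-token') } }
end
```

Ordering matters in the chained form: whichever method is listed first and succeeds decides the request, so a permissive check placed early would mask stricter ones behind it.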

Revision 21642e60 (diff)
Added by Lukas Zapletal 9 months ago

Refs #21605 - remove rubocop metrics

History

#1 Updated by Marek Hulán about 2 years ago

  • Blocks Bug #17249: All in one setup does not work with regular SSL cert based auth added

#2 Updated by The Foreman Bot about 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/550 added

#3 Updated by Lukas Zapletal 10 months ago

  • Triaged changed from No to Yes
  • Status changed from Ready For Testing to New
  • Pull request deleted (https://github.com/theforeman/smart-proxy/pull/550)

The proposal was not considered good enough; the authorization mechanism needs a modular and plugin-friendly approach. https://github.com/theforeman/smart-proxy/pull/550

#4 Updated by Ivan Necas 9 months ago

  • Related to Bug #25001: CVE-2018-14643 rubygem-smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature added

#5 Updated by The Foreman Bot 9 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/639 added

#6 Updated by Lukas Zapletal 9 months ago

  • Fixed in Releases 1.22.0 added

#7 Updated by Ivan Necas 9 months ago

  • Status changed from Ready For Testing to Closed

#8 Updated by The Foreman Bot 9 months ago

  • Pull request https://github.com/theforeman/smart-proxy/pull/641 added