
Bug #33670

closed

Pulp smart proxy plugin exposes credentials on dev setup

Added by Lukas Zapletal almost 3 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Normal
Assignee:
Category: Foreman Proxy Content
Target version:
Fixed in Releases:
Found in Releases:

Description

Today I was poking around Smart Proxies, and realized the
smart_proxy_pulp [1] plugin exposes the pulpcore credentials via its
API [2]. It doesn't affect our default deployments, as we use
certificate authentication, but still an issue IMHO.

# curl --silent --cert /etc/foreman/client_cert.pem --key /etc/foreman/client_key.pem \
    https://pipe-katello-server-nightly-centos7.yatsu.example.com:9090/v2/features | jq .pulpcore.settings
{
  "pulp_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com",
  "mirror": false,
  "content_app_url": "https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content",
  "username": null,
  "password": null,
  "client_authentication": [
    "client_certificate"
  ],
  "rhsm_url": "https://localhost/rhsm"
}

The API itself is protected by cert auth in production installs, but
the data is also stored unencrypted in the database:

foreman=# select * from smart_proxy_features where settings like '%password%';
 smart_proxy_id | feature_id | id | capabilities | settings
----------------+------------+----+--------------+------------------------------------------------------------------------------------------------------------------
              1 |          4 |  1 | ---         +| {"pulp_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com","mirror":false,"content_app_url":"https://pipe-katello-server-nightly-centos7.yatsu.example.com/pulp/content","username":null,"password":null,"client_authentication":["client_certificate"],"rhsm_url":"https://localhost/rhsm"}
                |            |    | - ansible   +|
                |            |    | - certguard +|
                |            |    | - container +|
                |            |    | - core      +|
                |            |    | - deb       +|
                |            |    | - file      +|
                |            |    | - rpm       +|
                |            |    |              |

I think the plugin should just not `expose_setting :password`, as
there is really no reason for Foreman to know the password.

This was reported by Evgeni on our security list. Thank you.
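An added audit check, not part of the bug report or of the smart_proxy_pulp code: it walks a proxy's `/v2/features` document and lists every exposed setting whose key looks like a credential and whose value is set, and it shows the server-side counterpart, dropping those keys before the settings are handed to Foreman. The response shape (feature name mapping to a hash with a `settings` key) is assumed from the `jq .pulpcore.settings` call above; the sample document is constructed for the example, with a non-null password filled in to model a dev setup that uses basic auth instead of client certificates. The key pattern is an assumption, not the plugin's own list.

```ruby
require 'json'

# Constructed sample of a /v2/features response. The pulpcore key names come
# from the report above; the hostname, the filled-in credentials and the
# second feature are assumptions for the example.
SAMPLE_FEATURES = <<~JSON
  {
    "pulpcore": {
      "settings": {
        "pulp_url": "https://proxy.example.com",
        "mirror": false,
        "content_app_url": "https://proxy.example.com/pulp/content",
        "username": "pulp-admin",
        "password": "dev-only-password",
        "client_authentication": ["client_certificate"],
        "rhsm_url": "https://localhost/rhsm"
      }
    },
    "example_plugin": {
      "settings": {
        "api_token": null,
        "shared_secret": "",
        "endpoint": "https://proxy.example.com/example"
      }
    }
  }
JSON

# Keys that should never leave the proxy. Assumed pattern, extend to taste.
SECRET_KEY = /password|passwd|secret|token|api_key|private_key/i

# Returns "feature.key" for every credential-looking setting that carries a
# real value. nil and empty strings are skipped: they are exposed key names,
# not leaked secrets, and are exactly what the cert-auth production case shows.
def credential_leaks(features_json)
  JSON.parse(features_json).flat_map do |feature, body|
    settings = (body.is_a?(Hash) && body['settings']) || {}
    settings
      .select { |key, value| key.match?(SECRET_KEY) && !value.nil? && value != '' }
      .map { |key, _| "#{feature}.#{key}" }
  end
end

# What the plugin side should do before the settings are exposed: keep the
# non-sensitive connection details, drop anything matching SECRET_KEY.
def redact_settings(settings)
  settings.reject { |key, _| key.match?(SECRET_KEY) }
end

if $PROGRAM_NAME == __FILE__
  leaks = credential_leaks(SAMPLE_FEATURES)
  if leaks.empty?
    puts 'no credential values exposed'
  else
    puts "exposed credential values: #{leaks.join(', ')}"
  end
  pulp = JSON.parse(SAMPLE_FEATURES)['pulpcore']['settings']
  puts JSON.pretty_generate(redact_settings(pulp))
end
```

Against a live proxy, feed it the body of the same `curl --cert ... /v2/features` call shown above; a non-empty result means the value is also sitting in `smart_proxy_features.settings` on the Foreman side, since that column is a verbatim copy of what the proxy reported.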
