Project

General

Profile

Actions

Bug #9775

closed

CR encryption key not loaded before it's checked, encryption is disabled

Added by Dominic Cleal about 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

In Foreman 1.8/nightlies, since #4478, the compute resource password encryption key isn't being used and so CR passwords are stored and loaded only in plain text.

The key is stored in an initialiser (config/initializers/encryption_key.rb, locally generated during package installation) which should be loaded before the Encryptable concern is loaded. The Encryptable concern is a no-op if the key isn't initialised already.

#4478 added config/initializers/apipie.rb which is calling ComputeResource.providers, leading to earlier loading of Encryptable (used in ComputeResource), before the encryption key initialiser is reached (as 'apipie' < 'encryption_key').

Thanks to Daniel Lobato Garcia for reporting this to .


Related issues 3 (0 open3 closed)

Related to Foreman - Feature #4478: API docs need to be localizedClosedMartin Bacovsky02/27/2014Actions
Related to Foreman - Feature #2424: encrypt compute resource passwordClosedJoseph Magen04/24/2013Actions
Has duplicate Foreman - Bug #9771: undefined method `encryptable_fields' during db migrateClosedDominic Cleal03/15/2015Actions
Actions #1

Updated by Dominic Cleal about 9 years ago

Daniel adds:

  • `foreman-rake security:generate_encryption_key` doesn't run by
    default because of the permissions set by the installer. `Permission
    denied - /usr/share/foreman/config/initializers/encryption_key.rb`

This works correctly during package installation, it's just a post-install issue that prevents you re-running it. I'll file this separately as it's a low priority and impact bug.

Before 1.8, I think we should address this. I've naively renamed the
initializer to 0_encrypted_key.rb and it fixes the issue. Before 1.8:

  • We should document Compute Resource encryption through
    EncryptionKey in the manual.
  • There should be tests for the tasks that deal with this.
  • Tests for should ensure the initializer runs before the concern is
    loaded.

Renaming the initialiser certainly works, though as it's a locally created file then we'll need to handle this in packaging somehow - a bit messy. Renaming the apipie initialiser might be easier!

Actions #2

Updated by Dominic Cleal about 9 years ago

#9771 is caused by the same issue I believe. The Encryptable concern isn't being loaded due to the initialiser reordering, so the encrypt rake task is failing as the concern methods aren't present.

Actions #4

Updated by Dominic Cleal about 9 years ago

  • Description updated (diff)
  • Private changed from Yes to No
Actions #5

Updated by Dominic Cleal about 9 years ago

Actions #6

Updated by Dominic Cleal about 9 years ago

  • Has duplicate Bug #9771: undefined method `encryptable_fields' during db migrate added
Actions #7

Updated by Dominic Cleal about 9 years ago

  • Related to Feature #2424: encrypt compute resource password added
Actions #8

Updated by Daniel Lobato Garcia about 9 years ago

Can confirm #9771 is completely related, as when I make the initializer load earlier it does work.

Actions #9

Updated by Dominic Cleal about 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal
Actions #10

Updated by The Foreman Bot about 9 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2248 added
  • Pull request deleted ()
Actions #11

Updated by Og Maciel about 9 years ago

  • Bugzilla link set to 1204914
Actions #12

Updated by Dominic Cleal about 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF