Bug #9775
closed
CR encryption key not loaded before it's checked, encryption is disabled
Added by Dominic Cleal over 9 years ago.
Updated about 6 years ago.
Description
In Foreman 1.8/nightlies, since #4478, the compute resource password encryption key isn't being used and so CR passwords are stored and loaded only in plain text.
The key is stored in an initialiser (config/initializers/encryption_key.rb, locally generated during package installation) which should be loaded before the Encryptable concern is loaded. The Encryptable concern is a no-op if the key isn't initialised already.
#4478 added config/initializers/apipie.rb which is calling ComputeResource.providers, leading to earlier loading of Encryptable (used in ComputeResource), before the encryption key initialiser is reached (as 'apipie' < 'encryption_key').
Thanks to Daniel Lobato Garcia for reporting this to foreman-security@googlegroups.com.
Daniel adds:
- `foreman-rake security:generate_encryption_key` doesn't run by
default because of the permissions set by the installer. `Permission
denied - /usr/share/foreman/config/initializers/encryption_key.rb`
This works correctly during package installation, it's just a post-install issue that prevents you re-running it. I'll file this separately as it's a low priority and impact bug.
Before 1.8, I think we should address this. I've naively renamed the
initializer to 0_encrypted_key.rb and it fixes the issue. Before 1.8:
- We should document Compute Resource encryption through
EncryptionKey in the manual.
- There should be tests for the tasks that deal with this.
- Tests for should ensure the initializer runs before the concern is
loaded.
Renaming the initialiser certainly works, though as it's a locally created file then we'll need to handle this in packaging somehow - a bit messy. Renaming the apipie initialiser might be easier!
#9771 is caused by the same issue I believe. The Encryptable concern isn't being loaded due to the initialiser reordering, so the encrypt rake task is failing as the concern methods aren't present.
- Description updated (diff)
- Private changed from Yes to No
- Has duplicate Bug #9771: undefined method `encryptable_fields' during db migrate added
- Related to Feature #2424: encrypt compute resource password added
Can confirm #9771 is completely related, as when I make the initializer load earlier it does work.
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2248 added
- Pull request deleted (
- Bugzilla link set to 1204914
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by