
Bug #9775

Updated by Dominic Cleal over 9 years ago

*This issue is currently embargoed, but will likely become public soon. Please do not discuss outside of this ticket or the foreman-security mailing list until the private status changes.*

In Foreman 1.8/nightlies, since #4478, the compute resource password encryption key isn't being used and so CR passwords are stored and loaded only in plain text.

The key is stored in an initialiser (config/initializers/encryption_key.rb, locally generated during package installation) which should be loaded before the Encryptable concern is loaded. The Encryptable concern is a no-op if the key isn't initialised already.

#4478 added config/initializers/apipie.rb which is calling @ComputeResource.providers@, leading to earlier loading of Encryptable (used in ComputeResource), before the encryption key initialiser is reached (as 'apipie' < 'encryption_key').

Thanks to Daniel Lobato Garcia for reporting this to foreman-security@googlegroups.com.
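The load-order failure described above, as an added, self-contained illustration (this is not Foreman's code and uses none of its internals; the names KeyStore, FragileEncryptable, RobustEncryptable, PasswordCipher and the two simulated initializer files are assumptions made for the example). Rails runs config/initializers/*.rb in sorted filename order, so a concern that decides at include time whether a key exists is silently disabled when an earlier initializer touches the model first; a concern that resolves the key at call time, and refuses to operate without one, does not have that failure mode.

```ruby
require 'openssl'
require 'base64'

# Stand-in for the encryption key set by an initializer (assumed name).
module KeyStore
  class << self
    attr_accessor :key
  end
end

# AES-256-CBC with a random IV prepended; the key is looked up at call time
# and a missing key is an error, never a fall-through to plaintext.
module PasswordCipher
  def self.key
    KeyStore.key or raise 'encryption key not configured'
  end

  def self.encrypt(plain)
    c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    c.key = key
    iv = c.random_iv
    Base64.strict_encode64(iv + c.update(plain) + c.final)
  end

  def self.decrypt(blob)
    raw = Base64.strict_decode64(blob)
    c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    c.key = key
    c.iv = raw[0, 16]
    c.update(raw[16..-1]) + c.final
  end
end

# Model with plain accessors; `stored` is what would go to the database.
class PlainModel
  attr_reader :stored
  def password=(v); @stored = v; end
  def password; @stored; end
end

module EncryptedAccessors
  def password=(v); @stored = PasswordCipher.encrypt(v); end
  def password; PasswordCipher.decrypt(@stored); end
end

# Fragile: the decision is made once, when the concern is included. If the
# key initializer has not run yet, the model keeps its plaintext accessors.
module FragileEncryptable
  def self.included(base)
    return unless KeyStore.key # no key at load time -> no-op, permanently
    base.include(EncryptedAccessors)
  end
end

# Robust: always install the encrypting accessors; the key is resolved when
# a password is actually written or read.
module RobustEncryptable
  def self.included(base)
    base.include(EncryptedAccessors)
  end
end

# Simulate Rails loading config/initializers/*.rb in sorted filename order.
# 'apipie.rb' sorts before 'encryption_key.rb' and touches the model first.
def boot(concern)
  KeyStore.key = nil
  model = Class.new(PlainModel)
  initializers = {
    'apipie.rb'         => -> { model.include(concern) },
    'encryption_key.rb' => -> { KeyStore.key = OpenSSL::Random.random_bytes(32) },
  }
  initializers.keys.sort.each { |name| initializers[name].call }
  model
end

# Returns [what would be persisted, what the accessor reads back].
def stored_after_boot(concern, secret)
  record = boot(concern).new
  record.password = secret
  [record.stored, record.password]
end

if __FILE__ == $PROGRAM_NAME
  puts "fragile: #{stored_after_boot(FragileEncryptable, 's3cret').inspect}"
  puts "robust:  #{stored_after_boot(RobustEncryptable, 's3cret').inspect}"
end
```

With the fragile concern the persisted value equals the secret, exactly the symptom reported here; with the robust one it is ciphertext and round-trips. Renaming the initializer so it sorts first also works, but a guard that cannot silently degrade to plaintext is the better fix.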