Project

General

Profile

« Previous | Next » 

Revision 358ec5a3

Added by Dominic Cleal over 11 years ago

  • ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd

fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users

CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.

CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.

The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.

The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.

Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.

View differences:

test/functional/hosts_controller_test.rb
end
test "externalNodes should render correctly when format text/html is given" do
get :externalNodes, {:name => @host.name}
get :externalNodes, {:name => @host.name}, set_session_user
assert_response :success
assert_template :text => @host.info.to_yaml.gsub("\n","<br/>")
end
......
assert flash[:notice] == "Foreman now no longer manages the build cycle for #{@host.name}"
end
test 'when ":restrict_registered_puppetmasters" is false, HTTP requests should be able to get externalNodes' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = false
SETTINGS[:require_ssl] = false
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_response :success
end
test 'hosts with a registered smart proxy on should get externalNodes successfully' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = false
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_response :success
end
test 'hosts without a registered smart proxy on should not be able to get externalNodes' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = false
Resolv.any_instance.stubs(:getnames).returns(['another.host'])
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_equal 403, @response.status
end
test 'hosts with a registered smart proxy and SSL cert should get externalNodes successfully' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
@request.env['HTTPS'] = 'on'
@request.env['SSL_CLIENT_S_DN_CN'] = 'else.where'
@request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_response :success
end
test 'hosts without a registered smart proxy but with an SSL cert should not be able to get externalNodes' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
@request.env['HTTPS'] = 'on'
@request.env['SSL_CLIENT_S_DN_CN'] = 'another.host'
@request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_equal 403, @response.status
end
test 'hosts with an unverified SSL cert should not be able to get externalNodes' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
@request.env['HTTPS'] = 'on'
@request.env['SSL_CLIENT_S_DN_CN'] = 'else.where'
@request.env['SSL_CLIENT_VERIFY'] = 'FAILURE'
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_equal 403, @response.status
end
test 'when "require_ssl_puppetmasters" and "require_ssl" are true, HTTP requests should not be able to get externalNodes' do
User.current = nil
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
SETTINGS[:require_ssl] = true
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_equal 403, @response.status
end
test 'when "require_ssl_puppetmasters" is true and "require_ssl" is false, HTTP requests should be able to get externalNodes' do
User.current = nil
# since require_ssl_puppetmasters is only applicable to HTTPS connections, both should be set
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
SETTINGS[:require_ssl] = false
Resolv.any_instance.stubs(:getnames).returns(['else.where'])
get :externalNodes, {:name => @host.name, :format => "yml"}
assert_response :success
end
test 'authenticated users over HTTP should be able to get externalNodes' do
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
SETTINGS[:require_ssl] = false
Resolv.any_instance.stubs(:getnames).returns(['users.host'])
get :externalNodes, {:name => @host.name, :format => "yml"}, set_session_user
assert_response :success
end
test 'authenticated users over HTTPS should be able to get externalNodes' do
Setting[:restrict_registered_puppetmasters] = true
Setting[:require_ssl_puppetmasters] = true
SETTINGS[:require_ssl] = false
Resolv.any_instance.stubs(:getnames).returns(['users.host'])
@request.env['HTTPS'] = 'on'
get :externalNodes, {:name => @host.name, :format => "yml"}, set_session_user
assert_response :success
end
private
def initialize_host
User.current = users(:admin)

Also available in: Unified diff