Foreman smart class variables available without the need for any sort of authentication

Problem:
We've found that while using smart class variables, a user that does not have access to view the key/value pairs in the Foreman UI can view the plain text version of the 'secrets' without any sort of authentication by viewing the node's YAML file using the Foreman UI.

For example, if I, as an admin, log into our Foreman UI and create a smart class parameter, then apply that parameter to a class and a node:
Someone without any sort of Foreman role, or even a login, cannot view the UI.
https://<our_foreman_host>/variable_lookup_keys
returns the login authentication page.
But that same person can access a node that has that Puppet class and see the plain text results of the smart class parameter secret, even if it's hidden, just by accessing the node YAML:
https://<our_foreman_host>/hosts/<example_node>/externalNodes?name=<example_node>

Expected outcome:
The YAML should not be available to view the smart class secrets without authentication.

Foreman and Proxy versions:
Version 1.15.3

Other relevant data:
Node YAML example:

---
classes:
  test_erb: 
parameters:
  puppetmaster: ''
  domainname: ----
  organization: General
  organization_title: General
  root_pw: 
  foreman_env: dev_erb_test
  owner_name: ----
  owner_email: ----
  ssh_authorized_keys: []
  foreman_users:
    admin:
      firstname: ----
      lastname: -----
      mail: -----
      description: ''
      fullname: ----
      name: ----
      ssh_authorized_keys: []
  foreman_subnets: []
  foreman_interfaces:
  - ip: 
    ip6: 
    mac: 
    name: <example_node>
    attrs: {}
    virtual: false
    link: true
    identifier: ethernet0 2
    managed: true
    primary: true
    provision: true
    subnet: 
    subnet6: 
    tag: 
    attached_to: 
    type: Interface
  foreman_config_groups: []
  **param_erb_test: test123**
environment: dev_erb_test

Welcome @ebrose!

Are you sure the user you are testing with has no permissions assigned to it?
Foreman 1.15 is very old - the currently supported versions are 1.24 and 2.0. It is very possible this has changed in the ~3 years since 1.15.3 was released. I would highly recommend planning your upgrade to a supported foreman version as soon as possible.
I was not able to confirm this in a current version - only a user that has view permissions for the specific host, or a connection from an authenticated smart proxy should be able to see the enc output. You might also want to make sure the restrict_registered_smart_proxies setting is set to true (as is the default) - if it is set to false, this endpoint will be indeed available without authentication.

If you can reproduce this issue in a current version, please contact the Foreman security team via email to ensure it is properly addressed.
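As an added example that is not part of this thread or of Foreman itself: a small Python check an administrator can run from a machine with no smart proxy on it to confirm whether the ENC endpoint discussed above answers an unauthenticated request with the node YAML, or refuses it or redirects to the login page. The host and node names are placeholders you supply; the redirect target `/users/login` is Foreman's login path.

```python
"""Check whether a Foreman ENC endpoint serves node YAML without authentication.
Added example, not Foreman project code. Usage:
    python enc_check.py https://<foreman_host> <example_node>
"""
import sys
import urllib.error
import urllib.request

LOGIN_PATH = "/users/login"  # Foreman redirects unauthenticated UI requests here

# Constructed sample of what an exposed ENC response looks like (trimmed from the thread).
SAMPLE_YAML = "---\nclasses:\n  test_erb:\nparameters:\n  param_erb_test: test123\nenvironment: dev_erb_test\n"


def classify_enc_response(status, location, body):
    """Return 'EXPOSED' if node YAML came back to an unauthenticated client,
    'PROTECTED' if the request was refused or sent to the login page,
    and 'UNEXPECTED' for anything else worth looking at by hand."""
    if status in (401, 403):
        return "PROTECTED"
    if status in (301, 302, 303, 307, 308) and location and LOGIN_PATH in location:
        return "PROTECTED"
    if status == 200 and body.lstrip().startswith("---") and "classes:" in body:
        return "EXPOSED"
    return "UNEXPECTED"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a 302 to the login page stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_enc(base_url, node):
    """Issue one unauthenticated GET against the ENC endpoint and classify it."""
    url = f"{base_url}/hosts/{node}/externalNodes?name={node}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_enc_response(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        body = err.read().decode("utf-8", "replace")
        return classify_enc_response(err.code, err.headers.get("Location"), body)


if __name__ == "__main__":
    print(probe_enc(sys.argv[1].rstrip("/"), sys.argv[2]))
```

An `EXPOSED` result with `restrict_registered_smart_proxies` set to false is the behaviour described in this thread; re-run the check after setting it to true.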

Thank you @tbrisker!
I will try and get a dev environment up to the latest release and validate too.
much appreciate you taking the time to investigate it too.
Regards and thanks for the email link in case we see the same issue.
Cheers
Eric

Yes @tbrisker we validated with several users and several browsers (incognito modes too)
and all were able to see the node YAML URL while not being able to see the params in the Foreman UI, whether they had a login or not.
Regards,
Eric

What is the value of the restrict_registered_smart_proxies setting? Was the connection without login made from a separate host that has no proxy on it, or was it e.g. localhost?

Hey @tbrisker
It was set to false.
Restrict registered smart proxies: No
I will read up and ask co-workers if there are any known issues with setting this to true.

Thanks again!
Regards,
Eric