craton

User can create resources in another project

Bug #1628917 reported by Ian Cordasco
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
craton
Fix Released
High
Ian Cordasco
craton newton-rc "n-rc"

Bug Description

Using 2e1a40ec92df95c0b6bedd7990d0bae172fe0c9e in craton, if you build the docker container and run it and then attach, e.g.,

    docker exec -it <container-id-from-docker-ps> bash

You can then add a new project:

    # mysql -u root
    MariaDB [(none)]> use craton;
    MariaDB [craton]> insert into projects (created_at, updated_at, name) values (NOW(), NOW(), "is_secure?");
    MariaDB [craton]> select * from projects;
    +---------------------+---------------------+----+-------------------------+------------+
    | created_at | updated_at | id | variable_association_id | name |
    +---------------------+---------------------+----+-------------------------+------------+
    | 2016-09-29 12:50:05 | 2016-09-29 12:50:05 | 1 | NULL | demo |
    | 2016-09-29 12:51:40 | 2016-09-29 12:51:40 | 2 | NULL | is_secure? |
    +---------------------+---------------------+----+-------------------------+------------+
    2 rows in set (0.00 sec)

With that new project you can now create regions:

    # curl -ivv -H 'X-Auth-Token: demo' -H 'X-Auth-User: demo' -H 'X-Auth-Project: 1' http://localhost:8080/v1/regions -XPOST -d '{"name":"lol","project_id":2}' -H "Content-Type: application/json"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying ::1...
* connect to ::1 port 8080 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /v1/regions HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.47.0
> Accept: */*
> X-Auth-Token: demo
> X-Auth-User: demo
> X-Auth-Project: 1
> Content-Type: application/json
> Content-Length: 29
>
* upload completely sent off: 29 out of 29 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
HTTP/1.0 200 OK
< Date: Thu, 29 Sep 2016 12:55:22 GMT
Date: Thu, 29 Sep 2016 12:55:22 GMT
< Server: WSGIServer/0.2 CPython/3.5.2
Server: WSGIServer/0.2 CPython/3.5.2
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 56
Content-Length: 56
< x-openstack-request-id: req-851d1362-b207-479e-b8de-6539ba9d755d
x-openstack-request-id: req-851d1362-b207-479e-b8de-6539ba9d755d

<
{"id": 2, "name": "lol", "note": null, "project_id": 2}
* Closing connection 0

In other words, users who should only be able to create resources in their given project (in this case project-id 1) can create resources for other projects.

Revision history for this message
Ian Cordasco (icordasc) wrote :

For what it's worth, I believe we should start following the processes laid out by the OpenStack VMT even though we're a tiny project just to get practice in using them: http://docs.openstack.org/project-team-guide/vulnerability-management.html

Revision history for this message
Ian Cordasco (icordasc) wrote :

Linked the wrong thing: https://security.openstack.org/vmt-process.html

Sulochan Acharya (sulochan-acharya)
Changed in craton:
status: Triaged → Confirmed
milestone: none → newton-rc
Ian Cordasco (icordasc)
information type: Private Security → Public Security
Ian Cordasco (icordasc)
Changed in craton:
assignee: nobody → Ian Cordasco (icordasc)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to craton (master)

Reviewed: https://review.openstack.org/386646
Committed: https://git.openstack.org/cgit/openstack/craton/commit/?id=1a858f2d2e1f3afa7879cefd0c85639cc009a5b2
Submitter: Jenkins
Branch: master

commit 1a858f2d2e1f3afa7879cefd0c85639cc009a5b2
Author: Ian Cordasco <email address hidden>
Date: Mon Oct 10 14:32:38 2016 -0500

    Simplify usage of project_ids in headers and body

    Previously, we were requiring X-Auth-Project headers for authentication
    and a project_id attribute in JSON bodies. This allows for several
    things.

    Closes-bug: 1628845
    Closes-bug: 1628917
    Change-Id: I40d0e8b6a3260ff11c493268c8a0553eba62512b

Changed in craton:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.