Users can mount blobs without having read access to the from repository #1286

Closed
lubosmj opened this issue May 19, 2023 · 0 comments · Fixed by #1340
lubosmj commented May 19, 2023

We verify just the access to the created `to` repository (`if _contains_accessible_actions(decoded_token, scope):`) and still allow performing blob mount without verifying read permissions to the `from` repository (`return (request.query_params.keys()) == {"from", "mount"}`).

The fix will need to be backported.
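The authorization gap described above, as an added example that is not pulp_container's own code: a token's `repository:<name>:<actions>` scopes are parsed, and the check that only examines the target repository's scope is contrasted with one that also requires `pull` on the `from` repository when the request carries exactly the `from` and `mount` query parameters. All function names, scope strings and repository names are constructed for illustration.

```python
# Added example (not pulp_container's code). Scope strings follow the
# Docker registry token format "repository:<name>:<actions>"; all values
# below are constructed for illustration.
from typing import Dict, List, Set


def parse_scopes(scopes: List[str]) -> Dict[str, Set[str]]:
    """Map repository name -> set of granted actions, ignoring malformed entries."""
    granted: Dict[str, Set[str]] = {}
    for scope in scopes:
        parts = scope.split(":", 2)
        if len(parts) != 3 or parts[0] != "repository":
            continue  # not a repository scope (or malformed); grant nothing
        _, name, actions = parts
        granted.setdefault(name, set()).update(a for a in actions.split(",") if a)
    return granted


def is_mount_request(query_params: Dict[str, str]) -> bool:
    """Same shape as the check quoted in the issue: a cross-repository blob
    mount carries exactly the "from" and "mount" query parameters."""
    return set(query_params.keys()) == {"from", "mount"}


def vulnerable_authorize(scopes: List[str], target_repo: str, query_params: Dict[str, str]) -> bool:
    """Before the fix: only the target repository's push scope is examined,
    so the "from" repository is never consulted."""
    granted = parse_scopes(scopes)
    return "push" in granted.get(target_repo, set())


def fixed_authorize(scopes: List[str], target_repo: str, query_params: Dict[str, str]) -> bool:
    """After the fix: push on the target is still required, and a mount
    additionally requires pull on the source ("from") repository."""
    granted = parse_scopes(scopes)
    if "push" not in granted.get(target_repo, set()):
        return False
    if is_mount_request(query_params):
        source_repo = query_params["from"]
        return "pull" in granted.get(source_repo, set())
    return True


if __name__ == "__main__":
    # Constructed token: push/pull on the user's own repo, no scope at all on "private/secret".
    token_scopes = ["repository:alice/app:pull,push"]
    mount = {"from": "private/secret", "mount": "sha256:" + "0" * 64}
    print(vulnerable_authorize(token_scopes, "alice/app", mount))  # True: the reported bug
    print(fixed_authorize(token_scopes, "alice/app", mount))       # False: mount refused
```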

@lubosmj lubosmj added this to the 2.16 milestone May 26, 2023
@pulpbot pulpbot moved this to Free to take in RH Pulp Kanban board Jun 1, 2023
@lubosmj lubosmj self-assigned this Jul 20, 2023
@pulpbot pulpbot moved this from Free to take to In Progress in RH Pulp Kanban board Jul 20, 2023
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 20, 2023
Before this commit, the registry checked one scope, ignoring other
scopes that could relate to blob mounting operations. Due to that,
users without sufficient permissions could mount blobs from other
users unauthorized.

closes pulp#1286
@pulpbot pulpbot moved this from In Progress to Needs review in RH Pulp Kanban board Jul 20, 2023
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 21, 2023
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 21, 2023
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 21, 2023
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 21, 2023
lubosmj added a commit that referenced this issue Jul 24, 2023
Before this commit, the registry checked one scope, ignoring other
scopes that could relate to blob mounting operations. Due to that,
users without sufficient permissions could mount blobs from other
users unauthorized.

closes #1286
patchback bot pushed a commit that referenced this issue Jul 24, 2023
Before this commit, the registry checked one scope, ignoring other
scopes that could relate to blob mounting operations. Due to that,
users without sufficient permissions could mount blobs from other
users unauthorized.

closes #1286

(cherry picked from commit 6658b7e)
@pulpbot pulpbot moved this from Needs review to Done in RH Pulp Kanban board Jul 24, 2023
lubosmj added a commit to lubosmj/pulp_container that referenced this issue Jul 24, 2023
ipanova pushed a commit that referenced this issue Jul 24, 2023
ipanova pushed a commit that referenced this issue Jul 24, 2023