goiardi
Non-admin client cannot fetch another user's public key
Is your feature request related to a problem? Please describe.
I'm writing a test of my project using goiardi, where a client (c1) fetches the public key of another client (c2).
Endpoint: clients/c2/keys/default
In real chef-server, the test passes when c1 is non-admin, whereas in goiardi the test cannot pass, because one (non-admin) client cannot fetch another client's public key (returned 403) by this code.
I have not yet understood chef-server's code, but I guess there might be an implementation difference between chef-server and goiardi.
Describe the solution you'd like
It should be correct behaviour that non-admin client c1 can fetch c2's public key.
Describe alternatives you've considered
For now, I'm testing with c1 admin in the test.
Additional context
With chef-server, c1 can fetch c2's public key like the following:
$ knife client show c1
admin: false
chef_type: client
name: c1
validator: false
$ knife client key show c2 default
client: c2
expiration_date: infinity
name: default
public_key: -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY7Acmtj1Y68QBPz5RoV
(snip)
-----END PUBLIC KEY-----
Apologies for the delay responding (lots going on, for a long time, blah blah blah).
This one will be an easy fix, but before I go and do so I do need to check around a bit and make sure that's not the expected behavior. There's a possibility that either it was the expected behavior under the open source Chef 11 Server or that it simply wasn't addressed in the tests.
Thanks!
FYI: This breaks chef-vault:
* chef_vault_secret[test] action create[2020-11-26T17:05:37+00:00] ERROR: ERROR: You received a 403 FORBIDDEN while requesting an clients key for testnode2.
If you are on Chef Server < 12.5:
Clients do not have access to all public keys within their org.
Either upgrade to Chef Server >= 12.5 or make this request using a user.
If you are on Chef Server == 12.5.0
All clients and users have access to the public keys endpoint. Getting
this error on 12.5.0 is unexpected regardless of what your
public_key_read_access_group contains.
If you are on Chef Server > 12.5.1
Has your public_key_read_access_group been modified? This group controls
read access on public keys within your org. It defaults to the users
and client groups, so all org actors should have permission unless
the defaults have been changed.
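As an added example (not goiardi's or chef-server's own code), a Go authorization check implementing the rule quoted in the chef-vault message: any org actor in the read-access group (users and clients by default) may GET another client's public key, while key modifications stay with the owner or an admin. The names Actor, Policy, ReadGroups and Authorize are hypothetical.

```go
package main
import "fmt"

// Actor is an org actor (user or API client). Hypothetical type, not goiardi's own.
type Actor struct {
	Name   string
	Admin  bool
	Groups []string // org groups, e.g. "users" or "clients"
}

// Policy: groups (public_key_read_access_group) whose members may read any public key.
type Policy struct{ ReadGroups []string }

// DefaultPolicy is the Chef Server >= 12.5.1 default: the users and clients groups.
func DefaultPolicy() Policy { return Policy{ReadGroups: []string{"users", "clients"}} }

func (p Policy) inReadGroup(a Actor) bool {
	for _, g := range a.Groups {
		for _, allowed := range p.ReadGroups {
			if g == allowed {
				return true
			}
		}
	}
	return false
}

// Authorize returns the HTTP status for <method> on clients/<owner>/keys/<key>:
// reads are open to owner, admins and the read group; writes stay with owner/admin.
func (p Policy) Authorize(method string, req Actor, owner string) int {
	isOwnerOrAdmin := req.Name == owner || req.Admin
	switch method {
	case "GET":
		if isOwnerOrAdmin || p.inReadGroup(req) {
			return 200
		}
	case "PUT", "POST", "DELETE":
		if isOwnerOrAdmin {
			return 200
		}
	default:
		return 405
	}
	return 403
}

func main() {
	c1 := Actor{Name: "c1", Groups: []string{"clients"}} // the non-admin client from the issue
	fmt.Println("GET clients/c2/keys/default as c1:", DefaultPolicy().Authorize("GET", c1, "c2"))
}
```

Narrowing ReadGroups to a group c1 is not in reproduces the 403 seen in goiardi, which is the configuration case the last paragraph of the chef-vault message asks about.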