foreman
Fixes #35473 - Add extlogin API endpoint
/users/extlogin endpoint is designed for UI interaction, thus using this endpoint to create a session to be used via API will fail with "Can't verify CSRF token authenticity" for any method except GET. We need to have a separate endpoint to create a proper session to be used via API.
- [ ] Requires https://github.com/theforeman/puppet-foreman/pull/1083
- [ ] Required by https://github.com/theforeman/hammer-cli-foreman/pull/605
I'd like to have it CPed into 3.3, but not sure if it's feasible...
I've tested these patches (and their deps) on a production setup via:
- curl -k -c cookies.txt -u : --negotiate https://foreman.ofedoren.example.com/api/users/extlogin [OK]
- curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X POST -d '{"architecture": { "name": "arch1" }}' -k https://foreman.ofedoren.example.com/api/architectures [OK]
- hammer auth login negotiate [OK]
- hammer architecture create --name arch2 [OK]
P.S. This is a suggested solution. One of the possible solutions could be introduced here only. We would need to somehow make sure that https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/authentication.rb#L88-L92 works with hitting /users/extlogin via API.
Issues: #35473
I have a conceptual question. We have CSRF protection on the normal extlogin page, so that nobody can build a fake and abuse that (as the fake won't have the right token). When we now introduce a CSRF-less api/extlogin, wouldn't the attacker just use that as an entry point and be happy? If the answer is yes, then we could also just disable CSRF on extlogin? Or am I missing some integral part of the whole thing?
Isn't the csrf protection there to limit the damage an attacker can do if they manage to hijack an already existing session?
Yes, but wouldn't hitting /api/users/extlogin in the current setup with an existing session "upgrade" said session to a CSRF-less one without further user interaction?
Okay, no, one can't upgrade a session to an API one. I shut up ;)
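The distinction the discussion above settles on, as an added illustration that is not Foreman's code: a browser (UI) session carries a CSRF token and must present it on any non-GET request, a session created through the API login endpoint is a separate session that is only honoured on API routes, and an existing UI session is never converted into an API one. The `SessionStore`, `verify` and the `:ui`/`:api` session kinds are a hypothetical model, not Foreman's actual implementation.

```ruby
# Hypothetical model of UI vs. API sessions (not Foreman's code).
require 'securerandom'

Session = Struct.new(:id, :user, :kind, :csrf_token)

class SessionStore
  def initialize
    @sessions = {}
  end

  # UI login: browser-facing; the session gets a CSRF token that the
  # application embeds in its own forms and pages.
  def ui_login(user)
    s = Session.new(SecureRandom.hex(16), user, :ui, SecureRandom.hex(16))
    @sessions[s.id] = s
    s
  end

  # API login (the /api/users/extlogin idea): a fresh session flagged as
  # API-only. It neither reuses nor modifies any existing UI session.
  def api_login(user)
    s = Session.new(SecureRandom.hex(16), user, :api, nil)
    @sessions[s.id] = s
    s
  end

  def fetch(id)
    @sessions[id]
  end
end

# Decide whether a request is allowed; returns a symbol describing the outcome.
def verify(store, session_id:, method:, path:, csrf_token: nil)
  s = store.fetch(session_id)
  return :no_session unless s

  api_path = path.start_with?('/api/')
  case s.kind
  when :ui
    # A browser session must prove the request originated from the app's own
    # page for anything that changes state; GET is exempt.
    return :ok if method == 'GET'
    return :csrf_failed unless csrf_token == s.csrf_token
    :ok
  when :api
    # An API session is only honoured on API routes, never on UI pages.
    api_path ? :ok : :wrong_session_kind
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  ui = store.ui_login('alice')
  puts verify(store, session_id: ui.id, method: 'POST', path: '/api/architectures') # csrf_failed
  api = store.api_login('alice')
  puts verify(store, session_id: api.id, method: 'POST', path: '/api/architectures') # ok
  puts store.fetch(ui.id).kind # ui: the UI session was not upgraded
end
```

The point of the model: a stolen UI session cookie alone cannot drive state-changing requests without the CSRF token, and logging in through the API endpoint yields a new session rather than stripping the CSRF requirement from the one already held.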
Not sure what's up with the tests [test integration] [test katello] [test unit]
@ekohl should we hold this until the puppet module is sorted out?
Also kicking off [test integration] once more
LGTM and I don't think it needs to wait for the Puppet changes.
It won't work without them in prod setups, but it also won't break and all we discussed in the Puppet PR was style, not the actual routes or anything that would influence the PR here.
Thank you @ofedoren & @evgeni !