ctdk / goiardi

A Chef server written in Go, able to run entirely in memory, with optional persistence with saving the in-memory data to disk or using MySQL or Postgres as the data storage backend. Docs: http://goiardi.readthedocs.io/en/latest/index.html
http://goiardi.gl
Apache License 2.0

Non-admin client cannot fetch another user's public key #66

Open limitusus opened 4 years ago

limitusus commented 4 years ago

Is your feature request related to a problem? Please describe. I'm writing a test of my project using goiardi, where a client (c1) fetches the public key of another client (c2). Endpoint: clients/c2/keys/default In real chef-server, the test passes when c1 is non-admin, whereas in goiardi the test cannot pass, because one (non-admin) client cannot fetch another client's public key (403 is returned) by this code. I have not yet understood chef-server's code, but I guess there might be an implementation difference between chef-server and goiardi.

Describe the solution you'd like It should be correct behaviour that a non-admin client c1 can fetch c2's public key.

Describe alternatives you've considered For now, I'm testing with c1 admin in the test.

Additional context With chef-server, c1 can fetch c2's public key like the following:

$ knife client show c1
admin:     false
chef_type: client
name:      c1
validator: false

$ knife client key show c2 default
client:          c2
expiration_date: infinity
name:            default
public_key:      -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY7Acmtj1Y68QBPz5RoV
(snip)
-----END PUBLIC KEY-----

ctdk commented 4 years ago

Apologies for the delay responding (lots going on, for a long time, blah blah blah).

This one will be an easy fix, but before I go and do so I do need to check around a bit and make sure that's not the expected behavior. There's a possibility that either it was the expected behavior under the open source Chef 11 Server or that it simply wasn't addressed in the tests.

Thanks!

tbe commented 4 years ago

FYI: This breaks chef-vault:

  * chef_vault_secret[test] action create[2020-11-26T17:05:37+00:00] ERROR: ERROR: You received a 403 FORBIDDEN while requesting an clients key for testnode2.

If you are on Chef Server < 12.5:
  Clients do not have access to all public keys within their org.
  Either upgrade to Chef Server >= 12.5 or make this request using a user.

If you are on Chef Server == 12.5.0
  All clients and users have access to the public keys endpoint. Getting
  this error on 12.5.0 is unexpected regardless of what your
  public_key_read_access_group contains.

If you are on Chef Server > 12.5.1
  Has your public_key_read_access_group been modified? This group controls
  read access on public keys within your org. It defaults to the users
  and client groups, so all org actors should have permission unless
  the defaults have been changed.
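The two comments above describe the same authorization decision from two sides: goiardi answers GET clients/c2/keys/default with 403 for a non-admin client, while the chef-vault message lays out the rule Chef Server has used since 12.5, where read access to public keys is granted to every actor in the org's public_key_read_access group (which by default nests the users and clients groups) rather than to admins and the key owner only. The following is an added example, written for this page and not code from goiardi or Chef Server, that models both rules side by side so the difference can be tested. The in-memory org and group layout, the "public_key_read_access" group name (taken from the chef-vault message) and the split into a legacy policy and a group policy are assumptions made for the example.

```go
package main

import "fmt"

// ActorKind distinguishes the two kinds of Chef org actors.
type ActorKind string

const (
	Client ActorKind = "client"
	User   ActorKind = "user"
)

// Actor is the identity making the request, as the server sees it after
// request signing has been verified.
type Actor struct {
	Name  string
	Kind  ActorKind
	Admin bool
}

// Group may hold actors directly and may nest other groups. The default
// public_key_read_access group nests "users" and "clients" instead of
// listing every actor, so membership must be resolved recursively.
type Group struct {
	Actors map[string]bool // keys look like "client:c1" or "user:alice"
	Groups []string        // names of nested groups
}

// Org is a minimal in-memory org model for this example (an assumption,
// not goiardi's or Chef Server's data layout).
type Org struct {
	Groups map[string]*Group
}

func actorID(a Actor) string { return string(a.Kind) + ":" + a.Name }

// InGroup resolves nested groups; the visited set stops a group cycle
// from turning an authorization check into an infinite loop.
func (o *Org) InGroup(group string, a Actor) bool {
	return o.inGroup(group, actorID(a), map[string]bool{})
}

func (o *Org) inGroup(group, id string, seen map[string]bool) bool {
	if seen[group] {
		return false
	}
	seen[group] = true
	g, ok := o.Groups[group]
	if !ok {
		return false
	}
	if g.Actors[id] {
		return true
	}
	for _, nested := range g.Groups {
		if o.inGroup(nested, id, seen) {
			return true
		}
	}
	return false
}

// Policy selects which read rule applies; the two follow the version split
// in the chef-vault message (assumed simplification of that description).
type Policy int

const (
	// LegacyKeyRead: users may read any key; a client only its own unless admin.
	LegacyKeyRead Policy = iota
	// GroupKeyRead: any member of public_key_read_access may read any key in the org.
	GroupKeyRead
)

const publicKeyReadAccess = "public_key_read_access" // name assumed from the message

// CanReadPublicKey decides a read of <ownerKind>/<ownerName>'s keys, i.e.
// GET /clients/<owner>/keys/<key>. Writes stay with the owner and admins
// under both policies and are not modelled here.
func CanReadPublicKey(p Policy, org *Org, requester Actor, ownerKind ActorKind, ownerName string) bool {
	if requester.Kind == ownerKind && requester.Name == ownerName {
		return true // an actor can always read its own keys
	}
	switch p {
	case LegacyKeyRead:
		return requester.Kind == User || requester.Admin
	case GroupKeyRead:
		return org.InGroup(publicKeyReadAccess, requester)
	}
	return false
}

// DefaultOrg builds the default ACL layout: public_key_read_access nests
// the users and clients groups, so every org actor can read keys.
func DefaultOrg(clients, users []string) *Org {
	o := &Org{Groups: map[string]*Group{
		"clients":           {Actors: map[string]bool{}},
		"users":             {Actors: map[string]bool{}},
		publicKeyReadAccess: {Groups: []string{"users", "clients"}},
	}}
	for _, c := range clients {
		o.Groups["clients"].Actors["client:"+c] = true
	}
	for _, u := range users {
		o.Groups["users"].Actors["user:"+u] = true
	}
	return o
}

func main() {
	org := DefaultOrg([]string{"c1", "c2"}, []string{"alice"}) // constructed sample org
	c1 := Actor{Name: "c1", Kind: Client, Admin: false}
	fmt.Println("legacy, c1 reads c2:", CanReadPublicKey(LegacyKeyRead, org, c1, Client, "c2"))
	fmt.Println("group,  c1 reads c2:", CanReadPublicKey(GroupKeyRead, org, c1, Client, "c2"))
	// The third branch of the message: the defaults were changed and clients dropped.
	org.Groups[publicKeyReadAccess].Groups = []string{"users"}
	fmt.Println("edited, c1 reads c2:", CanReadPublicKey(GroupKeyRead, org, c1, Client, "c2"))
}
```

Under LegacyKeyRead the non-admin client c1 is refused c2's key, which is the 403 reported in the issue; under GroupKeyRead with the default group layout the same request is allowed, and it is refused again only once clients are removed from public_key_read_access. Keeping the decision in one function with the policy as an explicit input makes the expected behaviour a table of test cases rather than something spread across handlers.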