
API requests from ws-agent to ws-master have the same authorization header #10243

Closed
vinokurig opened this issue Jul 2, 2018 · 0 comments
Labels
kind/bug Outline of a bug - must adhere to the bug report template. status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it.

Comments

@vinokurig
Contributor

vinokurig commented Jul 2, 2018

Description

If a workspace is shared with another user, all API requests from ws-agent to ws-master will be signed with the same machine token: https://github.com/eclipse/che/blob/5f4d4e2034b737df11a2c86d62f68677983ce825/wsagent/che-wsagent-core/src/main/java/org/eclipse/che/wsagent/server/AgentHttpJsonRequestFactory.java#L37
As machineToken is the same for all users in the workspace, all users authorize HTTP requests with the same token. So the guest user makes requests as the workspace owner.

Reproduction Steps

  1. User A created an organization, added a workspace and shared it with User B.
  2. User A generated a key, uploaded it to GitHub and added a git committer name at Profile > Preferences > Git Committer.
  3. User B, who doesn't have any SSH keys, goes to Git menu -> Remotes -> Push.

Expected: User B should get an error because he doesn't have any SSH keys.
Actual: User B receives an up-to-date message, which means that he made the request to GitHub with SSH keys from User A.
OS and version:

Diagnostics:
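The token sharing described in the report, as an added example that is not Eclipse Che's code: a constructed Python model of ws-master and ws-agent in which every user name, token value and key is an assumption. It replays the reproduction steps as User B with a single workspace-wide machine token (the reported behaviour) and with a token bound to the requesting user, where the push fails as expected.

```python
# Constructed fixture: the owner (User A) has an SSH key, the guest (User B) has none.
SSH_KEYS = {"userA": ["ssh-ed25519 AAAA...userA-example"], "userB": []}

class AuthError(Exception):
    pass

class WsMaster:
    """Server side: the bearer token alone decides which user the caller is."""
    def __init__(self, tokens):
        self._tokens = tokens  # bearer token -> user id (constructed values)

    def ssh_keys(self, authorization):
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or token not in self._tokens:
            raise AuthError("invalid machine token")
        return SSH_KEYS[self._tokens[token]]

def shared_token_header(user, machine_token, tokens_by_user):
    """Reported behaviour: one machine token per workspace, so `user` is ignored."""
    return f"Bearer {machine_token}"

def per_user_header(user, machine_token, tokens_by_user):
    """Corrected pattern: the header carries a token bound to the requesting user."""
    return f"Bearer {tokens_by_user[user]}"

def git_push(master, header_for, user, machine_token, tokens_by_user):
    """Agent side: fetch the acting user's keys from ws-master; push only if there is one."""
    try:
        keys = master.ssh_keys(header_for(user, machine_token, tokens_by_user))
        if not keys:
            raise AuthError("no SSH keys for this user")
        return "Everything up-to-date"
    except AuthError as e:
        return f"error: {e}"

def reproduce():
    """Replays the reproduction steps as User B with both header strategies."""
    tokens_by_user = {"userA": "ws1-owner-token", "userB": "ws1-guest-token"}  # constructed
    master = WsMaster({t: u for u, t in tokens_by_user.items()})
    machine_token = tokens_by_user["userA"]  # the single workspace token in the bug
    return {
        "shared": git_push(master, shared_token_header, "userB", machine_token, tokens_by_user),
        "per_user": git_push(master, per_user_header, "userB", machine_token, tokens_by_user),
    }
```

Because ws-master resolves identity from the token alone, any check it applies (key lookup, committer name, authorization) silently runs as User A until each user's requests carry their own credential.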

@sleshchenko sleshchenko added kind/bug Outline of a bug - must adhere to the bug report template. status/open-for-dev An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it. team/platform labels Jul 2, 2018
No branches or pull requests

3 participants