API requests from ws-agent to ws-master have the same authorization header #10243
Labels
- kind/bug: Outline of a bug - must adhere to the bug report template.
- status/open-for-dev: An issue has had its specification reviewed and confirmed. Waiting for an engineer to take it.
Description
If a workspace is shared with another user, all API requests from ws-agent to ws-master will be signed with the same machine token: https://github.com/eclipse/che/blob/5f4d4e2034b737df11a2c86d62f68677983ce825/wsagent/che-wsagent-core/src/main/java/org/eclipse/che/wsagent/server/AgentHttpJsonRequestFactory.java#L37
As machineToken is the same for all users in the workspace, all users authorize HTTP requests with the same token. So a guest user makes requests as a workspace owner.
Reproduction Steps
Expected: User B should get an error because he doesn't have any SSH keys.
Actual: User B receives an up-to-date message, which means that he made the request to GitHub with SSH keys from User A.
OS and version:
Diagnostics:
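
The effect described in this report, as an added Java example that is not Eclipse Che code and not part of the original issue: a request factory that attaches one workspace-wide token makes the master resolve every caller to the owner, while a token per user lets it return the expected error. All class, method and token names are hypothetical, the key lookup stands in for any master endpoint that acts on the caller's identity, and per-user tokens are one assumed fix.

```java
import java.util.*;
// Added illustration, not Eclipse Che code. All names and values are constructed.
public class MachineTokenDemo {
    // Master side: the user each token was issued for (the workspace token maps to owner A).
    static final Map<String, String> tokenToUser = Map.of(
        "machine-tok-ws1", "userA", "machine-tok-ws1-A", "userA", "machine-tok-ws1-B", "userB");
    // Master side: SSH keys stored per user; only the owner has one.
    static final Map<String, List<String>> sshKeys = Map.of("userA", List.of("github-key-of-A"));

    // Hypothetical master endpoint: returns the SSH keys of whoever the token authenticates.
    static List<String> getSshKeys(String authorizationHeader) {
        String user = tokenToUser.get(authorizationHeader);
        if (user == null) throw new SecurityException("unknown token");
        List<String> keys = sshKeys.getOrDefault(user, List.of());
        if (keys.isEmpty()) throw new NoSuchElementException("no SSH keys for " + user);
        return keys;
    }

    // Behaviour described in the issue: one token per workspace, attached to every request.
    static class SharedTokenFactory {
        private final String machineToken;
        SharedTokenFactory(String machineToken) { this.machineToken = machineToken; }
        String authorizationFor(String requestingUser) { return machineToken; } // caller ignored
    }

    // Assumed fix: a separate token for each user of the workspace.
    static class PerUserTokenFactory {
        private final Map<String, String> tokens;
        PerUserTokenFactory(Map<String, String> tokens) { this.tokens = tokens; }
        String authorizationFor(String requestingUser) {
            String token = tokens.get(requestingUser);
            if (token == null) throw new SecurityException("no token issued for " + requestingUser);
            return token;
        }
    }

    public static void main(String[] args) {
        // Shared token: guest userB is authenticated as userA and gets A's key.
        SharedTokenFactory shared = new SharedTokenFactory("machine-tok-ws1");
        System.out.println("shared, userB -> " + getSshKeys(shared.authorizationFor("userB")));
        // Per-user token: userB is authenticated as userB, who has no keys.
        PerUserTokenFactory perUser = new PerUserTokenFactory(
            Map.of("userA", "machine-tok-ws1-A", "userB", "machine-tok-ws1-B"));
        try {
            getSshKeys(perUser.authorizationFor("userB"));
        } catch (NoSuchElementException e) {
            System.out.println("per-user, userB -> " + e.getMessage());
        }
    }
}
```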