Bug 1025890

Summary: content sync via authenticated proxy using digest_pw method fails
Product: Red Hat Satellite
Reporter: Corey Welton <cwelton>
Component: Pulp
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX
QA Contact: Roman Plevka <rplevka>
Severity: high
Priority: unspecified
Version: 6.0.2
CC: bkearney, bmbouter, daviddavis, dkliban, ggainey, ipanova, mhrivnak, mmccune, pcreech, rchan, rplevka, ttereshc
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Duplicates: 1116898
Last Closed: 2018-03-23 16:23:38 UTC
Type: Bug
Bug Depends On: 1116898
Bug Blocks: 950746, 1033011, 1131719

Description Corey Welton 2013-11-01 20:20:07 UTC
Description of problem:
When syncing through a proxy using the digest_pw method of authentication in squid, sync fails with an access denied -- despite the proxy apparently working otherwise for other traffic.  

Note that ncsa auth method seems to be ok.

Version-Release number of selected component (if applicable):
Satellite-6.0.2-RHEL-6-20131101.0

How reproducible:


Steps to Reproduce:
1.  Configure a squid proxy using digest_pw auth

COMMENT OUT ("#") the following line in /etc/squid/squid.conf to ensure we're not bypassing auth.

http_access allow localnet

ADD the following lines to /etc/squid/squid.conf in the access section

auth_param digest program /usr/lib64/squid/digest_pw_auth  -c /etc/squid/passwords
auth_param digest realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

EXECUTE the following
# htdigest -c /etc/squid/passwords proxy katello
(provide password for user 'katello' twice)

RESTART squid
# service squid restart
(if you want, ensure your proxy works by pointing a browser to it - you should be forced to authenticate with katello/katello username/passwd)

2. katello-configure --proxy-url http://yourproxy.example.com --proxy-port 3128 --proxy-user katello --proxy-pass katello
3.  Attempt to sync repo content

Actual results:

1383336473.313      0 10.16.96.134 TCP_DENIED/407 4254 GET http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml - NONE/- text/html
1383336495.477      0 10.16.96.134 TCP_DENIED/407 4254 GET http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml - NONE/- text/html


Expected results:

Successful sync

Additional info:

Here's an example of the same content working with an ncsa auth method in squid

1383336589.341     66 10.16.96.134 TCP_MISS/200 1543 GET http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml katello DIRECT/74.125.226.229 application/xml
1383336589.424     36 10.16.96.134 TCP_MISS/200 1767 GET http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/filelists.xml.gz katello DIRECT/74.125.226.229 application/xml
1383336589.448     58 10.16.96.134 TCP_MISS/200 1038 GET http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/other.xml.gz katello DIRECT/74.125.226.229 application/xml
1383336589.451     61 10.16.96.134 TCP_MISS/200 2524 GET http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/primary.xml.gz katello DIRECT/74.125.226.229 application/xml
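
The following is an added example, not part of the original report and not Pulp or Squid code. It reads Squid native-format access.log lines like those above and reports client/URL pairs whose 407 challenge was never followed by an authenticated request. A single 407 is the normal first step of challenge-response authentication, so only unanswered ones are flagged. The function names, addresses and URLs are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (same columns as the
# lines in the report): time elapsed client code/status bytes method URL user
# hierarchy/peer content-type. Addresses and hosts are documentation values.
SAMPLE_LOG = """\
1383336473.313      0 192.0.2.10 TCP_DENIED/407 4254 GET http://repo.example.com/repodata/repomd.xml - NONE/- text/html
1383336495.477      0 192.0.2.10 TCP_DENIED/407 4254 GET http://repo.example.com/repodata/repomd.xml - NONE/- text/html
1383336500.100      0 192.0.2.20 TCP_DENIED/407 4254 GET http://repo.example.com/repodata/repomd.xml - NONE/- text/html
1383336500.166     66 192.0.2.20 TCP_MISS/200 1543 GET http://repo.example.com/repodata/repomd.xml katello DIRECT/198.51.100.7 application/xml
"""


def parse_line(line):
    """Split one native-format access.log line into a dict, or return None."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    code, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {
        "client": parts[2],
        "code": code,
        "status": int(status),
        "url": parts[6],
        # Squid logs "-" when no credentials were accepted for the request.
        "user": None if parts[7] == "-" else parts[7],
    }


def unanswered_challenges(log_text):
    """Map (client, url) -> number of 407s never followed by an authenticated request."""
    pending = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["url"])
        if rec["status"] == 407 and rec["user"] is None:
            pending[key] += 1
        elif rec["status"] != 407 and rec["user"] is not None:
            # Challenge was answered: the earlier 407s were the normal handshake.
            pending.pop(key, None)
    return dict(pending)


if __name__ == "__main__":
    for (client, url), count in unanswered_challenges(SAMPLE_LOG).items():
        print(f"{client} never authenticated for {url} ({count} x 407)")
```
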

Comment 1 Corey Welton 2013-11-01 20:20:54 UTC
pulp-server-2.3.0-0.26.beta.el6sat.noarch

Comment 8 Brian Bouterse 2015-03-05 21:30:22 UTC
*** Bug 1116898 has been marked as a duplicate of this bug. ***

Comment 9 pulp-infra@redhat.com 2015-12-22 22:01:15 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 10 pulp-infra@redhat.com 2016-02-01 20:31:14 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 11 pulp-infra@redhat.com 2016-02-02 20:01:10 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 12 pulp-infra@redhat.com 2016-02-11 20:01:23 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 13 Bryan Kearney 2016-02-15 18:23:43 UTC
Should be fixed with Pulp 2.8, moving this to POST.

Comment 15 pulp-infra@redhat.com 2016-03-11 14:01:21 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 18 Tanya Tereshchenko 2018-03-23 16:23:38 UTC
https://pulp.plan.io/issues/469#note-28

Comment 19 pulp-infra@redhat.com 2018-03-23 16:38:17 UTC
The Pulp upstream bug status is at CLOSED - WONTFIX. Updating the external tracker on this bug.