Bug 126577
| Summary: | Hosted should only validate satellite certs for 340 satellites or later | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Network | Reporter: | Ryan Bloom <rbb> |
| Component: | RHN/Backend | Assignee: | Mihai Ibanescu <mihai.ibanescu> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fanny Augustin <fmoquete> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rhn350 | CC: | mihai.ibanescu, rhn-bugs |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-03-22 18:14:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 127673 | ||
|
Description
Ryan Bloom
2004-06-23 15:11:45 UTC
on dev now re-opening to track the code changes Part of the fix for this bug has to ensure that satellite sync will fail when the satellite cert has expired. This is fixed now, we only validate certs for version 3.4 or higher. Test plan: 1) Activate a satellite using an expired cert for satellite 3.2, make sure you can still sat sync. 2) Activate a satellite using a expired cert for satellite 3.4, make sure you can't sat sync. 3) Activate a satellite using a non-expired cert for satellite 3.4, make sure you can sat sync. couple of things: sat-sync will not work if the cert is removed, good thing because of our error checking capabilities in the ui now, I'm not allowed to put in a cert that is expired. the only way to test this is to insert a cert that will expire tomorrow and check it then. even after the cert has been removed and the sat can no longer sat-sync, I'm still able to log into the sat and use it. I think this is correct behavior. and lastly: since someone can use the satellite after it expires, whats to stop them from doing a disconnected sat-sync? If the satellite doesn't have a cert or if the cert is expired, you shouldn't be able to login to the satellite anymore, either through up2date or through the web ui. If you can, that is a bug. fanny, the new ui features won't allow you to put an expired cert on the sat. there is a 3.4 cert called expired. I recommend bumping up the the date to tomorrow and getting is signed then putting on a sat and waiting a day. You cannot login to the website, but you can perform a "satellite-sync --list-channel"... And you should not be able to do so with an experired cert. This was an invalid test (spoke to fanny already). We tested after moving the sat's date past the expiration day, but sat-sync is failed by hosted, so if hosted doesn't know the cert has expired, the sync will succeed. QA push. {ON_DEV,QA_READY} --> ON_QA
Actually, satsync is not properly syncing the cert. satellite-sync now properly syncs the cert. Fanny,I have deployed the fix on farm02 so you can go on with the testing. rhns version 3.6.1-18 btw... When the cert is expired you cannot satellite-sync, up2date, rhn_check, etc... Which are all valid things you cannot do when the cert is expired, however, you can still navigate the webUI (satellite) with no problem. I think the fix should prevent you for navigating the webUI. Fixed. The code was always getting the latest possible date from the database, but it needed to get the highest versioned cert, and get the expires for that date. ON_QA en masse for 2004-12-08 QA push Looks good on QA. Mass move from PROD_READY to CLOSED:CURRENTRELEASE |