Bug 1348594

Summary: [Release Candidate] validation skipped on azure when subscription id is populated
Product: Red Hat CloudForms Management Engine Reporter: Colin Arnott <carnott>
Component: ProvidersAssignee: Daniel Berger <dberger>
Status: CLOSED CURRENTRELEASE QA Contact: Jeff Teehan <jteehan>
Severity: high Docs Contact:
Priority: high    
Version: 5.6.0CC: benglish, cpelland, dberger, dclarizi, hkataria, jfrey, jhardy, jteehan, mpovolny, obarenbo, simaishi
Target Milestone: GAKeywords: TestOnly, ZStream
Target Release: 5.7.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: provider:azure:ui
Fixed In Version: 5.7.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1351678 (view as bug list) Environment:
Last Closed: 2017-01-11 19:57:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1351678    

Description Colin Arnott 2016-06-21 14:20:56 UTC
Description of problem:
on the azure provider: if any text is in the subscription field, all validation is skipped

Version-Release number of selected component (if applicable):
cfme-5.6.0.{8,11}

How reproducible:
trivial

Steps to Reproduce:
0. add an azure provider
1. enter any text the following fields:
 a. Tenant ID
 b. Subscription ID
 c. Client ID
 d. Client Key

Actual results:
The form returns: "Credential validation was successful"
On EMS refresh:
~~~
Error - 7 Minutes Ago
[] {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid cli... 
~~~

Expected results:
The form returns: "Credential validation was not successful: Incorrect credentials - check your Azure Client ID and Client Key"

You enter valid credentials,
The form returns: "Credential validation was successful"
On EMS refresh:
~~~
Success - 7 Minutes Ago
~~~

Additional info:
~~~
[----] E, [2016-06-21T09:34:07.032642 #14207:7881420] ERROR -- : MIQ(ManageIQ::Providers::Azure::CloudManager::EventCatcher::Runner#start_event_monitor) EMS [] as [affcbef5-422f-4157-a631-975eeda3d08c] Event Monitor Thread aborted because [{"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: c7feeb07-fff5-4f82-984a-fb5abd38926b\r\nCorrelation ID: c457f4ed-f791-431b-ae21-64bdc56ae6d7\r\nTimestamp: 2016-06-21 13:34:06Z","error_codes":[70002,50012],"timestamp":"2016-06-21 13:34:06Z","trace_id":"c7feeb07-fff5-4f82-984a-fb5abd38926b","correlation_id":"c457f4ed-f791-431b-ae21-64bdc56ae6d7"}]
[----] E, [2016-06-21T09:34:07.032788 #14207:7881420] ERROR -- : [Azure::Armrest::UnauthorizedException]: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: c7feeb07-fff5-4f82-984a-fb5abd38926b\r\nCorrelation ID: c457f4ed-f791-431b-ae21-64bdc56ae6d7\r\nTimestamp: 2016-06-21 13:34:06Z","error_codes":[70002,50012],"timestamp":"2016-06-21 13:34:06Z","trace_id":"c7feeb07-fff5-4f82-984a-fb5abd38926b","correlation_id":"c457f4ed-f791-431b-ae21-64bdc56ae6d7"}  Method:[rescue in block in start_event_monitor]
[----] E, [2016-06-21T09:34:07.032879 #14207:7881420] ERROR -- : /opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:437:in `raise_api_exception'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:385:in `rescue in rest_execute'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:383:in `rest_execute'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:393:in `rest_post'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:43:in `fetch_token'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:34:in `token'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:181:in `fetch_subscription_id'
/opt/rh/cfme-gemset/gems/azure-armrest-0.2.6/lib/azure/armrest/armrest_service.rb:162:in `configure'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:65:in `create_event_service'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:61:in `connection'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:34:in `get_events'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/stream.rb:25:in `each_batch'
/var/www/miq/vmdb/app/models/manageiq/providers/azure/cloud_manager/event_catcher/runner.rb:13:in `monitor_events'
/var/www/miq/vmdb/app/models/manageiq/providers/base_manager/event_catcher/runner.rb:112:in `block in start_event_monitor'
/opt/rh/cfme-gemset/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `call'
/opt/rh/cfme-gemset/gems/logging-1.8.2/lib/logging/diagnostic_context.rb:323:in `block in create_with_logging_context'
~~~

Comment 2 Daniel Berger 2016-06-21 15:24:59 UTC
This appears to be a UI issue where the credentials are not actually getting validated at all if any text is put into the subscription ID field.

I did a few UI tests.

First, I left the subscription ID field blank, and put valid credentials in for the client ID, client key, and tenant ID. I pressed the validate button and it validated successfully as expected.

Second, with the same credentials as above, I also put "asdf" (invalid credentials) in the subscription ID field and hit "validate". The validation was successful, but should not have been.

Third, I put "asdf" in the subscription ID field, and deliberately mangled the client ID credentials, then pressed the validate button. It still validated successfully, but should not have.

Lastly, I removed all text from the subscription ID field, and deliberately mangled the client ID credentials, then pressed the validate button. It did not validate successfully, as expected.

This combination of tests, in my opinion, confirms that validation is not happening if any data is placed in the subscription ID field. The code within the verify_credentials method in the manager_mixin.rb file looks alright to me, so I believe this is strictly a UI issue.

Comment 4 Daniel Berger 2016-06-21 17:04:51 UTC
Upon further review, this is an issue with the way we handle validation on the backend.  Internally we were relying on the fetch_subscription_id method within the azure-armrest gem to raise an error, but it only does that if no subscription_id is provided.

We will need to improve the validation on our end.

Comment 5 Jeff Teehan 2016-06-21 17:35:43 UTC
I'll take the qe job on this one.

Took a look at it.  If you enter an invalid subscription, it doesn't warn you, but on the backend, it does grab the default subscription and continues to work fine, just as if the user left the field blank.  A user would only have a problem if they had two or more subscriptions and entered an incorrect value for the non-default subscription.  This is an odd field as it shouldn't be validated if no value is enter, and should be validated when a value is entered.

Comment 6 Daniel Berger 2016-06-22 17:43:05 UTC
https://github.com/ManageIQ/manageiq/pull/9365

Comment 7 Jeff Teehan 2016-09-22 17:16:26 UTC
This is all fixed up in 5.7.0.2  Moving to verified.

Added Polarion test case id