Bug 1451768

Summary: IPA /ipa/session/login_password route returns 400 even if content-type is specified
Product: Red Hat Enterprise Linux 7 Reporter: Abhijeet Kasurde <akasurde>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: akasurde, mbabinsk, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-29 14:36:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ipa_post.py none

Description Abhijeet Kasurde 2017-05-17 13:19:53 UTC 
Description of problem:
If user tries to login using IPA URL - /ipa/session/login_password using script it returns with 400. 


ipaurl = 'https://{0}/ipa/session/login_password'.format(self.server)
header = {'referer': ipaurl, 'Content-Type':'application/x-www-form-urlencoded', 'Accept': 'text/plain'}
login = {'user': self.user, 'password': self.password}
rv = self.session.post(ipaurl, headers=header, data=login, verify=self.sslverify)
print rv.status_code



IPA logs says - 
[:error] [pid 28654] ipa: INFO: 400 Bad Request: Content-Type must be application/x-www-form-urlencoded


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-11.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Use above code snippet.

Actual results:
Login fail with HTTP 400 error

Expected results:
Login should succeed
Comment 2 Martin Babinsky 2017-05-22 07:20:57 UTC 
Abhijeet,

can you plpease attach the full script you use to test password login? I assume that `self.server' points to some FQDN but it is hard to tell whether there is not something buggy written there.

It would also be nice if you could capture the exact request sent to the server in some debug output.
Comment 3 Abhijeet Kasurde 2017-05-22 14:00:00 UTC 
Please check the script attached. I am also facing same issue when I am using Ansible IPA user module.
Comment 4 Abhijeet Kasurde 2017-05-22 14:00:52 UTC 
Created attachment 1281048 [details]
ipa_post.py
Comment 5 Petr Vobornik 2017-05-25 15:38:24 UTC 
Could this bug be just dup of bug 1452215 - the form-based login fail due to SELinux. It was fixed in selinux-policy-3.13.1-152.el7 Might be worth to retry.
Comment 6 Petr Vobornik 2017-05-26 10:25:50 UTC 
Scratch comment 5.  ipa_post.py defines server by IP address. IPA server has redirection rule which redirects app to FQDN if not used. But the python-request does GET request and not POST which ends with error from login_password end point.

"POST /ipa/session/login_password HTTP/1.1" 301 283
"GET /ipa/session/login_password HTTP/1.1" 301 284 "https://10.34.58.158/ipa/session/login_password" "python-requests/2.10.0"
"GET /ipa/session/login_password HTTP/1.1" 400 155


When you change 
  i = ipa('10.10.10.1') 
to e.g. 
  i = ipa('test.example.com')


then it wil start to work.

Proposing to close as not a bug.