Bug 1459254

Summary:	Content-type mix prevent Kerberos authentication
Product:	[oVirt] ovirt-engine-sdk-python	Reporter:	Fabrice Bacchella <fabrice.bacchella>
Component:	General	Assignee:	Ondra Machacek <omachace>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Gonza <grafuls>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	4.1.4	CC:	bugs, juan.hernandez, mperina, oourfali, stirabos
Target Milestone:	ovirt-4.1.3	Flags:	rule-engine: ovirt-4.1+ pstehlik: testing_ack+
Target Release:	4.1.5
Hardware:	Unspecified
OS:	All
Whiteboard:
Fixed In Version:	python-ovirt-engine-sdk4-4.1.5	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-07-06 13:18:34 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	Infra	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Fabrice Bacchella 2017-06-06 16:01:52 UTC

I'm using the kerberos authentication from Apache instead of from ovirt. It was working well util the 4.1.4 release.

When I'm debug the request I see:

>  POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1
<  HTTP/1.1 401 Unauthorized
<  Content-Type: text/html; charset=iso-8859-1
>  POST /ovirt-engine/sso/oauth/token-http-auth HTTP/1.1
>  Authorization: Negotiate <SPNEGO blob>
<  HTTP/1.1 200 OK
<  Content-Type: application/json

but I get a:
The response content type 'text/html; charset=iso-8859-1' isn't the expected JSON

Indeed, if I print the returned headers in

    def _check_content_type(self, expected_re, expected_name, headers):

I get:
['HTTP/1.1 401 Unauthorized\r', ..., 'Content-Type: text/html; charset=iso-8859-1\r',...'HTTP/1.1 200 OK\r','Content-Type: application/json\r']

The headers array is a merge of both set of headers. So it's all wrong as self._get_header_value(headers, 'content-type') return the first occurence of 'content-type' and so check_json_content_type fails.

Comment 1 Gonza 2017-06-21 14:05:37 UTC

Tried with:
python-ovirt-engine-sdk4-4.2.1-1.a1.20170607gitdec2258.el7.centos.x86_64

Headers are still merged.
[
'HTTP/1.1 401 Unauthorized\r', 
'Date: Wed, 21 Jun 2017 14:00:42 GMT\r', 
'Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0\r', 
'WWW-Authenticate: Negotiate\r', 
'Content-Length: 163\r', 
'Content-Type: text/html; charset=iso-8859-1\r', 
'\r', 
'HTTP/1.1 200 OK\r', 
'Date: Wed, 21 Jun 2017 14:00:42 GMT\r', 
'Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0\r', 
'WWW-Authenticate: Negotiate xxxxxxxxx\r', 
'Set-Cookie: JSESSIONID=xxxxxxxxx; path=/ovirt-engine/sso; secure; HttpOnly\r', 
'Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Mon, 09-Jul-2085 17:14:49 GMT\r', 
'X-XSS-PROTECTION: 1; MODE=BLOCK\r', 
'X-CONTENT-TYPE-OPTIONS: NOSNIFF\r', 
'X-FRAME-OPTIONS: SAMEORIGIN\r', 
'Content-Type: application/json\r', 
'Content-Length: 316\r', 
'Vary: Accept-Encoding\r', 
'\r', 
'']

Comment 2 Red Hat Bugzilla Rules Engine 2017-06-21 14:05:46 UTC

Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.

Comment 3 Ondra Machacek 2017-06-21 14:27:10 UTC

Please try with python-ovirt-engine-sdk4-4.1.5.
python-ovirt-engine-sdk4-4.2.1-1.a1.20170607gitdec2258.el7.centos.x86_64 doesn't contain the fix.

Comment 4 Gonza 2017-06-22 08:36:03 UTC

Verified with:
python-ovirt-engine-sdk4-4.1.5-1.el7ev.x86_64

HEADERS:
[
	'HTTP/1.1 200 OK\r', 
	'Date: Thu, 22 Jun 2017 08:33:45 GMT\r', 
	'Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0\r', 
	'Set-Cookie: locale=en_US; path=/; HttpOnly; Max-Age=2147483647; Expires=Tue, 10-Jul-2085 11:47:52 GMT\r', 
	'X-XSS-PROTECTION: 1; MODE=BLOCK\r', 
	'X-CONTENT-TYPE-OPTIONS: NOSNIFF\r', 
	'X-FRAME-OPTIONS: SAMEORIGIN\r', 
	'Content-Type: application/json\r', 
	'Content-Length: 310\r', 
	'Vary: Accept-Encoding\r',
]