Bug 1502752

Summary: refresh manifest - proxy password with special character
Product: Red Hat Satellite
Component: Subscription Management
Version: 6.2.12
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Rainer Beyel <rbeyel>
Assignee: Justin Sherrill <jsherril>
QA Contact: jcallaha
CC: aagrawal, ajoseph, akarsale, asamad, bkearney, bmidwood, bscalio, dhlavacd, ehelms, hmore, kgaikwad, kkohli, ktordeur, mshimura, phess, rabajaj, suarora, takirby, will_darton, wpinheir
Keywords: Triaged
Target Milestone: 6.5.0
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: tfm-rubygem-katello-3.10.0.24-1
Last Closed: 2019-05-14 12:36:38 UTC
Type: Bug

Description Rainer Beyel 2017-10-16 15:15:42 UTC
Description of problem:

The customer's Satellite depends on a proxy (with authentication) to connect to the internet. The proxy password contains a '?' (question mark) which leads to an issue when refreshing the manifest. Same error when executed from Web-UI.

# hammer subscription refresh-manifest --organization org01
[Foreman] Password for admin: 
[............................................................................................................] [100%]
Error: bad component(expected user component): red?hat

production.log
...
2017-10-16 14:19:48  [app] [E] Error during manifest refresh: {"displayMessage"=>"bad component(expected user component): red?hat", "conflicts"=>["UNKNOWN"]}
...

The credentials were set with the following command - example from my test-environment:

# satellite-installer --katello-proxy-url http://192.168.81.74 --katello-proxy-port 3128 --katello-proxy-username rainer2 --katello-proxy-password "red?hat"

Steps to Reproduce:
1. Proxy password contains a '?' (question mark)
2. Configure Satellite with the proxy credentials
3. Try to refresh the manifest (CLI, Web-UI)

Actual results:
"...Error: bad component(expected user component):..."

Expected results:
Username/password is sent to proxy, proxy authentication succeeds and manifest is refreshed.

Additional info:
Looking at the proxy (squid) debug logs, it seems the username/password is not transmitted to the proxy in this case. Passwords without special characters (e.g. '?') work as expected.
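
The failure described above, as an added example that is not part of the original report and is not Katello or Satellite code: Ruby's standard URI class rejects a raw '?' in the userinfo part of a URL, while percent-encoding each credential field is accepted and decodes back to the original password for the Proxy-Authorization header. It assumes the proxy settings are combined into a URL; the helper names are hypothetical, and the host, port and credentials are the reporter's test values.

```ruby
require 'uri'
require 'erb'

# Added example, not Katello code. Helper names are hypothetical; host, port
# and credentials are the test values quoted in the report.

# Percent-encode one userinfo field so '?', '@', ':' or '/' in a credential
# cannot be read as a URI delimiter.
def encode_userinfo_field(value)
  ERB::Util.url_encode(value)
end

# Reverse the encoding before the value is used as a credential.
def decode_userinfo_field(value)
  value.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
       .force_encoding(Encoding::UTF_8)
end

# Build the proxy URL. encode: false keeps the raw strings, which is the
# handling that fails for the password in the report.
def proxy_uri(host, port, user, password, encode: true)
  user, password = [user, password].map { |v| encode_userinfo_field(v) } if encode
  URI::HTTP.build(host: host, port: port, userinfo: "#{user}:#{password}")
end

# Proxy-Authorization value: Basic auth carries the decoded credentials,
# never the percent-encoded form stored in the URL.
def proxy_authorization(uri)
  creds = [uri.user, uri.password].map { |v| decode_userinfo_field(v) }
  "Basic #{[creds.join(':')].pack('m0')}"
end

# Returns :ok, or the exception class raised while building the URL.
def build_result(password, encode:)
  proxy_uri('192.168.81.74', 3128, 'rainer2', password, encode: encode)
  :ok
rescue URI::Error => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{build_result('red?hat', encode: false)}"
  puts "encoded: #{build_result('red?hat', encode: true)}"
  puts proxy_uri('192.168.81.74', 3128, 'rainer2', 'red?hat')
end
```

The exact exception message differs between Ruby versions, so the example reports only the exception class.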

Comment 5 asamad 2017-12-13 21:32:30 UTC
Customer needs an update or fix for the issue.

Comment 16 Bryan Kearney 2019-02-12 19:02:58 UTC
Upstream bug assigned to jsherril

Comment 17 Bryan Kearney 2019-02-12 19:03:00 UTC
Upstream bug assigned to jsherril

Comment 18 Bryan Kearney 2019-02-13 19:02:00 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/16909 has been resolved.

Comment 21 jcallaha 2019-03-06 15:52:24 UTC
Test results in Satellite 6.5.0 Snap 18

-bash-4.2# satellite-installer --katello-proxy-url http://localhost --katello-proxy-port 50123 --katello-proxy-username jake --katello-proxy-password "Red@Hat"
Resetting puppet server version param...
Installing             Done                                               [100%] [...........................................................................................................]
  Success!
  * Satellite is running at https://my.sat.com

  * To install an additional Capsule on separate machine continue by running:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  * To upgrade an existing 6.4 Capsule to 6.5:
      Please see official documentation for steps and parameters to use when upgrading a 6.4 Capsule to 6.5.

  The full log is at /var/log/foreman-installer/satellite.log


-bash-4.2# view /etc/foreman/plugins/katello.yaml
...
  :cdn_proxy:
    :host: http://localhost
    :port: 50123
    :user: jake
    :password: Red@Hat

Comment 22 jcallaha 2019-03-07 19:43:04 UTC
Verified in Satellite 6.5.0 Snap 18

The manifest refresh completed successfully.

Additionally, the squid proxy's (non-satellite) access log shows good connections.

-bash-4.2# tail -f /var/log/squid/access.log 
1551987430.790    596 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987451.086    559 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987558.638    491 10.16.210.57 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987578.537    423 10.16.210.57 TCP_TUNNEL/200 9253 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987578.853    483 10.16.210.57 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987591.287    427 10.16.210.57 TCP_TUNNEL/200 2732 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987598.946   4084 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 741458 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987622.442    424 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987622.964    511 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -

Comment 25 errata-xmlrpc 2019-05-14 12:36:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222