Bug 1879221

Summary: [Assisted-4.6][Staging] assisted-service API does not prevent a request with another user's credentials from setting cluster installation progress
Product: OpenShift Container Platform Reporter: nshidlin <nshidlin>
Component: assisted-installerAssignee: Fred Rolland <frolland>
assisted-installer sub component: assisted-service QA Contact: Yuri Obshansky <yobshans>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: alazar, aos-bugs, frolland
Version: 4.6Keywords: TestBlocker
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: OCP-Metal-juke-4
Fixed In Version: OCP-Metal-v1.0.10.2 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-18 17:58:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description nshidlin 2020-09-15 17:21:53 UTC 
Description of problem:
request:

method POST

url: "https://api.stage.openshift.com/api/assisted-install/v1/clusters/{cluster_id}/actions/complete_installation

X-Secret-Key: another user's pull secret

body:{ "is_success": true }

when cluster is in state "installing" repose:

409  "no condition passed to run transition CompleteInstallation from state installing"

when cluster was in state "finalizing" the request was accepted and set the cluster state to "installed"

I would expect the response in both cases to be 404 "record not found"

Version-Release number of selected component (if applicable):
{
    "release_tag": "v1.0.9.2-ds",
    "versions": {
        "assisted-ignition-generator": "quay.io/ocpmetal/assisted-ignition-generator:v1.0.9.2",
        "assisted-installer": "registry-proxy.engineering.redhat.com/rh-osbs/openshift4-assisted-installer-rhel8:v4.6.0-16",
        "assisted-installer-controller": "registry-proxy.engineering.redhat.com/rh-osbs/openshift4-assisted-installer-reporter-rhel8:v4.6.0-12",
        "assisted-installer-service": "quay.io/app-sre/assisted-service:b2bb440",
        "discovery-agent": "registry-proxy.engineering.redhat.com/rh-osbs/openshift4-assisted-installer-agent-rhel8:v4.6.0-12",
        "image-builder": "quay.io/app-sre/assisted-iso-create:b2bb440"
    }
}

How reproducible:
every time

Steps to Reproduce:
1. Create Cluster
2. Generate and dowload ISO
3. Boot nodes into ISO
4. Start Cluster installation
5. Make the following API request (substituting the cluster_id):
url: "https://api.stage.openshift.com/api/assisted-install/v1/clusters/{cluster_id}/actions/complete_installation
"

X-Secret-Key: another user's pull secret

body:{ "is_success": true }
6. Make the same request when the cluster is in state finalizing

Actual results:
when cluster is in state "installing" repose:

409  "no condition passed to run transition CompleteInstallation from state installing"

when cluster was in state "finalizing" the request was accepted and set the cluster state to "installed"

Expected results:
Request is rejected 404 "record not found"

Additional info:
Comment 1 Fred Rolland 2020-09-16 08:47:02 UTC 
https://github.com/openshift/assisted-service/pull/374
Comment 2 nshidlin 2020-09-18 06:44:58 UTC 
Verified on staging:
{
    "release_tag": "v1.0.9.4-ds",
    "versions": {
        "assisted-ignition-generator": "quay.io/ocpmetal/assisted-ignition-generator:v1.0.9.3",
        "assisted-installer": "registry-proxy.engineering.redhat.com/rh-osbs/openshift4-assisted-installer-rhel8:v4.6.0-18",
        "assisted-installer-controller": "registry-proxy.engineering.redhat.com/rh-osbs/openshift4-assisted-installer-reporter-rhel8:v4.6.0-14",
        "assisted-installer-service": "quay.io/app-sre/assisted-service:b793c52",
        "discovery-agent": "registry-proxy.engineering.redhat.com/rh-osbs/openshift4-assisted-installer-agent-rhel8:v4.6.0-15",
        "image-builder": "quay.io/app-sre/assisted-iso-create:b793c52"
    }
}
Comment 5 errata-xmlrpc 2021-01-18 17:58:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6.12 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0037