Bug 2079376

Summary: Request to remove hardcoded repo prefix "/pulp/content" from the Auth service/certificate verification service
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: anujmaurya
Component: CDS
Assignee: RHUI Bug List <rhui-bugs>
Status: CLOSED ERRATA
QA Contact: Radek Bíba <rbiba>
Severity: medium
Priority: unspecified
Version: 4.1.0
CC: gtanzill, manikroy, mathapli, mminar, sisatia, sskracic
Target Milestone: 4.1.1
Keywords: Rebase, Triaged
Target Release: 4.x
Hardware: All
OS: Linux
Last Closed: 2022-07-19 13:03:34 UTC
Type: Bug

Description anujmaurya 2022-04-27 13:14:53 UTC
Description of problem:
At present in RHUI 3, MS is using repo paths with prefix "pulp/repos" as a prefix of RHUI repos. So as to enable the migration of existing client requests with the same content certificate, we need to call RHUI 4 CDS. We tried rewriting the URI to "/pulp/content" in the nginx config, but the auth service running on RHUI 4 is checking "HTTP_X_ORIGINAL_URI" to get the repo path and then matches it with the content certificate. Because of this, even after having the same content.crt file, RHUI CDS is not able to authenticate the HTTPS requests with any URIs other than those starting with "pulp/content".

Version-Release number of selected component (if applicable):
rhui-tools-4.1.0.6-1.el8ui.noarch
rhui-installer-4.1.0.4-1.el8ui.noarch
rhui-tools-libs-4.1.0.6-1.el8ui.noarch


How reproducible:
Always

Steps to Reproduce:
1. Install RHUI 4
2. Hit RHUI 4 CDS with yum command with RHUI 3 client packages on Azure or curl with repo path starting with /pulp/repos


Actual results:
Getting 403 access denied
022-04-20 08:13:14,308 [1676943] [WARNING] Access DENIED to 52.183.63.106 for /pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml: Requested path is not a subpath of a path in the client certificate.

Expected results:
200 success since using the same content cert in rhui CDS.

Additional info:

The workaround is to configure nginx to return "301 permanently moved" from RHUI CDS and then yum can make a call with the pulp/content/ path.
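
The check described in this report, sketched as an added example (not RHUI's own code and not part of the original report): the repo path is taken from the original request URI, a known prefix is stripped, and the remainder must fall under a path in the client certificate. The function names, the configurable prefix list, the `$variable` matching and the sample certificate path are assumptions made for illustration; the request path is the one from the log line above.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: the accepted prefixes are configurable rather than hardcoded.
ALLOWED_PREFIXES = ("/pulp/content", "/pulp/repos")

def strip_prefix(original_uri, prefixes=ALLOWED_PREFIXES):
    """Return the repo path below a known prefix, or None if none matches."""
    path = unquote(urlsplit(original_uri).path)
    # Collapse "." and ".." first so the check sees the path actually served.
    path = posixpath.normpath("/" + path.lstrip("/"))
    for prefix in prefixes:
        if path.startswith(prefix + "/"):  # match only on a segment boundary
            return path[len(prefix):]
    return None

def is_subpath(requested, cert_path):
    """Segment-wise comparison; a $variable in the cert path matches one segment."""
    req = [s for s in requested.split("/") if s]
    cert = [s for s in cert_path.split("/") if s]
    if len(req) < len(cert):
        return False
    return all(c.startswith("$") or c == r for c, r in zip(cert, req))

def authorize(original_uri, cert_paths, prefixes=ALLOWED_PREFIXES):
    """True if the request maps to a path covered by the client certificate."""
    repo_path = strip_prefix(original_uri, prefixes)
    if repo_path is None:
        return False
    return any(is_subpath(repo_path, p) for p in cert_paths)

# Constructed sample: one entitlement path as it might appear in content.crt.
CERT_PATHS = ["/content/dist/rhel8/rhui/$releasever/$basearch/baseos/os"]
URI_V3 = "/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml"
URI_V4 = URI_V3.replace("/pulp/repos", "/pulp/content", 1)

if __name__ == "__main__":
    # Only "/pulp/content" accepted: the RHUI 3 style path is denied.
    print(authorize(URI_V3, CERT_PATHS, prefixes=("/pulp/content",)))
    # Both prefixes accepted: the same certificate authorizes both URIs.
    print(authorize(URI_V3, CERT_PATHS), authorize(URI_V4, CERT_PATHS))
```

Normalizing the path and matching the prefix on a segment boundary keeps an extra accepted prefix from widening what a certificate grants.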

Comment 5 errata-xmlrpc 2022-07-19 13:03:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHUI 4.1.1 release - Security Fixes and Enhancement Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5602