Bug 2158526

Summary: Future execution corner case can bypass input validation in the new rex wizard
Product: Red Hat Satellite
Reporter: Peter Ondrejka <pondrejk>
Component: Remote Execution
Assignee: Maria <magaphon>
Status: CLOSED ERRATA
QA Contact: Peter Ondrejka <pondrejk>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.13.0
CC: aruzicka, magaphon, pcreech
Target Milestone: 6.14.0
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: foreman_remote_execution-9.1.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-08 14:18:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description: snap 11 state, Flags: none
Description: 6.14 state, Flags: none

Description Peter Ondrejka 2023-01-05 16:23:21 UTC
Description of problem:
It is possible to create a job pending in the "No data available" state, using future execution settings in the new job wizard.

Version-Release number of selected component (if applicable):
6.13 snap 3

How reproducible:
always

Steps to Reproduce:
1. Define a rex job using a new UI
2. Select future execution
3. In the Future execution step, clear the "Starts at" field. For "Starts before" pick current date from the date picker -- in the time field, current time is automatically selected and the input validation correctly shows a warning. Increase the time by one minute.
4. Move to the Review step and wait one minute. When the current time matches the time set in step 3, hit Run

Actual results:
The job is started and remains in "No data available" status (screen 1)

Expected results:
The job is not run

Additional info:
In step 4 above, if we wait one more minute, the job is not started and "Internal server error" is reported (btw. there could be a nicer message). So it seems that validation upon execution catches current_time > start_before but not current_time = start_before
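
The boundary condition hypothesized above (current_time = start_before slipping past a check that only rejects current_time > start_before), as an added Ruby example that is not part of the original report and not foreman_remote_execution code. The module, method and message names are assumptions, the timeline is constructed, and minute-resolution comparison is assumed to match the wizard's time picker.

```ruby
# Added example. Module, method and message names are assumptions,
# not foreman_remote_execution code.
module FutureExecutionCheck
  module_function

  # The wizard's time picker works in whole minutes, so compare at that resolution.
  def to_minute(time)
    t = time.getutc
    Time.utc(t.year, t.month, t.day, t.hour, t.min)
  end

  # Behaviour the report hypothesizes: only now > start_before is rejected.
  def lenient_errors(start_at:, start_before:, now:)
    errors(start_at, start_before, now) { |current, deadline| current > deadline }
  end

  # Inclusive boundary: a deadline equal to the current minute has been reached.
  def strict_errors(start_at:, start_before:, now:)
    errors(start_at, start_before, now) { |current, deadline| current >= deadline }
  end

  # Runs on the server when the job is submitted, using the server clock,
  # so time spent idle on the Review step is taken into account.
  def errors(start_at, start_before, now)
    found = []
    return found unless start_before

    deadline = to_minute(start_before)
    found << 'start_before is not in the future' if yield(to_minute(now), deadline)
    # A cleared "Starts at" field (nil) is allowed; a given one must precede the deadline.
    found << 'start_at is not before start_before' if start_at && to_minute(start_at) >= deadline
    found
  end
end

# Constructed timeline following the report's steps: the deadline is picked one
# minute ahead, then Run is hit at pick time, one minute later, two minutes later.
# Returns, for each moment, whether the submission is accepted.
def replay(check)
  picked = Time.utc(2023, 1, 5, 12, 0, 30) # constructed sample time
  deadline = picked + 60
  [picked, picked + 60, picked + 120].map do |server_now|
    FutureExecutionCheck.public_send(check, start_at: nil, start_before: deadline, now: server_now).empty?
  end
end

puts "lenient: #{replay(:lenient_errors)}"
puts "strict:  #{replay(:strict_errors)}"
```

The two checks differ only at the middle moment, when the server clock has reached the "Starts before" minute.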

Comment 3 Adam Ruzicka 2023-02-23 14:33:46 UTC
Created attachment 1945917 [details]
snap 11 state

On snap 10, I'm observing slightly different behavior. There is no ISE when the job gets triggered. I admit, the user experience isn't exactly great, but it is not as broken as described in #0. I'd consider this an edge case and while it would be nice to have it somehow covered, I wouldn't hold 6.13 for this.

Comment 4 Brad Buckingham 2023-02-23 17:11:38 UTC
Peter,

Can you review/respond to the feedback in comment 3? 
Do you agree not a blocker for 6.13?

Thanks!

Comment 5 Peter Ondrejka 2023-03-01 13:57:17 UTC
Hello, I didn't propose this as a blocker, ack to comment 3

Comment 8 Peter Ondrejka 2023-06-13 12:55:24 UTC
Created attachment 1970657 [details]
6.14 state

Comment 9 Peter Ondrejka 2023-06-13 12:58:27 UTC
Verified on Sat 6.14 sn 1: the ISE no longer occurs, and executing a job after the "start before" date is now prevented even when the user stays idle in the wizard for a while (screenshot attached).

Comment 12 errata-xmlrpc 2023-11-08 14:18:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6818