Bug 678051

Summary: Authentication cannot handle consumer certificates
Product: [Retired] Pulp
Reporter: Jay Dobies <jason.dobies>
Component: z_other
Assignee: Jason Connor <jconnor>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: urgent
Priority: unspecified
Version: unspecified
CC: jortel, mmccune, skarmark
Keywords: Triaged
Target Release: Sprint 21
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-08-16 12:07:16 UTC
Bug Blocks: 647488

Description Jay Dobies 2011-02-16 16:03:17 UTC
The change was made that all certs (consumer and admin) now have users. The user parsing code was reused from admin certs. However, that parsing code expects the user format to be admin:<username>:<id>. Consumer certs, however, only contain the ID of the consumer.

This basically means that no consumer certs will ever result in a valid authentication. I suspect we haven't seen this due to another bug in the CLI that prefers to send the admin cert if one is present over the consumer cert. So we're accidentally sending that and the server is accidentally parsing it correctly, giving the consumer access.
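
Added example (not part of the original report, and not Pulp's actual fix): a decoder that accepts both identity forms described above and fails closed on anything else, so a bad certificate identity is a rejected login rather than a server traceback. The names decode_cert_identity, authenticate, CertIdentity and InvalidCertIdentity are hypothetical; it assumes the identity string has already been extracted from the certificate and that usernames and IDs never contain ":".

```python
from dataclasses import dataclass
from typing import Optional

ADMIN_PREFIX = "admin"   # from the bug report: admin:<username>:<id>
SEP = ":"                # assumption: never appears inside a username or ID


class InvalidCertIdentity(Exception):
    """Identity string in the certificate matches neither known form."""


@dataclass(frozen=True)
class CertIdentity:
    kind: str                 # "admin" or "consumer"
    ident: str                # user ID or consumer ID
    username: Optional[str]   # only set for admin certs


def decode_cert_identity(encoded: str) -> CertIdentity:
    """Decode either identity form; raise on anything else."""
    encoded = (encoded or "").strip()
    if not encoded:
        raise InvalidCertIdentity("empty identity")
    parts = encoded.split(SEP)
    if parts[0] == ADMIN_PREFIX:
        # Admin form must be exactly admin:<username>:<id>, all parts non-empty.
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise InvalidCertIdentity("malformed admin identity")
        return CertIdentity("admin", parts[2], parts[1])
    if len(parts) != 1:
        # A bare consumer ID must not contain the separator, so the two
        # forms can never be confused with each other.
        raise InvalidCertIdentity("unexpected separator in consumer identity")
    return CertIdentity("consumer", encoded, None)


def authenticate(encoded: str) -> Optional[CertIdentity]:
    """Fail closed: an undecodable identity is a failed login, not a traceback."""
    try:
        return decode_cert_identity(encoded)
    except InvalidCertIdentity:
        return None
```

Returning the principal kind explicitly lets the caller apply consumer permissions to a consumer cert instead of inferring the role from whichever parse happened to succeed.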

Comment 1 Jason Connor 2011-02-16 19:22:21 UTC
Steps to reproduce:
1. install fresh pulp instance
2. log onto server and create consumer:
   pulp-client -u admin -p admin consumer create --id <consumer name>
3. try to run a command as the consumer:
   pulp-client repo list

You should see:
No repositories to list (or something similar, I forget the exact message)

If the fix has failed, you will see this traceback:
error: operation failed: Traceback (most recent call last):
  File "/home/jconnor/Workspace/pulp/src/pulp/server/webservices/controllers/base.py", line 52, in report_error
    return method(self, *args, **kwargs)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/compat.py", line 40, in _decorator
    return decorator(*args,**kwargs)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/webservices/controllers/base.py", line 98, in _auth_decorator
    user = check_ssl_cert(cert_pem)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/auth/authentication.py", line 145, in check_ssl_cert
    username, id = cert_generator.decode_admin_user(encoded_user)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/auth/cert_generator.py", line 211, in decode_admin_user
    raise PulpException('Invalid encoded admin user information [%s]' % encoded_string)
PulpException: 'Invalid encoded admin user information []'

Comment 2 Jason Connor 2011-02-16 19:23:18 UTC
NOTE: DO NOT USE THE AUTH LOGIN COMMAND
pulp-admin auth login

This can circumvent the server-side bug.

Comment 3 Jeff Ortel 2011-02-16 20:08:52 UTC
QE Build: 0.139

Comment 4 Preethi Thomas 2011-02-16 20:15:00 UTC
[root@preethi ~]# rpm -q pulp
pulp-0.0.139-1.fc14.noarch

[root@preethi ~]# pulp-client -u admin -p admin consumer create --id=preethi
Successfully created consumer [ preethi ]

[root@preethi ~]# 
[root@preethi ~]# 
[root@preethi ~]# 
[root@preethi ~]# pulp-client repo list
No repositories available to list

Comment 5 Preethi Thomas 2011-02-16 20:50:54 UTC
verified


[root@dell-pe1855-01 ~]# pulp-client -u admin -p admin consumer create --id=test
warning: this client is not registered; please register to continue
Successfully created consumer [ test ]

[root@dell-pe1855-01 ~]# pulp-client repo list
No repositories available to list
[root@dell-pe1855-01 ~]# rpm -q pulp
pulp-0.0.139-1.fc14.noarch

Comment 6 Preethi Thomas 2011-08-16 12:07:16 UTC
Closing with Community Release 15

pulp-0.0.223-4.

Comment 7 Preethi Thomas 2011-08-16 12:20:57 UTC
Closing with Community Release 15

pulp-0.0.223-4.