Bug 747725

Summary: OID regular expression matches too much
Product: Red Hat Update Infrastructure for Cloud Providers Reporter: James Slagle <jslagle>
Component: RHUAAssignee: James Slagle <jslagle>
Status: CLOSED ERRATA QA Contact: mkovacik
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.0.1CC: igulina, kbidarka, sghai, tsanders
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Do not document
 Story Points: ---
Clone Of:
: 748993 (view as bug list) Environment:
Last Closed: 2017-03-01 22:07:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 746803, 748993    

Description James Slagle 2011-10-20 20:47:14 UTC 
There's a bug in our regular expression that we use for oid validation.

If you have a OID url like:
content/dist/rhel/rhui/server/6/$releasever/$basearch/os

That gets changed to the following regular expression string:
content/dist/rhel/rhui/server/6/.+?/.+?/os

This happens in oid_validation.py in _validate_url.

This resulting regular expression matches too much.  The intent is that any requested url that starts with content/dist/rhel/rhui/server/6/<release>/<arch>/os is allowed.  However, it will actually allow other urls like:
/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os

The arch regular expression ends up matching x86_64/mrg-g/2.0.  In fact, it will match any thing up to the os.

Example:
/home/jslagle $ python
Python 2.7.1 (r271:86832, Apr 12 2011, 16:15:16) 
[GCC 4.6.0 20110331 (Red Hat 4.6.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import re
>>> oid = 'content/dist/rhel/rhui/server/6/.+?/.+?/os'
>>> url = '/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os'
>>> re.search(oid, url)
<_sre.SRE_Match object at 0x7fb67fa54370>

And:
>>> url = '/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/my/super/secret/repo/os'
>>> re.search(oid, url)
<_sre.SRE_Match object at 0x7fb67fa543d8>
Comment 1 James Slagle 2011-10-20 21:36:38 UTC 
Instead of using '.+?' to match the release and arch, it looks like instead we should be using '[^/]+'.  Using the latter, we'll basically match any character other than '/', which is what we want when matching the release and arch.

The problem with using '.+?' is that even though we've specified the '?', making the regex non-greedy, it will still match against as much of the string as needed to satisfy the regex.  Non-greedy doesn't mean only match up to the next character ('/' in this case), it means take the minimal amount of the string possible in order to satisfy the match.  The second usage of '.+?' will happily match as possible, such as 'x86_64/mrg-g/2.0' so that it can find a match and satisfy the regex.
Comment 2 James Slagle 2011-10-24 19:03:05 UTC 
Committed to pulp master and RHUI branch.

pulp master:
commit 06b17d5cf4d02be3f2bc75a36c30d9e6880c6c4d
Author: James Slagle <jslagle>
Date:   Mon Oct 24 14:56:43 2011 -0400

    747725 Fix regular expression during oid validation and add a test that uses

rhui: 948709966ff7bc3ec9a02f0d82dabeb7fbe97038


I also found another problem in that we were using re.search instead of re.match.  re.search will search the whole string instead of verifying that the requested uri *starts* with the oid url.  If you had a oid url like rhel/server/6, and a repo at /my/super/secret/repo/rhel/server/6, requests to that repo would have been allowed given that oid url.

Switching to re.match will ensure that the requested URI must start with the oid url.
Comment 4 James Slagle 2011-10-25 12:37:04 UTC 
Verification:

Make sure you have the MRG repos added and sync'd to your RHUI that match at least one of your base versions of RHEL.  For example, if you RHEL 6Server i386 sync'd, at MRG for 6Server i386.

Generate an entitlement certificate for the base RHEL 6 repo.  What we want to verify is that that certificate does *not* give you access to MRG.  You can generate a client config rpm for the MRG repos and point it at the entitlement certificate for the RHEL 6 repo.  Then verify that you are denied access to the MRG repos.  Another way to do it would be to just generate a client config rpm for the MRG repos as normal, but then edit the yum repo config file and point it at an entitlement certificate for the base RHEL 6 repo.

As this touches our repo auth code, it's probably a good idea to do some other general verification around this area, just verifying in general that the generated entitlement certificates do give you access to only what you asked for.
Comment 5 Sachin Ghai 2011-10-27 11:25:32 UTC 
To verify this defect, I generated a client config rpm for MRG repo as well as for RHUI2.0 repos. In both cases I'm getting "http 401 error while running yum operations on client.

[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
https://dhcp201-170.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml: [Errno 14] HTTP Error 401 : https://dhcp201-170.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml 
Trying other mirror.
https://dhcp201-137.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml: [Errno 14] HTTP Error 401 : https://dhcp201-137.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml 
Trying other mirror.
repo id                         repo name                                 status
rhui-rhel-x86_64-6-rhui-2-rpms  Red Hat Update Infrastructure 2.0 (RPMs)  0
repolist: 0


[root@dhcp201-191 ~]# rpm -qi redhat-release-server| grep Version
Version     : 6Server                           Vendor: Red Hat, Inc.
[root@dhcp201-191 ~]# 


Repos are synched on RHUA as well as on both CDS nodes.

It could be a test configuration issue, however just wanted to confirm.
Comment 6 Kedar Bidarkar 2011-10-27 13:06:27 UTC 
Even I see the same issues.

[root@ip-10-6-49-175 noarch]# yum repolist
Loaded plugins: product-id, pulp-profile-update, rhui-lb, subscription-manager
Updating Red Hat repositories.

https://ip-10-46-213-61.ec2.internal/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 401"
Trying other mirror.
repo id                                                                         repo name                                                                                  status
rhui-rhel-x86_64-6-rhui-2-rpms                                                  Red Hat Update Infrastructure 2.0 (RPMs)                                                   0
repolist: 0
Comment 7 James Slagle 2011-10-27 16:10:43 UTC 
The OID urls in the content certificate might start with a / (slash), so I need to account for that in the regular expression matching.

committed to pulp rhui branch: 1beed29819cd1719f8d1c129771b872651ed3856
Comment 8 Sachin Ghai 2011-10-28 11:10:54 UTC 
Verified with RHUI Gold iso having version:

RHEL-6.1-RHUI-2.0.1-20111027.1-Server-x86_64-DVD1.iso


Now yum install operations are working fine, without http 401 error:

[root@dhcp201-191 ~]# ls
anaconda-ks.cfg  install.log.syslog
install.log      rh-client-config-rhel6-2.0-1.el6.noarch.rpm
[root@dhcp201-191 ~]# rpm -ivh rh-client-config-rhel6-2.0-1.el6.noarch.rpm 
Preparing...                                                            (100########################################### [100%]
   1:rh-client-config-rhel6                                             ( 16########################################### [100%]
[root@dhcp201-191 ~]# yum clean all
Loaded plugins: rhui-lb
Cleaning up Everything
[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
rhui-rhel-6-server-rhui-rpms                         | 2.4 kB     00:00     
rhui-rhel-6-server-rhui-rpms/primary                 | 4.4 MB     00:00     
rhui-rhel-6-server-rhui-rpms                                      5489/5489
repo id                      repo name                                status
rhui-rhel-6-server-rhui-rpms Red Hat Enterprise Linux 6 Server from R 5,489
repolist: 5,489
[root@dhcp201-191 ~]# yum install zsh
Loaded plugins: rhui-lb
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package zsh.x86_64 0:4.3.10-4.1.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
 Package
        Arch      Version             Repository                       Size
============================================================================
Installing:
 zsh    x86_64    4.3.10-4.1.el6      rhui-rhel-6-server-rhui-rpms    2.1 M

Transaction Summary
============================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 2.1 M
Installed size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
zsh-4.3.10-4.1.el6.x86_64.rpm                        | 2.1 MB     00:00     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
rhui-rhel-6-server-rhui-rpms/gpgkey                  | 6.3 kB     00:00 ... 
Importing GPG key 0xFD431D51 "Red Hat, Inc. (release key 2) <security>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0 "Red Hat, Inc. (auxiliary key) <security>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : zsh-4.3.10-4.1.el6.x86_64                            1/1 

Installed:
  zsh.x86_64 0:4.3.10-4.1.el6                                               

Complete!
[root@dhcp201-191 ~]#
Comment 9 Sachin Ghai 2011-10-28 12:00:00 UTC 
MRG repos added that matches the rhel6 base version:

Last Refreshed: 17:43:35
(updated every 5 seconds, ctrl+c to exit)

Next Sync                    Last Sync                    Last Result         
------------------------------------------------------------------------------
MRG Grid from RHUI (RPMs) (6Server-i386)
10-28-2011 21:52             10-28-2011 15:53             Success    

MRG Grid from RHUI (RPMs) (6Server-x86_64)
10-28-2011 21:52             10-28-2011 15:53             Success    

Red Hat Enterprise Linux 6 Server from RHUI (RPMs) (6Server-x86_64)
10-28-2011 21:52             10-28-2011 16:23             Success    

Red Hat Update Infrastructure 2.0 (RPMs) (6Server-i386)
10-28-2011 21:52             10-28-2011 15:53             Success    

Red Hat Update Infrastructure 2.0 (RPMs) (6Server-x86_64)
10-28-2011 21:52             10-28-2011 15:53             Success    


                                  Connected: dhcp201-180.englab.pnq.redhat.com
------------------------------------------------------------------------------




Installed client config rpm of mrg repo:

[root@dhcp201-191 ~]# rpm -ivh rh-client-config-mrg-2.0-1.el6.noarch.rpm 
Preparing...                                                            (100########################################### [100%]
   1:rh-client-config-mrg                                               ( 16########################################### [100%]


[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
repo id                                repo name                      status
rhui-rhel-6-server-rhui-grid-rpms      MRG Grid from RHUI (RPMs)      54
repolist: 54
[root@dhcp201-191 ~]# yum clean all
Loaded plugins: rhui-lb
Cleaning up Everything
[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
rhui-rhel-6-server-rhui-grid-rpms                    | 2.2 kB     00:00     
rhui-rhel-6-server-rhui-grid-rpms/primary            |  16 kB     00:00     
rhui-rhel-6-server-rhui-grid-rpms                                     54/54
repo id                                repo name                      status
rhui-rhel-6-server-rhui-grid-rpms      MRG Grid from RHUI (RPMs)      54
repolist: 54
[root@dhcp201-191 ~]# 


installed client config rpm of mrg repo and point it at the entitlement cert for rhel6.

[root@dhcp201-191 ~]# cat  /etc/yum.repos.d/rh-cloud.repo 
[rhui-rhel-6-server-rhui-grid-rpms]
name=MRG Grid from RHUI (RPMs)
mirrorlist=https://dhcp201-136.englab.pnq.redhat.com/pulp/mirror//content/dist/rhel/rhui/server/6/$releasever/$basearch/mrg-g/2.0/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt
#sslclientcert=/etc/pki/entitlement/product/content.crt
sslclientcert=/root/rhel6.crt
sslclientkey=/etc/pki/entitlement/key.pem

[root@dhcp201-191 ~]# 

[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
https://dhcp201-187.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os/repodata/repomd.xml: [Errno 14] PYCURL ERROR 56 - ""
Trying other mirror.
https://dhcp201-136.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os/repodata/repomd.xml: [Errno 14] PYCURL ERROR 56 - ""
Trying other mirror.
repo id                                repo name                      status
rhui-rhel-6-server-rhui-grid-rpms      MRG Grid from RHUI (RPMs)      0
repolist: 0
[root@dhcp201-191 ~]#
Comment 10 James Slagle 2011-10-31 19:16:19 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document
Comment 14 errata-xmlrpc 2017-03-01 22:07:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367