Bug 749536

Summary: incorrect oauth string for requests with multiple parameters having same name
Product: [Retired] Pulp
Reporter: Tomas Strachota <tstrachota>
Component: z_other
Assignee: Jason Connor <jconnor>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: unspecified
Priority: unspecified
Version: 1.0.0
CC: mmccune, tsanders
Keywords: Triaged
Target Release: Sprint 30
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-05-25 14:13:59 UTC

Description Tomas Strachota 2011-10-27 11:47:55 UTC
Description of problem:

If oauth is enabled, authentication fails when trying to make a request with multiple parameters that have the same name.
E.g. /repositories/?_intersect=groupid&groupid=product:1319641168168&groupid=env:1

According to the log, the oauth base string is calculated incorrectly:

pulp.server.auth.authentication:ERROR: authentication:214 error verifying OAuth signature: Invalid signature. Expected signature base string: GET&https%3A%2F%2Flocalhost%2Fpulp%2Fapi%2Frepositories%2F&_intersect%3Dgroupid%26groupid%3Dproduct%3A1319641168168%26oauth_consumer_key%3Dkatello%26oauth_nonce%3DHXxQnvo0H3f9kfEctEI3iFoQylDNIlnsZ4NMC1DsnI%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1319706227%26oauth_version%3D1.0

In this case it uses only the first groupid parameter and ignores the rest. Everything works fine for requests with only one groupid.

Comment 1 Tomas Strachota 2011-10-27 11:56:35 UTC
According to my investigation, I guess the problem is in the Python oauth implementation.

Function _split_url_string in http://oauth.googlecode.com/svn/code/python/oauth/oauth.py parses the query parameters and saves them into a hash.
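
The mismatch described in this report, as an added example that is not part of the original bug or of the Pulp or python-oauth code: a small OAuth 1.0 HMAC-SHA1 base string builder following RFC 5849, with a hypothetical `collapse_duplicates` switch that models a parser storing one value per parameter name. The URL and oauth_* values come from the report; `CONSUMER_SECRET` and the empty token secret are assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request from the report; CONSUMER_SECRET is a constructed sample value.
URL = ("https://localhost/pulp/api/repositories/"
       "?_intersect=groupid&groupid=product:1319641168168&groupid=env:1")
OAUTH_PARAMS = [
    ("oauth_consumer_key", "katello"),
    ("oauth_nonce", "HXxQnvo0H3f9kfEctEI3iFoQylDNIlnsZ4NMC1DsnI"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1319706227"),
    ("oauth_version", "1.0"),
]
CONSUMER_SECRET = "constructed-secret"

def enc(s):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params, collapse_duplicates=False):
    parts = urlsplit(url)
    # Keep the query as an ordered list of pairs so repeated names survive.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params)
    if collapse_duplicates:
        # Model of dict-based parsing: only the first value per name is kept.
        first = {}
        for name, value in pairs:
            first.setdefault(name, value)
        pairs = list(first.items())
    # RFC 5849 3.4.1.3.2: encode, then sort by name and, for ties, by value.
    encoded = sorted((enc(k), enc(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return "&".join([method.upper(), enc(base_url), enc(normalized)])

def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the empty token secret is an assumption."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

if __name__ == "__main__":
    for collapse in (False, True):
        b = base_string("GET", URL, OAUTH_PARAMS, collapse_duplicates=collapse)
        print("collapsed" if collapse else "all pairs", sign(b, CONSUMER_SECRET), b, sep="\n  ")
```

A client that signs every `groupid` pair and a server that verifies over the collapsed set compute different HMACs, so the request is rejected even though both hold the same secret. Values here are percent-encoded before the normalized string is encoded again, so the output need not match the logged string byte for byte.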

Comment 2 Jason Connor 2011-12-05 16:59:23 UTC
We've solved this by going to a patched version of oauth2: 1.5.170

Comment 3 Jeff Ortel 2011-12-15 20:18:07 UTC
build: 0.255

Comment 4 Jason Connor 2012-01-16 20:46:50 UTC
testing
1. add oauth credential to admin
2. use curl or wget to fetch the url http://localhost/pulp/api/tasks/?state=waiting&state=running along with the oauth credentials
3. success: list of tasks in the waiting or running state
   failure: authentication failure

Comment 5 Preethi Thomas 2012-05-17 14:11:37 UTC
verified

Comment 6 Preethi Thomas 2012-05-25 14:13:59 UTC
Pulp v1.1 Release