Bug 760377

Summary: 401 Error during post request
Product: [Retired] CloudForms Cloud Engine
Reporter: dgao
Component: aeolus-configserver
Assignee: Greg Blomquist <gblomqui>
Status: CLOSED CURRENTRELEASE
QA Contact: dgao
Severity: medium
Docs Contact:
Priority: unspecified
Version: 1.0.0
CC: akarol, deltacloud-maint, whayutin
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 760592
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 760592

Description dgao 2011-12-05 23:24:37 UTC
Automation uses httpclient in conjunction with signpost (oauth lib) to make requests to configserver. For regular GET requests, the server was able to authorize and return the proper information. For POST or PUT, it returns a 401 Unauthorized error while using the same consumer key/secret.

After speaking w/ the dev, it sounds like conductor does not take the entire header and generate the hash and signature. Instead it omits the "data=..." section.

As a result, because the automation includes the data section when it generates the hash and signature, it fails verification on the configserver side.

Comment 1 Greg Blomquist 2011-12-06 14:52:56 UTC
The correct behavior according to oauth standards is to include the entire post body payload when generating the signature in the HTTP request.  However, Conductor is using the RestClient ruby library with a request preprocessor that signs the request via oauth prior to sending the request.  Either the way Conductor is using the RestClient library, or the library itself, is not including the entire post body when signing the request.  Namely, it's not including the "data=..." part of the post body payload when generating the oauth signature.

The workaround on the server side (i.e., inside of configserver) is to omit the "data=..." part of the post body when validating the signature.  The security implications here are minimal, since there is a timestamp as well as other oauth headers included in the signed value.

The major downside to this approach is that it is non-standard, which leads right back to David's comment about test automation failing.
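As an added illustration of the mismatch described in the comment above (this is example code, not code from Conductor, configserver or the bug report), the following Ruby builds an OAuth 1.0 HMAC-SHA1 signature the way RFC 5849 prescribes and then verifies it both with and without the form-body `data` parameter; the URL, consumer secret, nonce, timestamp and body are constructed placeholders.

```ruby
require 'openssl'

# RFC 3986 percent-encoding as OAuth 1.0 (RFC 5849 section 3.6) requires: only
# unreserved characters pass through, everything else becomes upper-case %XX.
def oauth_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string (RFC 5849 section 3.4.1): METHOD&URL&normalized-params, where
# params holds every oauth_* parameter, query parameter and form-urlencoded body parameter.
def signature_base_string(method, base_url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }.sort
                     .map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, base_url, normalized].map { |part| oauth_encode(part) }.join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret", base64 encoded.
def oauth_signature(method, base_url, params, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  base = signature_base_string(method, base_url, params)
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base)].pack('m0')
end

# Constant-time comparison so verification time does not leak how much of a guess matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed request values (placeholders, not taken from the bug report).
CONSUMER_SECRET = 'example-consumer-secret'
URL = 'https://configserver.example.com/configs/uuid-1234'
OAUTH_PARAMS = {
  'oauth_consumer_key' => 'example-consumer-key', 'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1323123456', 'oauth_nonce' => 'abc123', 'oauth_version' => '1.0'
}
BODY_PARAMS = { 'data' => '<instance-config><services/></instance-config>' }

# Client side: a spec-compliant signer includes the form body's data=... parameter.
def client_signature
  oauth_signature('POST', URL, OAUTH_PARAMS.merge(BODY_PARAMS), CONSUMER_SECRET)
end

# Server side: include_body = true is the standard check; false models the
# "omit data=..." workaround, which rejects a spec-compliant client with 401.
def server_accepts?(presented, include_body)
  params = include_body ? OAUTH_PARAMS.merge(BODY_PARAMS) : OAUTH_PARAMS
  secure_equal?(oauth_signature('POST', URL, params, CONSUMER_SECRET), presented)
end
```

Running `server_accepts?(client_signature, false)` reproduces the 401 from the report: the two sides sign different parameter sets, so the HMACs can never agree.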

Comment 2 Greg Blomquist 2011-12-16 16:59:41 UTC
https://fedorahosted.org/pipermail/aeolus-devel/2011-December/007547.html
and
https://fedorahosted.org/pipermail/aeolus-devel/2011-December/007549.html

RPM versions:

 * aeolus-configserver-0.4.4-2

(the conductor patch still needs to be reviewed, accepted, pushed, and built)

Comment 3 wes hayutin 2012-01-03 17:42:01 UTC
adding ce-sprint-next bugs to ce-sprint

Comment 4 dgao 2012-01-12 21:25:34 UTC
Fixed in the below builds of audrey client and configserver:

aeolus-audrey-agent-0.4.3-1.el6.noarch.rpm
aeolus-configserver-0.4.5-1.el6.noarch.rpm