Bug 806298

Summary: [REST API]: GET'ing domain with bad credentials returns 404
Product: OKD
Component: Pod
Version: 2.x
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: Andre Dietisheim <adietish>
Assignee: Krishna Raman <kraman>
QA Contact: libra bugs <libra-bugs>
CC: lnader, mfisher, mpatel, xcoulon, xtian
Keywords: Triaged
Doc Type: Bug Fix
Last Closed: 2012-04-13 18:32:24 UTC

Description Andre Dietisheim 2012-03-23 11:45:06 UTC
If I do a GET on a specific domain I have while using erroneous credentials, I get a 404:

curl -v -k -H "Accept: application/xml" --user "adietish:BADPW" https://openshift.redhat.com/broker/rest/domains/1329997507457 -X GET


< HTTP/1.1 404 Not Found
< Date: Fri, 23 Mar 2012 11:42:33 GMT
< Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
< X-Runtime: 0.945164
< Cache-Control: no-cache
< X-UA-Compatible: IE=Edge,chrome=1
< Status: 404
< Content-Type: application/xml; charset=utf-8
< Vary: Accept-Encoding,User-Agent
< ProxyTime: D=968946
< Connection: close
< Transfer-Encoding: chunked
< 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <type nil="true"></type>
  <status>not_found</status>
  <messages>
    <message>
      <exit-code>127</exit-code>
      <field nil="true"></field>
      <text>Domain 1329997507457 not found.</text>
      <severity>error</severity>
    </message>
  </messages>
  <data nil="true"></data>
  <version>1.0</version>
</response>

I would have expected the response code 403.

Comment 1 Andre Dietisheim 2012-03-23 11:46:37 UTC
The very same request (to the same existing domain), while using valid credentials, lists the expected information.

Comment 2 Lili Nader 2012-03-24 02:52:31 UTC
Since this is on production, the authentication should be failing and routing the user to login or returning a 401.

Comment 3 Andre Dietisheim 2012-03-26 13:43:09 UTC
Switched severity to urgent since we cannot differentiate whether a user has no domain or he's simply not authorized.

Comment 4 Krishna Raman 2012-03-27 04:22:06 UTC
5764b5c849d19492c7186cf5d3bd66dfd564e955

Comment 5 Xiaoli Tian 2012-03-29 08:55:41 UTC
(In reply to comment #4)
> 5764b5c849d19492c7186cf5d3bd66dfd564e955

Tested this on devenv_1679, with the instance configured as an integrated environment (which requires authentication for the user).

Access with an invalid password will return access denied:
curl -k -H 'Accept: application/xml' --user 'xtian+test5:invalidpwd' https://$instancedns/broker/rest/domains/doms6 -X GET
HTTP Basic: Access denied.

Access with a valid password but a non-existent domain:
curl -k -H 'Accept: application/xml' --user 'xtian+test5:validpwd' https://$instancedns/broker/rest/domains/doms7 -X GET
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <type nil="true"></type>
  <data>
    <datum nil="true"></datum>
  </data>
  <messages>
    <message>
      <exit-code>127</exit-code>
      <severity>error</severity>
      <text>Domain doms7 not found.</text>
      <field nil="true"></field>
    </message>
  </messages>
  <status>not_found</status>
  <version>1.0</version>
</response>

Comment 6 Xiaoli Tian 2012-03-29 13:03:41 UTC
*** Bug 806293 has been marked as a duplicate of this bug. ***

Comment 7 Andre Dietisheim 2012-03-29 13:09:33 UTC
Looks perfect, thanks!
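
The ordering verified in comment 5 (credentials are checked before the domain is looked up, so a bad password never surfaces as not_found), as an added example that is not part of this bug thread and is not the broker's own code. The user store, domain table, realm name, ownership rule and all function names are hypothetical; the sample data is constructed.

```ruby
require 'base64'
require 'digest'

# Constructed sample data. Unsalted SHA-256 only keeps the sample short;
# a real credential store would use a password KDF.
USERS   = { 'alice' => Digest::SHA256.hexdigest('validpwd') }.freeze
DOMAINS = { 'doms6' => 'alice' }.freeze # domain id => owner login

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse an "Authorization: Basic ..." header value; returns the login or nil.
def authenticate(header)
  return nil unless header.is_a?(String)
  scheme, token = header.split(' ', 2)
  return nil unless scheme&.casecmp?('Basic') && token
  login, password = Base64.decode64(token).split(':', 2)
  return nil if login.nil? || password.nil?
  # Unknown logins still go through a hash comparison, then fail on key?.
  stored = USERS[login] || Digest::SHA256.hexdigest('')
  ok = secure_compare(stored, Digest::SHA256.hexdigest(password))
  ok && USERS.key?(login) ? login : nil
end

# Hypothetical handler for GET /domains/:id; returns [status, headers, body].
def get_domain(auth_header, domain_id)
  login = authenticate(auth_header)
  # Authentication is decided before any lookup happens.
  unless login
    return [401, { 'WWW-Authenticate' => 'Basic realm="broker"' },
            'HTTP Basic: Access denied.']
  end
  # Assumption of this example: a domain owned by another user is
  # reported the same way as a missing one.
  unless DOMAINS[domain_id] == login
    return [404, {}, "Domain #{domain_id} not found."]
  end
  [200, {}, "Domain #{domain_id}"]
end

# Helper that builds the header curl's --user option would send.
def basic(login, password)
  'Basic ' + Base64.strict_encode64("#{login}:#{password}")
end
```

With this ordering a client can tell the two cases from the report apart: 401 means the credentials were rejected, 404 means they were accepted and the domain does not exist for that user.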