Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1094670

Summary: [redhat-support-plugin-rhev] plugin tries to access 3rd party urls
Product: Red Hat Enterprise Virtualization Manager
Reporter: Jiri Belka <jbelka>
Component: redhat-support-plugin-rhev
Assignee: Spenser Shumaker <sshumake>
Status: CLOSED CANTFIX
QA Contact: Spenser Shumaker <sshumake>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.4.0
CC: acathrow, gklein, iheim, yeylon
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-06 16:01:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: screenshot (flags: none)

Description Jiri Belka 2014-05-06 09:34:53 UTC
Created attachment 892822: screenshot

Description of problem:
Plugin tries to access 3rd party URLs; this seems odd to me. One could imagine that a network is set up with real security design (filtering outgoing access), thus this would either be blocked or it would cause alarms (I suppose *.redhat.com would be allowed for outgoing traffic).

See screenshot from the NoScript add-on for FF.

Version-Release number of selected component (if applicable):
redhat-support-plugin-rhev-3.4.0-3.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Have the NoScript FF add-on, or press F12 in FF and open the network tab, and see which domains are accessed.

Actual results:
3rd party domains are accessed (en25.com, eloqua.com, demandbase.com, google.com?)

Expected results:
Only *.redhat.com should be used. We cannot suppose both that access to some 3rd party URLs would work and that it won't produce network filtering alarms.

Additional info:

Comment 1 Spenser Shumaker 2014-05-06 16:01:19 UTC
The new code in the redhat-support-plugin-rhev allows for both cookie auth and basic auth with Red Hat. When we detect a stale or invalid cookie we have to call Red Hat's log out service at "https://access.redhat.com/logout" to remove the cookie. Calling this service is what calls the 3rd party URLs.

There is talk of converting our SSO to use SAML or OAuth. This conversion should fix this problem. Since there is nothing the plugin can do, I am closing as CANTFIX.
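
The check in the description (open the browser's network tab and see which domains are contacted) can be made repeatable by saving the session as a HAR file and comparing every request host to the egress allow-list. The following is an added example, not part of the original report or the plugin's code; the function names, the HAR sample, its paths and the look-alike host are constructed for illustration.

```javascript
// Egress allow-list from the report's expectation: only *.redhat.com.
const ALLOWED_SUFFIXES = ["redhat.com"];

// Match on a DNS label boundary so "notredhat.com" and
// "access.redhat.com.example.net" are not treated as redhat.com.
function isAllowedHost(host, suffixes = ALLOWED_SUFFIXES) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return suffixes.some((s) => h === s || h.endsWith("." + s));
}

// Walk a HAR 1.2 object and return Map(host -> { count, referers }) for
// every http(s) request whose host is outside the allow-list.
function thirdPartyRequests(har, suffixes = ALLOWED_SUFFIXES) {
  const findings = new Map();
  const entries = (har && har.log && har.log.entries) || [];
  for (const { request = {} } of entries) {
    let url;
    try {
      url = new URL(request.url);
    } catch (e) {
      continue; // malformed entry, nothing to attribute
    }
    if (!/^https?:$/.test(url.protocol)) continue; // skip data:, about:, blob:
    if (isAllowedHost(url.hostname, suffixes)) continue;
    const ref = (request.headers || []).find((h) => h.name.toLowerCase() === "referer");
    const f = findings.get(url.hostname) || { count: 0, referers: [] };
    f.count += 1;
    if (ref && !f.referers.includes(ref.value)) f.referers.push(ref.value);
    findings.set(url.hostname, f);
  }
  return findings;
}

// Constructed sample, not a capture from the product. Hosts are the domains
// named in the report plus one constructed look-alike; paths are made up.
const logout = [{ name: "Referer", value: "https://access.redhat.com/logout" }];
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://access.redhat.com/logout", headers: [] } },
  { request: { url: "https://en25.com/constructed.js", headers: logout } },
  { request: { url: "https://eloqua.com/constructed-a.gif", headers: logout } },
  { request: { url: "https://eloqua.com/constructed-b.gif", headers: logout } },
  { request: { url: "https://demandbase.com/constructed.js", headers: [] } },
  { request: { url: "https://access.redhat.com.example.net/x", headers: [] } },
  { request: { url: "data:text/plain,constructed", headers: [] } },
] } };

for (const [host, f] of thirdPartyRequests(SAMPLE_HAR)) {
  console.log(`${host}\t${f.count}\t${f.referers.join(",")}`);
}
```

Recording the Referer alongside each host shows which first-party page pulled in the third-party request, which is the information needed to decide whether to block it or add a firewall exception.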