Bug 1176219 - subscription-manager repos --list with bad proxy options is silently using cache
Summary: subscription-manager repos --list with bad proxy options is silently using cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.7
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
: 6.9
Assignee: Kevin Howell
QA Contact: John Sefler
URL:
Whiteboard:
Depends On: 1298327
Blocks: rhsm-rhel68 1306005
TreeView+ depends on / blocked
 
Reported: 2014-12-19 17:42 UTC by John Sefler
Modified: 2017-03-21 10:53 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1306005 (view as bug list)
Environment:
Last Closed: 2017-03-21 10:53:27 UTC
Target Upstream Version:


Attachments (Terms of Use)
Unable to load repository (204.63 KB, image/png)
2016-11-04 15:15 UTC, Shwetha Kallesh
no flags Details


Links
System ID Priority Status Summary Last Updated
Github candlepin python-rhsm pull 183 None closed 1176219: Raise ProxyException in Restlib 2020-05-29 15:25:57 UTC
Github candlepin subscription-manager pull 1486 None closed 1176219: Error out if bad proxy settings detected 2020-05-29 15:25:56 UTC
Github candlepin subscription-manager pull 1493 None closed 1176219: Treat port as integer for GUI conn test 2020-05-29 15:25:56 UTC
Red Hat Bugzilla 1298327 None None None Never
Red Hat Bugzilla 1301215 None None None Never
Red Hat Bugzilla 1389794 None None None Never
Red Hat Product Errata RHSA-2017:0698 normal SHIPPED_LIVE Moderate: subscription-manager security, bug fix, and enhancement update 2017-03-21 12:39:12 UTC

Internal Links: 1298327 1301215 1389794

Description John Sefler 2014-12-19 17:42:25 UTC
Description of problem:
Prior to subscription-manager commit 69d62fce716fb30709acc6b67346029aeb85c302 calls to subscription-manager list --repos with bad proxy options whould fail with stderr "Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information." and an exitCode of 70 EX_SOFTWARE,

Now an explicit call with a bad proxy and/or bad credentials will appear successful since it is now using cache, but the user does not know it.  I believe this is deceptive when the user supplies erroneous proxy options.  See my suggestion below.


Version-Release number of selected component (if applicable):
[root@jsefler-os7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.37-1
subscription management rules: 5.13
subscription-manager: 1.13.12-1.el7
python-rhsm: 1.13.8-1.el7

How reproducible:


Steps to Reproduce:
After successfully registering and attaching a subscription that provides repos...

[root@jsefler-os7 ~]# subscription-manager repos --list --proxy=auto-services.usersys.redhat.com:3128 --proxyuser=bad-username --proxypassword=bad-password
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   awesomeos-x86_64
Repo Name: awesomeos-x86_64
Repo URL:  https://cdn.redhat.com/path/to/awesomeos/x86_64
Enabled:   0

[root@jsefler-os7 ~]# echo $?
0

It is not obvious to me why that succeed despite the erroneous proxy values I supplied.




Actual results:
Prior to subscription-manager-1.13.12-1, the result was "Network error, unable to connect to server. Please see /var/log/rhsm/rhsm.log for more information.".
The problem with the new results is that the user (knowingly or unintentionally) passed bad proxy options but got a successful reply for unknown reasons.  The rhsm.log contains...

2014-12-19 12:16:30,320 [ERROR] subscription-manager @cache.py:212 - Proxy connection failed: 407
2014-12-19 12:16:30,320 [WARNING] subscription-manager @cache.py:218 - Unable to reach server, using cached status.

Hence I see that cache is being used to report the results.


Expected results:
I think a better response would be to also report "Unable to reach server, using cached status." in the stderr as well as a non-zero exitCode in addition to the cached repos list.  Something like this...


# subscription-manager repos --list --proxy=auto-services.usersys.redhat.com:3128 --proxyuser=bad-username --proxypassword=bad-password
Unable to reach server, using cached status.
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   awesomeos-x86_64
Repo Name: awesomeos-x86_64
Repo URL:  https://cdn.redhat.com/path/to/awesomeos/x86_64
Enabled:   0

# echo $?
70

Comment 1 Adrian Likins 2015-01-12 19:12:16 UTC
What should the gui do in this case?  (user won't see stderr console output...)
How do we handle multiple disconnected requests?

I think my preference would be to warn once when we are "disconnected".
For cli, one line of warning to stderr[1], and for gui, pop up one warning
dialog.

For gui, it would be better ui to have some sort of "offline indicator", but
not sure it's worth the effort.



However, for this particular case... we sort of know that it was a Proxy error and not a generic network error. At least, we get a generic socket.error with a message that currently claims "Proxy connection failed". We could check for it in python-rhsm where we know we are attempting to connect to the proxy. 

But then again, if that was a bogus --serverurl, that would be more difficult to handle.

Comment 2 William Poteat 2015-01-16 15:23:14 UTC
Deferring to RHEL 6.7 cycle

Comment 5 Barnaby Court 2015-10-09 17:25:06 UTC
Command line is now printing an error. This needs to be addressed in the GUI.

Comment 6 Chris Snyder 2016-01-08 23:06:29 UTC
Both the gui and the command line throw an error for me when following the reproduction steps.

Comment 9 Chris Snyder 2016-04-26 18:03:46 UTC
Related commit in master that ensures the cli fails when there are bad proxy options used:


commit 7ce6801fc1cc38edcdeb75dfb5f0d1f8a6398c68
Author: William Poteat <wpoteat@redhat.com>
Date:   Tue Mar 1 13:30:41 2016 -0500

    1301215: Test proxy connection before making call
    1176219: Stop before cache is returned when using bad proxy options
    
    Uses socket connect as test for viability of proxy. Only checks when proxy
    settings are on the command line.

Comment 10 vritant 2016-07-12 22:15:05 UTC
The fix in 7ce6801fc1cc38edcdeb75dfb5f0d1f8a6398c68 simply logs a line in rhsm.log like "Attempted bad proxy: ...", and continues to respond with cached information.

This is usually lost in the logs, as evidenced in bug 1353821 .

We need to ignore cached information whenever proxy connection information is provided as command arguments.

Comment 11 Kevin Howell 2016-09-19 18:18:22 UTC
Added another PR (1493) to fix a bug I introduced w/ the PR for this BZ (1486).

Comment 13 Shwetha Kallesh 2016-11-04 10:41:17 UTC
[root@dhcp35-71 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.51.20-1
subscription management rules: 5.15.1
subscription-manager: 1.18.3-1.el6
python-rhsm: 1.18.4-1.el6



[root@dhcp35-71 ~]# subscription-manager repos --list
+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-lb-for-rhel-6-server-eus-rpms
Repo Name: Red Hat Enterprise Linux Load Balancer (for RHEL 6 Server) - Extended Update Support (RPMs)
Repo URL:  https://cdn.redhat.com/content/eus/rhel/server/6/$releasever/$basearch/loadbalancer/os
Enabled:   1

Repo ID:   rhel-6-server-rhs-client-1-source-rpms
Repo Name: Red Hat Storage Native Client for RHEL 6 (Source RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel/server/6/$releasever/$basearch/rhs-client/source/SRPMS
Enabled:   0

Repo ID:   rhs-big-data-3-for-rhel-6-server-source-rpms
Repo Name: Red Hat Storage 3 Server Big Data (Source RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel/server/6/$releasever/$basearch/rhs-server-bigdata/3/source/SRPMS
Enabled:   0


Proxy coonection failed error is being thrown now


[root@dhcp35-71 ~]# subscription-manager repos --list --proxy=auto-services.usersys.redhat.com:3128 --proxyuser=bad-username --proxypassword=bad-password
Proxy connection failed, please check your settings.

Comment 14 Shwetha Kallesh 2016-11-04 15:14:37 UTC
GUI verification : 

Error dialog says "Unable to load repository data" , but doesnot convey that its due to the invalid proxy connection. Moving the bug back to new, would like the error message to be something like 

"Proxy connection failed,Unable to load repository data"

Please refer the attachment for the Actual error dialog

Comment 15 Shwetha Kallesh 2016-11-04 15:15:44 UTC
Created attachment 1217421 [details]
Unable to load repository

Comment 17 Chris Snyder 2016-11-07 15:52:18 UTC
Shwetha,

Please reopen comment 14 as a new bug. Please proceed with verifying this bug which is for the command line only.

Comment 18 Shwetha Kallesh 2016-11-08 03:59:59 UTC
Marking this bug as verified , opened a new bug for GUI

Comment 20 errata-xmlrpc 2017-03-21 10:53:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0698.html


Note You need to log in before you can comment on or make changes to this bug.