Bug 126577 - Hosted should only validate satellite certs for 340 satellites or later
Status: CLOSED CURRENTRELEASE
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Backend
Version: rhn350
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Mihai Ibanescu
QA Contact: Fanny Augustin
Blocks: rhn360sat
Reported: 2004-06-23 11:11 EDT by Ryan Bloom
Modified: 2007-04-18 13:09 EDT (History)

Doc Type: Bug Fix
Last Closed: 2005-03-22 13:14:14 EST


Description Ryan Bloom 2004-06-23 11:11:45 EDT
The existing code in the satellite validates that the cert is still
valid when a satellite logs in.  That works for 340 satellites, but it
will fail for previous satellites, because their certs aren't using
the format that the python code understands.  We need to only do the
check for 340 satellites or later.

This will require a new column in rhnSatelliteInfo, Version and a
script to populate version from the certs in the existing database.
Once that column is added, the code should be changed to respect the
version column.
Comment 1 Peter Jones 2004-07-06 15:10:48 EDT
on dev now
Comment 2 Ryan Bloom 2004-07-07 11:50:49 EDT
re-opening to track the code changes
Comment 3 Fanny Augustin 2004-07-07 11:55:04 EDT
Part of the fix for this bug has to ensure that satellite sync will
fail when the satellite cert has expired. 
Comment 4 Ryan Bloom 2004-07-08 16:04:37 EDT
This is fixed now, we only validate certs for version 3.4 or higher.

Test plan:  
1)  Activate a satellite using an expired cert for satellite 3.2, make
sure you can still sat sync.

2)  Activate a satellite using an expired cert for satellite 3.4, make
sure you can't sat sync.

3)  Activate a satellite using a non-expired cert for satellite 3.4,
make sure you can sat sync.
Comment 5 Matt Jamison 2004-08-01 22:26:13 EDT
couple of things:

sat-sync will not work if the cert is removed, good thing
 
because of our error checking capabilities in the ui now, I'm not
allowed to put in a cert that is expired.  the only way to test this
is to insert a cert that will expire tomorrow and check it then.

even after the cert has been removed and the sat can no longer
sat-sync, I'm still able to log into the sat and use it.  I think this
is correct behavior.

and lastly: since someone can use the satellite after it expires,
what's to stop them from doing a disconnected sat-sync?
Comment 6 Ryan Bloom 2004-08-02 08:34:46 EDT
If the satellite doesn't have a cert or if the cert is expired, you
shouldn't be able to login to the satellite anymore, either through
up2date or through the web ui.  If you can, that is a bug.
Comment 7 Matt Jamison 2004-08-05 11:58:38 EDT
fanny, the new ui features won't allow you to put an expired cert on
the sat.  there is a 3.4 cert called expired.  I recommend bumping up
the date to tomorrow and getting it signed then putting on a sat
and waiting a day.
Comment 8 Fanny Augustin 2004-08-24 11:47:49 EDT
You cannot login to the website, but you can perform a "satellite-sync
--list-channel"...  And you should not be able to do so with an
expired cert.
Comment 9 Ryan Bloom 2004-08-24 13:00:42 EDT
This was an invalid test (spoke to fanny already).  We tested after
moving the sat's date past the expiration day, but sat-sync is failed
by hosted, so if hosted doesn't know the cert has expired, the sync
will succeed.
Comment 10 Todd Warner 2004-10-21 12:16:53 EDT
QA push. {ON_DEV,QA_READY} --> ON_QA
Comment 11 Mihai Ibanescu 2004-12-01 15:33:42 EST
Actually, satsync is not properly syncing the cert.
Comment 12 Mihai Ibanescu 2004-12-01 16:54:44 EST
satellite-sync now properly syncs the cert.
Fanny, I have deployed the fix on farm02 so you can go on with the testing.
Comment 13 Mihai Ibanescu 2004-12-01 16:55:31 EST
rhns version 3.6.1-18 btw...
Comment 14 Fanny Augustin 2004-12-06 10:56:44 EST
When the cert is expired you cannot satellite-sync, up2date,
rhn_check, etc...  Which are all valid things you cannot do when the
cert is expired, however, you can still navigate the webUI (satellite)
with no problem.  I think the fix should prevent you from navigating
the webUI.
Comment 15 Ryan Bloom 2004-12-06 12:31:57 EST
Fixed.  The code was always getting the latest possible date from the
database, but it needed to get the highest versioned cert, and get the
expires for that date.
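
Added example, not part of the original bug thread and not RHN code: a sketch of the check the description, the comment 4 test plan and comment 15 describe, contrasting "latest expiry date of any cert" with "expiry of the highest-versioned cert". The function names, the (version, expiry) row layout, the tie-break and the inclusive expiry day are assumptions.

```python
from datetime import date

# Assumption: each stored cert is a (version string, expiry date) pair. The
# real rhnSatelliteInfo layout is not shown on the page.
MIN_VALIDATED = (3, 4)  # certs below 3.4 use a format the check cannot read


def parse_version(text):
    """'3.4' -> (3, 4), compared numerically so that '3.10' sorts above '3.4'."""
    return tuple(int(part) for part in text.split("."))


def expiry_latest_date(certs):
    """Behaviour comment 15 reports as the bug: latest expiry of any cert."""
    return max(expires for _, expires in certs)


def expiry_highest_version(certs):
    """Behaviour comment 15 reports as the fix: highest-versioned cert wins.
    Assumption: among equal versions, the later expiry is taken."""
    return max(certs, key=lambda c: (parse_version(c[0]), c[1]))


def may_sync(certs, today):
    """Hosted-side decision for one satellite (hypothetical helper)."""
    if not certs:
        return False                     # no cert on record: refuse
    version, expires = expiry_highest_version(certs)
    if parse_version(version) < MIN_VALIDATED:
        return True                      # pre-3.4 cert: expiry not validated
    return today <= expires              # assumption: valid through expiry day


if __name__ == "__main__":
    today = date(2004, 12, 6)
    # Constructed sample: an old 3.2 cert with a far-off expiry next to an
    # already expired 3.4 cert for the same satellite.
    certs = [("3.2", date(2006, 1, 1)), ("3.4", date(2004, 11, 30))]
    print("latest-date check says expired:", today > expiry_latest_date(certs))
    print("highest-version check allows sync:", may_sync(certs, today))
    # The three cases from the test plan in comment 4.
    print("expired 3.2:", may_sync([("3.2", date(2004, 1, 1))], today))
    print("expired 3.4:", may_sync([("3.4", date(2004, 11, 30))], today))
    print("valid 3.4:", may_sync([("3.4", date(2005, 6, 1))], today))
```

With the constructed rows, the latest-date lookup returns the old 3.2 cert's expiry and treats the satellite as current, while the highest-version lookup finds the expired 3.4 cert and refuses the sync.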
Comment 16 Todd Warner 2004-12-08 13:21:14 EST
ON_QA en masse for 2004-12-08 QA push
Comment 17 Fanny Augustin 2004-12-08 14:01:43 EST
Looks good on QA.
Comment 18 Todd Warner 2005-03-22 13:14:14 EST
Mass move from PROD_READY to CLOSED:CURRENTRELEASE
