Bug 126577 - Hosted should only validate satellite certs for 340 satellites or later
Alias: None
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Backend
Version: rhn350
Hardware: All Linux
Target Milestone: ---
Assignee: Mihai Ibanescu
QA Contact: Fanny Augustin
Depends On:
Blocks: rhn360sat
Reported: 2004-06-23 15:11 UTC by Ryan Bloom
Modified: 2007-04-18 17:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2005-03-22 18:14:14 UTC


Description Ryan Bloom 2004-06-23 15:11:45 UTC
The existing code in the satellite validates that the cert is still
valid when a satellite logs in.  That works for 340 satellites, but it
will fail for previous satellites, because their certs aren't using
the format that the python code understands.  We need to only do the
check for 340 satellites or later.

This will require a new column in rhnSatelliteInfo, Version, and a
script to populate version from the certs in the existing database.
Once that column is added, the code should be changed to respect the
version column.

Comment 1 Peter Jones 2004-07-06 19:10:48 UTC
on dev now

Comment 2 Ryan Bloom 2004-07-07 15:50:49 UTC
re-opening to track the code changes

Comment 3 Fanny Augustin 2004-07-07 15:55:04 UTC
Part of the fix for this bug has to ensure that satellite sync will
fail when the satellite cert has expired. 

Comment 4 Ryan Bloom 2004-07-08 20:04:37 UTC
This is fixed now, we only validate certs for version 3.4 or higher.

Test plan:  
1)  Activate a satellite using an expired cert for satellite 3.2, make
sure you can still sat sync.

2)  Activate a satellite using an expired cert for satellite 3.4, make
sure you can't sat sync.

3)  Activate a satellite using a non-expired cert for satellite 3.4,
make sure you can sat sync.

Comment 5 Matt Jamison 2004-08-02 02:26:13 UTC
couple of things:

sat-sync will not work if the cert is removed, good thing
because of our error checking capabilities in the ui now, I'm not
allowed to put in a cert that is expired.  the only way to test this
is to insert a cert that will expire tomorrow and check it then.

even after the cert has been removed and the sat can no longer
sat-sync, I'm still able to log into the sat and use it.  I think this
is correct behavior.

and lastly: since someone can use the satellite after it expires,
what's to stop them from doing a disconnected sat-sync?

Comment 6 Ryan Bloom 2004-08-02 12:34:46 UTC
If the satellite doesn't have a cert or if the cert is expired, you
shouldn't be able to login to the satellite anymore, either through
up2date or through the web ui.  If you can, that is a bug.

Comment 7 Matt Jamison 2004-08-05 15:58:38 UTC
Fanny, the new ui features won't allow you to put an expired cert on
the sat.  there is a 3.4 cert called expired.  I recommend bumping up
the date to tomorrow and getting it signed then putting on a sat
and waiting a day.

Comment 8 Fanny Augustin 2004-08-24 15:47:49 UTC
You cannot login to the website, but you can perform a "satellite-sync
--list-channel"...  And you should not be able to do so with an
expired cert.

Comment 9 Ryan Bloom 2004-08-24 17:00:42 UTC
This was an invalid test (spoke to Fanny already).  We tested after
moving the sat's date past the expiration day, but sat-sync is failed
by hosted, so if hosted doesn't know the cert has expired, the sync
will succeed.

Comment 10 Todd Warner 2004-10-21 16:16:53 UTC
QA push. {ON_DEV,QA_READY} --> ON_QA

Comment 11 Mihai Ibanescu 2004-12-01 20:33:42 UTC
Actually, satsync is not properly syncing the cert.

Comment 12 Mihai Ibanescu 2004-12-01 21:54:44 UTC
satellite-sync now properly syncs the cert.
Fanny, I have deployed the fix on farm02 so you can go on with the testing.

Comment 13 Mihai Ibanescu 2004-12-01 21:55:31 UTC
rhns version 3.6.1-18 btw...

Comment 14 Fanny Augustin 2004-12-06 15:56:44 UTC
When the cert is expired you cannot satellite-sync, up2date,
rhn_check, etc...  Which are all valid things you cannot do when the
cert is expired, however, you can still navigate the webUI (satellite)
with no problem.  I think the fix should prevent you from navigating
the webUI.

Comment 15 Ryan Bloom 2004-12-06 17:31:57 UTC
Fixed.  The code was always getting the latest possible date from the
database, but it needed to get the highest versioned cert, and get the
expires for that date.
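
Added example, not part of the bug thread and not RHN code: a sketch of the hosted-side decision described in the Description and in comment 15, showing why taking the latest expiry date across all stored certs lets an expired satellite through, while taking the expiry of the highest-versioned cert does not. The record fields (`cert_version`, `expires`), the function names and the dotted version strings are hypothetical.

```python
from datetime import date

MIN_VALIDATED = (3, 4)  # only 3.4 ("340") and later satellites get the cert check

def parse_version(text):
    """'3.4' -> (3, 4); tuples compare numerically, so '3.10' > '3.4'."""
    return tuple(int(part) for part in text.split("."))

def expiry_latest_date(certs):
    """Pre-fix behaviour (comment 15): latest expiry among all stored certs."""
    return max(c["expires"] for c in certs)

def expiry_of_newest_cert(certs):
    """Post-fix behaviour: expiry of the highest-versioned cert."""
    return max(certs, key=lambda c: c["cert_version"])["expires"]

def may_sync(sat_version, certs, today, expiry_fn=expiry_of_newest_cert):
    """Decide on the hosted side whether a satellite may sync."""
    if parse_version(sat_version) < MIN_VALIDATED:
        return True   # older cert format: validation is skipped
    if not certs:
        return False  # no cert on record: fail closed
    # Assumption: the cert is still good on its expiry date itself.
    return today <= expiry_fn(certs)

# Constructed sample data: a superseded cert with a later expiry than its replacement.
CERTS = [
    {"cert_version": 1, "expires": date(2005, 6, 30)},
    {"cert_version": 2, "expires": date(2004, 12, 1)},
]
TODAY = date(2004, 12, 6)

if __name__ == "__main__":
    print("3.2 satellite, expired cert:", may_sync("3.2", CERTS, TODAY))
    print("3.4 satellite, pre-fix lookup:", may_sync("3.4", CERTS, TODAY, expiry_latest_date))
    print("3.4 satellite, post-fix lookup:", may_sync("3.4", CERTS, TODAY))
```

The three printed cases line up with the test plan in comment 4 plus the pre-fix behaviour: the 3.2 satellite still syncs, and the 3.4 satellite is refused only when the newest cert's expiry is the one consulted.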

Comment 16 Todd Warner 2004-12-08 18:21:14 UTC
ON_QA en masse for 2004-12-08 QA push

Comment 17 Fanny Augustin 2004-12-08 19:01:43 UTC
Looks good on QA.

Comment 18 Todd Warner 2005-03-22 18:14:14 UTC
