1502752 – refresh manifest - proxy password with special character

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1502752 - refresh manifest - proxy password with special character

Summary: refresh manifest - proxy password with special character

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Subscription Management
Sub Component:
Version:	6.2.12
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	6.5.0
Assignee:	Justin Sherrill
QA Contact:	jcallaha
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-10-16 15:15 UTC by Rainer Beyel
Modified:	2024-06-13 20:49 UTC (History)
CC List:	20 users (show)
Fixed In Version:	tfm-rubygem-katello-3.10.0.24-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-14 12:36:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	16909	0	Normal	Closed	Issue with Password having special character '@'	2021-01-26 18:19:00 UTC
Red Hat Product Errata	RHSA-2019:1222	0	None	None	None	2019-05-14 12:36:49 UTC

Description Rainer Beyel 2017-10-16 15:15:42 UTC

Description of problem:

The customers Satellite depends on a proxy (with authentication) to connect to the internet. The proxy password contains a '?' (question mark) which leads to an issue when refreshing the manifest. Same error when executed from Web-UI.

# hammer subscription refresh-manifest --organization org01
[Foreman] Password for admin: 
[............................................................................................................] [100%]
Error: bad component(expected user component): red?hat

production.log
...
2017-10-16 14:19:48  [app] [E] Error during manifest refresh: {"displayMessage"=>"bad component(expected user component): red?hat", "conflicts"=>["UNKNOWN"]}
...

The credentials were set with the following command - example from my test-environment:

# satellite-installer --katello-proxy-url http://192.168.81.74 --katello-proxy-port 3128 --katello-proxy-username rainer2 --katello-proxy-password "red?hat"

Steps to Reproduce:
1. Proxy password contains a '?' (question mark)
2. Configure Satellite with the proxy credentials
3. Try to refresh the manifest (CLI, Web-UI)

Actual results:
"...Error: bad component(expected user component):..."

Expected results:
Username/password is send to proxy, proxy authentication succeeds and manifest is refreshed.

Additional info:
Looking at the proxy (squid) debug logs, it seems the username/password is not transmitted to the proxy in this case. Passwords without special characters (e.g. '?) work as expected.

Comment 5 asamad 2017-12-13 21:32:30 UTC

Customer needs an update or fix for the issue.

Comment 16 Bryan Kearney 2019-02-12 19:02:58 UTC

Upstream bug assigned to jsherril

Comment 17 Bryan Kearney 2019-02-12 19:03:00 UTC

Upstream bug assigned to jsherril

Comment 18 Bryan Kearney 2019-02-13 19:02:00 UTC

Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/16909 has been resolved.

Comment 21 jcallaha 2019-03-06 15:52:24 UTC

Test results in Satellite 6.5.0 Snap 18

-bash-4.2# satellite-installer --katello-proxy-url http://localhost --katello-proxy-port 50123 --katello-proxy-username jake --katello-proxy-password "Red@Hat"
Resetting puppet server version param...
Installing             Done                                               [100%] [...........................................................................................................]
  Success!
  * Satellite is running at https://my.sat.com

  * To install an additional Capsule on separate machine continue by running:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  * To upgrade an existing 6.4 Capsule to 6.5:
      Please see official documentation for steps and parameters to use when upgrading a 6.4 Capsule to 6.5.

  The full log is at /var/log/foreman-installer/satellite.log


-bash-4.2# view /etc/foreman/plugins/katello.yaml
...
  :cdn_proxy:
    :host: http://localhost
    :port: 50123
    :user: jake
    :password: Red@Hat

Comment 22 jcallaha 2019-03-07 19:43:04 UTC

Verified in Satellite 6.5.0 Snap 18

The manifest refresh completed successfully.

Additionally, the squid proxy's (non-satellite) access log shows good connections.

-bash-4.2# tail -f /var/log/squid/access.log 
1551987430.790    596 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987451.086    559 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987558.638    491 10.16.210.57 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987578.537    423 10.16.210.57 TCP_TUNNEL/200 9253 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987578.853    483 10.16.210.57 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987591.287    427 10.16.210.57 TCP_TUNNEL/200 2732 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987598.946   4084 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 741458 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987622.442    424 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987622.964    511 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -

Comment 25 errata-xmlrpc 2019-05-14 12:36:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

Note You need to log in before you can comment on or make changes to this bug.

aagrawal
ajoseph
akarsale
asamad
bkearney
bmidwood
bscalio
dhlavacd
ehelms
hmore
kgaikwad
kkohli
ktordeur
mshimura
phess
rabajaj
suarora
takirby
will_darton
wpinheir