Bug 1502752 - refresh manifest - proxy password with special character
Summary: refresh manifest - proxy password with special character
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Subscription Management
Version: 6.2.12
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: 6.5.0
Assignee: Justin Sherrill
QA Contact: jcallaha
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-16 15:15 UTC by Rainer Beyel
Modified: 2021-12-10 15:20 UTC (History)
20 users (show)

Fixed In Version: tfm-rubygem-katello-3.10.0.24-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-14 12:36:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 16909 0 Normal Closed Issue with Password having special character '@' 2021-01-26 18:19:00 UTC
Red Hat Product Errata RHSA-2019:1222 0 None None None 2019-05-14 12:36:49 UTC

Description Rainer Beyel 2017-10-16 15:15:42 UTC 
Description of problem:

The customers Satellite depends on a proxy (with authentication) to connect to the internet. The proxy password contains a '?' (question mark) which leads to an issue when refreshing the manifest. Same error when executed from Web-UI.

# hammer subscription refresh-manifest --organization org01
[Foreman] Password for admin: 
[............................................................................................................] [100%]
Error: bad component(expected user component): red?hat

production.log
...
2017-10-16 14:19:48  [app] [E] Error during manifest refresh: {"displayMessage"=>"bad component(expected user component): red?hat", "conflicts"=>["UNKNOWN"]}
...

The credentials were set with the following command - example from my test-environment:

# satellite-installer --katello-proxy-url http://192.168.81.74 --katello-proxy-port 3128 --katello-proxy-username rainer2 --katello-proxy-password "red?hat"

Steps to Reproduce:
1. Proxy password contains a '?' (question mark)
2. Configure Satellite with the proxy credentials
3. Try to refresh the manifest (CLI, Web-UI)

Actual results:
"...Error: bad component(expected user component):..."

Expected results:
Username/password is send to proxy, proxy authentication succeeds and manifest is refreshed.

Additional info:
Looking at the proxy (squid) debug logs, it seems the username/password is not transmitted to the proxy in this case. Passwords without special characters (e.g. '?) work as expected.
Comment 5 asamad 2017-12-13 21:32:30 UTC 
Customer needs an update or fix for the issue.
Comment 16 Bryan Kearney 2019-02-12 19:02:58 UTC 
Upstream bug assigned to jsherril
Comment 17 Bryan Kearney 2019-02-12 19:03:00 UTC 
Upstream bug assigned to jsherril
Comment 18 Bryan Kearney 2019-02-13 19:02:00 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/16909 has been resolved.
Comment 21 jcallaha 2019-03-06 15:52:24 UTC 
Test results in Satellite 6.5.0 Snap 18

-bash-4.2# satellite-installer --katello-proxy-url http://localhost --katello-proxy-port 50123 --katello-proxy-username jake --katello-proxy-password "Red@Hat"
Resetting puppet server version param...
Installing             Done                                               [100%] [...........................................................................................................]
  Success!
  * Satellite is running at https://my.sat.com

  * To install an additional Capsule on separate machine continue by running:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"

  * To upgrade an existing 6.4 Capsule to 6.5:
      Please see official documentation for steps and parameters to use when upgrading a 6.4 Capsule to 6.5.

  The full log is at /var/log/foreman-installer/satellite.log


-bash-4.2# view /etc/foreman/plugins/katello.yaml
...
  :cdn_proxy:
    :host: http://localhost
    :port: 50123
    :user: jake
    :password: Red@Hat
Comment 22 jcallaha 2019-03-07 19:43:04 UTC 
Verified in Satellite 6.5.0 Snap 18

The manifest refresh completed successfully.

Additionally, the squid proxy's (non-satellite) access log shows good connections.

-bash-4.2# tail -f /var/log/squid/access.log 
1551987430.790    596 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987451.086    559 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987558.638    491 10.16.210.57 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987578.537    423 10.16.210.57 TCP_TUNNEL/200 9253 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987578.853    483 10.16.210.57 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987591.287    427 10.16.210.57 TCP_TUNNEL/200 2732 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987598.946   4084 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 741458 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987622.442    424 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 9224 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
1551987622.964    511 2620:52:0:10d2:21e:67ff:fe65:8b81 TCP_TUNNEL/200 4117 CONNECT subscription.rhsm.redhat.com:443 jake HIER_DIRECT/10.4.204.72 -
Comment 25 errata-xmlrpc 2019-05-14 12:36:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222
Note You need to log in before you can comment on or make changes to this bug.