Bug 1726380 - Foreman-proxy parses /etc/ipa/default.conf incorrectly which results in ERROR -- : Unknown realm my-realm-server.example.com even when all config files are OK
Summary: Foreman-proxy parses /etc/ipa/default.conf incorrectly which results in ERROR...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Foreman Proxy
Version: 6.4.2
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: 6.6.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-02 17:42 UTC by Pablo Hess
Modified: 2019-10-22 19:52 UTC (History)
Fixed In Version: foreman-proxy-1.22.0.2-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-22 19:52:23 UTC
Target Upstream Version:
Embargoed:

Links:
- Foreman Issue Tracker 27218 (last updated 2019-07-03 06:20:15 UTC)
- Red Hat Knowledge Base (Solution) 4264441, Troubleshoot: When a content host is being created it fails with “Failed to create host-test.demo1.freeipa.org l's realm entry: ERF12-... (last updated 2019-07-06 14:20:52 UTC)

Description Pablo Hess 2019-07-02 17:42:20 UTC
Description of problem:
Foreman-proxy parses the /etc/ipa/default.conf file incorrectly: it will consider _any_ line containing the string 'realm' as a realm name definition. The last line in this file containing 'realm' will then be used as realm definition, most often resulting in this error on /var/log/foreman-proxy/proxy.log:

   ERROR -- : Unknown realm EXAMPLE.COM

Example of an /etc/ipa/default.conf file that will trigger this error:
~~~
[global]
basedn = dc=example,dc=com
domain = example.com
server = phess-realm.usersys.redhat.com
host = sat64a.usersys.redhat.com
xmlrpc_uri = https://phess-realm.usersys.redhat.com/ipa/xml
enable_ra = True
realm = EXAMPLE.COM
## nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
~~~

This file above will result in foreman-proxy considering the realm name to be MY.OLD.DOMAIN.ORG.


This is a result of poor config file parsing -- not really parsing but fetching values with the help of regexes -- in /usr/share/foreman-proxy/modules/realm_freeipa/ipa_config_parser.rb:
~~~
 38 
 39     def do_parse(io)
 40       parsed_uri, realm_name = nil
 41 
 42       io.readlines.each do |line|
 43         if line =~ /xmlrpc_uri/
 44           uri = line.split("=")[1].strip
 45           parsed_uri = URI.parse(uri)
 46           logger.debug "freeipa: uri is #{uri}"
 47         elsif line =~ /realm/
 48           realm_name = line.split("=")[1].strip
 49           logger.debug "freeipa: realm #{realm_name}"
 50         end
 51       end
~~~


Lines 47 and 48 will regex-match any line containing the string 'realm', even if the matching string is one of these below:
~~~
thisisrealmagic =
not my realm =
~~~

Then, the realm name is extracted by getting the "right-hand" value of the same line.

An actual real-life example hitting this issue is when the IPA/IdM server name in /etc/ipa/default.conf contains the string realm, e.g.:
~~~
[global]
basedn = dc=demo1,dc=freeipa,dc=org
realm = DEMO1.FREEIPA.ORG
domain = demo1.freeipa.org
server = realm-server.demo1.freeipa.org
host = lucid-nonsense
xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
enable_ra = True
~~~


Since the line with the `server` directive contains the string 'realm', it will match the regex and foreman-proxy will consider the right-hand side of this line as the realm name. Then /var/log/foreman-proxy/proxy.log would read the realm name twice:
~~~
DEBUG -- : freeipa: uri is https://ipa.demo1.freeipa.org/ipa/xml
DEBUG -- : freeipa: realm DEMO1.FREEIPA.ORG
DEBUG -- : freeipa: realm realm-server.demo1.freeipa.org
~~~


The latter one would overwrite the realm variable and would thus cause foreman-proxy to fail when adding a new host to the IPA/IdM domain, with:
~~~
ERROR -- : Unknown realm realm-server.demo1.freeipa.org
~~~



Version-Release number of selected component (if applicable):
All currently released Satellite versions as of today contain this bug, as well as the upstream smart-proxy at https://github.com/theforeman/smart-proxy/blob/develop/modules/realm_freeipa/ipa_config_parser.rb.

How reproducible:
Every time if /etc/ipa/default.conf meets the required criteria.

Steps to Reproduce:
1. Set up foreman-proxy to communicate with IPA/IdM server realm-server.example.com for realm purposes.
2. Create a new host and set it up as a realm member.

Actual results:
Foreman-proxy will fail to add the host to the realm, stating it does not know the realm-server.example.com realm.

Expected results:
Foreman-proxy would add the host to the realm as set up by the 'realm' directive in /etc/ipa/default.conf

Additional info:
Simply reordering lines in /etc/ipa/default.conf so the `realm =` line is at the bottom of the file allows one to work around the issue by forcing ipa_config_parser.rb to process the correct realm last.

Comment 4 Pablo Hess 2019-07-02 18:24:48 UTC
Pull Request is ready at https://github.com/theforeman/smart-proxy/pull/665 but is failing due to missing redmine issue.

Comment 5 Adam Ruzicka 2019-07-03 06:20:14 UTC
Created redmine issue http://projects.theforeman.org/issues/27218 from this bug

Comment 6 Bryan Kearney 2019-07-03 08:06:08 UTC
Upstream bug assigned to lzap

Comment 8 Lukas Pramuk 2019-10-13 21:54:18 UTC
VERIFIED.

@Satellite 6.6.0 Snap22
foreman-proxy-1.22.0.2-1.el7sat.noarch

by the following manual reproducer:

1) Have a Satellite enrolled to IdM server and set up for realm SATQE.EXAMPLE.COM

2) Change log level for foreman-proxy to debug and restart foreman-proxy service

3) Add offending line to the end of ipa config file

# echo "# Some random line containing = sign and realm word" >> /etc/ipa/default.conf

# grep realm /etc/ipa/default.conf 
realm = SATQE.EXAMPLE.COM
# Some random line containing = sign and realm word

4) Create a host and assign SATQE.EXAMPLE.COM realm while watching foreman-proxy log:

# tail -f /var/log/foreman-proxy/proxy.log 


2019-10-13T17:39:00 a63682ee [I] Started POST /SATQE.EXAMPLE.COM/ 
2019-10-13T17:39:00 a63682ee [D] verifying remote client ::ffff:192.168.100.1 against trusted_hosts ["sat.example.com"]
2019-10-13T17:39:00 a63682ee [D] freeipa: realm SATQE.EXAMPLE.COM
2019-10-13T17:39:00 a63682ee [D] freeipa: uri is https://ipa.example.com/ipa/xml
2019-10-13T17:39:00 a63682ee [D] Making IPA call: ["host_show", ["lora-delahunt.example.com"]]

>>> offending line is ignored as we can see in the log "freeipa: realm SATQE.EXAMPLE.COM"
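The following is an added illustration, not code from the report, the upstream pull request or smart-proxy itself. It puts the substring-matching strategy described in the description next to a directive-level parser that only accepts `key = value` lines, tracks the `[section]` header, skips `#`/`;` comments, and splits on the first `=` only (so a value such as `basedn = dc=demo1,dc=freeipa,dc=org` survives intact). The sample configuration is constructed from the second example in the description; the appended comment line mirrors the one used in the verification reproducer above. Function names (`parse_substring_match`, `parse_directives`, `parse_ipa_config`) are this example's own.

```ruby
require 'uri'

# Constructed sample of /etc/ipa/default.conf, modelled on the report's second
# example: the server name contains the word "realm".
SAMPLE_CONF = <<~CONF
  [global]
  basedn = dc=demo1,dc=freeipa,dc=org
  realm = DEMO1.FREEIPA.ORG
  domain = demo1.freeipa.org
  server = realm-server.demo1.freeipa.org
  host = lucid-nonsense
  xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
  enable_ra = True
CONF

# Constructed line in the spirit of the verification reproducer: a comment that
# happens to contain both an '=' and the word "realm".
OFFENDING_LINE = "# Some random line containing = sign and realm word\n"

# Strategy the report describes: substring match anywhere on the line, value is
# whatever follows the first '=', and the last matching line wins.
# Returns [uri, realm].
def parse_substring_match(io)
  parsed_uri = realm_name = nil
  io.each_line do |line|
    if line =~ /xmlrpc_uri/
      parsed_uri = URI.parse(line.split("=")[1].strip)
    elsif line =~ /realm/
      realm_name = line.split("=")[1].strip
    end
  end
  [parsed_uri, realm_name]
end

# A directive is a key anchored at the start of the line, then '=', then the
# value (everything up to end of line, so embedded '=' is preserved).
DIRECTIVE = /\A\s*([A-Za-z_][\w.-]*)\s*=\s*(.*?)\s*\z/
SECTION   = /\A\s*\[([^\]]+)\]\s*\z/

# Parses an INI-style file into { [section, key] => value }.
# Comment lines, blank lines and section headers never yield a value.
def parse_directives(io)
  section = nil
  values  = {}
  io.each_line do |raw|
    line = raw.chomp
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#', ';')
    if (m = SECTION.match(line))
      section = m[1]
      next
    end
    next unless (m = DIRECTIVE.match(line))
    values[[section, m[1]]] = m[2]   # later duplicate keys still win, like the original
  end
  values
end

# Reads only the directives foreman-proxy actually needs, from [global].
# Returns [URI or nil, realm]; fails loudly if the realm directive is absent
# rather than silently falling back to an unrelated line.
def parse_ipa_config(io)
  values = parse_directives(io)
  uri    = values[['global', 'xmlrpc_uri']]
  realm  = values[['global', 'realm']]
  raise ArgumentError, "realm directive missing from [global] section" unless realm
  [uri && URI.parse(uri), realm]
end

if __FILE__ == $PROGRAM_NAME
  puts "substring match: #{parse_substring_match(SAMPLE_CONF)[1]}"
  puts "directive parse: #{parse_ipa_config(SAMPLE_CONF + OFFENDING_LINE)[1]}"
end
```

Run with `ruby ipa_config_example.rb`: the substring strategy reports `realm-server.demo1.freeipa.org` (and, with the appended comment, the tail of that comment), while the directive parser reports `DEMO1.FREEIPA.ORG` in both cases. The same anchoring (`\A\s*key\s*=`) is what keeps a hostname or a comment from being mistaken for a directive; a regex of the form `/realm/` matches any line, including comments, which is exactly the failure mode this bug describes.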

Comment 9 Bryan Kearney 2019-10-22 19:52:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172