Bug 1844840 - Cannot create "HTTP Proxies" in GUI if password includes special component in Satellite 6.7
Summary: Cannot create "HTTP Proxies" in GUI if password includes special component in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Networking
Version: 6.7.0
Hardware: All
OS: All
high
high vote
Target Milestone: 6.9.6
Assignee: Ian Ballou
QA Contact: Jameer Pathan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-06-07 14:13 UTC by Sayan Das
Modified: 2021-09-29 14:35 UTC (History)
24 users (show)

Fixed In Version: foreman-2.3.1.22-1,tfm-rubygem-katello-3.18.1.38-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1962835 (view as bug list)
Environment:
Last Closed: 2021-09-21 14:37:26 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 32192 0 Normal Closed When creating a HTTP proxy the username and password is used verbatim, leading to issues if they contain special charact... 2021-07-12 18:58:13 UTC
Foreman Issue Tracker 32998 0 Normal Closed Http Proxy passwords are not making it to candlepin properly 2021-07-20 15:25:08 UTC
Foreman Issue Tracker 33220 0 None None None 2021-08-11 13:59:35 UTC
Red Hat Knowledge Base (Solution) 5157051 0 None None None 2020-06-15 11:00:16 UTC
Red Hat Product Errata RHBA-2021:3628 0 None None None 2021-09-21 14:37:41 UTC

Description Sayan Das 2020-06-07 14:13:01 UTC
Description of problem:

Satellite 6.7 is not accepting the proxy password containing special characters like [ ] @ etc and test connection always fails.

Even if we just mention the password and submit, the password field remains blank.

Version-Release number of selected component (if applicable):
6.7.0

How reproducible:
Always

Steps to Reproduce:
1. Configure a squid proxy with the following details.
hostname: squid.example.com
port: 3128
proxy_username: proxyuser
proxy: password: test]satellite@password+

2. Go to Satellite GUI --> Infrastructure --> HTTP Proxies --> Fill up all the details including the proxy_password, in Test URL mention "https://aws.amazon.com" and then click on "Test Connection".

3. With all options filled up, submit the settings.

4. Now open the newly created proxy and look at the password field.


Actual results:

At Step 2, with test connection, you will get an error pop up saying "bad password component"

At Step 4, we will be able to see that the password is blank


Expected results:

Satellite 6.7 should be able to accept the password with special characters properly and allow it to save\user further from GUI.


Additional info:

If I use the same password from the command line, it will work just fine without escaping anything.

# curl -I --proxy-user proxyuser:test]satellite@password+ --proxy squid.example.com:3128 https://aws.amazon.com
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 210503
Connection: keep-alive
Server: Server
Date: Sun, 07 Jun 2020 14:10:24 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
x-amz-id-1: CR7RJ4KVMK4B3V4YM60K
Last-Modified: Thu, 04 Jun 2020 02:51:19 GMT
Set-Cookie: aws-priv=eyJ2IjoxLCJldSI6MCwic3QiOjB9; Version=1; Comment="Anonymous cookie for privacy regulations"; Domain=.amazon.com; Max-Age=94672800; Expires=Thu, 08-Jun-2023 08:10:24 GMT; Path=/
Set-Cookie: aws_lang=en; Domain=.amazon.com; Path=/
Vary: accept-encoding,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-Agent
x-amz-rid: CR7RJ4KVMK4B3V4YM60K
X-Cache: Miss from cloudfront
Via: 1.1 e3e9665628588ed211b9d1805feda855.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BOM51-C1
X-Amz-Cf-Id: AABZojxETJN_fdEvP1-AtLgyAnvy04MxYFEjxJoQrqn6ldVPIa4xQg==

Comment 7 Sayan Das 2020-08-29 14:55:54 UTC
This problem still exists on Red Hat Satellite 6.8-Beta .

Comment 16 Adam Ruzicka 2021-03-24 10:52:00 UTC
TL;DR: There is no workaround, we will need to patch foreman and restclient. Foreman patch will be small, restclient patch was already written by ManageIQ folks and we'll just need to borrow it from them.

Notes:
There are two issues at play here.

The first is on our side. We try to stuff the user provided strings into an URI object, but that fails because special characters are not allowed there. If we escape the user provided strings first (turn '@' into '%40' and so on), this part should be resolved.

The other issue is restclient (the library we use for making http requests) does not unescape the proxy username and password, so even if we fix the first issue, then the escaped form will be sent to the proxy and the proxy will reject it. There is a PR[1] opened against restclient which fixes this, but last movement there was in October 2018, so I'm afraid we can't wait for this to be fixed there. Unless I'm missing something the only real option we have is to monkey-patch restclient the same way ManageIQ did[2].

[1] - https://github.com/rest-client/rest-client/pull/665
[2] - https://github.com/ManageIQ/manageiq/pull/18105

Comment 29 James Jeffers 2021-06-01 13:02:44 UTC
This item was selected for a z-stream release (6.9.3) - can we petition the Foreman maintainers to review this sooner rather than later?

Comment 30 Adam Ruzicka 2021-06-11 08:57:16 UTC
Fix was merged in upstream

Comment 43 Bryan Kearney 2021-07-12 20:03:21 UTC
Upstream bug assigned to iballou@redhat.com

Comment 44 Bryan Kearney 2021-07-12 20:03:24 UTC
Upstream bug assigned to iballou@redhat.com

Comment 45 Bryan Kearney 2021-07-15 16:03:26 UTC
Upstream bug assigned to aruzicka@redhat.com

Comment 53 Bryan Kearney 2021-08-06 08:02:51 UTC
Upstream bug assigned to iballou@redhat.com

Comment 54 Bryan Kearney 2021-08-06 08:02:53 UTC
Upstream bug assigned to iballou@redhat.com

Comment 59 Jameer Pathan 2021-09-08 10:58:58 UTC
Verified:

Verified with:
- Satellite 6.9.6 snap 1
- katello-3.18.1-3.el7sat.noarch
- foreman-2.3.1.23-1.el7sat.noarch

Test steps:
- Create HTTP Proxy with special characters in password
(Go to Infrastructure > Http Proxies > Click on "New Http Proxy") 
- Fill the details related to HTTP Proxy and click on "Test connection" button.
- Go to Administer > Settings > Content. Set "Default HTTP Proxy" setting.
- Refresh manifest.
- Enable and sync repositories.

Observations:
- "Test connection" button worked as expected.
- Manifest refresh, repository enable/disable and repository sync operation finished successfully. 

Additional info:
- Tried following Http proxy password combination:
    - t]se@pa+@#$%^
    - test]satellite@password+
    - t]se@pa+_~-*.,=[
    - a?dd.}v{a
    - test%5Dhttp_password%40password%2B

Comment 64 errata-xmlrpc 2021-09-21 14:37:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Satellite 6.9.6 Async Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3628


Note You need to log in before you can comment on or make changes to this bug.