Bug 1873649 - proxy.config.openshift.io should validate user inputs
Summary: proxy.config.openshift.io should validate user inputs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Aditya Narayanaswamy
QA Contact: Yang Yang
URL:
Whiteboard:
Duplicates: 1914305
Depends On:
Blocks: 1954595 1979988
Reported: 2020-08-28 21:15 UTC by Eric Rich
Modified: 2021-08-17 14:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Since proxy values were user input and no validation checks were done, parts of the installer would fail after a long time. Added a validation check to see whether the HTTPProxy and the HTTPSProxy are proper URLs, sending out error messages if they are not, in order to reduce debugging time for users and to help them better understand what exactly went wrong in their input.
Clone Of:
Environment:
Last Closed: 2021-07-27 22:32:55 UTC
Target Upstream Version:



Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 4632 0 None open Bug 1873649: Validate noProxy input and add prefix for proxy urls 2021-02-15 14:26:13 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:33:19 UTC

Description Eric Rich 2020-08-28 21:15:00 UTC
Description of problem: proxy.config.openshift.io should validate user inputs, or post a status message about invalid values provided by users.

Actual results: 
Parts of the OpenShift install, or other operations will fail or not properly function, if these settings are not properly configured in settings where a proxy is used (within the infrastructure). 


Expected results:

Inputs should be validated to make sure that they provide the proper http:// or https:// prefixes (if needed, why can't we append these for user if they are not supplied?)

noProxy can't have spaces (as an example), and thus we should possibly try and remove spaces for users? 

Additional info:

Comment 1 Eric Rich 2020-08-28 21:18:27 UTC
We should also check that these settings don't overlap with other network settings like the service network.

Comment 2 Stefan Schimanski 2020-08-31 07:48:03 UTC
I have started https://gist.github.com/sttts/3d858df53a5787d6b5304461d552e8dd to add ratcheting update validation. But I noticed that https://github.com/openshift/cluster-network-operator/blob/fbd5c13cd16478fb9076a4ee771f1f42b03af087/pkg/controller/proxyconfig/validation.go already has validation code. Please move that to library-go and reuse it on kube-apiserver admission (as seen in my gist).

Comment 4 Andrew McDermott 2020-09-09 16:06:56 UTC
Assigning to Dane to take an initial look.

Comment 6 Abhinav Dahiya 2020-09-11 17:21:51 UTC
We will work on this ASAP, but moving to 4.7.0 to mark that it is not a blocker for 4.6.

Comment 13 Yang Yang 2021-01-15 04:25:34 UTC
Reproducing it from installer QE side:

# openshift-install version
openshift-install 4.7.0-0.nightly-2021-01-14-211319
built from commit b3dae7f4736bcd1dbf5a1e0ddafa826ee1738d81
release image registry.ci.openshift.org/ocp/release@sha256:4c4e4e15e7c9cb334c8e1fc49cbf92ce6d620ff5fa2538ea578c53a48fe15b98


1. Specify invalid proxy value to install-config.yaml
proxy:
  httpProxy: proxy-user1:xxxxx@QE_PROXY_PLACEHOLDER:3128
  httpsProxy: proxy-user1:xxxxx@QE_PROXY_PLACEHOLDER:3128
  noProxy: test.no-proxy.com, localhost

2. Create manifests
# openshift-install create manifests --dir bz
INFO Credentials loaded from file "/root/.gcp/osServiceAccount.json" 
INFO Consuming Install Config from target directory 
INFO Manifests created in: bz/manifests and bz/openshift 

Manifests are created successfully and no error prompts.

Comment 14 Brenton Leanhardt 2021-02-04 18:58:40 UTC
*** Bug 1914305 has been marked as a duplicate of this bug. ***

Comment 15 Patrick Dillon 2021-02-04 19:03:52 UTC
We closed https://bugzilla.redhat.com/show_bug.cgi?id=1914305 as a duplicate of this bug, so we need to make sure we fix that problem in this bug.

Currently we are trimming spaces in noProxy, but instead of changing that user input, we should just validate and reject it if there are spaces. Leave it to the users to fix.

Comment 23 Yang Yang 2021-02-18 07:37:53 UTC
Verifying it with 4.8.0-0.nightly-2021-02-18-054727

# openshift-install version
openshift-install 4.8.0-0.nightly-2021-02-18-054727
built from commit 2b8f47bc6081de310ad05995c6e4f91479b0eae9
release image registry.ci.openshift.org/ocp/release@sha256:e39c426927b3529f73e323f725364055f5462e57f7087ad1d34aac12a31de36b

1. Specify invalid proxy setting in install-config.yaml
proxy:
  httpProxy: user:password.0.1:3128  (httpProxy does not have scheme)
  httpsProxy: ftp://user:password@127.0.0.1:3128 (httpsProxy uses ftp as scheme)
  noProxy: test.no-proxy.com, localhost (noProxy has space)

# openshift-install create manifests --dir bz
FATAL failed to fetch Master Machines: failed to load asset "Install Config": invalid "install-config.yaml" file: [proxy.httpProxy: Unsupported value: "user": supported values: "http", proxy.httpsProxy: Unsupported value: "ftp": supported values: "http", "https", proxy.noProxy: Invalid value: "test.no-proxy.com, localhost": noProxy must not have spaces]

Comment 27 Matthew Staebler 2021-02-18 14:54:38 UTC
The follow-on work to validate that the proxy is not within the cluster or service network is in https://issues.redhat.com/browse/CORS-1642.

Comment 28 Yang Yang 2021-02-19 02:36:20 UTC
Verifying it with 4.8.0-0.nightly-2021-02-18-054727

# openshift-install version
openshift-install 4.8.0-0.nightly-2021-02-18-054727
built from commit 2b8f47bc6081de310ad05995c6e4f91479b0eae9
release image registry.ci.openshift.org/ocp/release@sha256:e39c426927b3529f73e323f725364055f5462e57f7087ad1d34aac12a31de36b

Test invalid noProxy domain

proxy:
  httpProxy: http://user:password@127.0.0.1:3128
  httpsProxy: https://user:password@127.0.0.1:3128
  noProxy: ABC.com,10.0.2.1/280

# openshift-install create manifests --dir bz
FATAL failed to fetch Master Machines: failed to load asset "Install Config": invalid "install-config.yaml" file: [proxy.noProxy: Invalid value: "ABC.com,10.0.2.1/280": each element of noProxy must be a CIDR or domain without wildcard characters, which is violated by element 0 "ABC.com", proxy.noProxy: Invalid value: "ABC.com,10.0.2.1/280": each element of noProxy must be a CIDR or domain without wildcard characters, which is violated by element 1 "10.0.2.1/280"]

Comment 29 Yang Yang 2021-02-19 02:38:03 UTC
Based on comment#23 and #28, moving it to verified state.

Comment 34 errata-xmlrpc 2021-07-27 22:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

