Bug 2054121 - API and WebUI must disallow repo create with negative Retain package versions count
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.11.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: Cole Higgins
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-14 08:41 UTC by Pavel Moravec
Modified: 2022-09-02 18:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-05 14:33:17 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:33:29 UTC

Description Pavel Moravec 2022-02-14 08:41:53 UTC
Description of problem:
It is possible to "create" a repo with a negative Retain package versions count. The Katello object is created, pulp rejects the repo create request with an error:

{"retain_package_versions":["Ensure this value is greater than or equal to 0."]}

So we end up with a katello repo but no pulp repo (and a paused/error task).

Two pieces of a fix are required:
1) The WebUI field to set the value must disallow negative values from being entered (in fact, I was able to reproduce the problem by mistake by a) printing a value like 5 there, b) still focusing on the field and scrolling down on the mouse - that lowered the typed number from 5 to e.g. -2)
2) API itself must reject negative values (as hammer or direct API can be used as well)


Version-Release number of selected component (if applicable):
Sat 7.0 snap 9


How reproducible:
100%


Steps to Reproduce:
1. Create (or modify) a repo, set Retain package versions to a negative value
2. Save the repo.
3. Use hammer or direct API call for the same.


Actual results:
2. WebUI allows that save.
3. hammer and the direct API allow that as well. (be aware, hammer has a bug that effectively ignores --retain-package-versions-count settings)


Expected results:
2. WebUI form does not allow even selecting a negative number.
3. API to reject negative values.


Additional info:

Comment 1 Pavel Moravec 2022-02-14 08:57:25 UTC
See also related:

Bug 2054123 - hammer repository create ignores --retain-package-versions-count option

Comment 3 Samir Jha 2022-04-19 17:55:40 UTC
This should be fixed by changes that went in as part of https://bugzilla.redhat.com/show_bug.cgi?id=2054123 and https://bugzilla.redhat.com/show_bug.cgi?id=2054008.

Comment 4 Brad Buckingham 2022-04-28 19:21:15 UTC
Samir,

If this is resolved by the 2 bugzillas mentioned in comment 3, this bugzilla can go to ON_DEV.  This will allow the bugzilla to be 'handed off' to QE for verification with the next snap.  Any concerns with that approach?

Thanks!

Comment 5 Samir Jha 2022-04-28 19:37:05 UTC
Hey Brad,

That sounds good. QE should be able to test this out with the other 2 BZs.

Comment 6 Sam Bible 2022-05-02 18:49:48 UTC
Verified on
Sat 6.11 - 18

Note: Retain version count is only visible when setting mirroring policy to Additive 
Steps to Reproduce:
1. Create (or modify) a repo
2. Set mirroring policy to Additive, and set retain version count to a negative number
3. Save the repo.
4. Attempt to create a repo through hammer with a negative retain version count.

Expected results:
The UI will not allow you to save a package retain version count with a negative number
Hammer command will fail

Actual Results:
When saving with a negative retain version count, an error card appears letting you know that negative numbers are not valid values for retain version
hammer command returns an error, "Validation failed: Retain package versions count must not be a negative value."
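
The ordering problem from the description (local record saved, backend rejects afterwards) next to the up-front validation verified in comment 6, as an added Ruby example that is not part of the bug report and is not Katello or Pulp code. `FakePulp`, `RepoService` and `attempt` are hypothetical names; only the two error strings come from this page.

```ruby
# Added illustration, not Katello or Pulp source. All class names are hypothetical.
class BackendRejected < StandardError; end
class ValidationFailed < StandardError; end

# Stand-in for the Pulp side: it enforces its own lower bound.
class FakePulp
  attr_reader :repos
  def initialize; @repos = []; end

  def create(name, retain)
    raise BackendRejected, 'Ensure this value is greater than or equal to 0.' if retain.negative?
    @repos << name
  end
end

# Stand-in for the Katello side: a local record plus a backend call.
class RepoService
  attr_reader :records

  def initialize(pulp, validate:)
    @pulp = pulp
    @validate = validate
    @records = []
  end

  def create(name, retain_package_versions_count)
    count = Integer(retain_package_versions_count) # non-numeric input raises ArgumentError
    if @validate && count.negative?
      raise ValidationFailed,
            'Validation failed: Retain package versions count must not be a negative value.'
    end
    @records << name            # local object is persisted first
    @pulp.create(name, count)   # backend may still refuse afterwards
    :created
  end
end

# Returns [outcome, local records, backend repos] for one create attempt.
def attempt(validate:, count:)
  pulp = FakePulp.new
  svc = RepoService.new(pulp, validate: validate)
  outcome = begin
    svc.create('demo-repo', count)
  rescue BackendRejected, ValidationFailed => e
    e.class.name
  end
  [outcome, svc.records, pulp.repos]
end
```

With `validate: false` the local record survives the backend rejection, which is the orphaned state the description reports; with `validate: true` nothing is written on either side.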

Comment 9 errata-xmlrpc 2022-07-05 14:33:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

