The change was made that all certs (consumer and admin) now have users. The user parsing code was reused from admin certs. However, that parsing code expects the user format to be admin:<username>:<id>. Consumer certs, however, only contain the ID of the consumer. This basically means that no consumer certs will ever result in a valid authentication. I suspect we haven't seen this due to another bug in the CLI that prefers to send the admin cert if one is present over the consumer cert. So we're accidentally sending that and the server is accidentally parsing it correctly, giving the consumer access.
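The format mismatch described in the report above, as an added example (not Pulp's code and not from the original report). It assumes the identity string has already been extracted from a verified certificate; the function names, the CertIdentity type and the sample values are hypothetical.

```python
from typing import NamedTuple, Optional

ADMIN_PREFIX = "admin"  # admin certs carry admin:<username>:<id>, per the report


class CertIdentity(NamedTuple):
    kind: str                 # "admin" or "consumer"
    username: Optional[str]   # None for consumer certs
    id: str


class InvalidCertIdentity(ValueError):
    """Raised when the identity string matches neither known format."""


def decode_admin_only(encoded: str) -> CertIdentity:
    """Behaviour described in the report: every cert is parsed as an admin cert."""
    parts = encoded.split(":")
    if len(parts) != 3 or parts[0] != ADMIN_PREFIX:
        raise InvalidCertIdentity(
            "Invalid encoded admin user information [%s]" % encoded)
    return CertIdentity("admin", parts[1], parts[2])


def decode_cert_identity(encoded: str) -> CertIdentity:
    """Accept both formats and fail closed on anything else.

    The kind comes only from the shape of the string, so the caller can
    authorize on `kind` instead of assuming every valid cert is an admin.
    """
    if not encoded or encoded != encoded.strip():
        raise InvalidCertIdentity("empty or padded identity")
    if ":" not in encoded:
        # Consumer certs contain only the consumer ID.
        return CertIdentity("consumer", None, encoded)
    parts = encoded.split(":")
    if len(parts) == 3 and parts[0] == ADMIN_PREFIX and all(parts[1:]):
        return CertIdentity("admin", parts[1], parts[2])
    # A colon-bearing string that is not a well-formed admin identity is
    # rejected instead of being treated as a consumer ID (assumed policy).
    raise InvalidCertIdentity("unrecognised identity format [%s]" % encoded)


if __name__ == "__main__":
    for sample in ("admin:admin:42", "preethi", "", "admin::7"):  # constructed
        try:
            print(repr(sample), "->", decode_cert_identity(sample))
        except InvalidCertIdentity as exc:
            print(repr(sample), "-> rejected:", exc)
```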
Steps to reproduce:

1. install fresh pulp instance
2. log onto server and create consumer:
   pulp-client -u admin -p admin consumer create --id <consumer name>
3. try to run a command as the consumer:
   pulp-client repo list

You should see: No repositories to list (or something similar, I forget the exact message)

If the fix has failed, you will see this traceback:

error: operation failed: Traceback (most recent call last):
  File "/home/jconnor/Workspace/pulp/src/pulp/server/webservices/controllers/base.py", line 52, in report_error
    return method(self, *args, **kwargs)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/compat.py", line 40, in _decorator
    return decorator(*args,**kwargs)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/webservices/controllers/base.py", line 98, in _auth_decorator
    user = check_ssl_cert(cert_pem)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/auth/authentication.py", line 145, in check_ssl_cert
    username, id = cert_generator.decode_admin_user(encoded_user)
  File "/home/jconnor/Workspace/pulp/src/pulp/server/auth/cert_generator.py", line 211, in decode_admin_user
    raise PulpException('Invalid encoded admin user information [%s]' % encoded_string)
PulpException: 'Invalid encoded admin user information []'

NOTE: DO NOT USE THE AUTH LOGIN COMMAND:
   pulp-admin auth login
This can circumvent the server-side bug.
QE Build: 0.139
[root@preethi ~]# rpm -q pulp
pulp-0.0.139-1.fc14.noarch
[root@preethi ~]# pulp-client -u admin -p admin consumer create --id=preethi
Successfully created consumer [ preethi ]
[root@preethi ~]#
[root@preethi ~]#
[root@preethi ~]#
[root@preethi ~]# pulp-client repo list
No repositories available to list

verified

[root@dell-pe1855-01 ~]# pulp-client -u admin -p admin consumer create --id=test
warning: this client is not registered; please register to continue
Successfully created consumer [ test ]
[root@dell-pe1855-01 ~]# pulp-client repo list
No repositories available to list
[root@dell-pe1855-01 ~]# rpm -q pulp
pulp-0.0.139-1.fc14.noarch
Closing with Community Release 15 pulp-0.0.223-4.