Bug 707641 - CLI auto-subscribe tries to re-use basic auth credentials.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: subscription-manager
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Bryan Kearney
QA Contact: John Sefler
Blocks: rhsm-rhel62 743047
 
Reported: 2011-05-25 11:39 EDT by Devan Goodwin
Modified: 2011-12-06 12:14 EST
Doc Type: Bug Fix
Last Closed: 2011-12-06 12:14:39 EST
Description Devan Goodwin 2011-05-25 11:39:38 EDT
Description of problem:

Doing a register with auto-subscribe on the CLI does not properly reset the credentials after the registration completes (before attempting the separate auto-subscribe request).

Version-Release number of selected component (if applicable):



How reproducible:

100%, but it may technically work in most deployments; it just shouldn't be using basic auth.

Steps to Reproduce:
1. subscription-manager register --autosubscribe
  
Actual results:

This will technically work in a devel deployment, and even in hosted they are making changes to allow basic auth for auto-subscribe calls. However, it should not be using basic auth for the auto-subscribe request. The type of auth will have to be verified in server logs.

Expected results:

Registration should complete, identity cert should be loaded as the credential for all future candlepin requests.

Additional info:

I believe the GUI is doing this correctly, in managergui.py you will see something like this:

self.backend.create_admin_uep(username=username,
                              password=password)
newAccount = self.backend.admin_uep.registerConsumer(name=consumername,
                                                     facts=self.facts.get_facts())
managerlib.persist_consumer_cert(newAccount)
self.consumer.reload()
if self.auto_subscribe():

We should probably verify the GUI is doing the right thing, and if so, make the CLI behave the same.
Comment 4 Devan Goodwin 2011-09-12 09:45:24 EDT
You can verify against a local candlepin by registering with autosubscribe, and checking /var/log/tomcat6/catalina.out. Look for the request to: /consumers/531c1021-fd58-453b-9c0d-e2838d99ccdf/entitlements

I just tried and see this:

Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/531c1021-fd58-453b-9c0d-e2838d99ccdf/entitlements
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - check for: admin - password of length #5 = <omitted>
Sep 12 10:41:40 [http-8443-2] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - principal created for user 'admin
Sep 12 10:41:41 [http-8443-2] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public javax.ws.rs.core.Response org.fedoraproject.candlepin.resource.ConsumerResource.bind(java.lang.String,java.lang.String,java.lang.String[],java.lang.Integer,java.lang.String,java.lang.String,boolean)
Sep 12 10:41:41 [http-8443-2] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 12 10:41:41 [http-8443-2] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Verifying ALL access to class org.fedoraproject.candlepin.model.Consumer: 531c1021-fd58-453b-9c0d-e2838d99ccdf


In here you can see BasicAuth creating the principal, which I believe is a strong indication this is not even fixed.

Will: need to assign the tickets to yourself when you fix them, and add a comment with the git hash after you've pushed to master, and any notes that might be useful to QE or for historical purposes. This looks like it's not working as far as I can tell.
Comment 5 J.C. Molet 2011-09-12 11:16:31 EDT
QE has replicated what appears in comment 4 exactly.  Failing QA, I'm pushing this back to NEW.
Comment 7 William Poteat 2011-09-23 07:49:49 EDT
Master:

Author: William Poteat <wpoteat@redhat.com>
Date:   Mon Sep 12 10:51:03 2011 -0400

    707641: CLI auto-subscribe tries to re-use basic auth credentials.
    
    730020: Subscription-manager configuration should not allow list and modify in single command.

commit adab5e37024cf2a52e40cd37bfc447fc795d1244


RHEL6.2:

Author: William Poteat <wpoteat@redhat.com>
Date:   Mon Sep 12 10:51:03 2011 -0400

    707641: CLI auto-subscribe tries to re-use basic auth credentials.
    
    730020: Subscription-manager configuration should not allow list and modify in single command.

commit adab5e37024cf2a52e40cd37bfc447fc795d1244
Comment 8 John Sefler 2011-09-23 11:28:10 EDT
Verifying Version...
[root@jsefler-onprem-62server ~]# rpm -q subscription-manager
subscription-manager-0.96.11-1.el6.x86_64
[root@jsefler-onprem-62server ~]# curl -k https://jsefler-onprem-62candlepin.usersys.redhat.com:8443/candlepin/status
{"version":"0.4.17","result":true,"release":"1"}


Following Devan's test strategy in comment 4, I registered with autosubscribe on a client...
[root@jsefler-onprem-62server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --autosubscribe
The system has been registered with id: c06d6b7e-f143-4f95-adfe-de28adb48f78 
... and then parsed the following output from tail -f /var/log/tomcat6/catalina.out in search of log blocks beginning with "Authentication check for"




Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - check for: testuser1 - password of length #8 = <omitted>
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - principal created for user 'testuser1
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public java.util.List org.fedoraproject.candlepin.resource.RootResource.getRootResources()
Sep 23 10:48:44 [http-8443-1] WARN  org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Allowing invocation to proceed with no authentication required.
Sep 23 10:48:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - 

^^^ HERE interceptor.BasicAuth IS BEING USED AGAINST / WHICH MAKES SENSE



Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - check for: testuser1 - password of length #8 = <omitted>
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.BasicAuth - principal created for user 'testuser1
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public org.fedoraproject.candlepin.model.Consumer org.fedoraproject.candlepin.resource.ConsumerResource.create(org.fedoraproject.candlepin.model.Consumer,org.fedoraproject.candlepin.auth.Principal,java.lang.String,java.lang.String,java.lang.String) throws org.fedoraproject.candlepin.exceptions.BadRequestException
Sep 23 10:48:45 [http-8443-1] WARN  org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Allowing invocation to proceed with no authentication required.
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.Principal - org.fedoraproject.candlepin.auth.UserPrincipal principal checking for access to: Owner [name = Admin Owner, key = admin, id = 8a90f8c63296bc55013296bcd0890006]
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.Principal -  perm class: org.fedoraproject.candlepin.model.OwnerPermission
Sep 23 10:48:45 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.Principal -   permission granted

^^^ HERE interceptor.BasicAuth IS BEING USED AGAINST /consumers ALSO MAKES SENSE AS WE ARE ABOUT TO CREATE A CONSUMER



Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.ConsumerAuth - principal created for consumer 'c06d6b7e-f143-4f95-adfe-de28adb48f78
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public java.util.List org.fedoraproject.candlepin.resource.RootResource.getRootResources()
Sep 23 10:48:47 [http-8443-1] WARN  org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Allowing invocation to proceed with no authentication required.
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - 

^^^ HERE interceptor.ConsumerAuth IS BEING USED AGAINST / BECAUSE NOW THE CONSUMER HAS BEEN CREATED AND ACTUALLY HAS A CERT THAT CAN BE USED FOR AUTHENTICATION - THAT's GOOD



org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78/entitlements
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.ConsumerAuth - principal created for consumer 'c06d6b7e-f143-4f95-adfe-de28adb48f78
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public javax.ws.rs.core.Response org.fedoraproject.candlepin.resource.ConsumerResource.bind(java.lang.String,java.lang.String,java.lang.String[],java.lang.Integer,java.lang.String,java.lang.String,boolean)
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US

^^^ HERE interceptor.ConsumerAuth IS BEING USED AGAINST /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78 - THAT's GOOD TOO



Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78/certificates/serials
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.OAuth - Checking for oauth authentication
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.ConsumerAuth - principal created for consumer 'c06d6b7e-f143-4f95-adfe-de28adb48f78
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.auth.interceptor.SecurityInterceptor - Invoked security interceptor public java.util.List org.fedoraproject.candlepin.resource.ConsumerResource.getEntitlementCertificateSerials(java.lang.String)
Sep 23 10:48:47 [http-8443-1] DEBUG org.fedoraproject.candlepin.guice.I18nProvider - Getting i18n engine for locale en_US

^^^ FINALLY interceptor.ConsumerAuth IS BEING USED AGAINST /consumers/c06d6b7e-f143-4f95-adfe-de28adb48f78/certificates/serials - THAT's GREAT



Moving to VERIFIED. ConsumerAuth is being used by the client after BasicAuth is used to obtain a consumer cert.
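
The log check described in comment 4 and carried out by hand in comment 8, as an added example (not code from subscription-manager or candlepin): it pairs each "Authentication check for" line with the interceptor that created the principal and flags BasicAuth on /consumers/<uuid> paths. The sample log is constructed, and the parser assumes every line carries the Tomcat thread tag.

```python
import re

# Constructed sample in the catalina.out format quoted in this report; three
# Tomcat threads are interleaved the way concurrent requests appear in the log.
P = "DEBUG org.fedoraproject.candlepin.resteasy.interceptor."
U = "531c1021-fd58-453b-9c0d-e2838d99ccdf"
SAMPLE_LOG = "\n".join([
    f"Sep 12 10:41:39 [http-8443-1] {P}AuthInterceptor - Authentication check for /consumers",
    f"Sep 12 10:41:39 [http-8443-1] {P}BasicAuth - principal created for user 'admin",
    f"Sep 12 10:41:40 [http-8443-2] {P}AuthInterceptor - Authentication check for /consumers/{U}/entitlements",
    f"Sep 12 10:41:40 [http-8443-3] {P}AuthInterceptor - Authentication check for /consumers/{U}/certificates/serials",
    f"Sep 12 10:41:40 [http-8443-2] {P}OAuth - Checking for oauth authentication",
    f"Sep 12 10:41:40 [http-8443-3] {P}ConsumerAuth - principal created for consumer '{U}",
    f"Sep 12 10:41:40 [http-8443-2] {P}BasicAuth - principal created for user 'admin",
])

THREAD = re.compile(r"\[(http-[^\]]+)\]")
AUTH_CHECK = re.compile(r"AuthInterceptor - Authentication check for (\S+)")
PRINCIPAL = re.compile(r"interceptor\.(BasicAuth|ConsumerAuth) - principal created for \w+ '([^'\s]+)")
# A path under /consumers/<uuid> is a request made on behalf of a registered consumer.
CONSUMER_PATH = re.compile(r"/consumers/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(/|$)")


def auth_per_request(log_text):
    """Return (path, interceptor, principal) for each 'Authentication check' block."""
    requests, pending = [], {}  # pending: thread name -> index of its open request
    for line in log_text.splitlines():
        thread = THREAD.search(line)
        if not thread:
            continue  # lines without a thread tag cannot be attributed to a request
        check, principal = AUTH_CHECK.search(line), PRINCIPAL.search(line)
        if check:
            pending[thread.group(1)] = len(requests)
            requests.append([check.group(1), None, None])
        elif principal and thread.group(1) in pending:
            requests[pending.pop(thread.group(1))][1:] = principal.groups()
    return [tuple(r) for r in requests]


def basic_auth_on_consumer_paths(log_text):
    """Requests for a registered consumer that still authenticated with a password."""
    return [r for r in auth_per_request(log_text)
            if r[1] == "BasicAuth" and CONSUMER_PATH.match(r[0])]


if __name__ == "__main__":
    for path, interceptor, who in auth_per_request(SAMPLE_LOG):
        print(f"{interceptor or 'none':12} {who or '-':36} {path}")
    print("flagged:", basic_auth_on_consumer_paths(SAMPLE_LOG))
```

An empty result from basic_auth_on_consumer_paths corresponds to the outcome verified in comment 8; a non-empty one corresponds to the failure shown in comment 4.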
Comment 9 errata-xmlrpc 2011-12-06 12:14:39 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1695.html
