There's a bug in our regular expression that we use for oid validation. If you have an OID url like:

content/dist/rhel/rhui/server/6/$releasever/$basearch/os

That gets changed to the following regular expression string:

content/dist/rhel/rhui/server/6/.+?/.+?/os

This happens in oid_validation.py in _validate_url. This resulting regular expression matches too much. The intent is that any requested url that starts with content/dist/rhel/rhui/server/6/<release>/<arch>/os is allowed. However, it will actually allow other urls like:

/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os

The arch regular expression ends up matching x86_64/mrg-g/2.0. In fact, it will match anything up to the os.

Example:

/home/jslagle $ python
Python 2.7.1 (r271:86832, Apr 12 2011, 16:15:16)
[GCC 4.6.0 20110331 (Red Hat 4.6.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import re
>>> oid = 'content/dist/rhel/rhui/server/6/.+?/.+?/os'
>>> url = '/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os'
>>> re.search(oid, url)
<_sre.SRE_Match object at 0x7fb67fa54370>

And:

>>> url = '/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/my/super/secret/repo/os'
>>> re.search(oid, url)
<_sre.SRE_Match object at 0x7fb67fa543d8>
Instead of using '.+?' to match the release and arch, it looks like we should instead be using '[^/]+'. Using the latter, we'll basically match any character other than '/', which is what we want when matching the release and arch. The problem with using '.+?' is that even though we've specified the '?', making the regex non-greedy, it will still match against as much of the string as needed to satisfy the regex. Non-greedy doesn't mean only match up to the next character ('/' in this case), it means take the minimal amount of the string possible in order to satisfy the match. The second usage of '.+?' will happily match as much as possible, such as 'x86_64/mrg-g/2.0', so that it can find a match and satisfy the regex.
Committed to pulp master and RHUI branch.

pulp master:

commit 06b17d5cf4d02be3f2bc75a36c30d9e6880c6c4d
Author: James Slagle <jslagle>
Date:   Mon Oct 24 14:56:43 2011 -0400

    747725 Fix regular expression during oid validation and add a test that uses

rhui: 948709966ff7bc3ec9a02f0d82dabeb7fbe97038

I also found another problem in that we were using re.search instead of re.match. re.search will search the whole string instead of verifying that the requested uri *starts* with the oid url. If you had an oid url like rhel/server/6, and a repo at /my/super/secret/repo/rhel/server/6, requests to that repo would have been allowed given that oid url. Switching to re.match will ensure that the requested URI must start with the oid url.
Verification:

Make sure you have the MRG repos added and sync'd to your RHUI that match at least one of your base versions of RHEL. For example, if you have RHEL 6Server i386 sync'd, add MRG for 6Server i386.

Generate an entitlement certificate for the base RHEL 6 repo. What we want to verify is that that certificate does *not* give you access to MRG. You can generate a client config rpm for the MRG repos and point it at the entitlement certificate for the RHEL 6 repo. Then verify that you are denied access to the MRG repos.

Another way to do it would be to just generate a client config rpm for the MRG repos as normal, but then edit the yum repo config file and point it at an entitlement certificate for the base RHEL 6 repo.

As this touches our repo auth code, it's probably a good idea to do some other general verification around this area, just verifying in general that the generated entitlement certificates do give you access to only what you asked for.
To verify this defect, I generated a client config rpm for the MRG repo as well as for RHUI2.0 repos. In both cases I'm getting an HTTP 401 error while running yum operations on the client.

[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
https://dhcp201-170.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml: [Errno 14] HTTP Error 401 : https://dhcp201-170.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml
Trying other mirror.
https://dhcp201-137.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml: [Errno 14] HTTP Error 401 : https://dhcp201-137.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml
Trying other mirror.
repo id                          repo name                                  status
rhui-rhel-x86_64-6-rhui-2-rpms   Red Hat Update Infrastructure 2.0 (RPMs)   0
repolist: 0
[root@dhcp201-191 ~]# rpm -qi redhat-release-server| grep Version
Version     : 6Server                           Vendor: Red Hat, Inc.
[root@dhcp201-191 ~]#

Repos are synched on the RHUA as well as on both CDS nodes. It could be a test configuration issue, however I just wanted to confirm.
Even I see the same issues.

[root@ip-10-6-49-175 noarch]# yum repolist
Loaded plugins: product-id, pulp-profile-update, rhui-lb, subscription-manager
Updating Red Hat repositories.
https://ip-10-46-213-61.ec2.internal/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/rhui/2.0/os/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 401"
Trying other mirror.
repo id                          repo name                                  status
rhui-rhel-x86_64-6-rhui-2-rpms   Red Hat Update Infrastructure 2.0 (RPMs)   0
repolist: 0
The OID urls in the content certificate might start with a / (slash), so I need to account for that in the regular expression matching.

committed to pulp rhui branch: 1beed29819cd1719f8d1c129771b872651ed3856
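The three fixes described in the comments above (one path component per yum variable instead of '.+?', re.match instead of re.search, and tolerating a leading slash on the OID url), as an added example that is not Pulp's oid_validation.py. The function names, the assumption that the /pulp/repos/ prefix is stripped before comparison, the trailing component boundary, and the sample request paths are my own; the paths are modelled on the ones quoted in the report.

```python
import re

# Constructed sample data (not taken from a real content certificate): an OID
# url as it appears in the certificate, once without and once with the leading
# slash that comment 7 says must be tolerated.
RHEL6_OID_URL = "content/dist/rhel/rhui/server/6/$releasever/$basearch/os"
RHEL6_OID_URL_SLASH = "/" + RHEL6_OID_URL

# The yum variables that get turned into regex wildcards.
YUM_VARIABLE = r"\$releasever|\$basearch"

# Assumption (not stated in the thread): the auth hook sees the full request
# path, so the /pulp/repos/ prefix is stripped before comparing with the OID url.
REPOS_PREFIX = "/pulp/repos/"


def oid_regex_original(oid_url):
    """The translation described in the report: each variable becomes '.+?'.

    Lazy '.+?' still expands across '/' whenever that is the only way to reach
    the literal '/os' that follows, so <arch> can swallow 'x86_64/mrg-g/2.0'.
    """
    return re.sub(YUM_VARIABLE, ".+?", oid_url)


def oid_regex_fixed(oid_url):
    """Each variable becomes '[^/]+', i.e. exactly one path component.

    Literal pieces are escaped so a '.' in a version such as 2.0 stays literal,
    a leading slash on the OID url is dropped, and the trailing '(?:/|$)' is my
    own addition so the match can only end on a path-component boundary.
    """
    literals = re.split(YUM_VARIABLE, oid_url.lstrip("/"))
    return "^" + "[^/]+".join(re.escape(p) for p in literals) + "(?:/|$)"


def content_path(request_path):
    """Request path relative to the repos root (assumed prefix handling)."""
    if request_path.startswith(REPOS_PREFIX):
        request_path = request_path[len(REPOS_PREFIX):]
    return request_path.lstrip("/")


def is_allowed_original(oid_url, request_path):
    """Original behaviour: lazy wildcards plus re.search anywhere in the path."""
    return re.search(oid_regex_original(oid_url), request_path) is not None


def is_allowed_fixed(oid_url, request_path):
    """Fixed behaviour: one component per variable, anchored with re.match."""
    return re.match(oid_regex_fixed(oid_url), content_path(request_path)) is not None


# Constructed request paths with the access decision each one should get.
REQUESTS = [
    ("/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/os/repodata/repomd.xml", True),
    ("/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os", False),
    ("/pulp/repos//content/dist/rhel/rhui/server/6/6Server/x86_64/my/super/secret/repo/os", False),
]


def compare(oid_url=RHEL6_OID_URL):
    """Return [(path, expected, original_allows, fixed_allows), ...]."""
    return [(path, want, is_allowed_original(oid_url, path), is_allowed_fixed(oid_url, path))
            for path, want in REQUESTS]


if __name__ == "__main__":
    for path, want, old, new in compare():
        print("expected=%-5s original=%-5s fixed=%-5s %s" % (want, old, new, path))
    # The re.search problem from comment 3: the OID url is found mid-path.
    print(is_allowed_original("rhel/server/6", "/my/super/secret/repo/rhel/server/6"))
    print(is_allowed_fixed("rhel/server/6", "/my/super/secret/repo/rhel/server/6"))
```

Running it shows the original check allowing all three constructed paths while the fixed check allows only the repomd.xml request under the entitled repo; the last two prints show re.search accepting an OID url that appears in the middle of a path and re.match rejecting it.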
Verified with RHUI Gold iso having version: RHEL-6.1-RHUI-2.0.1-20111027.1-Server-x86_64-DVD1.iso

Now yum install operations are working fine, without the http 401 error:

[root@dhcp201-191 ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog  rh-client-config-rhel6-2.0-1.el6.noarch.rpm
[root@dhcp201-191 ~]# rpm -ivh rh-client-config-rhel6-2.0-1.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:rh-client-config-rhel6 ########################################### [100%]
[root@dhcp201-191 ~]# yum clean all
Loaded plugins: rhui-lb
Cleaning up Everything
[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
rhui-rhel-6-server-rhui-rpms                             | 2.4 kB     00:00
rhui-rhel-6-server-rhui-rpms/primary                     | 4.4 MB     00:00
rhui-rhel-6-server-rhui-rpms                                          5489/5489
repo id                         repo name                                  status
rhui-rhel-6-server-rhui-rpms    Red Hat Enterprise Linux 6 Server from R   5,489
repolist: 5,489
[root@dhcp201-191 ~]# yum install zsh
Loaded plugins: rhui-lb
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package zsh.x86_64 0:4.3.10-4.1.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================
 Package   Arch      Version           Repository                      Size
============================================================================
Installing:
 zsh       x86_64    4.3.10-4.1.el6    rhui-rhel-6-server-rhui-rpms   2.1 M

Transaction Summary
============================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 2.1 M
Installed size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
zsh-4.3.10-4.1.el6.x86_64.rpm                            | 2.1 MB     00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
rhui-rhel-6-server-rhui-rpms/gpgkey                      | 6.3 kB     00:00 ...
Importing GPG key 0xFD431D51 "Red Hat, Inc. (release key 2) <security>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0 "Red Hat, Inc. (auxiliary key) <security>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing     : zsh-4.3.10-4.1.el6.x86_64                                1/1

Installed:
  zsh.x86_64 0:4.3.10-4.1.el6

Complete!
[root@dhcp201-191 ~]#
MRG repos added that match the rhel6 base version:

Last Refreshed: 17:43:35
(updated every 5 seconds, ctrl+c to exit)

                                                                      Next Sync         Last Sync         Last Result
------------------------------------------------------------------------------
MRG Grid from RHUI (RPMs) (6Server-i386)                              10-28-2011 21:52  10-28-2011 15:53  Success
MRG Grid from RHUI (RPMs) (6Server-x86_64)                            10-28-2011 21:52  10-28-2011 15:53  Success
Red Hat Enterprise Linux 6 Server from RHUI (RPMs) (6Server-x86_64)   10-28-2011 21:52  10-28-2011 16:23  Success
Red Hat Update Infrastructure 2.0 (RPMs) (6Server-i386)               10-28-2011 21:52  10-28-2011 15:53  Success
Red Hat Update Infrastructure 2.0 (RPMs) (6Server-x86_64)             10-28-2011 21:52  10-28-2011 15:53  Success

Connected: dhcp201-180.englab.pnq.redhat.com
------------------------------------------------------------------------------

Installed client config rpm of mrg repo:

[root@dhcp201-191 ~]# rpm -ivh rh-client-config-mrg-2.0-1.el6.noarch.rpm
Preparing...                ########################################### [100%]
   1:rh-client-config-mrg   ########################################### [100%]
[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
repo id                              repo name                     status
rhui-rhel-6-server-rhui-grid-rpms    MRG Grid from RHUI (RPMs)     54
repolist: 54
[root@dhcp201-191 ~]# yum clean all
Loaded plugins: rhui-lb
Cleaning up Everything
[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
rhui-rhel-6-server-rhui-grid-rpms                        | 2.2 kB     00:00
rhui-rhel-6-server-rhui-grid-rpms/primary                |  16 kB     00:00
rhui-rhel-6-server-rhui-grid-rpms                                         54/54
repo id                              repo name                     status
rhui-rhel-6-server-rhui-grid-rpms    MRG Grid from RHUI (RPMs)     54
repolist: 54
[root@dhcp201-191 ~]#

Installed the client config rpm of the mrg repo and pointed it at the entitlement cert for rhel6.
[root@dhcp201-191 ~]# cat /etc/yum.repos.d/rh-cloud.repo
[rhui-rhel-6-server-rhui-grid-rpms]
name=MRG Grid from RHUI (RPMs)
mirrorlist=https://dhcp201-136.englab.pnq.redhat.com/pulp/mirror//content/dist/rhel/rhui/server/6/$releasever/$basearch/mrg-g/2.0/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt
#sslclientcert=/etc/pki/entitlement/product/content.crt
sslclientcert=/root/rhel6.crt
sslclientkey=/etc/pki/entitlement/key.pem
[root@dhcp201-191 ~]#
[root@dhcp201-191 ~]# yum repolist
Loaded plugins: rhui-lb
https://dhcp201-187.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os/repodata/repomd.xml: [Errno 14] PYCURL ERROR 56 - ""
Trying other mirror.
https://dhcp201-136.englab.pnq.redhat.com/pulp/repos///content/dist/rhel/rhui/server/6/6Server/x86_64/mrg-g/2.0/os/repodata/repomd.xml: [Errno 14] PYCURL ERROR 56 - ""
Trying other mirror.
repo id                              repo name                     status
rhui-rhel-6-server-rhui-grid-rpms    MRG Grid from RHUI (RPMs)     0
repolist: 0
[root@dhcp201-191 ~]#
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0367