Bug 749536 - incorrect oauth string for requests with multiple parameters having same name
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: Sprint 30
Assignee: Jason Connor
QA Contact: Preethi Thomas
Reported: 2011-10-27 11:47 UTC by Tomas Strachota
Modified: 2014-03-31 01:39 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-05-25 14:13:59 UTC



Description Tomas Strachota 2011-10-27 11:47:55 UTC
Description of problem:

If oauth is enabled, authentication fails when trying to make a request with multiple parameters that have the same name.
E.g. /repositories/?_intersect=groupid&groupid=product:1319641168168&groupid=env:1

According to the log, the oauth base string is calculated incorrectly:

pulp.server.auth.authentication:ERROR: authentication:214 error verifying OAuth signature: Invalid signature. Expected signature base string: GET&https%3A%2F%2Flocalhost%2Fpulp%2Fapi%2Frepositories%2F&_intersect%3Dgroupid%26groupid%3Dproduct%3A1319641168168%26oauth_consumer_key%3Dkatello%26oauth_nonce%3DHXxQnvo0H3f9kfEctEI3iFoQylDNIlnsZ4NMC1DsnI%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1319706227%26oauth_version%3D1.0

In this case it uses only the first groupid parameter and ignores the rest. Everything works fine for requests with only one groupid.

Comment 1 Tomas Strachota 2011-10-27 11:56:35 UTC
According to my investigation, I guess the problem is in the Python oauth implementation.

Function _split_url_string in http://oauth.googlecode.com/svn/code/python/oauth/oauth.py parses the query parameters and saves them into a hash.
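
An added example, not part of the bug report and not code from Pulp or the oauth library: it builds the signature base string per RFC 5849 section 3.4.1 for the request in the description, once keeping every name/value pair and once with one value per name, and shows that the HMAC-SHA1 check only fails in the second case. The consumer secret and the deduplicated_pairs helper are assumptions made for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote

# URL, query and oauth_* values come from the report; SECRET is a constructed placeholder.
URL = "https://localhost/pulp/api/repositories/"
QUERY = "_intersect=groupid&groupid=product:1319641168168&groupid=env:1"
OAUTH = {
    "oauth_consumer_key": "katello",
    "oauth_nonce": "HXxQnvo0H3f9kfEctEI3iFoQylDNIlnsZ4NMC1DsnI",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1319706227",
    "oauth_version": "1.0",
}
SECRET = "example-consumer-secret"

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(s, safe="-._~")

def base_string(method, url, pairs):
    # RFC 5849 section 3.4.1: encode names and values, sort the pairs
    # (by name, then value), join them, and encode the result once more.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def all_pairs(query):
    # Keeps every (name, value) pair, duplicates included.
    return parse_qsl(query, keep_blank_values=True) + list(OAUTH.items())

def deduplicated_pairs(query):
    # Hypothetical stand-in for the defect: one slot per name, first value kept,
    # which matches the single groupid in the logged base string.
    params = {}
    for name, value in all_pairs(query):
        params.setdefault(name, value)
    return list(params.items())

def verify(signature, pairs):
    expected = sign(base_string("GET", URL, pairs), SECRET)
    return hmac.compare_digest(signature, expected)

if __name__ == "__main__":
    client_sig = sign(base_string("GET", URL, all_pairs(QUERY)), SECRET)
    print(verify(client_sig, all_pairs(QUERY)), verify(client_sig, deduplicated_pairs(QUERY)))
```

A verifier that collects parameters as a list of pairs, as all_pairs does, accepts the same signature that the one-value-per-name verifier rejects.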

Comment 2 Jason Connor 2011-12-05 16:59:23 UTC
We've solved this by going to a patched version of oauth2: 1.5.170

Comment 3 Jeff Ortel 2011-12-15 20:18:07 UTC
build: 0.255

Comment 4 Jason Connor 2012-01-16 20:46:50 UTC
testing
1. add oauth credential to admin
2. use curl or wget to fetch the url http://localhost/pulp/api/tasks/?state=waiting&state=running along with the oauth credentials
3. success: list of tasks in the waiting or running state
   failure: authentication failure

Comment 5 Preethi Thomas 2012-05-17 14:11:37 UTC
verified

Comment 6 Preethi Thomas 2012-05-25 14:13:59 UTC
Pulp v1.1 Release

