749536 – incorrect oauth string for requests with multiple parameters having same name

Bug 749536 - incorrect oauth string for requests with multiple parameters having same name

Summary: incorrect oauth string for requests with multiple parameters having same name

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Pulp
Classification:	Retired
Component:	z_other
Sub Component:
Version:	1.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	Sprint 30
Assignee:	Jason Connor
QA Contact:	Preethi Thomas
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-10-27 11:47 UTC by Tomas Strachota
Modified:	2014-03-31 01:39 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-05-25 14:13:59 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Tomas Strachota 2011-10-27 11:47:55 UTC

Description of problem:

If oauth is enabled, authentication fails when trying to make a request with multiple parameters that have same name.
Eg. /repositories/?_intersect=groupid&groupid=product:1319641168168&groupid=env:1

According to log, oauth base string is calculated incorrectly:

pulp.server.auth.authentication:ERROR: authentication:214 error verifying OAuth signature: Invalid signature. Expected signature base string: GET&https%3A%2F%2Flocalhost%2Fpulp%2Fapi%2Frepositories%2F&_intersect%3Dgroupid%26groupid%3Dproduct%3A1319641168168%26oauth_consumer_key%3Dkatello%26oauth_nonce%3DHXxQnvo0H3f9kfEctEI3iFoQylDNIlnsZ4NMC1DsnI%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1319706227%26oauth_version%3D1.0

In this case it uses only the first groupid parameter and ignores the rest. Everything works fine for requests with only one groupid.

Comment 1 Tomas Strachota 2011-10-27 11:56:35 UTC

According to my investigation I guess the problem is in python oauth implementation.

Function _split_url_string in 
http://oauth.googlecode.com/svn/code/python/oauth/oauth.py parses the query parameters and saves them into a hash.

Comment 2 Jason Connor 2011-12-05 16:59:23 UTC

We've solved this by going to a patched version of oauth2: 1.5.170

Comment 3 Jeff Ortel 2011-12-15 20:18:07 UTC

build: 0.255

Comment 4 Jason Connor 2012-01-16 20:46:50 UTC

testing
1. add oauth credential to admin
2. use curl or wget to fetch the url http://localhost/pulp/api/tasks/?state=waiting&state=running along with the oauth credentials
3. success: list of task in the waiting or running state
   failure: authentication failure

Comment 5 Preethi Thomas 2012-05-17 14:11:37 UTC

verified

Comment 6 Preethi Thomas 2012-05-25 14:13:59 UTC

Pulp v1.1 Release

Note You need to log in before you can comment on or make changes to this bug.