Automation uses httpclient in conjunction with signpost (oauth lib) to make requests to configserver. For a regular GET request, the server was able to authorize and return the proper information. For POST or PUT, it returns a 401 Unauthorized error while using the same consumer key/secret. After speaking w/ the dev, it sounds like conductor does not take the entire header and generate the hash and signature. Instead it omits the "data=..." section. As a result, because the automation includes the data section when it generates the hash and signature, it fails verification on the configserver side.
The correct behavior according to oauth standards is to include the entire post body payload when generating the signature in the HTTP request. However, Conductor is using the RestClient ruby library with a request preprocessor that signs the request via oauth prior to sending the request. Either the way Conductor is using the RestClient library, or the library itself, is not including the entire post body when signing the request. Namely, it's not including the "data=..." part of the post body payload when generating the oauth signature. The workaround on the server side (i.e., inside of configserver) is to omit the "data=..." part of the post body when validating the signature. The security implications here are minimal, since there is a timestamp as well as other oauth headers included in the signed value. The major downside to this approach is that it is non-standard. Which leads right back to David's comment about test automation failing.
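The mismatch described in the comments above, as an added example that is not Conductor, configserver or signpost code: an OAuth 1.0 signature computed over a form-encoded POST with and without the body parameter. HMAC-SHA1, the URL, key, secret, nonce and body value are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# RFC 5849 percent-encoding: only unreserved characters stay literal.
def pct(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
def base_string(method, url, params)
  pairs = params.map { |k, v| [pct(k), pct(v)] }.sort
  [method.upcase, pct(url), pct(pairs.map { |k, v| "#{k}=#{v}" }.join('&'))].join('&')
end

# include_body: true follows the spec for form-encoded bodies;
# false models the behaviour described in this report (body "data=..." left out).
def sign(method, url, oauth, body, secret, include_body:)
  params = oauth.to_a + (include_body ? body.to_a : [])
  key = "#{pct(secret)}&" # two-legged request: empty token secret
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, base_string(method, url, params)))
end

# Server side: recompute the signature and compare in constant time.
def verify(sig, method, url, oauth, body, secret, include_body:)
  OpenSSL.secure_compare(sign(method, url, oauth, body, secret, include_body: include_body), sig)
end

# Constructed sample values, not taken from the report.
SAMPLE_URL = 'https://configserver.example/configs/1'
SAMPLE_SECRET = 'consumer-secret'
SAMPLE_OAUTH = { 'oauth_consumer_key' => 'automation', 'oauth_nonce' => 'n0nce1',
                 'oauth_signature_method' => 'HMAC-SHA1',
                 'oauth_timestamp' => '1325376000', 'oauth_version' => '1.0' }.freeze
SAMPLE_BODY = { 'data' => '<config>a=1</config>' }.freeze

if __FILE__ == $PROGRAM_NAME
  full = sign('POST', SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY, SAMPLE_SECRET, include_body: true)
  # A spec-following client against a verifier that drops the body: rejected (the 401).
  puts verify(full, 'POST', SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY, SAMPLE_SECRET, include_body: false)
  # With no body (GET) both variants agree, which is why GET requests succeeded.
  puts verify(sign('GET', SAMPLE_URL, SAMPLE_OAUTH, {}, SAMPLE_SECRET, include_body: true),
              'GET', SAMPLE_URL, SAMPLE_OAUTH, {}, SAMPLE_SECRET, include_body: false)
end
```

A verifier run with `include_body: false` produces the same signature for any value of `data`, so a regression test for the fixed builds can assert that changing the body changes the signature.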
https://fedorahosted.org/pipermail/aeolus-devel/2011-December/007547.html and https://fedorahosted.org/pipermail/aeolus-devel/2011-December/007549.html

RPM versions:
* aeolus-configserver-0.4.4-2 (the conductor patch still needs to be reviewed, accepted, pushed, and built)
adding ce-sprint-next bugs to ce-sprint
Fixed in the below build of audrey client and configserver:
aeolus-audrey-agent-0.4.3-1.el6.noarch.rpm
aeolus-configserver-0.4.5-1.el6.noarch.rpm