Bug 806298 - [REST API]: GET'ing domain with bad credentials returns 404
Summary: [REST API]: GET'ing domain with bad credentials returns 404
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Pod
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Krishna Raman
QA Contact: libra bugs
URL:
Whiteboard:
Duplicates: 806293
Depends On:
Blocks:
Reported: 2012-03-23 11:45 UTC by Andre Dietisheim
Modified: 2015-05-15 01:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-13 18:32:24 UTC
Target Upstream Version:
Embargoed:



Description Andre Dietisheim 2012-03-23 11:45:06 UTC
If I do a GET on a specific domain I have while using erroneous credentials, I get 404:

curl -v -k -H "Accept: application/xml" --user "adietish:BADPW" https://openshift.redhat.com/broker/rest/domains/1329997507457 -X GET


< HTTP/1.1 404 Not Found
< Date: Fri, 23 Mar 2012 11:42:33 GMT
< Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
< X-Runtime: 0.945164
< Cache-Control: no-cache
< X-UA-Compatible: IE=Edge,chrome=1
< Status: 404
< Content-Type: application/xml; charset=utf-8
< Vary: Accept-Encoding,User-Agent
< ProxyTime: D=968946
< Connection: close
< Transfer-Encoding: chunked
< 
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <type nil="true"></type>
  <status>not_found</status>
  <messages>
    <message>
      <exit-code>127</exit-code>
      <field nil="true"></field>
      <text>Domain 1329997507457 not found.</text>
      <severity>error</severity>
    </message>
  </messages>
  <data nil="true"></data>
  <version>1.0</version>
</response>

I would have expected the response code 403.

Comment 1 Andre Dietisheim 2012-03-23 11:46:37 UTC
The very same request (to the same existing domain), while using valid credentials, lists the expected information.

Comment 2 Lili Nader 2012-03-24 02:52:31 UTC
Since this is on production, the authentication should be failing and routing the user to login or returning a 401.

Comment 3 Andre Dietisheim 2012-03-26 13:43:09 UTC
Switched severity to urgent since we cannot differentiate if a user has no domain or he's simply not authorized.

Comment 4 Krishna Raman 2012-03-27 04:22:06 UTC
5764b5c849d19492c7186cf5d3bd66dfd564e955

Comment 5 Xiaoli Tian 2012-03-29 08:55:41 UTC
(In reply to comment #4)
> 5764b5c849d19492c7186cf5d3bd66dfd564e955

Tested this on devenv_1679, with the instance configured to the integrated environment (which will require authentication for the user).

Access with an invalid password will return access denied:
curl -k -H 'Accept: application/xml' --user 'xtian+test5:invalidpwd' https://$instancedns/broker/rest/domains/doms6 -X GET
HTTP Basic: Access denied.

Access with a valid password but a nonexistent domain:
curl -k -H 'Accept: application/xml' --user 'xtian+test5:validpwd' https://$instancedns/broker/rest/domains/doms7 -X GET
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <type nil="true"></type>
  <data>
    <datum nil="true"></datum>
  </data>
  <messages>
    <message>
      <exit-code>127</exit-code>
      <severity>error</severity>
      <text>Domain doms7 not found.</text>
      <field nil="true"></field>
    </message>
  </messages>
  <status>not_found</status>
  <version>1.0</version>
</response>

Comment 6 Xiaoli Tian 2012-03-29 13:03:41 UTC
*** Bug 806293 has been marked as a duplicate of this bug. ***

Comment 7 Andre Dietisheim 2012-03-29 13:09:33 UTC
Looks perfect, thanks!
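
Added example, not part of the bug report and not the OpenShift broker's code: a Rack-style handler that checks HTTP Basic credentials before any domain lookup, so bad credentials get 401 and only an authenticated caller can get 404, matching the behaviour verified in comment 5. The user store, domain table, realm name and the names handle_request, authenticate and basic are assumptions made for illustration.

```ruby
require 'digest'

# Constructed sample data (assumptions, not taken from the broker).
USERS   = { 'alice' => Digest::SHA256.hexdigest('correct-horse') }.freeze
DOMAINS = { 'alice' => ['doms6'] }.freeze
DOMAIN_PATH = %r{\A/broker/rest/domains/([^/]+)\z}

# Compare two digests without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build an Authorization header value (helper for trying the handler).
def basic(login, password)
  'Basic ' + ["#{login}:#{password}"].pack('m0')
end

# Return the login for a valid HTTP Basic header, nil otherwise.
def authenticate(header)
  scheme, blob = header.to_s.split(' ', 2)
  return nil unless scheme.to_s.casecmp('basic').zero? && blob
  login, password = blob.unpack1('m').split(':', 2)
  return nil if login.nil? || password.nil?
  # Unknown users are compared against a dummy digest so both paths do the same work.
  stored = USERS.fetch(login, Digest::SHA256.hexdigest(''))
  known = USERS.key?(login)
  secure_equal?(stored, Digest::SHA256.hexdigest(password)) && known ? login : nil
end

# Rack-style handler (hypothetical): credentials are checked before any lookup.
def handle_request(env)
  login = authenticate(env['HTTP_AUTHORIZATION'])
  unless login
    return [401, { 'WWW-Authenticate' => 'Basic realm="broker"' },
            ['HTTP Basic: Access denied.']]
  end
  name = env['PATH_INFO'].to_s[DOMAIN_PATH, 1]
  unless DOMAINS.fetch(login, []).include?(name)
    return [404, {}, ["Domain #{name} not found."]]
  end
  [200, {}, ["Domain #{name}"]]
end
```

Because the 401 branch returns before the path is parsed, the response to bad credentials is identical whether or not the requested domain exists.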

