Update Zypper auth check #1270
Update Zypper auth check #1270
Conversation
When a hybrid system runs zypper command, the check needs to take care of the subscription verification Currently, the check lacks paid extension ID, resulting in an unsuccessful verification This change fixes that If system is hybrid, and the path being accessed belongs to a paid extension, we check that the paid extension subscription is active if the repository path belongs to a free repository or no matches with paid extensions, no need to check the subscription if ZypperAuth handle_scc_subscription method gets called without a product id, the method will check _all_ non free products suscriptions to be active, if any This fixes bsc#1230157
jesusbv
force-pushed
the
fix-auth-repo
branch
from
1b158b0 to
ac56301
Compare
jesusbv
changed the title
| repos_paths.each do |repo_path| | ||
| if headers.fetch('X-Original-URI', '').include? repo_path | ||
| logger.info "verifying paid extension #{paid_extension.identifier}" | ||
| return ZypperAuth.verify_instance(request, logger, @system, paid_extension.id) |
There was a problem hiding this comment.
We could call handle_scc_subscription from path_allowed? or all_allowed_paths in the same file
I think adjusting the logic for ZypperAuth's path_allowed? (as in this PR) split the responsibilities clearer
There was a problem hiding this comment.
This creates a loop ZypperAuth.verify_instance calls handle_scc_subscription in 2 places. In one of those places we have if is_valid && system.hybrid? && !handle_scc_subscription(request, system, verification_provider, params_product_id) So if the instance verification passed and the system is hybrid we end up in handle_scc_subscription and then here, since the system is a hybrid system we turn around and call verify_instance again. I do not understand how this is going to end well.
There was a problem hiding this comment.
and then here, since the system is a hybrid system we turn around and call verify_instance again
I do not know what you mean, if you mean that we call ZypperAuth.verify_instance twice,
- one in line 166 (which we return the returned value of that call)
- one in line 173
the call in line 173 happens if the system is not hybrid (and I would add byos) or if it is hybrid/byos and the path trying to be accessed was not found in that system products
is that what you meant, @rjschwei ?
There was a problem hiding this comment.
my comment of moving the handle_scc_subscription (in ZypperAuth engine) call to path_allowed? (in strict_authentication engine) is more of "whose responsibility is it ?"
For example, if zypper is trying to access path A, it makes sense that the method checking if it is allowed
path_allowed? checks that the path is a non free repo and then checks that the subscription is valid/not expired
while verify_instance maybe should verify that the instance metadata is valid
It was just an open question than a suggestion
There was a problem hiding this comment.
@rjschwei can you explain what you mean with
and then here, since the system is a hybrid system we turn around and call verify_instance again
?
|
I will add the tests and coverage but it can be reviewed in the meantime |
| @@ -51,9 +51,22 @@ def verify_instance(request, logger, system, params_product_id = nil) | |||
| end | |||
|
|
|||
| def handle_scc_subscription(request, system, verification_provider, params_product_id = nil) | |||
There was a problem hiding this comment.
Would such name describe that method intent better?
| def handle_scc_subscription(request, system, verification_provider, params_product_id = nil) | |
| def has_active_subscription?(request, system, verification_provider, params_product_id = nil) |
| def path_allowed?(path) | ||
| return false unless original_path_allowed?(path) | ||
| def path_allowed?(headers) | ||
| return false unless original_path_allowed?(headers) |
There was a problem hiding this comment.
What's going on here, original_path_allowed? is an alias for path_allowed?, and then we call original_path_allowed? from inside path_allowed??
| def path_allowed?(headers) | ||
| return false unless original_path_allowed?(headers) | ||
|
|
||
| if @system.hybrid? |
There was a problem hiding this comment.
But shouldn't this apply to proxy systems as well? A BYOS system that uses RMT as a proxy to SCC should have the same verification right? OR do we not hit this code path for proxy clients?
There was a problem hiding this comment.
we do, and I think byos? system should be included, unless there are BYOS subscriptions to register the system that include LTSS, meaning one regcode including system + LTSS instead of two regcodes (something I wanted to check here before including it)
I think the workflow is two reg codes
Description
When a hybrid system runs zypper command, the check
needs to take care of the subscription verification
Currently, the check lacks paid extension ID, resulting in
an unsuccessful verification
This change fixes that
If system is hybrid, and the path being accessed belongs to a paid extension,
we check that the paid extension subscription is active
if the repository path belongs to a free repository or no matches with paid extensions,
no need to check the subscription
if ZypperAuth handle_scc_subscription method gets called without a product id,
the method will check all non free products suscriptions to be active, if any
This fixes bsc#1230157
How to test
Start an Azure instance, register LTSS, wait > 20 min for the cache to get expired
run
zypper refshould workChange Type
Please select the correct option.
Checklist
Please check off each item if the requirement is met.
MANUAL.mdfile with any changes to the user experience.package/obs/rmt-server.changes.Review
Please check out our review guidelines
and get in touch with the author to get a shared understanding of the change.