Bug 39305 - Use domainUUID for repository access
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Update - univention-updater
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1
Assigned To: Philipp Hahn
Sönke Schwardt-Krummrich
: interim-2
Depends on:
Blocks: 38886 45593
Reported: 2015-09-03 14:55 CEST by Stefan Gohmann
Modified: 2017-10-25 09:29 CEST (History)
Description Stefan Gohmann univentionstaff 2015-09-03 14:55:13 CEST
By default the domainUUID should be used as user name and password for the access to the UCS repository and the App repositories. The domainUUID is used for both, user name and password. The password can be changed later.

The listener module license_uuid.py sets already the UCR variable uuid/license. 

The combination of user name and password should be used for the access to the UCS releases, the errata updates and the App Center repositories.
Comment 1 Philipp Hahn univentionstaff 2015-10-21 16:37:57 CEST
r64695 | Bug #39305 Updater: Implement repository access restriction
r64694 | Bug #39305 Updater: Rework URL concatenation
r64693 | Bug #39306 updater: Use https:// by default
r64692 | Bug #39306 updater: miscellaneous packaging fixes
r64691 | Bug #39306 updater: Switch external URLs to https://
r64690 | Bug #39306 updater: Separate UCS_Version
r64689 | Bug #39306 updater: Updater-lock as context manager
r64688 | Bug #39306 updater: Fix pyflakes/pep8 issues
r64687 | Bug #39306 updater: autopep8 fixes
r64686 | Bug #39306 updater: autopep8

Package: univention-updater
Version: 11.0.3-1.1412.201510211632
Branch: ucs_4.1-0

r64696 | Bug #39305, Bug #39306 updater CL


Test-setup:

# Repository host from UCR (scheme and path stripped) and a fresh UUID that plays the role of the license UUID
repo=$(ucr get repository/online/server|sed -re 's,^https?://,,;s,/.*$,,')
uuid=$(python -c 'import uuid;print uuid.uuid4()')

# Issue a certificate for the repository name from the UCS CA and trust that CA system-wide
univention-certificate new -name $repo -days 365
ln -f /etc/univention/ssl/ucsCA/CAcert.pem /usr/local/share/ca-certificates/CAcert.crt
update-ca-certificates --verbose --fresh

# Resolve the repository name to the local host (IPv4 and IPv6)
ip -6 addr add ::2 dev lo
ucr set hosts/static/127.0.0.2=$repo hosts/static/::2=$repo
nscd -i hosts
getent ahosts $repo

# Populate the local repository: NFS mirror if reachable, otherwise rebuild it from the local apt lists
mkdir -p /var/www/repo/4.0/{,un}maintained/{4.0-{0,1,2,3},component/4.0-3-errata}/{all,amd64,i386,source}
if ! mount -t nfs -o ro,rsize=8192 omar.knut.univention.de:/mnt/omar/vmwares/mirror_4.0 /var/www/repo/4.0
then
 cd /var/lib/apt/lists
 for f in *4.0*
 do
  p=${f#*_}
  ln -f "$f" /var/www/repo/"${p//_//}"
 done
 # gzip every Packages file next to the original; the loop handles all files find hands over per directory
 find /var/www/repo -name Packages -execdir sh -c 'for f; do gzip -n -9 <"$f" >"$f.gz"; done' sh {} +
fi

# Publish the UUID as license UUID and create the htpasswd entry (user name = password = UUID)
ucr set --forced uuid/license="$uuid"
htpasswd -cb /etc/apache2/htpass "$uuid" "$uuid"

# Apache vhosts on 80 and 443 in front of /var/www/repo; the realm name must match the one the updater uses
cat >/etc/apache2/sites-enabled/$repo <<__CONF__
<VirtualHost *:80>
        ServerName $repo
        DocumentRoot /var/www/repo
        CustomLog /var/log/apache2/repo.log combined
        ErrorLog /var/log/apache2/repo-error.log
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/univention/ssl/$repo/cert.pem
        SSLCertificateKeyFile /etc/univention/ssl/$repo/private.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
        ServerName $repo
        DocumentRoot /var/www/repo
        CustomLog /var/log/apache2/repo.log combined
        ErrorLog /var/log/apache2/repo-error.log
</VirtualHost>
</IfModule>
<Directory /var/www/repo>
        Options Indexes FollowSymLinks MultiViews
        Order allow,deny
        allow from all
        AuthType Basic
        AuthName "Univention Software Repository"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/htpass
        Require valid-user
</Directory>
__CONF__
apachectl graceful

# Verify: both downloads must succeed with the UUID credentials, then regenerate the sources list
tail -f /var/log/apache2/repo* &
wget -q -O/dev/null "http://$uuid:$uuid@$repo/"
wget -q -O/dev/null "https://$uuid:$uuid@$repo/"
ucr commit /etc/apt/sources.list.d/15_ucs-online-version.list

# Same check through urllib2 with a realm-bound password manager, as the updater does it
python -c "
import urllib2
password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm()
auth_handler = urllib2.HTTPBasicAuthHandler(password_manager)
opener = urllib2.build_opener(auth_handler)
password_manager.add_password('Univention Software Repository', 'https://$repo/', '$uuid', '$uuid')
req = urllib2.Request('https://$repo/')
resp = opener.open(req)
print resp.getcode()
"
Comment 2 Stefan Gohmann univentionstaff 2015-10-23 07:28:17 CEST
My test system doesn't use the UUID as username / password after installing a new license with a domainUUID:

root@master491:~# univention-ldapsearch -LLL univentionLicenseKeyID=* univentionLicenseKeyID
dn: cn=admin,cn=license,cn=univention,dc=deadlock49,dc=intranet
univentionLicenseKeyID: 397a8c22-82f1-47a9-b971-82ac66fb197c

root@master491:~# ucr search --brief repository/credentials
repository/credentials/.*/password: <empty>
repository/credentials/.*/uris: <empty>
repository/credentials/.*/username: <empty>
repository/credentials/Univention Software Repository/uris: updates.software-univention.de updates-test.software-univention.de appcenter.software-univention.de appcenter-test.software-univention.de
root@master491:~#
Comment 3 Philipp Hahn univentionstaff 2015-10-23 12:01:22 CEST
(In reply to Stefan Gohmann from comment #2)
> My test system doesn't use the UUID as username / password after installing
> a new license with a domainUUID:
...
> repository/credentials/Univention Software Repository/uris:
> updates.software-univention.de updates-test.software-univention.de
> appcenter.software-univention.de appcenter-test.software-univention.de

1. As none of those repositories currently requires authentication, it is not set; this is the standard HTTP behavior: only when a request fails with "401 Unauthorized" is a 2nd request done with the appropriate "Authorization" header added.

2. If you temporarily added authentication yourself, you probably didn't use the HTTP Basic Authentication Realm Name "Univention Software Repository". See comment #1 for a proper test setup.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-11-04 14:47:50 CET
OK: code review
??: functional test is ok up to now
    currently not tested yet:
    - create local repo mirror via HTTPS from our public repo servers
    - use custom credentials

REOPEN: 
- changelog*.xml should mention that the default repo UCR entry is changed and switches to HTTPS → might be important for the customer's firewall settings
- release-notes*xml should mention that the repo uses HTTPS now by default
Comment 5 Philipp Hahn univentionstaff 2015-11-04 14:54:04 CET
(In reply to Sönke Schwardt-Krummrich from comment #4)
> REOPEN: 
> - changelog*.xml should mention that the default repo UCR entry is changed
> and switches to HTTPS → might be important for the customer's firewall settings
> - release-notes*xml should mention that the repo uses HTTPS now by default

That is Bug #39306:

$ grep -n https *
changelog-4.1-0.xml:414:                                        The updater now uses the protocol <systemitem class="protocol">https://</systemitem> to access the Univention Software Repository at <uri>https://updates.software-univention.de/</uri> by default (<u:bug>39306</u:bug>).
changelog-4.1-0.xml:417:                                        The updater now uses the license UUID (&ucsUCRV; <envar>license/uuid</envar>) to access the Univention Software Repository at <uri>https://updates.software-univention.de/</uri> by default (<u:bug>39305</u:bug>).
changelog-4.1-0.xml:462:                                        The package <package>cURL</package> treated warning alerts as fatal during the TLS handshake, which prevented connecting to some <systemitem class="protocol">https://</systemitem> servers using <acronym lang="">SNI</acronym> (<u:bug>39603</u:bug>).
release-notes-4.1-0-de.xml:66:                                                  Alle Pakete (<foreignphrase>maintained</foreignphrase> und <foreignphrase>unmaintained</foreignphrase>) sind auch online über <ulink url="https://updates.software-univention.de/"/> verfügbar.
release-notes-4.1-0-en.xml:66:                                                  All packages (<phrase>maintained</phrase> and <phrase>unmaintained</phrase>) are available online through <ulink url="https://updates.software-univention.de/"/>.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2015-11-05 14:49:55 CET
OK: code review
OK: functional test

Tested the mentioned scenario in comment 1. Additional tests:
- tested with a second host
- custom credentials instead of $UUID
- created local mirror and pulled repo update via HTTPS
- usage of port 44300 instead of 443 for HTTPS; if this is the case, the host+port combination has to be added to "repository/credentials/Univention Software Repository/uris":

repository/credentials/Univention Software Repository/uris="updates.software-univention.de:44300 …"
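Added example (not code from this bug or from univention-updater) illustrating comments 3 and 6: it builds a realm-bound password manager from constructed repository/credentials/* entries using Python 3's urllib.request (successor of the urllib2 used in comment 1) and shows that credentials are only returned when both the realm of the 401 challenge and the host[:port] match; the UUID and the UCR dictionary are constructed placeholders.

```python
import urllib.request

# Constructed sample in the shape of the repository/credentials/* UCR
# variables; the UUID is a placeholder, not a real license UUID.
PLACEHOLDER_UUID = "00000000-0000-4000-8000-000000000000"
UCR = {
    "repository/credentials/Univention Software Repository/uris":
        "updates.software-univention.de appcenter.software-univention.de",
    "repository/credentials/Univention Software Repository/username": PLACEHOLDER_UUID,
    "repository/credentials/Univention Software Repository/password": PLACEHOLDER_UUID,
}
PREFIX = "repository/credentials/"


def build_password_manager(ucr):
    """Group the UCR entries by realm and register every complete
    (uris, username, password) triple under that realm name."""
    realms = {}
    for key, value in ucr.items():
        if not key.startswith(PREFIX):
            continue
        realm, _, field = key[len(PREFIX):].rpartition("/")
        if realm and field in ("uris", "username", "password"):
            realms.setdefault(realm, {})[field] = value
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    for realm, cfg in realms.items():
        if all(f in cfg for f in ("uris", "username", "password")):
            # uris are scheme-less host[:port] entries, exactly as stored in UCR;
            # a host without port only matches requests on the default port
            mgr.add_password(realm, cfg["uris"].split(), cfg["username"], cfg["password"])
    return mgr


def resolve(ucr, realm, url):
    """Credentials the Basic auth handler would send after a 401 challenge
    naming `realm` for a request to `url`; (None, None) if nothing matches."""
    return build_password_manager(ucr).find_user_password(realm, url)


if __name__ == "__main__":
    print(resolve(UCR, "Univention Software Repository",
                  "https://updates.software-univention.de/4.1/maintained/4.1-0/"))
    # A different realm or an unregistered port yields no credentials
    print(resolve(UCR, "Some Other Realm", "https://updates.software-univention.de/"))
    print(resolve(UCR, "Univention Software Repository",
                  "https://updates.software-univention.de:44300/"))
```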
Comment 7 Stefan Gohmann univentionstaff 2015-11-17 12:12:28 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".