Univention Bugzilla – Bug 39305
Use domainUUID for repository access
Last modified: 2017-10-25 09:29:34 CEST
By default the domainUUID should be used as user name and password for the access to the UCS repository and the App repositories. The domainUUID is used for both user name and password. The password can be changed later. The listener module license_uuid.py already sets the UCR variable uuid/license. The combination of user name and password should be used for the access to the UCS releases, the errata updates and the App Center repositories.
r64695 | Bug #39305 Updater: Implement repository access restriction
r64694 | Bug #39305 Updater: Rework URL concatenation
r64693 | Bug #39306 updater: Use https:// by default
r64692 | Bug #39306 updater: miscellaneous packaging fixes
r64691 | Bug #39306 updater: Switch external URLs to https://
r64690 | Bug #39306 updater: Separate UCS_Version
r64689 | Bug #39306 updater: Updater-lock as context manager
r64688 | Bug #39306 updater: Fix pyflakes/pep8 issues
r64687 | Bug #39306 updater: autopep8 fixes
r64686 | Bug #39306 updater: autopep8

Package: univention-updater
Version: 11.0.3-1.1412.201510211632
Branch: ucs_4.1-0

r64696 | Bug #39305, Bug #39306 updater CL

Test-setup:

# host name of the configured repository server, stripped of scheme and path
repo=$(ucr get repository/online/server|sed -re 's,^https?://,,;s,/.*$,,')
# a random UUID standing in for the license UUID used as user name and password
uuid=$(python -c 'import uuid;print uuid.uuid4()')
# certificate for the repository host, signed by the local UCS CA, and trust the CA system-wide
univention-certificate new -name $repo -days 365
ln -f /etc/univention/ssl/ucsCA/CAcert.pem /usr/local/share/ca-certificates/CAcert.crt
update-ca-certificates --verbose --fresh
# resolve the repository host name to the local machine (IPv4 and IPv6)
ip -6 addr add ::2 dev lo
ucr set hosts/static/127.0.0.2=$repo hosts/static/::2=$repo
nscd -i hosts
getent ahosts $repo
# local repository tree; either mount the internal mirror or rebuild it from the apt lists
mkdir -p /var/www/repo/4.0/{,un}maintained/{4.0-{0,1,2,3},component/4.0-3-errata}/{all,amd64,i386,source}
if ! mount -t nfs -o ro,rsize=8192 omar.knut.univention.de:/mnt/omar/vmwares/mirror_4.0 /var/www/repo/4.0
then
	cd /var/lib/apt/lists
	for f in *4.0*
	do
		# "host_4.0_maintained_4.0-0_amd64_Packages" -> "4.0/maintained/4.0-0/amd64/Packages"
		p=${f#*_}
		ln -f "$f" /var/www/repo/"${p//_//}"
	done
	find /var/www/repo -name Packages -execdir sh -c 'gzip -n -9 <"$0" >"$0.gz"' {} +
fi
# the UUID is both the user name and the password of the HTTP Basic auth account
ucr set --forced uuid/license="$uuid"
htpasswd -cb /etc/apache2/htpass "$uuid" "$uuid"
# Apache: HTTP and HTTPS vhost; both serve the same DocumentRoot, which requires authentication
cat >/etc/apache2/sites-enabled/$repo <<__CONF__
<VirtualHost *:80>
	ServerName $repo
	DocumentRoot /var/www/repo
	CustomLog /var/log/apache2/repo.log combined
	ErrorLog /var/log/apache2/repo-error.log
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
	SSLEngine on
	SSLCertificateFile /etc/univention/ssl/$repo/cert.pem
	SSLCertificateKeyFile /etc/univention/ssl/$repo/private.key
	SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
	ServerName $repo
	DocumentRoot /var/www/repo
	CustomLog /var/log/apache2/repo.log combined
	ErrorLog /var/log/apache2/repo-error.log
</VirtualHost>
</IfModule>
<Directory /var/www/repo>
	Options Indexes FollowSymLinks MultiViews
	Order allow,deny
	allow from all
	# the realm name must match the UCR key repository/credentials/<realm>/...
	AuthType Basic
	AuthName "Univention Software Repository"
	AuthBasicProvider file
	AuthUserFile /etc/apache2/htpass
	Require valid-user
</Directory>
__CONF__
apachectl graceful
tail -f /var/log/apache2/repo* &
# plain access with credentials over both protocols
wget -q -O/dev/null "http://$uuid:$uuid@$repo/"
wget -q -O/dev/null "https://$uuid:$uuid@$repo/"
# regenerate the apt sources list from the (now https://) repository settings
ucr commit /etc/apt/sources.list.d/15_ucs-online-version.list
# same access path the updater uses: credentials are sent only after a 401 with the matching realm
python -c "
import urllib2
password_manager = urllib2.HTTPPasswordMgrWithDefaultRealm()
auth_handler = urllib2.HTTPBasicAuthHandler(password_manager)
opener = urllib2.build_opener(auth_handler)
password_manager.add_password('Univention Software Repository', 'https://$repo/', '$uuid', '$uuid')
resp = opener.open('https://$repo/')
print resp.getcode()
"
My test system doesn't use the UUID as username / password after installing a new license with a domainUUID:

root@master491:~# univention-ldapsearch -LLL univentionLicenseKeyID=* univentionLicenseKeyID
dn: cn=admin,cn=license,cn=univention,dc=deadlock49,dc=intranet
univentionLicenseKeyID: 397a8c22-82f1-47a9-b971-82ac66fb197c
root@master491:~# ucr search --brief repository/credentials
repository/credentials/.*/password: <empty>
repository/credentials/.*/uris: <empty>
repository/credentials/.*/username: <empty>
repository/credentials/Univention Software Repository/uris: updates.software-univention.de updates-test.software-univention.de appcenter.software-univention.de appcenter-test.software-univention.de
root@master491:~#
(In reply to Stefan Gohmann from comment #2)
> My test system doesn't use the UUID as username / password after installing
> a new license with a domainUUID:
...
> repository/credentials/Univention Software Repository/uris:
> updates.software-univention.de updates-test.software-univention.de
> appcenter.software-univention.de appcenter-test.software-univention.de

1. As none of those repositories currently requires authentication, it is not set; this is the standard HTTP behavior: Only when a request fails with "401 Unauthorized" a 2nd request is done with the appropriate "Authorization" header added.
2. If you temporarily added authentication yourself, you probably didn't use the HTTP Basic Authentication Realm Name "Univention Software Repository". See comment #1 for a proper test setup.
OK: code review
??: functional test is ok up to now

currently not tested yet:
- create local repo mirror via HTTPS from our public repo servers
- use custom credentials

REOPEN:
- changelog*.xml should mention, that the default repo UCR entry is changed and switches to HTTPS → might be important for customer's firewall settings
- release-notes*xml should mention, that the repo uses HTTPS now by default
(In reply to Sönke Schwardt-Krummrich from comment #4)
> REOPEN:
> - changelog*.xml should mention, that the default repo UCR entry is changed
> and switches to HTTPS → might be important for customer's firewall settings
> - release-notes*xml should mention, that the repo uses HTTPS now by default

That is Bug #39306:

$ grep -n https *
changelog-4.1-0.xml:414: The updater now uses the protocol <systemitem class="protocol">https://</systemitem> to access the Univention Software Repository at <uri>https://updates.software-univention.de/</uri> by default (<u:bug>39306</u:bug>).
changelog-4.1-0.xml:417: The updater now uses the license UUID (&ucsUCRV; <envar>license/uuid</envar>) to access the Univention Software Repository at <uri>https://updates.software-univention.de/</uri> by default (<u:bug>39305</u:bug>).
changelog-4.1-0.xml:462: The package <package>cURL</package> treated warning alerts as fatal during the TLS handshake, which prevented connecting to some <systemitem class="protocol">https://</systemitem> servers using <acronym lang="">SNI</acronym> (<u:bug>39603</u:bug>).
release-notes-4.1-0-de.xml:66: Alle Pakete (<foreignphrase>maintained</foreignphrase> und <foreignphrase>unmaintained</foreignphrase>) sind auch online über <ulink url="https://updates.software-univention.de/"/> verfügbar.
release-notes-4.1-0-en.xml:66: All packages (<phrase>maintained</phrase> and <phrase>unmaintained</phrase>) are available online through <ulink url="https://updates.software-univention.de/"/>.
OK: code review
OK: functional test

Tested the mentioned scenario in comment 1.

Additional tests:
- tested with a second host
- custom credentials instead of $UUID
- created local mirror and pulled repo update via HTTPS
- usage of port 44300 instead of 443 for HTTPS; if this is the case, the host+port combination has to be added to "repository/credentials/Univention Software Repository/uris":
  repository/credentials/Univention Software Repository/uris="updates.software-univention.de:44300 …"
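The two behaviours discussed in comment #3 (credentials are sent only after a "401 Unauthorized" that names the matching realm) and comment #6 (a non-default port must be part of the registered host) can be reproduced locally. The following is an added example, not code from the univention-updater package: a minimal local HTTP server stands in for the Apache vhost of comment #1 and challenges with the realm "Univention Software Repository", and a client built on Python 3's urllib.request (the Python 3 counterpart of the urllib2 snippet in comment #1) fetches a path with credentials registered for a matching realm, for a wrong realm, and for the host without its port. The UUID value and the URL path are constructed.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Univention Software Repository"
# Constructed stand-in for the license UUID; it is both user name and password.
UUID = "00000000-1111-2222-3333-444444444444"


class ProtectedRepoHandler(BaseHTTPRequestHandler):
    """Stand-in for the Apache <Directory> with AuthType Basic and AuthName REALM."""

    # Records, per request, whether an Authorization header was present.
    seen = []

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        auth = self.headers.get("Authorization")
        ProtectedRepoHandler.seen.append(auth is not None)
        expected = "Basic " + base64.b64encode(f"{UUID}:{UUID}".encode()).decode()
        if auth != expected:
            # First response for an unauthenticated request: challenge with the realm.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        body = b"Packages index\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ProtectedRepoHandler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, realm, username, password, cred_uri=None):
    """Return the HTTP status for url.

    Credentials are registered for (realm, cred_uri) only; HTTPPasswordMgr hands
    them out solely when the server's 401 names that realm and the request URI
    matches the registered host:port. Nothing is sent pre-emptively.
    """
    mgr = urllib.request.HTTPPasswordMgr()
    mgr.add_password(realm, cred_uri or url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Run the three scenarios; returns ({name: status}, [auth header present per request])."""
    ProtectedRepoHandler.seen.clear()
    srv = start_server()
    port = srv.server_address[1]
    url = f"http://127.0.0.1:{port}/4.1/maintained/"  # constructed path
    try:
        results = {
            # realm matches: 401 first, then a second request carrying Authorization
            "matching_realm": fetch(url, REALM, UUID, UUID),
            # realm differs from the server's AuthName: no credentials are ever sent
            "wrong_realm": fetch(url, "Some Other Realm", UUID, UUID),
            # credentials registered for the host without ":port", as in an
            # uris entry lacking ":44300": the lookup fails and the 401 stands
            "host_without_port": fetch(url, REALM, UUID, UUID, cred_uri="http://127.0.0.1/"),
        }
    finally:
        srv.shutdown()
        srv.server_close()
    return results, list(ProtectedRepoHandler.seen)


if __name__ == "__main__":
    print(demo())
```

The first scenario produces two requests on the server side, the first without and the second with an Authorization header, which is the "2nd request" behaviour comment #3 describes; the other two scenarios each produce a single unauthenticated request and end in 401, which is what an operator sees when the realm name or the host:port entry under repository/credentials does not match.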
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".