Bug 55561 – 09_updater/18proxy-special: proxy/http used for https

Bug 55561 - 09_updater/18proxy-special: proxy/http used for https


Summary:	09_updater/18proxy-special: proxy/http used for https

Status:	CLOSED FIXED

Product:	UCS Test
Classification:	Unclassified
Component:	Updater
Version:	unspecified
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Philipp Hahn
QA Contact:	Erik Damrose

URL:	https://git.knut.univention.de/univen...
Keywords:

Depends on:	55044 12571 39922
Blocks:
	Show dependency tree / graph

Reported:	2023-01-11 21:02 CET by Philipp Hahn
Modified:	2023-01-25 12:39 CET (History)
CC List:	1 user (show)

See Also:	55273
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Philipp Hahn

2023-01-11 21:02:35 CET

test/ucs-test/tests/09_updater/18proxy-special is failing in our internal test setup since 257 runs:

https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master-part-II/testReport/09_updater/18proxy-special/master091/

> E: The repository 'https://updates-test.software-univention.de/4.4/maintained/component 4.4-9-errata-test/all/ Release' does not have a Release file.

Actually in UCS 5.0-2 this is also failing, but APT seems to handle this more gracefully and only flags it as warnings:

> W: Fehlschlag beim Holen von https://updates-test.software-univention.de/5.0/maintained/component/5.0-2-errata-test/all/InRelease Invalid response from proxy: HTTP/1.0 501 Unsupported method ('CONNECT')  Server: UCSTestProxy/1.0 Python/3.7.3  Date: Wed, 11 Jan 2023 17:25:49 GMT  Connection: close  Content-Type: text/html;charset=utf-8  Content-Length: 500     [IP: 127.0.0.1 45581]
> W: Einige Indexdateien konnten nicht heruntergeladen werden. Sie wurden ignoriert oder alte an ihrer Stelle benutzt.

Only `18proxy-special` is failing as all other proxy tests use `config_repo proxy/http=` to configure the proxy already during the initial repository setup. This triggers UCR to re-generate `/etc/apt/sources.list.d/20_ucs-online-component.list`, where URL is validated then and thus dropped. Only for `18proxy-special` the URL is included as the validation happens BEFORE the proxy is configured. As Bug #12571 was never fixed the URL still gets used after configuring UCRV `proxy/http` and `apt-get update` does access the URL. For APT in UCS 4.4 this is an "Error", while for APT in UCS 5.0 this is only a "Warning".

This probably happens since for Bug #55044 we changed `activate-errata-test-scope.sh` to setup that errata repository using `https://`, which is still used while running the tests. UCRV "proxy/https" is never set and since Bug #39922 the updater then defaults to UCRV `proxy/http` and uses the same dummy `proxy.py`, which does NOT implement HTTP `CONNECT`, which is required for proxying encrypted HTTP connections.


Sadly the UCR template `base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy` does not support setting an empty UCRV `proxy/https=""` to disable using any proxy for HTTPS, which the following patch would add:

diff --git base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy
index bb6835cdf3..6ab6bfc6d4 100644
--- base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy
+++ base/univention-base-files/conffiles/etc/apt/apt.conf.d/80proxy
@@ -17,10 +17,8 @@ if proxy:
     if '://' not in proxy:
         proxy = 'http://%s' % proxy
     print_proxy(proxy, 'http')
-    if not configRegistry.get('proxy/https', None):
-        print_proxy(proxy, 'https')
 
-proxy = configRegistry.get('proxy/https', None)
+proxy = configRegistry.get('proxy/https', proxy)
 if proxy:
     if '://' not in proxy:
         proxy = 'http://%s' % proxy

Comment 1 Philipp Hahn

2023-01-13 18:14:04 CET

See https://git.knut.univention.de/univention/ucs/-/commits/phahn/55561_proxy5

[phahn/55561_proxy5] d507836882 test(updater): Always create Release files
1. Fixes my issues that running `./47component-auth` failed for me because `5.0/maintained/component/testXXXXX/all/Release` was not created, which `apt-get update` expected to find

[phahn/55561_proxy5] c23fc3f1ef test(updater): proxy
2. Adds "HTTP CONNECT" support to proxy.py to make it usable as an proxy for https://

[phahn/55561_proxy5] f1eb543a8b fix: proxy/https defaulting
3. Move the fallback handling of UCRV "proxy/https" to "proxy/http" to the default layer instead of having it multiple times.

[phahn/55561_proxy5] 81f2256dff fix(USS): Separate proxy/https setting
4. Allow to configure UCRV `proxy/https` explicitly

[phahn/55561_proxy5] 556c5b5a4d style(ClamAV): proxy/http parsing
5. Use `urllib.parse.urlpase` instead of hand-crafted code

[phahn/55561_proxy5] 8776d4acda doc: UCRV proxy/https
6. Update manuals to current state; will hopefully go in first by https://git.knut.univention.de/univention/ucs/-/merge_requests/613

[phahn/55561_proxy5] d405dbbc49 fix: Also handle UCRV proxy/https
7. Actually use the configures HTTPS proxy for HTTP, not the HTTP proxy.


1 & 2 & 6 should go in ASAP, the rest is for later on your convenience.

Comment 2 Erik Damrose

2023-01-25 12:39:33 CET

OK: ed949961 test(updater): Always create Release files
OK: 0115afd3 test(updater): proxy

ucs-test 10.0.7-31A~5.0.0.202301231127

No proxy tests fail currently.

CLOSED directly, as there is nothing to be released separately