action #53891
[openqa] Posting comments results in getting comments unless the URI scheme is specified
Description
Take the following:
rich@rpws ~> openqa-client --host openqa.opensuse.org --apikey CB3705D3354546E0 --apisecret XXX jobs/975114/comments POST text=test123
[
{
bugrefs => [],
created => "2019-07-05 08:15:47 +0000",
id => 43271,
renderedMarkdown => "update comment test\n",
text => "update comment test",
updated => "2019-07-05 08:45:11 +0000",
userName => "rpalethorpe",
},
]
rich@rpws ~> openqa-client --host https://openqa.opensuse.org --apikey CB3705D3354546E0 --apisecret XXX jobs/975114/comments POST text=test123
{ id => 43287 }
okurz thinks this may be due to https://github.com/os-autoinst/openQA/pull/2110.
Note that this only happens on O3 and not OSD. I also tried using two different versions of the openqa-client. Also the following works:
openqa-client --host openqa.opensuse.org --apikey CB3705D3354546E0 --apisecret XXX jobs/975114/comments/43271 PUT text="update comment test"
{ id => 43271 }
So the problem may only affect POST requests.
History
#1
Updated by okurz almost 4 years ago
- Description updated (diff)
- Assignee set to kraih
As O3 and OSD have been mentioned: OSD has an older version of openQA than O3. The diff is 4.6.1558532409.ab91f319..4.6.1561959871.3b6d67be
kraih could that be related to https://github.com/os-autoinst/openQA/pull/2110 ?
#3
Updated by kraih almost 4 years ago
- Status changed from New to In Progress
So, what's happening here doesn't look like a bug at all. When you use `--host openqa.opensuse.org` the client turns it into `--host http://openqa.opensuse.org`. Now `http://openqa.opensuse.org` redirects to `https://openqa.opensuse.org`.
That means our original HTTP request was `POST /api/v1/jobs/975114/comments?text=test123`, it receives a `301 Moved Permanently` to `Location: https://openqa.opensuse.org/api/v1/jobs/975114/comments?text=test123`.
And because `OpenQA::Client` follows redirects it requests `GET /api/v1/jobs/975114/comments?text=test123`, since redirects change the method to `GET`.
The same does not happen for `--host openqa.suse.de` because it does not redirect from HTTP to HTTPS.
Now we have multiple options:
- We decide this is ok and close the ticket
- We default to using HTTPS instead of HTTP when schema is missing (probably best)
- We make OpenQA::Client not follow redirects (does it have to? Only for some methods? Worst option, many side effects...)
- We throw an error when a redirect changes the schema
- Something else?
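The redirect behaviour described in the comment above, modelled offline as an added example (this is not openQA or OpenQA::Client code). The function names, the constructed redirect table and the method-rewrite rule are assumptions chosen to match what the ticket reports: POST becomes GET after the 301, PUT does not.

```python
from urllib.parse import urlsplit

# Constructed redirect table: the plain-HTTP origin answers with a 301 to the
# HTTPS origin, as the ticket describes for openqa.opensuse.org.
REDIRECTS = {"http://openqa.opensuse.org": (301, "https://openqa.opensuse.org")}


def normalize_host(host, default_scheme):
    """Prefix a bare --host value with default_scheme; full URLs pass through."""
    return host if "://" in host else f"{default_scheme}://{host}"


def method_after_redirect(method, status):
    """Simplified rule (assumption): 307/308 keep the method, 303 always
    becomes GET, and 301/302 rewrite only POST to GET."""
    if status in (307, 308):
        return method
    if status == 303 or method == "POST":
        return "GET"
    return method


def requests_sent(host, method, path, default_scheme="http",
                  forbid_scheme_change=False, max_redirects=5):
    """Return every (method, url) that would go on the wire, in order."""
    origin = normalize_host(host, default_scheme)
    trail = [(method, origin + path)]
    for _ in range(max_redirects):
        if origin not in REDIRECTS:
            break
        status, target = REDIRECTS[origin]
        if forbid_scheme_change and urlsplit(target).scheme != urlsplit(origin).scheme:
            raise RuntimeError(f"{status} redirect changes scheme: {origin} -> {target}")
        method, origin = method_after_redirect(method, status), target
        trail.append((method, origin + path))
    return trail


if __name__ == "__main__":
    path = "/api/v1/jobs/975114/comments?text=test123"
    for scheme in ("http", "https"):
        print(scheme, requests_sent("openqa.opensuse.org", "POST", path, scheme))
```

With the `http` default the trail contains a plain-HTTP POST followed by an HTTPS GET; with the `https` default or an explicit `https://` host only the intended POST is sent.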
#4
Updated by kraih almost 4 years ago
On second thought, I believe this should be considered a minor security flaw. And I've therefore proposed to change the default from HTTP to HTTPS. https://github.com/os-autoinst/openQA/pull/2194
#5
Updated by okurz almost 4 years ago
merged.
#6
Updated by kraih almost 4 years ago
- Status changed from In Progress to Resolved
#7
Updated by okurz almost 4 years ago
- Status changed from Resolved to Feedback
There was feedback on the GitHub PR after merge that the applied change is not really obvious, especially because we fall back to "localhost" which in most cases does not offer https, see https://github.com/os-autoinst/openQA/pull/2194#issuecomment-514510164 . Today a report by "lruzicka" on [#opensuse-factory](irc://chat.freenode.net/opensuse-factory) stated the same problem. Can we fall back to http://localhost by default?
#8
Updated by okurz over 3 years ago
- Status changed from Feedback to Resolved
- Assignee changed from kraih to okurz
34ba6ed90