baseurl does not properly handle http GET query parameter #467
Comments
|
If I understand correctly, you have this configured in your And |
|
This is correct! Thank you for the fast response 👍 |
|
Thinking about this, I get more questions: Let's say we have successfully fetched the metadata file I am wondering how We do have username/password authentication, see https://github.com/vmware/tdnf/wiki/Repository-Configuration#password . Does your server support that? |
Your hunch is correct, the query params would need to be used in every request to the storage endpoint (package location fetching, package fetching, etc...) I am not familiar with how the For added context, the Azure Storage service does not readily use Username/Password (unless controlled by Azure CLI or powershell [Link]). Instead, a construct known as "sas tokens" are used (these query params that I've alluded to). This [Link] can provide more information on sas tokens. Additionally, I'm happy to work with you 1:1 to generate a private storage account, protected by sas tokens, that we can use to test functionality with TDNF.
I do know that dnf handles this scenario. Exactly how, I am unaware... However, the size of the
A colleague of mine has a working patch to the With your permission, I am much more interested in upstreaming this fix, instead of applying the patch to just my own Thanks |
|
I think I understand how it works. I am not enthusiastic about how it works - HTTP has headers which could be used, and there are standardized authentication mechanisms. I don't know why Microsoft has to use query parameters. I am very short on bandwidth right now, and this is a feature for which I am not aware of any other use cases, so I don't know when and if I am able to work on this. But if you or your colleague have a patch and it's of good quality I would accept that. |
Describe the bug
When utilizing a baseurl that is hosted with access control measures in place, tdnf has difficulty attempting to properly append paths to the baseurl.
E.g.,
A package repository is hosted in a cloud service and access to anything within the cloud storage is handled through passing of http query parameters
(For example, in
https://github.com/vmware/tdnf/issues/new?assignees=&labels=bug&projects=&template=bug-report.ymlurl, the substring?assignees=&labels=bug&projects=&template=bug-report.ymlis the query parameter)In the cloud storage situation, the unauthenticated baseurl may look like:
foo.cloudservice.storage.com/reporootand the authenticated baseurl will look like:foo.cloudservice.storage.com/reporoot?<authenticationtoken>.This authentication token must be appended to every HTTP get request when interacting with the cloud storage service.
In TDNF, there is no handling of this query substring, so the final path will get appended after this query parameter.
This prevents the use of tdnf with secured package repositories.
When a baseurl contains an http query parameter, tdnf fails to retrieve the repomd.xml and will cease to function, causing a non-zero exit code.
Reproduction steps
tdnf makecache...
Expected behavior
tdnf makecache, and all other tdnf commands should behave the same as with an unauthenticated baseurl
Additional context
No response
The text was updated successfully, but these errors were encountered: