foreman icon indicating copy to clipboard operation
foreman copied to clipboard

Published 20 hours ago verified publisher icon theforeman

Fixes #36646 - compare remote address against correct IP address family

Open mgollo opened this issue 1 year ago • 10 comments

So far, the find_host_by_ip_or_mac function in the HostFinder class was unable to identify a host if the remote address (e.g. in a user-data query) was an IPv6 address because the address was not checked for whether it was an IPv6 address and always compared to the ip field of the NICs.

This PR contains a minimal change that checks whether the remote address is an IPv6 address and in that case checks the ip6 field instead of the ip field. In all other cases, it defaults to the previous behaviour.

To test this, an IPv6-enabled Foreman installation or at least a capsule server is required.

I tested the change against a dual-stacked capsule server which is connected to an IPv4-only Redhat Satellite server with properly configured trusted-proxies setting. Without the change, a request for endpoint /userdata/user-data via IPv6 to the capsule server would fail (but give the correct result via IPv4), after applying the change, the result was the same for IPv4 and IPv6.

mgollo avatar Jan 21 '24 16:01 mgollo

Can one of the admins verify this patch?

theforeman-bot avatar Jan 21 '24 16:01 theforeman-bot

Can one of the admins verify this patch?

theforeman-bot avatar Jan 21 '24 16:01 theforeman-bot

Can one of the admins verify this patch?

theforeman-bot avatar Jan 21 '24 16:01 theforeman-bot

Fixed Rubocop complaints

mgollo avatar Jan 23 '24 15:01 mgollo

ok to test

ekohl avatar Jan 23 '24 19:01 ekohl

Fixed indentation

mgollo avatar Jan 23 '24 20:01 mgollo

The change is breaking something in the unattended controller, unit test failed. I will have a look at this tomorrow.

mgollo avatar Jan 23 '24 21:01 mgollo

I would like to add a unit test for template retrieval via IPv6 too, but I am not sure if I understand the test suite correctly. Here is a change that to my understanding would add such a test, but I'd like to have this reviewed by someone with a better understanding:

diff --git a/test/controllers/unattended_controller_test.rb b/test/controllers/unattended_controller_test.rb
index 077e8e973..28a521ea5 100644
--- a/test/controllers/unattended_controller_test.rb
+++ b/test/controllers/unattended_controller_test.rb
@@ -18,7 +18,7 @@ class UnattendedControllerTest < ActionController::TestCase
       media(:one).locations << @loc
       media(:ubuntu).organizations << @org
       media(:ubuntu).locations << @loc
-      @rh_host = FactoryBot.create(:host, :managed, :with_dhcp_orchestration, :build => true,
+      @rh_host = FactoryBot.create(:host, :managed, :with_dhcp_orchestration, :with_ipv6, :build => true,
                                     :operatingsystem => operatingsystems(:redhat),
                                     :ptable => ptable,
                                     :medium => media(:one),
@@ -65,6 +65,13 @@ class UnattendedControllerTest < ActionController::TestCase
       assert_response :success
     end
 
+    test "should get a kickstart over IPv6" do
+      @request.env["HTTP_X_FORWARDED_FOR"] = @rh_host.ip6
+      @request.env["REMOTE_ADDR"] = "127.0.0.1"
+      get :host_template, params: { :kind => 'provision' }
+      assert_response :success
+    end
+
     test "should set @static when requested" do
       Setting[:safemode_render] = false
       @request.env["HTTP_X_RHN_PROVISIONING_MAC_0"] = "eth0 #{@rh_host.mac}"

mgollo avatar Jan 23 '24 22:01 mgollo

Added a unit test for template retrieval over IPv6, tested locally; test passes with the applied change, but fails against the old version Patch posted above almost correct, had to replace :with_ipv6 with :dualstack

mgollo avatar Jan 24 '24 11:01 mgollo

@ekohl Could you maybe approve the workflows to see if all the checks pass? Thanks!

mgollo avatar Jan 26 '24 11:01 mgollo