Bug 309139

Just to have complete information set: this .curlrc syntax change seems to have broken zypper, in case proxy with authentication is used, as seen from bug #227513, comment #6 (https://bugzilla.novell.com/show_bug.cgi?id=227513#c6)

*** Bug 310486 has been marked as a duplicate of this bug. ***

See https://bugzilla.novell.com/show_bug.cgi?id=227513#c10 and https://bugzilla.novell.com/show_bug.cgi?id=227513#c11 for the logs

"RC1 is showing new problems related to zypper proxy authentication. The .curlrc
file has the correct format, and curl itself works with no problems (also, the
proxy environment variables are set correctly)...

Unfortunately, zypper now refuses to authenticate with the proxy...

From everything I've seen, it looks to me like zypper attempts to get the xml
file via the proxy; the proxy requests authentication; zypper gives up (i.e.
does not send proxy authentication response) thinking it's got a permanent
error (?)"

I suggest to raise severity and/or make release managers aware of this issue, so that possible future online-update can be released, because it makes package management defunct for the users who have to use proxy authentication.

Coolo?

I think this is fine with an online update. I don't think this is very often used feature

> I think this is fine with an online update. I don't think this is very often
used feature

This bug is Blocker for me and ~50 my Linux users and my 14 servers in LAN outside from proxy server.

Please note that online update is not possible in this case - not being able to authenticate to proxy makes package management stack defunct for users that are behind proxy that requires authentication. Thus, such user won't be able to download the patch fixing the bug.

Workaround - add proxyuser and proxypassword as query strings to your URL, like this: http://some.server.net/pub/openSUSE/10.3?proxyuser=user?proxypassword=pass (Jano? Is that correct?)

The patch is simple one-liner, I'll attach it in a while.

If we don't include it in 10.3 goldmaster, I suggest at least to add above mentioned workaround to release notes.

Created attachment 174518 [details]
patch for MediaCurl.cc

(In reply to comment #8 from Katarina Machalkova)
> Please note that online update is not possible in this case - not being able to
> authenticate to proxy makes package management stack defunct for users that are
> behind proxy that requires authentication. Thus, such user won't be able to
> download the patch fixing the bug.

Correct. Coolo, the fix is harmless, it should go into GM.

> Workaround - add proxyuser and proxypassword as query strings to your URL, like
> this:
> http://some.server.net/pub/openSUSE/10.3?proxyuser=user?proxypassword=pass
> (Jano? Is that correct?)

Yup, that's correct.

Maxim, does the workaround in comment #8 work for you? I know it's not nice, but does it work?

fixed in libzypp 3.26.0

I've just tried the comment #8 fix. Although I was able to add the repository correctly (which I wasn't able to do before), now the refresh etc. commands still do not work:

# zypper ar 'http://download.opensuse.org/update/10.3?proxyuser=sdprice1&proxypassword=Vgy7hu8ji9' suse-update-proxy
* Adding repository 'suse-update-proxy'
Repository 'suse-update-proxy' successfully added:
Enabled: Yes
Autorefresh: Yes
URL: http://download.opensuse.org/update/10.3?proxyuser=sdprice1&proxypassword=Vgy7hu8ji9


# zypper ref
...
Refreshing 'suse-update-proxy'
Repository 'suse-update-proxy' is invalid.
File ./repodata/patch-glibc-4403.xml not found on media: http://download.opensuse.org/update/10.3?proxyuser=sdprice1&proxypassword=Vgy7hu8ji9
Please, check if the URLs defined for this repository are pointing to a valid repository.
Skipping repository 'suse-update-proxy' because of the above error.
...

Also, I used my squid workaround (using Squid to authenticate with the external proxy; set zypper to use Squid as proxy) to update libzypp. I can only install version 3.24.7-3 - where can I get 3.26.0 to try?

(In reply to comment #13 from Stanislav Visnovsky)
> Maxim, does the workaround in comment #8 work for you? I know it's not nice,
> but does it work?
> 

Works on libzypp-3.26.0, but only if the password does not contain symbols "[, ], {, }"

zypper addrepo "http://download.opensuse.org/repositories/openSUSE:10.3/standard?proxyuser=it\test&proxypassword=/[1]2{3}" "Main 10.3"
Given URL is invalid.
Invalid query string component 'proxyuser=it\test&proxypassword=/[1]2{3}'

(In reply to comment #17 from Maxim Vasilev)
> Invalid query string component 'proxyuser=it\test&proxypassword=/[1]2{3}'

Yes, since the password is part of a URL here, it has to be URL-encoded, i.e. the special characters have to be written in a hexadecimal form:

...proxyuser=it%5Ctest&proxypassword=%2F%5B1%5D2%7B3%7D

However, since the problem of reading the --proxy-user string form ~/.curlrc has been fixed in libzypp 3.26.0, you can also try that. If a problem occurs with special characters, please open a new bug report.

(In reply to comment #16 from Steve Price)
> I've just tried the comment #8 fix. Although I was able to add the repository
> correctly (which I wasn't able to do before), now the refresh etc. commands
> still do not work:

hmm.. works for me:

$ sudo src/zypper ar http://download.opensuse.org/update/10.3?proxyuser=www\&proxypassword=passwd proxy
root's password:
* Adding repository 'proxy'
Repository 'proxy' successfully added:
Enabled: Yes
Autorefresh: Yes
URL: http://download.opensuse.org/update/10.3?proxyuser=www&proxypassword=passwd

$ sudo src/zypper refresh proxy
Refreshing 'proxy'
* Building repository 'proxy' cache
Specified repositories have been refreshed.

Please give it another try and if you still will have a problem, open a new bug report and attach zypper log (remove the old log before reproducing the problem).

Is libzypp 3.26.0 available as a package, or do I need to build my own libzypp+zypper from the subversion sources?

It was version libzypp 3.24.7-3 (the latest available in the repositories) that I tried, and failed.

(In reply to comment #20 from Steve Price)
> Is libzypp 3.26.0 available as a package, or do I need to build my own
> libzypp+zypper from the subversion sources?

It should be available in the factory repository soon.

> It was version libzypp 3.24.7-3 (the latest available in the repositories) that
> I tried, and failed.

The workaround in question should work also in 3.24.7. It's the ~/.curlrc parsing that has been fixed in 3.26.0.

Sorry, yes it does work - I'd forgotten to escape the & !

*** Bug 330351 has been marked as a duplicate of this bug. ***

Created attachment 176465 [details]
YaST2 log curl error 407

 
The problem still unresolved in OpenSuSE 10.3 final.

The libzypp changelog reports:

* mar set 25 2007 - jkupec@suse.cz
- release all attached media before attempting to eject (#293428)
- fixed parsing of --proxy-user parameter of .curlrc (#309139)
- revision 7352
- version 3.26.0

But when I add or refresh or try to download I obtain the same error 407

Angelo, in https://bugzilla.novell.com/show_bug.cgi?id=330351#c6, you mentioned that YaST proxy module created /home/.curlrc file for you. 

That's wrong, it should have created /root/.curlrc file, which should be correctly read by libzypp (zypper) version 3.26.0

Can you please confirm that it doesn't work for you with this .curlrc file syntax
--proxy-user "user:password"
--proxy "http://my.proxy.net:8080"

placed in /root directory?

Actually, it depends on $HOME. If you run zypper as root, ~root/.curlrc is read. Also there may be a problem with suid - bug 227511.

I confirm the location of .curlrc is /root.

I can user curl from the root account without troubles in commandline. Curl in YaST2 rises the 407 error as mentioned above.

YaST2 should export $HOME=/root during it's initialization, althought the proxy setting module is without utility.

My configuration is standard and my installation is fresh, so it's an unresolved YaST2 problem as the log explains.

Thanks!

opensuse103:~ # curl --head http://www.opensuse.org
HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.6.STABLE6
Date: Fri, 05 Oct 2007 08:32:08 GMT
Content-Type: text/html
Content-Length: 1303
Expires: Fri, 05 Oct 2007 08:32:08 GMT
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
X-Cache: MISS from proxy2ad.okb
X-Cache-Lookup: NONE from proxy2ad.okb:37982
Via: 1.0
Proxy-Connection: close

opensuse103:~ # pwd
/root
opensuse103:~ # echo $HOME
/root
opensuse103:~ # cat .curlrc

# Changed by YaST2 module proxy 03.10.2007
--proxy-user "it\suse:tESt"
--proxy "http://proxy2.hq.kcck:37982"
opensuse103:~ #
opensuse103:~ # curl --head http://www.opensuse.org --proxy "http://proxy2.hq.kcck:37982" --proxy-user "it\suse:tESt"
HTTP/1.0 200 OK
Date: Fri, 05 Oct 2007 08:33:10 GMT
Server: Apache
Last-Modified: Wed, 15 Aug 2007 14:49:09 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 5562
Set-Cookie: ZNPCQ002-opensuse=V0013f7cc9d2; path=/
P3p: CP="NOI"
X-Cache: MISS from proxy2ad.okb
X-Cache-Lookup: HIT from proxy2ad.okb:37982
Via: 1.0 ICS_SERVER (iChain 2.3.344), 1.0
Proxy-Connection: keep-alive

Maxim, please report comment #29 in a separate bug report.

Angelo, thanx for reporting this, but this is also another problem. Please create a new bug report with comment #24 and #25 and assign it to lslezak@novell.com. Please CC me in the report. Then close this bug. Thanx!

Angelo, also comment #28 of course :O)

It's enough to reopen Angelo's bug #330351, as it is not dup of this bug. The original issue is fixed however