gwar

4867: Reviewboard mishandles a changed Perforce fingerprint (vs the initial cert)

gwar 
What version are you running?


3.0.14


What's the URL of the page containing the problem?


admin/db/scmtools/repository/3/

(where 3 is the perforce repo)


What steps will reproduce the problem?


    

  1. renew an SSL cert in perforce (which typically expire every 2 years)
    2. 

  2. RB fails to post and some UI components are missing from reviews (eg. the Information panel on the right above Reviewers)
    3. 

  3. Editing the repo fails when you save it again and then hit the "trust..." button (ends up sending the "p4 -p <path> trust -i ..." command gibberish and results in a 500 error.
    4. 





What is the expected output? What do you see instead?


RB parse the trust error properly in the case of a changed fingerprint.  This is how I hacked it to fix the issue but could be handled more elegantly (around line 500):


elif "To allow connection use the 'p4 trust' command" in error:

                fingerprint = error.split(r'\n')[3]

                if fingerprint.startswith("If this is not a scheduled key change"):

                    fingerprint = error.split(r'\n')[6]

                logging.info("fingerprint is: %s", fingerprint)

                raise UnverifiedCertificateError(

                    Certificate(fingerprint=fingerprint))

            else:

                raise SCMError(error)




In the case of the initial cert index [3] contains the fingerprint.  In the case of a changed cert index [6] contains the fingerprint.  With the original code, it passed "If this is a scheduled key change" to p4 trust -i which timesout and causes a 500 error.






What operating system are you using? What browser?


N/A - server side.  RB server is running on Ubuntu 16.04


Please provide any additional information below.


To figure out the issue I added a logging.info of the error message which contained this


error: [P4#run] Errors during command execution( "p4 login" )


[Error]: "******* WARNING P4PORT IDENTIFICATION HAS CHANGED! *******\nIt is possible that someone is intercepting your connection\nto the Perforce P4PORT '<p4-server>:1666'\nIf this is not a scheduled key change, then you should contact\nyour Perforce administrator.\nThe fingerprint for the mismatched key sent to your client is\n00:11:22:33:44:55:66:77:88:99:00:11:22:33\nTo allow connection use the 'p4 trust' command."









The stacktrace wasn't helpful by itself since it doesn't contain the error message only this:


File "/usr/local/lib/python2.7/dist-packages/ReviewBoard-3.0.14-py2.7.egg/reviewboard/scmtools/perforce.py", line 755, in get_changeset

    """

  File "/usr/local/lib/python2.7/dist-packages/ReviewBoard-3.0.14-py2.7.egg/reviewboard/scmtools/perforce.py", line 514, in get_changeset


File "/usr/lib/python2.7/contextlib.py", line 17, in enter

    return self.gen.next()

  File "/usr/local/lib/python2.7/dist-packages/ReviewBoard-3.0.14-py2.7.egg/reviewboard/scmtools/perforce.py", line 497, in run_worker

    raise UnverifiedCertificateError(

UnverifiedCertificateError: A verified SSL certificate is required to connect to this repository.