Issue #2065

closed

Error doing an ostree pull from pulp with an entitlement certificate.

Added by paji@redhat.com over 7 years ago. Updated over 4 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.8.7
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

The following section of code https://github.com/pulp/pulp/blob/master/oid_validation/pulp/oid_validation/oid_validation.py#L193-L211 in pulp has an issue that breaks ostree pull with an entitlement certificate.

        cert = certificate.create_from_pem(cert_pem)

        valid = False
        for prefix in repo_url_prefixes:
            # Extract the repo portion of the URL
            repo_dest = dest[dest.find(prefix) + len(prefix):]
            try:
                valid = cert.check_path(repo_dest)
            except AttributeError:
                # not an entitlement certificate, so no entitlements
                log_func('The provided client certificate is not an entitlement certificate.\n')
            # if we have a valid url check, no need to continue
            if valid:
                break

        if not valid:
            log_func('Request denied to destination [%s]' % dest)

        return valid

The problem is in this part:

            repo_dest = dest[dest.find(prefix) + len(prefix):]
            try:
                valid = cert.check_path(repo_dest)
            except AttributeError:

Using the debugger we find that the "repo_url_prefixes" work out to

(Pdb) repo_url_prefixes
['/pulp/repos', '/pulp/ostree/web']

and the "dest" works out to "'/pulp/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'" in the case of katello.

This means

(Pdb) l
193           cert = certificate.create_from_pem(cert_pem)
194           import rpdb; rpdb.set_trace()
195           valid = False
196           for prefix in repo_url_prefixes:
197               # Extract the repo portion of the URL
198  ->             repo_dest = dest[dest.find(prefix) + len(prefix):]
199               try:
200                   valid = cert.check_path(repo_dest)
201               except AttributeError:
202                   # not an entitlement certificate, so no entitlements
203                   log_func('The provided client certificate is not an entitlement certificate.\n')
(Pdb) dest
'/pulp/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'
(Pdb) prefix
'/pulp/repos'
(Pdb) dest.find(prefix) 
-1

Line 198 works out to

(Pdb) repo_dest
'ee/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'

causing that to get sent to "valid = cert.check_path(repo_dest)", thereby failing with a value error saying something like

 Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/pulp/repoauth/wsgi.py", line 43, 
     if not authenticators[auth_method](environ):
   File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
     valid = validator.is_valid(environ["REQUEST_URI"], cert_pem, 
   File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
     is_valid = self._check_extensions(cert_pem, dest, log_func, 
   File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
     valid = cert.check_path(repo_dest)
   File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 558, 
     return self._path_tree.match_path(path)
   File "/usr/lib64/python2.7/site-packages/rhsm/pathtree.py", line 78, in 
     raise ValueError('path must start with "/"')
 ValueError: path must start with "/"
 mod_wsgi (pid=15303): Client denied by server configuration: '/var/www/pub/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'.
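
The slice arithmetic from the debugger session above, reproduced next to a prefix check that is anchored at the start of the path. This is an added example, not part of the original report and not pulp's code or its fix: the function names are hypothetical and `check_path_stub` is an assumed stand-in for `cert.check_path` that only mimics the leading-slash check seen in the traceback.

```python
# Added illustration; not code from pulp. All function names are hypothetical.

# Sample values constructed from the debugger session quoted in the report.
REPO_URL_PREFIXES = ['/pulp/repos', '/pulp/ostree/web']
DEST = ('/pulp/ostree/web/Default_Organization/Library/atomic-view/content/'
        'dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config')


def strip_prefix_original(dest, prefix):
    """Slice from the reported code: find() returns -1 on a miss, so the
    slice silently starts at len(prefix) - 1 instead of signalling a miss."""
    return dest[dest.find(prefix) + len(prefix):]


def strip_prefix_anchored(dest, prefix):
    """Return the path below prefix, or None when dest is not under it.
    The match is anchored at the start and ends on a '/' boundary."""
    base = prefix.rstrip('/')
    if dest == base or dest.startswith(base + '/'):
        return dest[len(base):] or '/'
    return None


def check_path_stub(path):
    """Assumed stand-in for cert.check_path(): rejects paths without a
    leading '/' as in the traceback, then approves everything else."""
    if not path.startswith('/'):
        raise ValueError('path must start with "/"')
    return True


def authorize(dest, prefixes, strip):
    """Loop shape from the report with the stripping function swappable."""
    for prefix in prefixes:
        repo_dest = strip(dest, prefix)
        if repo_dest is None:  # this prefix does not apply to the request
            continue
        if check_path_stub(repo_dest):
            return True
    return False


if __name__ == '__main__':
    print(strip_prefix_original(DEST, '/pulp/repos'))
    print(strip_prefix_anchored(DEST, '/pulp/repos'))
    print(authorize(DEST, REPO_URL_PREFIXES, strip_prefix_anchored))
```

With the original slice, the first prefix in the list is tried before the one that actually matches, so the mangled path reaches the certificate check and the request fails before `/pulp/ostree/web` is ever considered.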

Related issues

Related to Packaging - Task #2083: Issues common to 2.9.1 and 2.8 stream (CLOSED - NOTABUG, semyers)

Actions #1

Updated by mhrivnak over 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to paji@redhat.com
Actions #3

Updated by jcline@redhat.com over 7 years ago

  • Project changed from OSTree Support to Pulp
  • Assignee changed from paji@redhat.com to jcline@redhat.com
  • Triaged changed from No to Yes
Actions #4

Updated by jcline@redhat.com over 7 years ago

  • Status changed from ASSIGNED to POST

Added by paji@redhat.com over 7 years ago

Revision 8950157d | View on GitHub

Fixes #2065 - Handles OSTree cert paths correctly

Fixed a bug that caused the wrong repo destination path to be verified on an ostree pull.

Look at https://pulp.plan.io/issues/2065 for more info

Added by Jeremy Cline over 7 years ago

Revision 01871af1 | View on GitHub

Update the prefix-stripping method in oid_validator

The prefix stripping method used in the oid_validator failed if the prefix was not found in the path. This fixes that particular issue, improves readability, and adds a unit test.

fixes #2065

Actions #5

Updated by Anonymous over 7 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #6

Updated by semyers over 7 years ago

  • Platform Release set to 2.8.7
Actions #7

Updated by semyers over 7 years ago

  • Related to Task #2083: Issues common to 2.9.1 and 2.8 stream added
Actions #8

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5
Actions #9

Updated by pthomas@redhat.com over 7 years ago

  • Status changed from 5 to 6

verified

# pulp-admin ostree repo create     --feed https://cdn.redhat.com/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/     --feed-ca-cert cdn/ent.crt     --feed-cert cdn/feed.crt     --feed-key cdn/feed.key  --repo-id atomic1
Repository [atomic1] successfully created

# pulp-admin ostree repo sync run --repo-id atomic1
+----------------------------------------------------------------------+
                   Synchronizing Repository [atomic1]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Create Local Repository
[-]
... completed

Update Summary
[/]
... completed

Pull Remote Branches
[\]
... completed

Add Content Units
[-]
... completed

Clean
[-]
... completed

Task Succeeded

Publish Trees
[\]
... completed

Making files available via web.
[/]
... completed

Task Succeeded

rpm -qa |grep pulp
pulp-admin-client-2.8.7-0.3.beta.el7.noarch
python-kombu-3.0.33-6.pulp.el7.noarch
pulp-rpm-plugins-2.8.7-0.2.beta.el7.noarch
python-pulp-bindings-2.8.7-0.3.beta.el7.noarch
python-pulp-rpm-common-2.8.7-0.2.beta.el7.noarch
pulp-puppet-plugins-2.8.7-0.2.beta.el7.noarch
pulp-docker-admin-extensions-2.0.3-1.el7.noarch
pulp-ostree-plugins-1.1.3-1.el7.noarch
pulp-docker-plugins-2.0.3-1.el7.noarch
pulp-rpm-admin-extensions-2.8.7-0.2.beta.el7.noarch
pulp-python-admin-extensions-1.1.3-1.el7.noarch
python-pulp-common-2.8.7-0.3.beta.el7.noarch
python-pulp-docker-common-2.0.3-1.el7.noarch
pulp-puppet-admin-extensions-2.8.7-0.2.beta.el7.noarch
python-pulp-python-common-1.1.3-1.el7.noarch
pulp-selinux-2.8.7-0.3.beta.el7.noarch
python-pulp-streamer-2.8.7-0.3.beta.el7.noarch
python-pulp-repoauth-2.8.7-0.3.beta.el7.noarch
pulp-server-2.8.7-0.3.beta.el7.noarch
python-pulp-oid_validation-2.8.7-0.3.beta.el7.noarch
python-pulp-puppet-common-2.8.7-0.2.beta.el7.noarch
python-pulp-ostree-common-1.1.3-1.el7.noarch
pulp-ostree-admin-extensions-1.1.3-1.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
pulp-python-plugins-1.1.3-1.el7.noarch
python-pulp-client-lib-2.8.7-0.3.beta.el7.noarch
Actions #10

Updated by semyers over 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
Actions #12

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
