Issue #2065 (closed)
Error doing an ostree pull from pulp with an entitlement certificate.
Severity: 2. Medium
Platform Release: 2.8.7
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Description
The following section of code https://github.com/pulp/pulp/blob/master/oid_validation/pulp/oid_validation/oid_validation.py#L193-L211 in pulp has an issue that breaks ostree pull with an entitlement certificate.
    cert = certificate.create_from_pem(cert_pem)
    valid = False
    for prefix in repo_url_prefixes:
        # Extract the repo portion of the URL
        repo_dest = dest[dest.find(prefix) + len(prefix):]
        try:
            valid = cert.check_path(repo_dest)
        except AttributeError:
            # not an entitlement certificate, so no entitlements
            log_func('The provided client certificate is not an entitlement certificate.\n')
        # if we have a valid url check, no need to continue
        if valid:
            break
    if not valid:
        log_func('Request denied to destination [%s]' % dest)
    return valid
The problem is in this part:
        repo_dest = dest[dest.find(prefix) + len(prefix):]
        try:
            valid = cert.check_path(repo_dest)
        except AttributeError:
Using the debugger we find that the "repo_url_prefixes" work out to
(Pdb) repo_url_prefixes
['/pulp/repos', '/pulp/ostree/web']
and the "dest" works out to "'/pulp/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'" in the case of katello.
This means
(Pdb) l
193     cert = certificate.create_from_pem(cert_pem)
194     import rpdb; rpdb.set_trace()
195     valid = False
196     for prefix in repo_url_prefixes:
197         # Extract the repo portion of the URL
198  ->     repo_dest = dest[dest.find(prefix) + len(prefix):]
199         try:
200             valid = cert.check_path(repo_dest)
201         except AttributeError:
202             # not an entitlement certificate, so no entitlements
203             log_func('The provided client certificate is not an entitlement certificate.\n')
(Pdb) dest
'/pulp/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'
(Pdb) prefix
'/pulp/repos'
(Pdb) dest.find(prefix)
-1
line 198 works out to
(Pdb) repo_dest
'ee/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'
causing that to get sent to "valid = cert.check_path(repo_dest)", thereby failing with a ValueError saying something like
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pulp/repoauth/wsgi.py", line 43,
    if not authenticators[auth_method](environ):
  File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
    valid = validator.is_valid(environ["REQUEST_URI"], cert_pem,
  File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
    is_valid = self._check_extensions(cert_pem, dest, log_func,
  File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
    valid = cert.check_path(repo_dest)
  File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 558,
    return self._path_tree.match_path(path)
  File "/usr/lib64/python2.7/site-packages/rhsm/pathtree.py", line 78, in
    raise ValueError('path must start with "/"')
ValueError: path must start with "/"
mod_wsgi (pid=15303): Client denied by server configuration: '/var/www/pub/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'.
Fixes #2065 - Handles OSTree cert paths correctly
Fixed a bug that caused the wrong repo destination path to be verified on an ostree pull.
Look at https://pulp.plan.io/issues/2065 for more info
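The slice from the report reproduced next to an anchored prefix check, as an added example that is not Pulp's code and not necessarily the change that was merged. All function names are hypothetical, `check_path_stub` is a constructed stand-in for `cert.check_path()`, the sample path is shortened from the one in the issue, and `dest` is assumed to be a bare path as in the pdb session.

```python
# Added example: names below are hypothetical, not Pulp's or rhsm's code.

REPO_URL_PREFIXES = ['/pulp/repos', '/pulp/ostree/web']  # values from the pdb session


def repo_dest_buggy(dest, prefix):
    """Slice used in the issue: str.find() returns -1 when prefix is absent,
    so the slice starts at len(prefix) - 1 instead of after the prefix."""
    return dest[dest.find(prefix) + len(prefix):]


def repo_dest_checked(dest, prefix):
    """Return the path after prefix, or None if dest is not under prefix.
    The match is anchored at the start and ends on a '/' boundary."""
    if not dest.startswith(prefix + '/'):
        return None
    return dest[len(prefix):]


def check_path_stub(path, entitled=('/Default_Organization/Library/',)):
    """Constructed stand-in for cert.check_path(): rejects relative paths the
    way the traceback shows, then does a simple prefix match."""
    if not path.startswith('/'):
        raise ValueError('path must start with "/"')
    return any(path.startswith(e) for e in entitled)


def is_authorized(dest, prefixes=REPO_URL_PREFIXES):
    """Try each prefix in order, skipping prefixes that do not apply."""
    for prefix in prefixes:
        repo_dest = repo_dest_checked(dest, prefix)
        if repo_dest is not None and check_path_stub(repo_dest):
            return True
    return False


# Constructed sample request path, shortened from the one in the issue.
SAMPLE_DEST = '/pulp/ostree/web/Default_Organization/Library/atomic-view/repo/config'

if __name__ == '__main__':
    print(repr(repo_dest_buggy(SAMPLE_DEST, '/pulp/repos')))
    print(is_authorized(SAMPLE_DEST))
```

Anchoring with `startswith` also rejects a request path that merely contains a prefix somewhere in the middle, which `find()` alone would accept.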