Actions
Issue #2065
closed
Error doing an ostree pull from pulp with an entitlement certificate.
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.8.7
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:
Description
The following section of code https://github.com/pulp/pulp/blob/master/oid_validation/pulp/oid_validation/oid_validation.py#L193-L211 in pulp has an issue that breaks ostree pull with an entitlement certificate.
cert = certificate.create_from_pem(cert_pem)
valid = False
for prefix in repo_url_prefixes:
# Extract the repo portion of the URL
repo_dest = dest[dest.find(prefix) + len(prefix):]
try:
valid = cert.check_path(repo_dest)
except AttributeError:
# not an entitlement certificate, so no entitlements
log_func('The provided client certificate is not an entitlement certificate.\n')
# if we have a valid url check, no need to continue
if valid:
break
if not valid:
log_func('Request denied to destination [%s]' % dest)
return valid
problem is in this part
repo_dest = dest[dest.find(prefix) + len(prefix):]
try:
valid = cert.check_path(repo_dest)
except AttributeError:
Using the debugger we find that the "repo_url_prefixes" work out to
(Pdb) repo_url_prefixes
['/pulp/repos', '/pulp/ostree/web']
and the "dest" works out to "'/pulp/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'" in the case of katello.
This means
(Pdb) l
193 cert = certificate.create_from_pem(cert_pem)
194 import rpdb; rpdb.set_trace()
195 valid = False
196 for prefix in repo_url_prefixes:
197 # Extract the repo portion of the URL
198 -> repo_dest = dest[dest.find(prefix) + len(prefix):]
199 try:
200 valid = cert.check_path(repo_dest)
201 except AttributeError:
202 # not an entitlement certificate, so no entitlements
203 log_func('The provided client certificate is not an entitlement certificate.\n')
(Pdb) dest
'/pulp/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'
(Pdb) prefix
'/pulp/repos'
(Pdb) dest.find(prefix)
-1
line 198 works out to
(Pdb) repo_dest
'ee/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'
causing that to get sent to -> "valid = cert.check_path(repo_dest)". There by failing with a value error showing saying something like
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pulp/repoauth/wsgi.py", line 43,
if not authenticators[auth_method](environ):
File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
valid = validator.is_valid(environ["REQUEST_URI"], cert_pem,
File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
is_valid = self._check_extensions(cert_pem, dest, log_func,
File "/usr/lib/python2.7/site-packages/pulp/oid_validation/
valid = cert.check_path(repo_dest)
File "/usr/lib64/python2.7/site-packages/rhsm/certificate2.py", line 558,
return self._path_tree.match_path(path)
File "/usr/lib64/python2.7/site-packages/rhsm/pathtree.py", line 78, in
raise ValueError('path must start with "/"')
ValueError: path must start with "/"
mod_wsgi (pid=15303): Client denied by server configuration: '/var/www/pub/ostree/web/Default_Organization/Library/atomic-view/content/dist/rhel/atomic/7/7Server/x86_64/ostree/repo/config'.
Related issues
Actions
.
Fixes #2065 - Handles OSTree cert paths correctly
Fixed a bug that caused the wrong repo destination path to be verified on a ostree pull.
Look at https://pulp.plan.io/issues/2065 for more info