Actions
Issue #2733
closed
Pulp's test certs are bad and do not conform to candlepin's entitlement cert format
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.13.1
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 19
Quarter:
Description
Currently our oid validation tests are failing on F25 after python-rhsm was updated to 1.19.4. See:
https://github.com/candlepin/subscription-manager/pull/1606
Talking with candlepin though, our test certs are bad. Due to their format, they are parsed as identity certs (which are used for authentication) when they should be entitlement certs since we're checking that paths are authorized [1].
Here's the conversation with @kahowell about what we need to do:
2017-04-26 15:55:37 kahowell bmbouter, daviddavis, so for sake of determining when python-rhsm behavior changed and broke that test, i have done the following so far: went back to python-rhsm-1.19.0-1 and used certificate.create_from_pem... it *still* shows as a IdentityCertificate...
2017-04-26 15:56:46 daviddavis kahowell: so I am totally new to this code... is that bad that the cert is an identify cert?
2017-04-26 15:56:58 daviddavis not sure I understand the differences between identify, product, etc
2017-04-26 15:57:05 kahowell bmbouter, daviddavis, also as far back as python-1.17.1...
2017-04-26 15:57:51 kahowell daviddavis, basically, identity is just a cert used as auth to candlepin. entitlement certs are used for actual access (cdn, etc.)
2017-04-26 15:59:21 daviddavis kahowell: so it looks like the test is trying to check the cert against the path (https://git.io/v933k) I'm guessing we should be using an entitlement cert?
2017-04-26 16:00:15 kahowell daviddavis, yeah, and from python-rhsm's point of view, e_limited.crt is not one.
2017-04-26 16:00:25 daviddavis I see
2017-04-26 16:01:30 daviddavis kahowell: going to look into this more tomorrow. thanks for your help
2017-04-26 16:04:59 kahowell daviddavis, i dug just a little bit more, and i think this file: https://github.com/pulp/pulp/blob/43cebf96a6af938e5688329d74959e0ca268bdf4/oid_validation/test/data/pulp_ssl.cnf could probably use some additional extensions defined. specifically either 1.3.6.1.4.1.2312.9.6 set to UTF8 "3.2" or similar or 1.3.6.1.4.1.2312.9.4.1 set to something. extensions are defined here: https://github.com/candlepin/subscription-manager/blob/master/python-rhsm/src/rhsm/certificate2.py#L35
Updated by bmbouter almost 6 years ago
We should get this fixed as soon as we can because every platform PR will show failed tests on F25 until we do. +1 to adding it to current sprint.
Updated by daviddavis almost 6 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to daviddavis
Updated by daviddavis almost 6 years ago
- Status changed from ASSIGNED to POST
Added by daviddavis almost 6 years ago
Updated by daviddavis almost 6 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp|e037885a034095035b8e6eb677afd5dc9b061837.
Updated by bizhang almost 6 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Updated by dalley about 5 years ago
- Related to Issue #3319: Certificates used in unit testing are expired added
Updated by dalley about 5 years ago
- Related to deleted (Issue #3319: Certificates used in unit testing are expired)
Actions
.
Updating our test certs to conform to v1 entitlement certs
Also, this fixes our tests on F25 which has an updated version of python-rhsm.
fixes #2733 https://pulp.plan.io/issues/2733