Project

Profile

Help

Issue #2733

closed

Pulp's test certs are bad and do not conform to candlepin's entitlement cert format

Added by daviddavis almost 7 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.13.1
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 19
Quarter:

Description

Currently our oid validation tests are failing on F25 after python-rhsm was updated to 1.19.4. See:

https://github.com/candlepin/subscription-manager/pull/1606

Talking with candlepin though, our test certs are bad. Due to their format, they are parsed as identity certs (which are used for authentication) when they should be entitlement certs since we're checking that paths are authorized [1].

Here's the conversation with @kahowell about what we need to do:

2017-04-26 15:55:37     kahowell        bmbouter, daviddavis, so for sake of determining when python-rhsm behavior changed and broke that test, i have done the following so far: went back to python-rhsm-1.19.0-1 and used certificate.create_from_pem... it *still* shows as a IdentityCertificate...
2017-04-26 15:56:46     daviddavis      kahowell: so I am totally new to this code... is that bad that the cert is an identify cert?
2017-04-26 15:56:58     daviddavis      not sure I understand the differences between identify, product, etc
2017-04-26 15:57:05     kahowell        bmbouter, daviddavis, also as far back as python-1.17.1...
2017-04-26 15:57:51     kahowell        daviddavis, basically, identity is just a cert used as auth to candlepin. entitlement certs are used for actual access (cdn, etc.)
2017-04-26 15:59:21     daviddavis      kahowell: so it looks like the test is trying to check the cert against the path (https://git.io/v933k) I'm guessing we should be using an entitlement cert?
2017-04-26 16:00:15     kahowell        daviddavis, yeah, and from python-rhsm's point of view, e_limited.crt is not one.
2017-04-26 16:00:25     daviddavis      I see
2017-04-26 16:01:30     daviddavis      kahowell: going to look into this more tomorrow. thanks for your help
2017-04-26 16:04:59     kahowell        daviddavis, i dug just a little bit more, and i think this file: https://github.com/pulp/pulp/blob/43cebf96a6af938e5688329d74959e0ca268bdf4/oid_validation/test/data/pulp_ssl.cnf could probably use some additional extensions defined. specifically either 1.3.6.1.4.1.2312.9.6 set to UTF8 "3.2" or similar or 1.3.6.1.4.1.2312.9.4.1 set to something. extensions are defined here: https://github.com/candlepin/subscription-manager/blob/master/python-rhsm/src/rhsm/certificate2.py#L35

[1] https://github.com/pulp/pulp/blob/678228549d231246e5e94efbbfe2b0ee18fb852e/oid_validation/test/test_oid_validation.py#L298-L304

Actions #1

Updated by daviddavis almost 7 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter almost 7 years ago

We should get this fixed as soon as we can because every platform PR will show failed tests on F25 until we do. +1 to adding it to current sprint.

Actions #3

Updated by jortel@redhat.com almost 7 years ago

  • Sprint/Milestone set to 38
Actions #4

Updated by jortel@redhat.com almost 7 years ago

  • Triaged changed from No to Yes
Actions #5

Updated by daviddavis almost 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis
Actions #6

Updated by daviddavis almost 7 years ago

  • Status changed from ASSIGNED to POST

Added by daviddavis almost 7 years ago

Revision e037885a | View on GitHub

Updating our test certs to conform to v1 entitlement certs

Also, this fixes our tests on F25 which has an updated version of python-rhsm.

fixes #2733 https://pulp.plan.io/issues/2733

Actions #7

Updated by daviddavis almost 7 years ago

  • Status changed from POST to MODIFIED
Actions #8

Updated by bizhang almost 7 years ago

  • Platform Release set to 2.13.1
Actions #9

Updated by bizhang almost 7 years ago

  • Status changed from MODIFIED to 5
Actions #10

Updated by bizhang almost 7 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #11

Updated by dalley about 6 years ago

  • Related to Issue #3319: Certificates used in unit testing are expired added
Actions #12

Updated by dalley about 6 years ago

  • Related to deleted (Issue #3319: Certificates used in unit testing are expired)
Actions #13

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 19
Actions #14

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (38)
Actions #15

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF