Project

Profile

Help

Issue #2733

Pulp's test certs are bad and do not conform to candlepin's entitlement cert format

Added by daviddavis over 4 years ago. Updated almost 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.13.1
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 19
Quarter:

Description

Currently our oid validation tests are failing on F25 after python-rhsm was updated to 1.19.4. See:

https://github.com/candlepin/subscription-manager/pull/1606

Talking with candlepin though, our test certs are bad. Due to their format, they are parsed as identity certs (which are used for authentication) when they should be entitlement certs since we're checking that paths are authorized [1].

Here's the conversation with @kahowell about what we need to do:

2017-04-26 15:55:37     kahowell        bmbouter, daviddavis, so for sake of determining when python-rhsm behavior changed and broke that test, i have done the following so far: went back to python-rhsm-1.19.0-1 and used certificate.create_from_pem... it *still* shows as a IdentityCertificate...
2017-04-26 15:56:46     daviddavis      kahowell: so I am totally new to this code... is that bad that the cert is an identify cert?
2017-04-26 15:56:58     daviddavis      not sure I understand the differences between identify, product, etc
2017-04-26 15:57:05     kahowell        bmbouter, daviddavis, also as far back as python-1.17.1...
2017-04-26 15:57:51     kahowell        daviddavis, basically, identity is just a cert used as auth to candlepin. entitlement certs are used for actual access (cdn, etc.)
2017-04-26 15:59:21     daviddavis      kahowell: so it looks like the test is trying to check the cert against the path (https://git.io/v933k) I'm guessing we should be using an entitlement cert?
2017-04-26 16:00:15     kahowell        daviddavis, yeah, and from python-rhsm's point of view, e_limited.crt is not one.
2017-04-26 16:00:25     daviddavis      I see
2017-04-26 16:01:30     daviddavis      kahowell: going to look into this more tomorrow. thanks for your help
2017-04-26 16:04:59     kahowell        daviddavis, i dug just a little bit more, and i think this file: https://github.com/pulp/pulp/blob/43cebf96a6af938e5688329d74959e0ca268bdf4/oid_validation/test/data/pulp_ssl.cnf could probably use some additional extensions defined. specifically either 1.3.6.1.4.1.2312.9.6 set to UTF8 "3.2" or similar or 1.3.6.1.4.1.2312.9.4.1 set to something. extensions are defined here: https://github.com/candlepin/subscription-manager/blob/master/python-rhsm/src/rhsm/certificate2.py#L35

[1] https://github.com/pulp/pulp/blob/678228549d231246e5e94efbbfe2b0ee18fb852e/oid_validation/test/test_oid_validation.py#L298-L304

Associated revisions

Revision e037885a View on GitHub
Added by daviddavis over 4 years ago

Updating our test certs to conform to v1 entitlement certs

Also, this fixes our tests on F25 which has an updated version of python-rhsm.

fixes #2733 https://pulp.plan.io/issues/2733

History

#1 Updated by daviddavis over 4 years ago

  • Description updated (diff)

#2 Updated by bmbouter over 4 years ago

We should get this fixed as soon as we can because every platform PR will show failed tests on F25 until we do. +1 to adding it to current sprint.

#3 Updated by jortel@redhat.com over 4 years ago

  • Sprint/Milestone set to 38

#4 Updated by jortel@redhat.com over 4 years ago

  • Triaged changed from No to Yes

#5 Updated by daviddavis over 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis

#6 Updated by daviddavis over 4 years ago

  • Status changed from ASSIGNED to POST

#7 Updated by daviddavis over 4 years ago

  • Status changed from POST to MODIFIED

#8 Updated by bizhang over 4 years ago

  • Platform Release set to 2.13.1

#9 Updated by bizhang over 4 years ago

  • Status changed from MODIFIED to 5

#10 Updated by bizhang over 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#11 Updated by dalley almost 4 years ago

  • Related to Issue #3319: Certificates used in unit testing are expired added

#12 Updated by dalley almost 4 years ago

  • Related to deleted (Issue #3319: Certificates used in unit testing are expired)

#13 Updated by bmbouter almost 4 years ago

  • Sprint set to Sprint 19

#14 Updated by bmbouter almost 4 years ago

  • Sprint/Milestone deleted (38)

#15 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF