Issue #2733

closed

Pulp's test certs are bad and do not conform to candlepin's entitlement cert format

Added by daviddavis almost 7 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.13.1
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 19
Quarter:

Description

Currently our oid validation tests are failing on F25 after python-rhsm was updated to 1.19.4. See:

https://github.com/candlepin/subscription-manager/pull/1606

Talking with candlepin though, our test certs are bad. Due to their format, they are parsed as identity certs (which are used for authentication) when they should be entitlement certs since we're checking that paths are authorized [1].

Here's the conversation with @kahowell about what we need to do:

2017-04-26 15:55:37     kahowell        bmbouter, daviddavis, so for sake of determining when python-rhsm behavior changed and broke that test, i have done the following so far: went back to python-rhsm-1.19.0-1 and used certificate.create_from_pem... it *still* shows as a IdentityCertificate...
2017-04-26 15:56:46     daviddavis      kahowell: so I am totally new to this code... is that bad that the cert is an identity cert?
2017-04-26 15:56:58     daviddavis      not sure I understand the differences between identity, product, etc
2017-04-26 15:57:05     kahowell        bmbouter, daviddavis, also as far back as python-1.17.1...
2017-04-26 15:57:51     kahowell        daviddavis, basically, identity is just a cert used as auth to candlepin. entitlement certs are used for actual access (cdn, etc.)
2017-04-26 15:59:21     daviddavis      kahowell: so it looks like the test is trying to check the cert against the path (https://git.io/v933k) I'm guessing we should be using an entitlement cert?
2017-04-26 16:00:15     kahowell        daviddavis, yeah, and from python-rhsm's point of view, e_limited.crt is not one.
2017-04-26 16:00:25     daviddavis      I see
2017-04-26 16:01:30     daviddavis      kahowell: going to look into this more tomorrow. thanks for your help
2017-04-26 16:04:59     kahowell        daviddavis, i dug just a little bit more, and i think this file: https://github.com/pulp/pulp/blob/43cebf96a6af938e5688329d74959e0ca268bdf4/oid_validation/test/data/pulp_ssl.cnf could probably use some additional extensions defined. specifically either 1.3.6.1.4.1.2312.9.6 set to UTF8 "3.2" or similar or 1.3.6.1.4.1.2312.9.4.1 set to something. extensions are defined here: https://github.com/candlepin/subscription-manager/blob/master/python-rhsm/src/rhsm/certificate2.py#L35

[1] https://github.com/pulp/pulp/blob/678228549d231246e5e94efbbfe2b0ee18fb852e/oid_validation/test/test_oid_validation.py#L298-L304
