Issue #3413
closed
"http" and "https" options in distribution have no effect
Description
Let's say I create a distribution by making an HTTP POST request to /api/v3/distributions/, with the following JSON body:
{
    "base_path": "my-base-path",
    "http": false,
    "https": false,
    "name": "distribution-name",
    "publication": "http://pulp-3.example.com:8000/api/v3/publications/publication-id/"
}
This will return a distribution:
{
    "_href": "http://pulp-3.example.com:8000/api/v3/distributions/distribution-name/",
    "base_path": "my-base-path",
    "base_url": "pulp-3.example.com:8000/content/my-base-path",
    "http": false,
    "https": false,
    "name": "distribution-name",
    "publication": "http://pulp-3.example.com:8000/api/v3/publications/publication-id/",
    "publisher": null,
    "repository": null
}
Furthermore, let's say that the publication at …/api/v3/publications/publication-id/ contains a file named 1.iso.
At which URLs is this file available? None at all. Right? After all, both "http" and "https" are false. Unfortunately, one can still GET the files at the following URLs:
http://pulp-3.example.com:8000/content/my-base-path/1.iso
https://pulp-3.example.com:8000/content/my-base-path/1.iso
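The check described in this report, written as a reusable regression test. This is an added example, not code from the reporter or from the Pulp project; the function names and the stub probe are hypothetical, and the stub stands in for a live server so the block runs offline.

```python
from urllib.error import URLError
from urllib.parse import urlsplit
from urllib.request import urlopen

SCHEMES = ("http", "https")

def content_urls(distribution, rel_path):
    """Build one URL per scheme from the scheme-less base_url field."""
    base = distribution["base_url"].rstrip("/")
    return {s: f"{s}://{base}/{rel_path.lstrip('/')}" for s in SCHEMES}

def is_served(url, timeout=5):
    """Live probe: True if a GET on the URL returns a 2xx status."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (URLError, OSError):
        # Connection refused, TLS failure, 4xx/5xx: content is not served.
        return False

def scheme_violations(distribution, rel_path, probe=is_served):
    """Return the schemes that serve the file although the distribution
    declares them disabled ("http": false / "https": false)."""
    urls = content_urls(distribution, rel_path)
    return sorted(s for s in SCHEMES if not distribution[s] and probe(urls[s]))

# Constructed sample: the fields of the distribution shown in the report.
DISTRIBUTION = {
    "base_path": "my-base-path",
    "base_url": "pulp-3.example.com:8000/content/my-base-path",
    "http": False,
    "https": False,
    "name": "distribution-name",
}

def fake_probe(url):
    """Stub for the reported behaviour: the file is served on any scheme."""
    return urlsplit(url).path == "/content/my-base-path/1.iso"

if __name__ == "__main__":
    # An empty list means the flags are honoured; the reported behaviour
    # yields both schemes.
    print(scheme_violations(DISTRIBUTION, "1.iso", probe=fake_probe))
```

Dropping the `probe` argument makes the same function run against a live deployment, where a non-empty result means content is reachable over a scheme the distribution claims to disable.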
Related issues
Updated by daviddavis over 6 years ago
- Project changed from File Support to Pulp
Updated by dalley over 6 years ago
- Sprint/Milestone set to 56
- Triaged changed from No to Yes
Updated by dalley over 6 years ago
- Related to Issue #3416: Pulp 3 Jenkins jobs use the development webserver added
Updated by dkliban@redhat.com over 6 years ago
We should just remove the http and https properties from the Distribution model.
Pulp is not in the business of providing SSL encryption. Web servers should be used to enforce SSL connections.
Updated by Ichimonji10 over 6 years ago
That solution would solve this issue. And from my personal experience in deploying web applications, shoveling that responsibility onto a web server tends to work well.
Updated by jortel@redhat.com over 6 years ago
The proposal to remove the http & https attributes for the MVP is fine. The plan was always to delegate the SSL responsibilities to an external web server. There was another use case that required the content app to enforce the permitted schemes but I don't remember what it was.
Updated by jortel@redhat.com over 6 years ago
- Sprint changed from Sprint 33 to Sprint 34
Updated by daviddavis over 6 years ago
- Related to Issue #3451: Remove http and https options on distributions added
Updated by daviddavis over 6 years ago
- Status changed from NEW to CLOSED - WONTFIX
Closing out in favor of https://pulp.plan.io/issues/3451