Project

Profile

Help

Story #4009

Pulp - Story #3968: As a Pulp user, I can protect content I have stored in Pulp

Make CertGuard capabilities in Pulp3

Added by bmbouter about 1 year ago. Updated 7 months ago.

Status:
MODIFIED
Priority:
Normal
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Platform Release:
Blocks Release:
Backwards Incompatible:
No
Groomed:
Yes
Sprint Candidate:
No
Tags:
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:
Sprint 47

Description

In RPM for Pulp2, there is a WSGIAccessScript that uses the client script to verify the client's right to access a specific URL. This should be a RPM-specific guard that is provided by the RPM plugin.

In Pulp2 here are some links that are related:

https://github.com/pulp/pulp/tree/2-master/repoauth/pulp/repoauth <--- the actual checking code itself
https://github.com/pulp/pulp_rpm/blob/2-master/plugins/etc/httpd/conf.d/pulp_rpm.conf#L48 <---- the httpd WSGIAccessScript

We need to get some test data posted on here that can be used for development.

For crypto the Red Hat security team has recommended: https://pypi.org/project/cryptography/ as a portable crypto library for Python.

This should inherit from ContentGuard and be discoverable by core as an available ContentGuard.

Here are some field names:

class OidContentGuard(ContentGuard):

  • name 32 Charfield
  • CA certificate - TextFile (not a path) <------ note this is uploaded by the user

Related issues

Blocked by Pulp - Story #4074: As a user, the content guard logic needs to be loaded and used by the content app. MODIFIED Actions
Copied to CertGuard - Test #4363: Test the RHSMCertGuard NEW Actions

Associated revisions

Revision 53986229 View on GitHub
Added by jortel@redhat.com 10 months ago

Add content guard.
closes #4009

History

#1 Updated by bmbouter about 1 year ago

  • Parent task set to #3968

#2 Updated by bmbouter about 1 year ago

  • Tracker changed from Issue to Story
  • % Done set to 0

Converted to story at triage

#3 Updated by bmbouter about 1 year ago

  • Description updated (diff)

#4 Updated by bmbouter about 1 year ago

  • Description updated (diff)

#5 Updated by daviddavis about 1 year ago

  • Groomed changed from No to Yes
  • Sprint set to Sprint 43

#6 Updated by amacdona@redhat.com about 1 year ago

  • Sprint changed from Sprint 43 to Sprint 44

#7 Updated by jortel@redhat.com about 1 year ago

  • Blocked by Story #4074: As a user, the content guard logic needs to be loaded and used by the content app. added

#8 Updated by daviddavis about 1 year ago

  • Sprint changed from Sprint 44 to Sprint 45

#9 Updated by jortel@redhat.com 12 months ago

Is this really specific to RPM content only? If not, perhaps this content-guard should be contributed by a separate plugin?

#10 Updated by bmbouter 12 months ago

I think it's more broadly useful to other plugins. I also think that until another plugin actually wants to use it, shipping it along with RPM is a very easy thing to do now. The packaging, release bumping, release note-ing, travis overhead can be a lot to do.

When we do go to make it, it's own package and repo, I highly recommend using cookiecutter which is how I generated the generic package for the pulp_streamer.

#11 Updated by bmbouter 12 months ago

I had some questions about where the cert will be checked, and if we are sure that Pulp needs to provide custom code to do that type of checking?

In terms of where the checking is happening, I've been wondering lately about if Pulp should be doing cert validation in its WSGI process or outside of it. In Pulp2 the WSGIAccessScript was code Pulp provided but it was run "outside" of the Pulp WSGI process. Or are we validating the cert "inside" the Pulp WSGI process in Pulp's Django view code?

Also does Pulp have to provide code on how to check an OidCertificateGuard or can Apache validate an OidCertificateGuard like a nomral cert without Pulp providing a custom WSGIAccessScript?
I have the same quesiton for nginx as well.

#12 Updated by jortel@redhat.com 12 months ago

It's been my understanding that the primary motivation behind pulp3 ContentGuards was to provide content protection in a way that was independent of the web server. Mainly, that complicated apache/nginx configurations and access scripts would not be necessary. To fully achieve this, it seems that an SSL based ContentGuard should have the capability to validate the certificate in addition to the specialized things such as OID matching. I would expect the certificate validation to be enabled/disabled through the guard attributes. When content protection starts to require mod-ssl configurations and/or access scripts, I no longer see the value of ContentGuards.

#13 Updated by jortel@redhat.com 12 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#14 Updated by bmbouter 12 months ago

wrote:

It's been my understanding that the primary motivation behind pulp3 ContentGuards was to provide content protection in a way that was independent of the web server. Mainly, that complicated apache/nginx configurations and access scripts would not be necessary. To fully achieve this, it seems that an SSL based ContentGuard should have the capability to validate the certificate in addition to the specialized things such as OID matching. I would expect the certificate validation to be enabled/disabled through the guard attributes. When content protection starts to require mod-ssl configurations and/or access scripts, I no longer see the value of ContentGuards.

I totally agree with this reasoning. So this means authorization for content guards are checked "inside" Pulp's Content app.

Is the plan to only use the cryptography Python library mentioned in the ticket? That is a Python dependency so that I think would work well.

#15 Updated by jortel@redhat.com 12 months ago

Looking into the cryptography package, it does not seem to support certificate validation.

[1] https://github.com/pyca/cryptography/issues/2381

#16 Updated by daviddavis 12 months ago

  • Tags Pulp 3 RC Blocker added

#17 Updated by rchan 12 months ago

  • Sprint changed from Sprint 45 to Sprint 46

#18 Updated by bmbouter 12 months ago

In discussing making this its own python package that ships separately from RPM, here are some questions we came up with:

1. What will the PyPI package name be? e.g. for the streamer it's pulp_streamer
2. What will the python package path be? e.g. for the streamer it's pulpcore.streamer
3. What will the repo name be? I recommend the same as (1)
4. Which github team will have write perms to that repo?
5. Where will issues for it be filed?

#19 Updated by jortel@redhat.com 12 months ago

bmbouter wrote:

In discussing making this its own python package that ships separately from RPM, here are some questions we came up with:

1. What will the PyPI package name be? e.g. for the streamer it's pulp_streamer

pulp_oidguard

2. What will the python package path be? e.g. for the streamer it's pulpcore.streamer

pulp_oidguard

3. What will the repo name be? I recommend the same as (1)

pulp_oidguard

4. Which github team will have write perms to that repo?

I recommend we have a new team of 2-3.

5. Where will issues for it be filed?

My first thought is a new project in pulp.plan.io but wondering if we should consider just using github issues.

#20 Updated by bmbouter 12 months ago

@jortel, all those answers look great, ty.

+1 to using Redmine as a tracker for consistency. Let me know if you need any help setting that up, there are a few strange configuration points.

#21 Updated by jortel@redhat.com 12 months ago

Let's consider an attribute (setting) on the guard to enable/disable OID/path matching. This supports the guard also being useful to users only needing the client certificate validation part. Given this, I wonder if the name should be more focused on SSL/certificate (more broadly) and less on the OID/path matching. Perhaps: pulp_sslguard would be more appropriate.

Thoughts?

#22 Updated by bmbouter 12 months ago

wrote:

Let's consider an attribute (setting) on the guard to enable/disable OID/path matching. This supports the guard also being useful to users only needing the client certificate validation part. Given this, I wonder if the name should be more focused on SSL/certificate (more broadly) and less on the OID/path matching. Perhaps: pulp_sslguard would be more appropriate.

Thoughts?

+1 to a setting to disable the OID/path matching. I think it should by default do the checking so that could turn it off.

Renaming I think makes sense. I really like the "certificate" or "cert" in the name over SSL because strictly speaking we're not doing SSL. Maybe pulp-certguard or pulp-cert-guard which would be either pulp_certguard or pulp_cert_guard respectively as package names?

What do you think?

#23 Updated by jortel@redhat.com 12 months ago

The name pulp-certguard (or pulp_certguard) works for me.

#24 Updated by bmbouter 12 months ago

That works for me also.

#26 Updated by jortel@redhat.com 11 months ago

  • Project changed from RPM Support to CertGuard

#27 Updated by rchan 11 months ago

  • Sprint changed from Sprint 46 to Sprint 47

#28 Updated by jortel@redhat.com 10 months ago

  • Status changed from ASSIGNED to MODIFIED
  • % Done changed from 0 to 100

#29 Updated by jortel@redhat.com 10 months ago

  • Tags Pulp 3 added

#30 Updated by bherring 10 months ago

  • Copied to Test #4363: Test the RHSMCertGuard added

#31 Updated by bmbouter 7 months ago

  • Subject changed from Make a OidCertificateGuard that is ported from Pulp2 to Make CertGuard capabilities in Pulp3

retitling this because another issue actually providing the OID Certificate functionality so I want to retitle this for clarity.

#32 Updated by bmbouter 7 months ago

  • Sprint/Milestone set to 0.1 Release

#33 Updated by bmbouter 7 months ago

  • Tags deleted (Pulp 3)

Please register to edit this issue

Also available in: Atom PDF