
Issue #4506

ssl_client_* and ssl_ca_certificate remote options are difficult to use

Added by jsherril@redhat.com 8 months ago. Updated 6 months ago.

Status:
MODIFIED
Priority:
High
Category:
-
Sprint/Milestone:
Start date:
Due date:
Severity:
2. Medium
Version:
Platform Release:
Blocks Release:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Katello-P1
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:
Sprint 52

Description

The three options:

ssl_ca_certificate
ssl_client_certificate
ssl_client_key

take PEM encoded certs, which is base64 encoded; however, when I use the bindings to pass them in, Pulp throws an error:

{"ssl_ca_certificate":["The submitted data was not a file. Check the encoding type on the form."],"ssl_client_certificate":["The submitted data was not a file. Check the encoding type on the form."],"ssl_client_key":["The submitted data was not a file. Check the encoding type on the form."]}

This seems to indicate that they need to be uploaded as a multi-part form (as files)? I'd expect the bindings to handle this if it were the case, but I'm not really sure it'd need to be the case?

In addition, these options are not documented in the remote_file_file_create API, even though the API seems to try to accept them.


Related issues

Related to Pulp - Task #2455: Store SSL certificates on the filesystem instead of DB MODIFIED
Related to Pulp - Test #5270: Test - Syncing with ssl client certs and ca cert CLOSED - DUPLICATE
Related to File Support - Issue #5352: Unable to sync using SSL certs from distribution with cert-guards NEW

Associated revisions

Revision 0fea20fd View on GitHub
Added by dkliban@redhat.com 6 months ago

Problem: ssl fields on remote are hard to use

Solution: switch all ssl fields to TextField

This patch switches the storage of SSL certs, keys, and CAs from filesystem to
database. This patch also introduces a new serializer field that returns a SHA256
digest for GET operations.

Required PR: https://github.com/pulp/pulpcore-plugin/pull/91

fixes: #4506
https://pulp.plan.io/issues/4506

re: #4676
https://pulp.plan.io/issues/4676

Revision 30287783 View on GitHub
Added by dkliban@redhat.com 6 months ago

Problem: downloader factory requires ssl certs as files

Solution: write client cert and key to temporary file

This patch enables the download factory to construct downloaders from certificates stored in the db.
The cadata object is used to pass in the CA for verifying the server [0]. The client key and client cert
are written to temporary files just before being loaded into the sslcontext. The temporary files are
then destroyed.

[0] https://docs.python.org/3.5/library/ssl.html#ssl-certificates

re: #4506
https://pulp.plan.io/issues/4506

History

#1 Updated by dkliban@redhat.com 8 months ago

  • Project changed from File Support to Pulp

#2 Updated by daviddavis 8 months ago

  • Related to Task #2455: Store SSL certificates on the filesystem instead of DB added

#3 Updated by dkliban@redhat.com 8 months ago

It looks like the serializer is not exposing these fields so the documentation and bindings don't mention any of these parameters. When the bindings work correctly, the user is supposed to provide a path to a file for each cert and key. The bindings do all the file handling to do the upload.

The FileFields on the Remote make this behaviour possible. However, they also produce paths to files as responses for a GET. The response should contain either the whole content of a key/cert or a digest for it. Users would like to be able to verify that the Remote is configured as expected.

#4 Updated by CodeHeeler 8 months ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes
  • Sprint set to Sprint 50

#5 Updated by daviddavis 7 months ago

  • Tags Pulp 3 added

#6 Updated by rchan 7 months ago

  • Sprint changed from Sprint 50 to Sprint 51

#7 Updated by daviddavis 6 months ago

  • Sprint/Milestone set to 3.0

#8 Updated by rchan 6 months ago

  • Sprint changed from Sprint 51 to Sprint 52

#9 Updated by dkliban@redhat.com 6 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com

#11 Updated by dkliban@redhat.com 6 months ago

Even though we will accept the keys and certs as strings, we will not be able to load them into the sslcontext from memory. Python currently only supports loading the certs from memory [0], but not keys [1].

[0] https://bugs.python.org/issue18138
[1] https://bugs.python.org/issue16487
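The approach from revision 30287783 and the limitation noted in #11, worked through as an added example (this is not Pulp's own code): the CA is handed to the context through cadata, the client cert and key go through short-lived files, and a SHA256 digest stands in for the secret on GET. The function names and the validate_ssl_fields helper are assumptions, not Pulp's API.

```python
"""Build a client ssl.SSLContext from PEM strings stored in the database."""
import hashlib
import os
import ssl
import tempfile
from typing import Optional


def pem_digest(pem: Optional[str]) -> Optional[str]:
    """SHA256 of a PEM field, returned on GET instead of the secret itself."""
    if not pem:
        return None
    return hashlib.sha256(pem.encode("utf-8")).hexdigest()


def build_ssl_context(ca_pem: Optional[str] = None,
                      client_cert_pem: Optional[str] = None,
                      client_key_pem: Optional[str] = None) -> ssl.SSLContext:
    """PEM arguments are assumed to be the strings held in the remote's DB row."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if ca_pem:
        # The CA never touches the filesystem: cadata accepts PEM text directly.
        ctx.load_verify_locations(cadata=ca_pem)
    if client_cert_pem or client_key_pem:
        if not (client_cert_pem and client_key_pem):
            raise ValueError("client certificate and key must be given together")
        # load_cert_chain only takes paths, so the key goes to a 0600 file in a
        # 0700 temp dir that is removed as soon as the context has loaded it.
        with tempfile.TemporaryDirectory() as tmp:
            cert_path = os.path.join(tmp, "client.crt")
            key_path = os.path.join(tmp, "client.key")
            fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(client_key_pem)
            with open(cert_path, "w") as fh:
                fh.write(client_cert_pem)
            ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
        # Directory and key file are gone here even if load_cert_chain raised.
    return ctx


def validate_ssl_fields(ca_pem: Optional[str] = None,
                        client_cert_pem: Optional[str] = None,
                        client_key_pem: Optional[str] = None) -> Optional[str]:
    """Serializer-style check: None if the PEM fields load, else the error text."""
    try:
        build_ssl_context(ca_pem, client_cert_pem, client_key_pem)
    except (ValueError, ssl.SSLError) as exc:
        return str(exc)
    return None
```

Calling validate_ssl_fields at serializer validation time rejects a malformed cert or key before it is stored, and the failed load_cert_chain still leaves no key material on disk.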

#12 Updated by dkliban@redhat.com 6 months ago

  • Status changed from POST to MODIFIED

#13 Updated by bmbouter 6 months ago

  • Tags deleted (Pulp 3)

#14 Updated by kersom 2 months ago

  • Related to Test #5270: Test - Syncing with ssl client certs and ca cert added

#16 Updated by kersom about 2 months ago

  • Related to Issue #5352: Unable to sync using SSL certs from distribution with cert-guards added
