Project

Profile

Help

Send by e-mail

Story #5216

Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment

As a user, I can configure which checksum types I want to use in Pulp

Added by daviddavis almost 2 years ago. Updated 10 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
ggainey
Category:
-
Sprint/Milestone:
3.7.0
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
Sprint:
Sprint 81
Quarter:

Description

Background

Some users would like to disallow the use of certain checksums now determined to be insecure, e.g. md5 or sha1. It is desirable to allow users to configure which checksum types they want to use with Pulp.

When does Pulp call checksums?

When computing the Artifacts themselves a variety of checksums are computed here and then stored on the Artifact model's checksum fields.

Feature plan

Introduce a new setting called CONTENT_CHECKSUMS which would identify the set() of CHECKSUMS that Pulp should be using. Here's an example of the default:

CONTENT_CHECKSUMS = set("md5", "sha1", “sha224”, “sha256”, “sha384”, “sha512”)

In this case, all checksums would be computed and stored as they do today.

If a user configured this with:

CONTENT_CHECKSUMS = set("sha1", “sha224”, “sha256”, “sha384”, “sha512”)

Then all checksums would be computed and used except md5.

If a user configured this with:

CONTENT_CHECKSUMS = set(“sha224”, “sha256”, “sha384”, “sha512”)

Then all checksums would be computed and used except md5 and sha1.

sha256 cannot be removed

sha256 cannot be removed and must always be present in CONTENT_CHECKSUMS because Pulp's content addressable storage requires sha256 to lay the files out on disk.

All Pulp processes should refuse to start if sha256 is not present in CONTENT_CHECKSUMS by emitting a django.exceptions.ImproperlyConfigured exception indicating that sha256 is required in CONTENT_CHECKSUMS.

Model changes

The model changes should likely become:

    md5 = models.CharField(max_length=32, null=True, unique=False, db_index=True)
    sha1 = models.CharField(max_length=40, null=True, unique=False, db_index=True)
    sha224 = models.CharField(max_length=56, null=True, unique=False, db_index=True)
    sha256 = models.CharField(max_length=64, null=False, unique=True, db_index=True)
    sha384 = models.CharField(max_length=96, null=True, unique=True, db_index=True)
    sha512 = models.CharField(max_length=128, null=True, unique=True, db_index=True)

Class attribute re-work

The DIGEST_FIELDS, COMMON_DIGEST_FIELDS, and RELIABLE_DIGEST_FIELDS should become properties which are memoized computations that are built from the configured CONTENT_CHECKSUMS.

Docs

The new setting should have documentation on this page in the Pulp Settings area.

NOTE: this setting can never be changed once it's set prior to any data loaded into Pulp. We do not validate this; it's difficult to validate. Please document with a .. warning:: block at the settings documentation.

An additional check at Artifact instantiation time

The stages pipeline creates in-memory Artifacts, and these are later used to query the db if those Artifacts exist or not. We need to add a new Artifact.__init__ which checks that all checksum values being set are in the set of CONTENT_CHECKSUMS available. If they are not raise a TypeError.

Related issues

Related to Migration Plugin - Task #7536: Add support for ALLOWED_CONTENT_CHECKSUMSCLOSED - DUPLICATE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>
Related to RPM Support - Task #7537: Add support for ALLOWED_CONTENT_CHECKSUMSCLOSED - CURRENTRELEASE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>
Related to Pulp - Story #7561: As a user, I can add checksums to ALLOWED_CONTENT_CHECKSUMSCLOSED - CURRENTRELEASE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>
Related to Pulp - Story #7696: As a plugin developer, I have the Artifacts checked at pre-save time against the ALLOWED_CONTENT_CHECKSUMS instead of at __init__CLOSED - CURRENTRELEASE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>
Has duplicate Pulp - Story #6985: As a user, pulpcore itself is FIPS compatibleCLOSED - DUPLICATE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>
Has duplicate Pulp - Story #5440: As a user I can disable checksum types like md5CLOSED - DUPLICATE

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

Associated revisions

Revision 1926df8c View on GitHub
Added by ggainey 11 months ago

Added support for specifying/limiting content-checksums used by Pulp.

settings.ALLOWED_CONTENT_CHECKSUMS now drives the other checksum-related fields of Artifact (DIGEST_FIELDS, COMMON_DIGEST_FIELDS, RELIABLE_DIGEST_FIELDS)

closes #5216

History

#1 Updated by daviddavis almost 2 years ago

  • Tracker changed from Issue to Story
  • % Done set to 0

#2 Updated by daviddavis almost 2 years ago

  • Blocks Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment added

#3 Updated by daviddavis about 1 year ago

  • Blocks deleted (Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment)

#4 Updated by daviddavis about 1 year ago

  • Related to Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment added

#5 Updated by daviddavis about 1 year ago

  • Related to deleted (Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment)

#6 Updated by daviddavis 11 months ago

  • Parent task set to #3778

#7 Updated by daviddavis 11 months ago

  • Has duplicate Story #6985: As a user, pulpcore itself is FIPS compatible added

#8 Updated by bmbouter 11 months ago

  • Description updated (diff)

#9 Updated by bmbouter 11 months ago

  • Description updated (diff)

#10 Updated by bmbouter 11 months ago

  • Description updated (diff)

#11 Updated by daviddavis 11 months ago

  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes

This looks good to me.

We may want to call out in the 3.7 release notes that plugins might not yet support CONTENT_CHECKSUMS and that users should check plugin's release notes/docs for support before setting CONTENT_CHECKSUMS.

#12 Updated by ipanova@redhat.com 11 months ago

daviddavis wrote:

This looks good to me.

We may want to call out in the 3.7 release notes that plugins might not yet support CONTENT_CHECKSUMS and that users should check plugin's release notes/docs for support before setting CONTENT_CHECKSUMS.

+1

#13 Updated by ggainey 11 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ggainey

#14 Updated by rchan 11 months ago

  • Sprint set to Sprint 81

#15 Updated by ggainey 11 months ago

daviddavis bmbouter - description specifies unique=False for md5/sha1/sha224, and true elsewhere. Is there a reason for the difference?

#16 Updated by pulpbot 11 months ago

  • Status changed from ASSIGNED to POST

#17 Updated by daviddavis 11 months ago

  • Sprint/Milestone set to 3.7.0

#18 Updated by ggainey 11 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#19 Updated by daviddavis 10 months ago

  • Related to Task #7536: Add support for ALLOWED_CONTENT_CHECKSUMS added

#20 Updated by pulpbot 10 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

#21 Updated by daviddavis 10 months ago

  • Related to Task #7537: Add support for ALLOWED_CONTENT_CHECKSUMS added

#22 Updated by daviddavis 10 months ago

  • Related to Story #7561: As a user, I can add checksums to ALLOWED_CONTENT_CHECKSUMS added

#23 Updated by daviddavis 10 months ago

  • Has duplicate Story #5440: As a user I can disable checksum types like md5 added

#24 Updated by daviddavis 10 months ago

  • Related to Story #7696: As a plugin developer, I have the Artifacts checked at pre-save time against the ALLOWED_CONTENT_CHECKSUMS instead of at __init__ added

Please register to edit this issue

Send by e-mail

Also available in: Atom PDF