Project

Profile

Help

Issue #6735

Docs incorrectly recommend to users they escape newlines from their ca_cert and client_cert

Added by bmbouter 5 months ago. Updated about 2 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 77
Quarter:

Description

Background

The BaseRemote.ca_cert and BaseRemote.client_cert fields the current serializers tell the user "All new line characters must be escaped". You can see that here.

There are two issues with this:

  1. It's not needed. For example pulp-certguard allows users to submit certs without modification, they are saved in the database, and openssl uses them correctly.

  2. It's extra work for users.

Solution

  1. Update the serializers to not have newlines escaped
  2. Audit the handling of these fields throughout the code and remove any "unescaping" that is done
  3. Add a .removal release note indicating this is a breaking change and users will need to re-save their ca_cert and client_cert fields
  4. Audit client_key as well just for good measure
  5. Add a test that sync's content where a ca_cert is required
  6. Add a test that sync's content where a client_cert and client_key is required

How to add these tests?

These tests will use the Red Hat CDN and will use a test certificate and key registered to pulp-infra, along with the master ca_cert of the Red Hat CDN. The test certs will be stored as a Travis secret and made available to the tests via environment variables. If the test goes to run and the environment variables are not present the test should skip.

Associated revisions

Revision f1911e73 View on GitHub
Added by ppicka 2 months ago

Remote certs esacping

User doesn't have to escape newlines for ca_cert, client_cert and client_key fields.

closes: #6735 https://pulp.plan.io/issues/6735

Revision e7f6ec13 View on GitHub
Added by ppicka 2 months ago

Remote certs esacping

User doesn't have to escape newlines for ca_cert, client_cert and client_key fields.

closes: #6735 https://pulp.plan.io/issues/6735 (cherry picked from commit f1911e73ca6c3a27b72887f7eb7cb62b78b1d72f)

History

#1 Updated by bmbouter 5 months ago

  • Description updated (diff)

#2 Updated by fao89 5 months ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 73

#3 Updated by lmjachky 4 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky

#4 Updated by lmjachky 4 months ago

  • Status changed from ASSIGNED to NEW
  • Assignee deleted (lmjachky)

#5 Updated by rchan 4 months ago

  • Sprint changed from Sprint 73 to Sprint 74

#6 Updated by rchan 4 months ago

  • Sprint changed from Sprint 74 to Sprint 75

#7 Updated by ppicka 4 months ago

observations: even unescaped string got escaped by django so to use certificate 'at' notation (http POST :pulp/api/v3/...remote client_cert=@./cdn.crt client_key=@./cdn.key) must be used.

#8 Updated by rchan 3 months ago

  • Sprint changed from Sprint 75 to Sprint 76

#9 Updated by ppicka 3 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ppicka

#10 Updated by rchan 3 months ago

  • Sprint changed from Sprint 76 to Sprint 77

#11 Updated by pulpbot 2 months ago

  • Status changed from ASSIGNED to POST

#12 Updated by ppicka 2 months ago

Test will be added to RPM plugin as CDN has an rpm content (https://pulp.plan.io/issues/7134).

#13 Updated by ppicka 2 months ago

  • Status changed from POST to MODIFIED

#15 Updated by dkliban@redhat.com about 2 months ago

  • Sprint/Milestone set to 3.6.0

#16 Updated by pulpbot about 2 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Please register to edit this issue

Also available in: Atom PDF