Issue #6735

Docs incorrectly recommend to users they escape newlines from their ca_cert and client_cert

Added by bmbouter over 1 year ago. Updated about 1 year ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 77
Quarter:

Description

Background

For the BaseRemote.ca_cert and BaseRemote.client_cert fields, the current serializers tell the user "All new line characters must be escaped". You can see that here.

There are two issues with this:

  1. It's not needed. For example pulp-certguard allows users to submit certs without modification, they are saved in the database, and openssl uses them correctly.

  2. It's extra work for users.

Solution

  1. Update the serializers to not have newlines escaped
  2. Audit the handling of these fields throughout the code and remove any "unescaping" that is done
  3. Add a .removal release note indicating this is a breaking change and users will need to re-save their ca_cert and client_cert fields
  4. Audit client_key as well just for good measure
  5. Add a test that syncs content where a ca_cert is required
  6. Add a test that syncs content where a client_cert and client_key are required

How to add these tests?

These tests will use the Red Hat CDN and will use a test certificate and key registered to pulp-infra, along with the master ca_cert of the Red Hat CDN. The test certs will be stored as a Travis secret and made available to the tests via environment variables. If the test goes to run and the environment variables are not present the test should skip.
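An added example, not Pulp's code: a standard-library check that classifies a ca_cert or client_cert value as raw PEM or manually escaped PEM, which is the distinction that decides whether a stored value has to be re-saved after this change. The sample PEM is constructed filler rather than a real certificate, and `classify`, `der_bytes` and `json_round_trip` are hypothetical helper names.

```python
import base64
import json
import re

# Constructed sample: PEM-shaped text whose body is base64 of filler bytes,
# not a real certificate. It only exercises the newline handling.
BODY = base64.b64encode(bytes(range(96))).decode()
RAW_PEM = "\n".join(
    ["-----BEGIN CERTIFICATE-----"]
    + [BODY[i:i + 64] for i in range(0, len(BODY), 64)]
    + ["-----END CERTIFICATE-----", ""]
)
# What a user produced when following the old "escape all newlines" advice.
ESCAPED_PEM = RAW_PEM.replace("\n", "\\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n"
    r"((?:[A-Za-z0-9+/=]{1,64}\n)+)"
    r"-----END CERTIFICATE-----\n?"
)


def classify(value):
    """Return 'raw', 'escaped' or 'invalid' for a cert field value."""
    if PEM_RE.fullmatch(value):
        return "raw"
    # A backslash is never valid in PEM, so a literal "\n" means manual escaping.
    if "\\n" in value and PEM_RE.fullmatch(value.replace("\\n", "\n")):
        return "escaped"
    return "invalid"


def der_bytes(value):
    """Decode the base64 body of a raw PEM block; raise ValueError otherwise."""
    match = PEM_RE.fullmatch(value)
    if match is None:
        raise ValueError("not a PEM block with real newlines")
    return base64.b64decode(match.group(1).replace("\n", ""), validate=True)


def json_round_trip(value):
    """Send the value through a JSON body the way an API client would."""
    wire = json.dumps({"ca_cert": value})
    return wire, json.loads(wire)["ca_cert"]
```

The JSON encoder already escapes newlines on the wire and the decoder restores them, so a raw PEM comes back byte-for-byte, while a manually escaped one comes back still escaped and fails `der_bytes`.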

Associated revisions

Revision f1911e73
Added by ppicka about 1 year ago

Remote certs escaping

User doesn't have to escape newlines for ca_cert, client_cert and client_key fields.

closes: #6735 https://pulp.plan.io/issues/6735

Revision e7f6ec13
Added by ppicka about 1 year ago

Remote certs escaping

User doesn't have to escape newlines for ca_cert, client_cert and client_key fields.

closes: #6735 https://pulp.plan.io/issues/6735 (cherry picked from commit f1911e73ca6c3a27b72887f7eb7cb62b78b1d72f)

History

#1 Updated by bmbouter over 1 year ago

  • Description updated (diff)

#2 Updated by fao89 over 1 year ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 73

#3 Updated by lmjachky over 1 year ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky

#4 Updated by lmjachky over 1 year ago

  • Status changed from ASSIGNED to NEW
  • Assignee deleted (lmjachky)

#5 Updated by rchan over 1 year ago

  • Sprint changed from Sprint 73 to Sprint 74

#6 Updated by rchan over 1 year ago

  • Sprint changed from Sprint 74 to Sprint 75

#7 Updated by ppicka over 1 year ago

Observations: even an unescaped string got escaped by Django, so to use a certificate, the 'at' notation (http POST :pulp/api/v3/...remote client_cert=@./cdn.crt client_key=@./cdn.key) must be used.

#8 Updated by rchan about 1 year ago

  • Sprint changed from Sprint 75 to Sprint 76

#9 Updated by ppicka about 1 year ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ppicka

#10 Updated by rchan about 1 year ago

  • Sprint changed from Sprint 76 to Sprint 77

#11 Updated by pulpbot about 1 year ago

  • Status changed from ASSIGNED to POST

#12 Updated by ppicka about 1 year ago

The test will be added to the RPM plugin, as the CDN has RPM content (https://pulp.plan.io/issues/7134).

#13 Updated by ppicka about 1 year ago

  • Status changed from POST to MODIFIED

#15 Updated by dkliban@redhat.com about 1 year ago

  • Sprint/Milestone set to 3.6.0

#16 Updated by pulpbot about 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
