Task #7537: Add support for ALLOWED_CONTENT_CHECKSUMS - RPM Support - Pulp

Actions

Send by e-mail Copy link

Task #7537

closed

Pulp - Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

Add support for ALLOWED_CONTENT_CHECKSUMS

Added by daviddavis over 3 years ago. Updated about 3 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

High

Assignee:

ggainey

Sprint/Milestone:

3.10.0

Start date:

Due date:

% Done:

100%

Estimated time:

(Total: 0:00 h)

Platform Release:

Groomed:

Sprint Candidate:

Tags:

Sprint:

Sprint 90

Quarter:

Description

The pulp_rpm should honor ALLOWED_CONTENT_CHECKSUMS. Some areas that might be affected (that I know of) include syncing (and verifying content), upload, and when publishing content.

Test these repos¶

All repos need to be tested with md5 only being disallowed, and then again with both 'md5' and 'sha1' being disallowed.

https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/extras/os
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/supplementary/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/extras/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/rhscl/1/os
http://mirror.centos.org/centos-7/7/extras/x86_64/
http://mirror.centos.org/centos-7/7/sclo/x86_64/sclo/
https://cdn.redhat.com/content/eus/rhel/server/6/6.6/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.7/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel8/8.0/x86_64/baseos/kickstart
https://mirrors.kernel.org/fedora-epel/7/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/6/6.7/x86_64/kickstart
https://cdn.redhat.com/content/eus/rhel/server/6/6.6/x86_64/rhscl/1/os
https://cdn.redhat.com/content/eus/rhel/server/6/6.6/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.3/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel8/8.0/x86_64/appstream/kickstart
https://cdn.redhat.com/content/eus/rhel/server/7/7.3/x86_64/optional/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.3/x86_64/supplementary/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.3/x86_64/rhscl/1/os
http://mirror.centos.org/centos-6/6/os/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ansible/2.5/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhgs-server-nfs/3.1/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.6/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel/workstation/7/7.5/x86_64/kickstart
https://mirrors.kernel.org/fedora-epel/8/Everything/x86_64/
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/insights/3/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/rh-common/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/extras/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rh-gluster-samba/3.1/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhgs-server/3.1/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.10/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhgs-nagios/3.1/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscon-agent/2/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscon-installer/2/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscon-main/2/os
http://mirror.centos.org/centos-6/6/updates/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/rhs-client/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhs-client/os
http://mirror.centos.org/centos-7/7/sclo/x86_64/rh/
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/supplementary/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/rhscl/1/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7.6/x86_64/kickstart
http://mirror.centos.org/centos-7/7/updates/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/6/6.8/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel/server/6/6.9/x86_64/kickstart
https://cdn.redhat.com/content/eus/rhel/server/6/6.6/x86_64/sat-tools/6.2/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os
http://mirror.centos.org/centos-7/7/os/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ansible/2.7/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.3/x86_64/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.6/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.4/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/sat-maintenance/6/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/kickstart
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhgs-server-bigdata/3.1/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhgs-server-splunk/3.1/os
https://cdn.redhat.com/content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ansible/2.6/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/dotnet/1/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.10/x86_64/optional/os
https://cdn.redhat.com/content/eus/rhel/server/7/7Server/x86_64/sat-tools/6.5/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/sat-tools/6.5/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.7/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.4/x86_64/optional/os
https://cdn.redhat.com/content/eus/rhel/server/6/6.7/x86_64/supplementary/os
https://cdn.redhat.com/content/eus/rhel/server/6/6.7/x86_64/optional/os
https://cdn.redhat.com/content/eus/rhel/server/6/6.7/x86_64/rhscl/1/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/rhscl/1/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.7/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.10/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.8/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.6/x86_64/os
https://cdn.redhat.com/content/eus/rhel/server/6/6.7/x86_64/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/supplementary/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/sat-tools/6.4/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/optional/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.3/x86_64/sat-tools/6.4/os
https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os
https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os
https://cdn.redhat.com/content/dist/rhel8/8/x86_64/supplementary/os
https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/kickstart
https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/kickstart
https://mirrors.kernel.org/fedora-epel/6Server/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/7/7.6/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.3/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.9/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.8/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.7/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/6/6.9/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.2/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.6/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.3/x86_64/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.6/x86_64/sat-tools/6.5/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.6/x86_64/optional/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.6/os
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/sat-tools/6.6/os
https://cdn.redhat.com/content/dist/layered/rhel8/x86_64/sat-tools/6.6/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/ansible/2.8/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.6/x86_64/sat-tools/6.6/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.7/x86_64/os
https://cdn.redhat.com/content/dist/rhel8/8.1/x86_64/appstream/kickstart
https://cdn.redhat.com/content/dist/rhel/server/7/7.4/x86_64/os
https://cdn.redhat.com/content/dist/rhel/server/7/7.2/x86_64/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.6/x86_64/supplementary/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.6/x86_64/rhscl/1/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.6/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.5/x86_64/sat-tools/6.6/os
https://cdn.redhat.com/content/dist/rhel8/8.1/x86_64/baseos/kickstart
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/highavailability/os
https://packages.vmware.com/tools/releases/10.3.5/rhel6/x86_64/
https://cdn.redhat.com/content/dist/rhel/server/7/7.8/x86_64/kickstart
https://cdn.redhat.com/content/eus/rhel/server/7/7.7/x86_64/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.7/x86_64/supplementary/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.7/x86_64/rhscl/1/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.7/x86_64/optional/os
https://cdn.redhat.com/content/eus/rhel/server/7/7.7/x86_64/sat-tools/6.6/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.7/os
https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/sat-tools/6.7/os
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.7/os
https://cdn.redhat.com/content/dist/layered/rhel8/x86_64/sat-tools/6.7/os
https://cdn.redhat.com/content/dist/rhel8/8.2/x86_64/appstream/kickstart
https://cdn.redhat.com/content/dist/rhel8/8.2/x86_64/baseos/kickstart
http://mirror.centos.org/centos-8/8/BaseOS/x86_64/os/
http://mirror.centos.org/centos-8/8/AppStream/x86_64/os/

Sub-issues 1 (0 open — 1 closed)

Related issues

Actions

Copy link

Updated by ipanova@redhat.com over 3 years ago

Project changed from Migration Plugin to RPM Support

Actions

Copy link

Updated by daviddavis over 3 years ago

I noticed this morning that while we have validation for checksums when initializing Artifacts:

https://github.com/pulp/pulpcore/blob/1926df8cdb4abc157d48dbc37e26221ad5745ea5/pulpcore/app/models/content.py#L193-L210

pulp_rpm may not hit this validation during syncing as it's using setattr:

https://github.com/pulp/pulp_rpm/blob/0a341101a0640b42a500f11ee22222c3b9e87733/pulp_rpm/app/tasks/synchronizing.py#L592

Which could obviously be a problem.

Actions

Copy link

Updated by daviddavis over 3 years ago

Related to Story #5216: As a user, I can configure which checksum types I want to use in Pulp added

Actions

Copy link

Updated by ttereshc over 3 years ago

Sprint set to Sprint 82

Actions

Copy link

Updated by ggainey over 3 years ago

Status changed from NEW to ASSIGNED
Assignee set to ggainey

Actions

Copy link

Updated by rchan over 3 years ago

Sprint changed from Sprint 82 to Sprint 83

Actions

Copy link

Updated by bmbouter over 3 years ago

Description updated (diff)

Actions

Copy link

Updated by bmbouter over 3 years ago

Description updated (diff)

Actions

Copy link

Updated by bmbouter over 3 years ago

Related to Story #3778: [Epic] As a user, I can run Pulp 3 in a FIPS-enabled environment added

Actions

Copy link

#10

Updated by bmbouter over 3 years ago

Has duplicate Story #5188: As a user, I can run Pulp 3 with pulp_rpm in FIPS mode added

Actions

Copy link

#11

Updated by ggainey over 3 years ago

Test using this md5-only fixture : https://github.com/pulp/pulp-fixtures/pull/196

Add functional tests for the list of repos in the description (make sure they do NOT run 'always', the full list is large. THink about how to have access to proper certs for cdn.redhat.com access.)

Actions

Copy link

#12

Updated by rchan over 3 years ago

Sprint changed from Sprint 83 to Sprint 84

Actions

Copy link

#13

Updated by rchan over 3 years ago

Sprint changed from Sprint 84 to Sprint 85

Actions

Copy link

#14

Updated by dalley over 3 years ago

Priority changed from Normal to High

Actions

Copy link

#15

Updated by rchan over 3 years ago

Sprint changed from Sprint 85 to Sprint 86

Actions

Copy link

#16

Updated by ggainey over 3 years ago

pulp_rpm repositories sync, publish, and distribute successfully when checksums are missing from ALLOWED_CONTENT_CHECKSUMS.

Syncing an MD5-only repository like the one in #11 results in rpm.package entries with a checksum_type of md5 and a pkgId of the md5sum found in primary.xml. This is to be expected - it's all sync has to go on when building the Package entities. This doesn't impact sync/publish/distribute, either in immediate or on_demand mode.

See https://pulp.plan.io/issues/7836 for a problem that is caused by missing checksums, however.

Actions

Copy link

#17