Task #7854

closed

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

FIPS: QueryExistingArtifacts stage needs to enforce ALLOWED_CONTENT_CHECKSUMS

Added by ggainey over 3 years ago. Updated about 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
% Done: 100%
Groomed: No
Sprint Candidate: No

Description

See https://github.com/pulp/pulpcore/blob/b94abd64d76ea4554e6750ff38ce458eaa888cc8/pulpcore/plugin/stages/artifact_stages.py#L48

At this point, if a DeclarativeArtifact has an expected-checksum-algorithm that is in the FORBIDDEN list, we need to raise an exception.

See https://hackmd.io/d5y1IaW_QaSJ-DsosMDkjg?view for discussion.


Related issues

Has duplicate Pulp - Story #7987: As a user, I get an error message when I try to sync content and the only available checksum is not in ALLOWED_CONTENT_CHECKSUMS (CLOSED - DUPLICATE, bmbouter)

Actions #1

Updated by ggainey over 3 years ago

This would be a good issue to add a test that attempts to sync the md5-only fixture AND FAILS, even if you're not on a FIPS-compliant box, if MD5 is not-allowed. Fixture is https://fixtures.pulpproject.org/rpm-with-md5/

Actions #2

Updated by fao89 over 3 years ago

  • Tracker changed from Issue to Task
  • % Done set to 0
  • Severity deleted (2. Medium)
  • Triaged deleted (No)
Actions #3

Updated by daviddavis over 3 years ago

  • Subject changed from FIPS: QueryExistingArtifacts stage needs to enforce ALLOWED_ALGORITHMS to FIPS: QueryExistingArtifacts stage needs to enforce ALLOWED_CONTENT_CHECKSUMS
Actions #4

Updated by daviddavis over 3 years ago

  • Parent issue set to #7960
Actions #5

Updated by ppicka about 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ppicka
Actions #6

Updated by pulpbot about 3 years ago

  • Status changed from ASSIGNED to POST
Actions #7

Updated by bmbouter about 3 years ago

  • Has duplicate Story #7987: As a user, I get an error message when I try to sync content and the only available checksum is not in ALLOWED_CONTENT_CHECKSUMS added
Actions #8

Updated by ppicka about 3 years ago

Needs to cover all policies. It needs to check remote artifacts too.

Actions #9

Updated by daviddavis about 3 years ago

  • Sprint/Milestone set to 3.11.0

Added by ppicka about 3 years ago

Revision 94bb713f | View on GitHub

Raise exception when disallowed checksum

Raise exception when disallowed checksum found in QueryExistingArtifacts stage or when creating new remote artifacts.

closes: #7854 https://pulp.plan.io/issues/7854

Actions #10

Updated by ppicka about 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Added by daviddavis about 3 years ago

Revision ddecbe2b | View on GitHub

Remove enforcement of RemoteArtifact forbidden checksums for 3.11

refs #7854

[noissue]

Actions #11

Updated by ipanova@redhat.com about 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
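
The check requested in the description, and the behaviour the test in comment #1 would assert, sketched as an added example (not pulpcore's code, and not taken from either revision above). The names `check_declared_digests`, `verify`, `ForbiddenChecksumError`, the digest mapping shape and the setting value are assumptions made for illustration; following the description's wording, any declared digest whose type is not allowed is rejected.

```python
import hashlib

# Constructed stand-in for the ALLOWED_CONTENT_CHECKSUMS setting (assumption).
ALLOWED_CONTENT_CHECKSUMS = ("sha224", "sha256", "sha384", "sha512")
# Digest types an artifact may declare, weakest to strongest (assumption).
KNOWN_DIGESTS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")
# Constructed sample: an artifact that only declares MD5 (of the empty string).
MD5_ONLY = {"md5": "d41d8cd98f00b204e9800998ecf8427e"}


class ForbiddenChecksumError(Exception):
    """A declared digest uses an algorithm outside the allowed set."""


def check_declared_digests(declared, allowed=ALLOWED_CONTENT_CHECKSUMS):
    """Return the declared digest types, strongest first, or raise.

    `declared` maps digest type -> expected hex value (hypothetical shape).
    The decision uses only the setting, never whether hashlib can compute
    the algorithm, so a non-FIPS host rejects MD5 exactly as a FIPS host does.
    """
    present = {k: v for k, v in declared.items() if v}
    unknown = sorted(set(present) - set(KNOWN_DIGESTS))
    if unknown:
        raise ValueError(f"unknown digest type(s): {unknown}")
    forbidden = sorted(set(present) - set(allowed))
    if forbidden:
        raise ForbiddenChecksumError(
            f"checksum type(s) {forbidden} not in ALLOWED_CONTENT_CHECKSUMS"
        )
    return sorted(present, key=KNOWN_DIGESTS.index, reverse=True)


def verify(data, declared, allowed=ALLOWED_CONTENT_CHECKSUMS):
    """Apply the policy check first, then compare each declared digest."""
    for digest_type in check_declared_digests(declared, allowed):
        actual = hashlib.new(digest_type, data).hexdigest()
        if actual != declared[digest_type].lower():
            return False
    return True
```

Because the policy check runs before any hashing, an MD5-only artifact is refused with the same exception whether or not the host's crypto library would have computed MD5.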
