Task #7854

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

FIPS: QueryExistingArtifacts stage needs to enforce ALLOWED_CONTENT_CHECKSUMS

Added by ggainey 5 months ago. Updated about 1 month ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

See https://github.com/pulp/pulpcore/blob/b94abd64d76ea4554e6750ff38ce458eaa888cc8/pulpcore/plugin/stages/artifact_stages.py#L48

At this point, if a DeclarativeArtifact has an expected-checksum-algorithm that is in the FORBIDDEN list, we need to raise an exception.

See https://hackmd.io/d5y1IaW_QaSJ-DsosMDkjg?view for discussion.
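
A sketch of the check this issue asks for, added here as an illustration and not taken from pulpcore. `DeclaredArtifact`, `DisallowedChecksumError`, `forbidden_algorithms` and `lookup_keys` are hypothetical names, the allowed list is an assumed value of the setting, and the sample digests and URLs are constructed.

```python
from dataclasses import dataclass, field

# Assumption: stands in for the ALLOWED_CONTENT_CHECKSUMS setting (md5, sha1 left out).
ALLOWED_CONTENT_CHECKSUMS = ("sha512", "sha384", "sha256", "sha224")


class DisallowedChecksumError(Exception):
    """Hypothetical exception for a declared checksum type that is not allowed."""


@dataclass
class DeclaredArtifact:
    """Hypothetical stand-in for a DeclarativeArtifact: URL plus expected digests."""
    url: str
    digests: dict = field(default_factory=dict)  # algorithm name -> expected hex digest


def forbidden_algorithms(artifact, allowed=ALLOWED_CONTENT_CHECKSUMS):
    """Return the declared algorithms that fall outside the allowed set, sorted."""
    allowed_set = {name.lower() for name in allowed}
    return sorted(
        name.lower()
        for name, value in artifact.digests.items()
        if value and name.lower() not in allowed_set
    )


def lookup_keys(batch, allowed=ALLOWED_CONTENT_CHECKSUMS):
    """Reject the batch on the first forbidden checksum, else return lookup keys.

    The decision depends only on the setting, never on whether hashlib can
    compute the algorithm, so it is the same on FIPS and non-FIPS hosts.
    """
    keys = []
    for artifact in batch:
        bad = forbidden_algorithms(artifact, allowed)
        if bad:
            raise DisallowedChecksumError(
                f"{artifact.url}: {', '.join(bad)} not in ALLOWED_CONTENT_CHECKSUMS"
            )
        keys.extend((artifact.url, n.lower(), v) for n, v in artifact.digests.items() if v)
    return keys


# Constructed sample input: digests of the empty byte string, example.invalid URLs.
MD5_ONLY = DeclaredArtifact(
    "https://example.invalid/md5-only.rpm", {"md5": "d41d8cd98f00b204e9800998ecf8427e"}
)
SHA256_ONLY = DeclaredArtifact(
    "https://example.invalid/ok.rpm",
    {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
)
```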


Related issues

Has duplicate Pulp - Story #7987: As a user, I get an error message when I try to sync content and the only available checksum is not in ALLOWED_CONTENT_CHECKSUMS (CLOSED - DUPLICATE)

Associated revisions

Revision 94bb713f
Added by ppicka about 2 months ago

Raise exception when disallowed checksum

Raise exception when disallowed checksum found in QueryExistingArtifacts stage or when creating new remote artifacts.

closes: #7854 https://pulp.plan.io/issues/7854

Revision ddecbe2b
Added by daviddavis about 2 months ago

Remove enforcement of RemoteArtifact forbidden checksums for 3.11

refs #7854

[noissue]

History

#1 Updated by ggainey 5 months ago

This would be a good issue to add a test that attempts to sync the md5-only fixture AND FAILS, even if you're not on a FIPS-compliant box, if MD5 is not-allowed. Fixture is https://fixtures.pulpproject.org/rpm-with-md5/

#2 Updated by fao89 5 months ago

  • Tracker changed from Issue to Task
  • % Done set to 0
  • Severity deleted (2. Medium)
  • Triaged deleted (No)

#3 Updated by daviddavis 5 months ago

  • Subject changed from FIPS: QueryExistingArtifacts stage needs to enforce ALLOWED_ALGORITHMS to FIPS: QueryExistingArtifacts stage needs to enforce ALLOWED_CONTENT_CHECKSUMS

#4 Updated by daviddavis 4 months ago

  • Parent task set to #7960

#5 Updated by ppicka 3 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ppicka

#6 Updated by pulpbot 3 months ago

  • Status changed from ASSIGNED to POST

#7 Updated by bmbouter 2 months ago

  • Has duplicate Story #7987: As a user, I get an error message when I try to sync content and the only available checksum is not in ALLOWED_CONTENT_CHECKSUMS added

#8 Updated by ppicka 2 months ago

Needs to cover all policies. It needs to check remote artifacts too.

#9 Updated by daviddavis about 2 months ago

  • Sprint/Milestone set to 3.11.0

#10 Updated by ppicka about 2 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#11 Updated by ipanova@redhat.com about 1 month ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
