Project

Profile

Help

Story #7985

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

As a user, I get a warning at start time if I have on-demand content checksums that are not in ALLOWED_CONTENT_CHECKSUMS

Added by daviddavis 5 months ago. Updated about 1 month ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 93
Quarter:

Associated revisions

Revision 8400c422 View on GitHub
Added by daviddavis 3 months ago

Add warning if on-demand content does not have allowed checksum

fixes #7985

Revision a95cabee View on GitHub
Added by daviddavis about 2 months ago

Add warning for remote artifacts with no allowed checksums

fixes #7985

History

#1 Updated by daviddavis 4 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis

Will address this along with #8077.

#2 Updated by daviddavis 3 months ago

  • Sprint set to Sprint 90

#3 Updated by daviddavis 3 months ago

  • Blocked by Refactor #8077: Have the settings checks use django.core.checks added

#4 Updated by daviddavis 3 months ago

  • Blocked by deleted (Refactor #8077: Have the settings checks use django.core.checks)

#5 Updated by daviddavis 3 months ago

Should this raise a warning if:

  1. Any remote artifacts has a forbidden checksum
  2. Any remote artifact doesn't have an allowed checksum
  3. Any content artifact does not have a remote artifact with an allowed checksum

Also, I have to use raw sql in this check so these are listed in order from easiest (1) to hardest (3).

#6 Updated by ggainey 3 months ago

daviddavis wrote:

Should this raise a warning if:

  1. Any remote artifacts has a forbidden checksum
  2. Any remote artifact doesn't have an allowed checksum

As long as the remote-artifact has at least one allowed-checksum, it's possible to download-and-verify. That the remote sent along a string for a forbidden-checksum doesn't hurt, since sync will just ignore the forbidden-, and verify using the allowed-.

If the only checksums listed for the RemoteArtifact are forbidden, that has to be a warning/error, since we can't sync that content and be able to verify the results.

So I think #2 is the important thing here.

  1. Any content artifact does not have a remote artifact with an allowed checksum

Wouldn't this be caught by point-2? The RemoteArtifact is the problem, yeah?

Also, I have to use raw sql in this check so these are listed in order from easiest (1) to hardest (3).

Fun!

#7 Updated by bmbouter 3 months ago

I agree, I think (2) is the important thing here. I would just implement (2).

#8 Updated by pulpbot 3 months ago

  • Status changed from ASSIGNED to POST

#9 Updated by rchan 3 months ago

  • Sprint changed from Sprint 90 to Sprint 91

#10 Updated by daviddavis 3 months ago

  • Sprint/Milestone set to 3.11.0

#11 Updated by daviddavis 3 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#12 Updated by daviddavis 2 months ago

  • Status changed from MODIFIED to NEW

#13 Updated by daviddavis 2 months ago

  • Subject changed from As a user, I get a warning at start time if I have on-demand content checksums that are not in ALLOWED_CONTENT_CHECKSUMS to As a user, I get a error at start time if I have on-demand content checksums that are not in ALLOWED_CONTENT_CHECKSUMS

#14 Updated by pulpbot 2 months ago

  • Status changed from NEW to POST

#15 Updated by daviddavis 2 months ago

  • Sprint/Milestone changed from 3.11.0 to 3.12.0

#16 Updated by daviddavis 2 months ago

  • Status changed from POST to NEW
  • Assignee deleted (daviddavis)

#17 Updated by daviddavis 2 months ago

  • Subject changed from As a user, I get a error at start time if I have on-demand content checksums that are not in ALLOWED_CONTENT_CHECKSUMS to As a user, I get a warning at start time if I have on-demand content checksums that are not in ALLOWED_CONTENT_CHECKSUMS

#18 Updated by rchan 2 months ago

  • Sprint changed from Sprint 91 to Sprint 92

#19 Updated by daviddavis about 2 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis

#20 Updated by rchan about 2 months ago

  • Sprint changed from Sprint 92 to Sprint 93

#21 Updated by pulpbot about 2 months ago

  • Status changed from ASSIGNED to POST

#22 Updated by daviddavis about 2 months ago

  • Status changed from POST to MODIFIED

#23 Updated by pulpbot about 1 month ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Please register to edit this issue

Also available in: Atom PDF