Project

Profile

Help

Task #8435

closed

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

Remove checksum filtering in Remote.get_downloader and add checksum type enforcement to downloaders itself

Added by bmbouter almost 4 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
Yes
Sprint Candidate:
Yes
Tags:
Sprint:
Sprint 93
Quarter:

Description

Current behavior

  1. The downloaders don't have any capability to only use those checksums that are in ALLOWED_CONTENT_CHECKSUMS. This usage happens here.

  2. The Remote.get_downloader will filter out the checksums on an Artifact to only those that are allowed. That happens here.

  3. The DeclarativeArtifact.download also filters checksums. That occurs here.

The First Issue

(1) is an issue because the downloaders can be used directly and as-is they won't respect the ALLOWED_CONTENT_CHECKSUMS feature.

Solution to the first Issue

The downloader code should be adjusted to only use those checksums in ALLOWED_CONTENT_CHECKSUMS. If any checksums are specified (trusted or not), at least one trusted hasher must be available or an exception should be raised. If no checksums are requested the downloader should be allowed to proceed because some content does not have checksums, e.g. the very first metadata file fetched, or ruby content.

The second problem

By (2)(3) filtering out checksums, it could misrepresent the set of checksums to the downloader as being an empty set when really checksums exist but no trusted checksums exist.

Solution to the second problem

Remove the filtering done in Remove.get_downloader and DeclarativeArtiface.download. Instead have it pass all original checksums unmodified to the downloader.

Actions #1

Updated by bmbouter almost 4 years ago

  • Subject changed from Remove checksum filtering that happens prior to checksums being passed to downloaders to Remove checksum filtering in Remote.get_downloader and add checksum type enforcement to downloaders itself
Actions #2

Updated by bmbouter almost 4 years ago

  • Description updated (diff)
Actions #3

Updated by daviddavis almost 4 years ago

  • Tracker changed from Issue to Task
  • % Done set to 0
  • Severity deleted (2. Medium)
  • Triaged deleted (No)
  • Groomed changed from No to Yes
  • Sprint Candidate changed from No to Yes
  • Sprint set to Sprint 93
Actions #4

Updated by ipanova@redhat.com over 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ipanova@redhat.com
Actions #5

Updated by pulpbot over 3 years ago

  • Status changed from ASSIGNED to POST

Added by ipanova@redhat.com over 3 years ago

Revision 0ab6e8c1 | View on GitHub

Added checksum type enforcement to the BaseDownloader.

closes #8435

Actions #6

Updated by ipanova@redhat.com over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #7

Updated by pulpbot over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF