Story #4664
Updated by bmbouter over 5 years ago
h2. NOTE

Pulp is blocked on merging any work creating this certguard until python-rhsm is installable on Travis' Debian environment.

h3. Problem

Katello uses Pulp with RHSM-based certificates. Pulp3 needs to protect content and validate a client's access when the client presents this type of certificate.

h3. What is an RHSM (OID) certificate?

It is an X.509 certificate that carries entitlement data, using encoding and compression techniques to pack that data into a format RHSM understands. There are two formats:

* V1, which stores repo paths in plaintext inside X.509 extensions.
* V3, which encodes and compresses the path data into the X.509 cert. This version was developed as a workaround for not being able to specify enough URLs in a V1 cert before hitting the size limits of X.509 extensions. The V3 format was called an OID Certificate in Pulp2.

h3. Solution

A new certguard, RHSMCertGuard, will be added to the pulp-certguard project.

h3. What versions will it support: V1, V3, both?

Both V1 and V3 will be supported. The user can present either and does not have to indicate which one they are using; python-rhsm will "do the right thing".

h3. What crypto libraries will handle this?

The python-rhsm library, which would be an optional dependency of pulp-certguard, is in charge of the crypto entirely. Pulp will present the cert data and ask python-rhsm whether it is valid for the path being requested. This is similar to how it worked in Pulp2: https://github.com/pulp/pulp/blob/e5a22e13ae46fe86dccedc5bf214537c2b90ad0d/oid_validation/pulp/oid_validation/oid_validation.py#L20

h3. Where will python-rhsm come from?

It has C components, so bcourt from the Candlepin RHSM team indicated they are only able to deliver this dependency via system packagers. PyPI installs of python-rhsm as a dependency therefore won't work. It is already available for Fedora, CentOS, and RHEL via their package managers. It is not available via Debian's package manager.

h3. How will this be tested?

We'll add functional tests for this certguard type next to the "existing functional tests":https://github.com/pulp/pulp-certguard/tree/master/pulp_certguard/tests/functional/api in the pulp-certguard repository. Test issues will be filed that identify how to test this new certguard.

h3. How will this work with CI?

We'll CI it the same way we CI the existing pulp-certguard plugin: functional tests run by Travis on each merge, nightly, and at release time. Pulp is blocked on merging any work creating this certguard until python-rhsm is installable on Travis' Debian environment.
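As an added example (not Pulp's, pulp-certguard's or python-rhsm's code), the Python below shows the shape of the question the RHSMCertGuard design delegates to python-rhsm: take the PEM certificate the client presented, read the repo paths it entitles, and decide whether the requested content path is covered. It imitates only the V1 idea (plaintext paths in an X.509 extension) under a hypothetical private OID, 1.3.6.1.4.1.99999.1.1, not the real RHSM extension layout, and it uses the `cryptography` package to mint a throwaway self-signed certificate in place of a Candlepin-issued one. Signature, issuer and validity-period checks are deliberately left out; in the real certguard all of that parsing and validation is python-rhsm's job.

```python
"""Added example: authorise a requested content path against repo paths
carried in a client certificate. Imitates the V1 idea (plaintext paths in an
X.509 extension); this is not python-rhsm's format and not Pulp's code."""
import datetime
import posixpath

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Hypothetical private-enterprise OID chosen for this demo only. Real RHSM
# certificates use Red Hat's own OID arc, which is not reproduced here.
REPO_PATHS_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")


def make_entitlement_cert(repo_paths):
    """Mint a throwaway self-signed cert whose extension lists the entitled
    repo paths, one per line. Stands in for a Candlepin-issued cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    payload = "\n".join(repo_paths).encode("utf-8")
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.UnrecognizedExtension(REPO_PATHS_OID, payload), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def entitled_paths(cert_pem):
    """Parse the PEM the client presented and return its repo path list.
    A cert without the extension entitles nothing."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ext = cert.extensions.get_extension_for_oid(REPO_PATHS_OID)
    except x509.ExtensionNotFound:
        return []
    return [p for p in ext.value.value.decode("utf-8").splitlines() if p]


def _canonical(path):
    # Collapse ".", ".." and duplicate slashes so the prefix test below
    # cannot be escaped with a traversal sequence in the request.
    return posixpath.normpath("/" + path.lstrip("/"))


def check_path(cert_pem, requested_path):
    """True if requested_path is, or lies under, a path the cert entitles.
    This is the question the certguard asks python-rhsm in the real design."""
    requested = _canonical(requested_path)
    for allowed in entitled_paths(cert_pem):
        prefix = _canonical(allowed)
        if prefix == "/" or requested == prefix or requested.startswith(prefix + "/"):
            return True
    return False


def permit(cert_pem, requested_path):
    """Content-guard style entry point: raise instead of returning False."""
    if not check_path(cert_pem, requested_path):
        raise PermissionError(f"certificate does not entitle {requested_path}")


if __name__ == "__main__":
    pem = make_entitlement_cert(["/content/dist/rhel/7", "/content/dist/rhel/8/"])
    for path in ("/content/dist/rhel/7/os/Packages/a.rpm",
                 "/content/dist/rhel/7/../../../etc/passwd",
                 "/content/dist/rhel/6/os/"):
        print(path, "->", "allow" if check_path(pem, path) else "deny")
```

The detail worth carrying into any path-based guard is the normalisation before the prefix match: a check that compares raw request strings against the entitled prefix lets a `../` in the request walk out of the entitled tree, and a bare `startswith` without the trailing slash lets `/content/dist/rhel/7extra` ride on an entitlement for `/content/dist/rhel/7`.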