Bug 1255862
| Summary: | Get provider certificates to import from user instead of from backend | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | Juan Hernández <juan.hernandez> |
| Component: | RestAPI | Assignee: | Juan Hernández <juan.hernandez> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Gonza <grafuls> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | --- | CC: | awels, bugs, gklein, lsurette, rbalakri, yeylon, ykaul |
| Target Milestone: | ovirt-3.6.0-rc | Flags: | rule-engine:
ovirt-3.6.0+
ylavi: planning_ack+ rule-engine: devel_ack+ pstehlik: testing_ack+ |
| Target Release: | 3.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 3.6.0-11 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-11 07:18:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Verified with: rhevm-3.6.3.3-0.1.el6.noarch + url=https://xxx/ovirt-engine/api + user=admin@internal + password=xxx + provider=c9631b7d-e4af-469b-a4ab-62327b7a2aa3 + curl --verbose --insecure --user admin@internal:xxx --request POST --header 'Content-Type: application/xml' --header 'Accept: application/xml' --data ' <action> <certificates> <certificate> <subject>CN=xxx.com</subject> <content> xxx </content> </certificate> </certificates> </action> ' https://10.34.60.251/ovirt-engine/api/externalhostproviders/c9631b7d-e4af-469b-a4ab-62327b7a2aa3/importcertificates * Trying 10.34.60.251... * Connected to 10.34.60.251 (10.34.60.251) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=xxx,O=xxx,C=US * start date: Feb 21 16:23:27 2016 GMT * expire date: Jan 26 16:23:27 2021 GMT * common name: xxx * issuer: CN=xxx,O=xxx,C=US * Server auth using Basic with user 'admin@internal' > POST /ovirt-engine/api/externalhostproviders/c9631b7d-e4af-469b-a4ab-62327b7a2aa3/importcertificates HTTP/1.1 > User-Agent: curl/7.40.0 > Host: 10.34.60.251 > Content-Type: application/xml > Accept: application/xml > Content-Length: 1134 > Expect: 100-continue > * Done waiting for 100-continue < HTTP/1.1 200 OK < Date: Thu, 25 Feb 2016 11:48:15 GMT < Content-Type: application/xml < Content-Length: 134 < Vary: Accept-Encoding < Connection: close < <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <action> <status> <state>complete</state> </status> </action> * Closing connection 0 |
Currently the RESTAPI action used to import provider certificates gets the certificates to import from the backend and then, in the same request, it asks the backend to import them. This is not very safe because there is no guarantee that the caller has ever seen or approved these certificates. The action should be changed so that the caller is forced to send the certificates that are to be approved: POST /openstackimageproviders/{provider:id}/importcertificates <action> <certificate>the certificate to import</certificate> </action> The certificates can already be retrieved by the caller as follows: GET /openstackimageproviders/{provider:id}/certificates