Bug 695483

Summary: repo-auth fails to protect the repo if certs are added after repo bind
Product: [Retired] Pulp
Reporter: Preethi Thomas <pthomas>
Component: z_other
Assignee: Pradeep Kilambi <pkilambi>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: jason.dobies
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-24 20:13:51 UTC

Description Preethi Thomas 2011-04-11 20:29:43 UTC
Description of problem:


I am pasting the irc conversation as I am not sure what exactly the issue is

<jdob> preethi: wow this is weird, did you do anything different to set the auth on it?
<jdob> different from f14 I mean
<jdob> hrm, ok, so it's not applying auth cause it's not listed in the protected repos file, but I need to figure out what you did that it's not there
<jdob> preethi: was auth set on that repo with repo update after the fact?
<preethi> jdob, yes
<jdob> but for f14 it was set at creation?

<preethi> hmm thinking.  I did for both at creation. then removed
<preethi> just did for f14
<preethi> and then later on added f13 i think
<preethi> i can't be quite sure though on the exact sequence
<jdob> ah ha, I think I see what the issue is
<jdob> jeez, you really had to have the moons align for this
<jdob> preethi: file a bug please

Comment 1 Jay Dobies 2011-04-11 20:41:03 UTC
commit	d798f37a16d76319ab0e38424316fe024c8c9ccf
tree	e53c3e91d09af1a2f1adfd9aaafdbaf2a0c1e595

695483 - Need to pass in an empty bundle to trigger the files getting
deleted on the server.

src/pulp/client/core/repo.py


Ok, here's what happened.

When passing --remove_consumer_cert, the CLI was incorrectly doing the remove call. It wasn't passing in an empty bundle but rather just None.

On the server, it expects an empty bundle and uses that bundle as the driver to cause the repo certs to be deleted. Since the bundle wasn't there, the certs weren't deleted. That's why /etc/pki/content/f13 still had certs in it. We'll come back to that later.

What was successful on the server was removing the entry from pulp-protected-repos for f13. That means pulp's auth didn't think it was protected and didn't bother applying any validation. Hence, you got through.

Getting back to the certs still existing in /etc/pki/content/f13, that's what the "Consumer Certs: Yes" used to determine if auth was enabled. So that's why it reported consumer auth was active even though it wasn't listed in pulp-protected-repos.

So, to reproduce:
- Configure a repo with individual auth.
- Verify it's protected.
- Remove the auth with --remove_consumer_cert
- Verify it's unprotected.
- Re-add the auth with repo update.
- Verify it's protected.
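
The inconsistency described in Comment 1, as an added example (not Pulp's code and not part of the original comment): a model of the remove path in which `None` skips cert deletion while an empty bundle triggers it, plus an audit that flags repos whose cert files exist without a listing entry. The function names, the cert file name, the `repos/f13` path and the per-repo directory layout are assumptions; only the `pulp-protected-repos` file name and its `path,id` line format come from the bug.

```python
import os
import shutil
import tempfile

LISTING = "pulp-protected-repos"  # file name from the bug; directory layout is assumed

def read_listing(content_dir):
    """Parse 'relative_path,repo_id' lines into {repo_id: relative_path}."""
    path = os.path.join(content_dir, LISTING)
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        rows = (line.strip().rsplit(",", 1) for line in f if "," in line)
        return {repo_id: rel for rel, repo_id in rows}

def write_listing(content_dir, entries):
    with open(os.path.join(content_dir, LISTING), "w") as f:
        f.writelines(f"{rel},{repo_id}\n" for repo_id, rel in sorted(entries.items()))

def add_auth(content_dir, repo_id, rel_path, bundle):
    """Model of enabling auth: store the cert bundle and list the repo."""
    os.makedirs(os.path.join(content_dir, repo_id), exist_ok=True)
    for name, pem in bundle.items():
        with open(os.path.join(content_dir, repo_id, name), "w") as f:
            f.write(pem)
    write_listing(content_dir, {**read_listing(content_dir), repo_id: rel_path})

def remove_auth(content_dir, repo_id, bundle):
    """Model of the remove path: the listing entry always goes, but cert files
    are deleted only when a bundle (even an empty one) is passed in."""
    entries = read_listing(content_dir)
    entries.pop(repo_id, None)
    write_listing(content_dir, entries)
    if bundle is not None:
        shutil.rmtree(os.path.join(content_dir, repo_id), ignore_errors=True)

def audit(content_dir):
    """Return (certs on disk but not listed, listed but no certs on disk)."""
    listed = set(read_listing(content_dir))
    on_disk = {d for d in os.listdir(content_dir)
               if os.path.isdir(os.path.join(content_dir, d))
               and os.listdir(os.path.join(content_dir, d))}
    return sorted(on_disk - listed), sorted(listed - on_disk)

def demo(bundle_for_remove):
    """Run add -> remove on a throwaway directory and return the audit result."""
    with tempfile.TemporaryDirectory() as d:
        add_auth(d, "f13", "repos/f13", {"consumer-ca.crt": "constructed PEM"})
        remove_auth(d, "f13", bundle_for_remove)
        return audit(d)
```

`demo(None)` reproduces the state from the report (certs left on disk, repo not listed as protected), while `demo({})` leaves the two sources in agreement.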

Comment 2 Jay Dobies 2011-04-13 19:22:55 UTC
Fixed in build 0.163.

Comment 3 Preethi Thomas 2011-09-01 16:08:17 UTC
verified
[root@pulp-f15 ~]# rpm -q pulp
pulp-0.0.229-1.fc15.noarch

[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo create --id=pulp --feed=http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/ --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key 
Successfully created repository [ pulp ]

[root@pulp-f15 ~]# pulp-admin repo list
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                 	pulp                     
Name               	pulp                     
Feed URL           	http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/
Feed Type          	remote                   
Content Type       	yum                      
Feed Certs         	CA:No   Cert:No
Consumer Certs     	CA:Yes   Cert:Yes
Architecture       	noarch                   
Sync Schedule      	None                     
Packages           	0                        
Files              	0                        
Distributions      	None                     
Publish            	True                     
Clones             	[]                       
Groups             	None                     
Filters            	[]                       
Notes              	{}                       


[root@pulp-f15 ~]# pulp-admin repo update --id=pulp --remove_consumer_cert
Successfully updated repository [ pulp ]

[root@pulp-f15 ~]# pulp-admin repo list
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                 	pulp                     
Name               	pulp                     
Feed URL           	http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/
Feed Type          	remote                   
Content Type       	yum                      
Feed Certs         	CA:No   Cert:No
Consumer Certs     	CA:No   Cert:No
Architecture       	noarch                   
Sync Schedule      	None                     
Packages           	0                        
Files              	0                        
Distributions      	None                     
Publish            	True                     
Clones             	[]                       
Groups             	None                     
Filters            	[]                       
Notes              	{}                       


[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo update --id=pulp --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key
Successfully updated repository [ pulp ]

[root@pulp-f15 ~]# pulp-admin repo list
+------------------------------------------+
       List of Available Repositories
+------------------------------------------+

Id                 	pulp                     
Name               	pulp                     
Feed URL           	http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64/
Feed Type          	remote                   
Content Type       	yum                      
Feed Certs         	CA:No   Cert:No
Consumer Certs     	CA:Yes   Cert:Yes
Architecture       	noarch                   
Sync Schedule      	None                     
Packages           	0                        
Files              	0                        
Distributions      	None                     
Publish            	True                     
Clones             	[]                       
Groups             	None                     
Filters            	[]                       
Notes              	{}                       

[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo update --id=pulp --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key 
Successfully updated repository [ pulp ]

[root@pulp-f15 ~]# cat /etc/pki/content/pulp-protected-repos
repos/pulp/pulp/fedora-14/x86_64,pulp
[root@pulp-f15 ~]# 
[root@pulp-f15 ~]# 
[root@pulp-f15 ~]# 
[root@pulp-f15 ~]# pulp-admin repo update --id=pulp --remove_consumer_cert
Successfully updated repository [ pulp ]

[root@pulp-f15 ~]# cat /etc/pki/content/pulp-protected-repos 
[root@pulp-f15 ~]# pulp-admin -u admin -p admin repo update --id=pulp --consumer_ca=/root/certs/ca1.crt --consumer_cert=/root/certs/pulp-f14.crt --consumer_key=/root/certs/ca1.key 
Successfully updated repository [ pulp ]

[root@pulp-f15 ~]# cat /etc/pki/content/pulp-protected-repos
repos/pulp/pulp/fedora-14/x86_64,pulp

Comment 4 Preethi Thomas 2012-02-24 20:13:51 UTC
Pulp v1.0 is released
Closed Current Release.