pulp_rpm's repository protection feature relies on the verify_cert() method provided in the patch we used to carry[0] in our custom m2crypto package. The Pulp team has been working towards removing our reliance on custom patched dependencies, so we need to convert the repo protection code to use m2.x509_verify_cert(self.ctx) directly to avoid the custom patch. [0] https://github.com/pulp/pulp/blob/eac9f0683e01413ccf2b97ce6026d8becc22b71e/deps/m2crypto/m2crypto-0.21.1-x509_crl.patch#L89
I need to focus on cherry picking. Can someone else pick this up?
https://github.com/pulp/pulp/pull/1107
https://github.com/pulp/pulp_rpm/pull/550
This was fixed in pulp-2.4.1-0.3.beta.
Moving it to fails-qa for 2 reasons on rhel6 The requirement is for >21 for m2crypto m2crypto-0.21.1.pulp-8.el6.x86_64 exists in the pulp repos and that is what gets installed. El7 seems to be installing the one from the rhel repo. m2crypto-0.21.1-15.el7.x86_64
https://github.com/pulp/pulp/pull/1128
Fixed in 2.4.1-0.4.beta.
verified rhel6 requirement for >21 has been removed. Also m2crypto-0.21.1.pulp has been removed from the pulp repo.
https://github.com/pulp/pulp/pull/1152
https://github.com/pulp/pulp_rpm/pull/558
In order to verify the latest changes to this bug, there are four test cases to run: 1) Case #1 tests what will happen for users who upgrade and don't do anything. For them, there won't be a verify_ssl setting in /etc/pulp/repo_auth.conf, so make sure that isn't defined there. In this case, Pulp should assume you still want to do per-repo authorization. Test this case like you normally would for repo auth. It should succeed with valid entitlement certs and it should fail with invalid ones. 2) Case #2 tests what happens for users who explicitly set verify_ssl to true. The rest of this test case should work just like #1. 3) Case #3 tests what happens for users who set verify_ssl to false, but do not configure Apache to do the validation. In this case, all certificates that have the correct OIDs (the OIDs are still checked even when verify_ssl is false) should be allowed access, even if they are not signed by a valid CA. Make sure that certificates signed by invalid CAs are allowed access, as well as certificates that have valid CA signatures. Also, make sure that all certificates that don't have the correct OIDs for the given repos are still denied (this is very important!). 4) Case #4 tests what happens for users who set verify_ssl to false and also configure Apache to require validly signed certificates. This should again work just like Case #1, but Apache will be enforcing the signature checks instead of Pulp. Make sure the right certs are allowed and rejected, both due to signatures and due to correct/incorrect OIDs. Note that the CA still needs to be uploaded to the repo in order to configure repo_auth for it, otherwise Pulp will not check the OIDs.
I mistook this bug for #1135144 when I did all that I did in the last several comments. I'll reset this one to VERIFIED. https://bugzilla.redhat.com/show_bug.cgi?id=1135144
This is fixed in Pulp-2.4.1-1.