Bug 1131260
| Summary: | pulp_rpm requires an API from m2crypto that is not provided upstream | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Randy Barlow <rbarlow> |
| Component: | rpm-support | Assignee: | Jeff Ortel <jortel> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 2.4.0 | CC: | bbuckingham, pthomas |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 2.4.1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-23 17:54:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1129307, 1131719 | ||
|
Description
Randy Barlow
2014-08-18 19:35:35 UTC
I need to focus on cherry picking. Can someone else pick this up? This was fixed in pulp-2.4.1-0.3.beta. Moving it to fails-qa for 2 reasons on rhel6 The requirement is for >21 for m2crypto m2crypto-0.21.1.pulp-8.el6.x86_64 exists in the pulp repos and that is what gets installed. El7 seems to be installing the one from the rhel repo. m2crypto-0.21.1-15.el7.x86_64 Fixed in 2.4.1-0.4.beta. verified rhel6 requirement for >21 has been removed. Also m2crypto-0.21.1.pulp has been removed from the pulp repo. In order to verify the latest changes to this bug, there are four test cases to run: 1) Case #1 tests what will happen for users who upgrade and don't do anything. For them, there won't be a verify_ssl setting in /etc/pulp/repo_auth.conf, so make sure that isn't defined there. In this case, Pulp should assume you still want to do per-repo authorization. Test this case like you normally would for repo auth. It should succeed with valid entitlement certs and it should fail with invalid ones. 2) Case #2 tests what happens for users who explicitly set verify_ssl to true. The rest of this test case should work just like #1. 3) Case #3 tests what happens for users who set verify_ssl to false, but do not configure Apache to do the validation. In this case, all certificates that have the correct OIDs (the OIDs are still checked even when verify_ssl is false) should be allowed access, even if they are not signed by a valid CA. Make sure that certificates signed by invalid CAs are allowed access, as well as certificates that have valid CA signatures. Also, make sure that all certificates that don't have the correct OIDs for the given repos are still denied (this is very important!). 4) Case #4 tests what happens for users who set verify_ssl to false and also configure Apache to require validly signed certificates. This should again work just like Case #1, but Apache will be enforcing the signature checks instead of Pulp. Make sure the right certs are allowed and rejected, both due to signatures and due to correct/incorrect OIDs. Note that the CA still needs to be uploaded to the repo in order to configure repo_auth for it, otherwise Pulp will not check the OIDs. I mistook this bug for #1135144 when I did all that I did in the last several comments. I'll reset this one to VERIFIED. https://bugzilla.redhat.com/show_bug.cgi?id=1135144 This is fixed in Pulp-2.4.1-1. |