Bug 1255862 - Get provider certificates to import from user instead of from backend
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: RestAPI
Priority: unspecified
Severity: medium
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assigned To: Juan Hernández
QA Contact: Gonza
Reported: 2015-08-21 13:57 EDT by Juan Hernández
Modified: 2016-03-11 02:18 EST
Fixed In Version: 3.6.0-11
Doc Type: Bug Fix
Last Closed: 2016-03-11 02:18:15 EST
Type: Bug
oVirt Team: Infra
rule-engine: ovirt-3.6.0+
ylavi: planning_ack+
rule-engine: devel_ack+
pstehlik: testing_ack+


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 45247 | master | MERGED | restapi: Get provider certificates to import from user | Never
oVirt gerrit | 45408 | ovirt-engine-3.6 | MERGED | restapi: Get provider certificates to import from user | Never

Description Juan Hernández 2015-08-21 13:57:02 EDT
Currently the RESTAPI action used to import provider certificates gets the certificates to import from the backend and then, in the same request, it asks the backend to import them. This is not very safe because there is no guarantee that the caller has ever seen or approved these certificates. The action should be changed so that the caller is forced to send the certificates that are to be approved:

  POST /openstackimageproviders/{provider:id}/importcertificates
  <action>
    <certificate>the certificate to import</certificate>
  </action>

The certificates can already be retrieved by the caller as follows:

  GET /openstackimageproviders/{provider:id}/certificates
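
The approve-then-send flow the description asks for, as an added example (not code from ovirt-engine or from either commenter): the caller takes the certificates offered by the GET, keeps only those whose SHA-256 fingerprint was approved out of band, and builds the `<action>` body in the shape used in Comment 1. The layout of the GET response, the assumption that `<content>` is base64 or PEM, and the names `fingerprint` and `build_import_action` are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the GET .../certificates response body. The layout is
# assumed to mirror the request in Comment 1; <content> holds placeholder bytes.
_B64 = [base64.b64encode(b).decode() for b in (b"constructed-der-1", b"constructed-der-2")]
SAMPLE_LISTING = f"""<certificates>
  <certificate><subject>CN=glance.example.test</subject><content>{_B64[0]}</content></certificate>
  <certificate><subject>CN=other.example.test</subject><content>{_B64[1]}</content></certificate>
</certificates>"""


def fingerprint(content):
    """SHA-256 hex digest of the decoded certificate bytes (PEM armor lines skipped)."""
    lines = (line.strip() for line in content.splitlines())
    b64 = "".join(l for l in lines if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest()


def build_import_action(listing_xml, approved):
    """Return (request_body, rejected_subjects) for POST .../importcertificates.

    Only certificates whose fingerprint is in `approved` (checked by the caller
    out of band) are copied into the <action>; the rest are reported, not sent.
    """
    action = ET.Element("action")
    accepted = ET.SubElement(action, "certificates")
    rejected = []
    for cert in ET.fromstring(listing_xml).iter("certificate"):
        subject = cert.findtext("subject", default="")
        content = cert.findtext("content", default="").strip()
        try:
            ok = fingerprint(content) in approved
        except ValueError:  # undecodable content is never approved
            ok = False
        if not ok:
            rejected.append(subject)
            continue
        copy = ET.SubElement(accepted, "certificate")
        ET.SubElement(copy, "subject").text = subject
        ET.SubElement(copy, "content").text = content
    if len(accepted) == 0:
        raise ValueError("no offered certificate matches an approved fingerprint")
    return ET.tostring(action, encoding="unicode"), rejected


if __name__ == "__main__":
    approved = {hashlib.sha256(b"constructed-der-1").hexdigest()}
    print(build_import_action(SAMPLE_LISTING, approved))
```

The decision is keyed on the fingerprint only; the `<subject>` text is carried along for display and is never used to decide what gets imported.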

Comment 1 Gonza 2016-02-25 06:53:44 EST
Verified with:
rhevm-3.6.3.3-0.1.el6.noarch

+ url=https://xxx/ovirt-engine/api
+ user=admin@internal
+ password=xxx
+ provider=c9631b7d-e4af-469b-a4ab-62327b7a2aa3
+ curl --verbose --insecure --user admin@internal:xxx --request POST --header 'Content-Type: application/xml' --header 'Accept: application/xml' --data '
<action>
<certificates>
<certificate>
<subject>CN=xxx.com</subject>
<content>
xxx
</content>
</certificate>
</certificates>
</action>
' https://10.34.60.251/ovirt-engine/api/externalhostproviders/c9631b7d-e4af-469b-a4ab-62327b7a2aa3/importcertificates
*   Trying 10.34.60.251...
* Connected to 10.34.60.251 (10.34.60.251) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=xxx,O=xxx,C=US
* 	start date: Feb 21 16:23:27 2016 GMT
* 	expire date: Jan 26 16:23:27 2021 GMT
* 	common name: xxx
* 	issuer: CN=xxx,O=xxx,C=US
* Server auth using Basic with user 'admin@internal'
> POST /ovirt-engine/api/externalhostproviders/c9631b7d-e4af-469b-a4ab-62327b7a2aa3/importcertificates HTTP/1.1
> User-Agent: curl/7.40.0
> Host: 10.34.60.251
> Content-Type: application/xml
> Accept: application/xml
> Content-Length: 1134
> Expect: 100-continue
> 
* Done waiting for 100-continue
< HTTP/1.1 200 OK
< Date: Thu, 25 Feb 2016 11:48:15 GMT
< Content-Type: application/xml
< Content-Length: 134
< Vary: Accept-Encoding
< Connection: close
< 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <status>
        <state>complete</state>
    </status>
</action>
* Closing connection 0
