Bug 1255862 - Get provider certificates to import from user instead of from backend
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RestAPI
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-3.6.0-rc
Target Release: 3.6.0
Assignee: Juan Hernández
QA Contact: Gonza
Reported: 2015-08-21 17:57 UTC by Juan Hernández
Modified: 2016-03-11 07:18 UTC

Fixed In Version: 3.6.0-11
Doc Type: Bug Fix
Last Closed: 2016-03-11 07:18:15 UTC
oVirt Team: Infra
rule-engine: ovirt-3.6.0+
ylavi: planning_ack+
rule-engine: devel_ack+
pstehlik: testing_ack+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 45247 | 0 | master | MERGED | restapi: Get provider certificates to import from user | Never
oVirt gerrit | 45408 | 0 | ovirt-engine-3.6 | MERGED | restapi: Get provider certificates to import from user | Never

Description Juan Hernández 2015-08-21 17:57:02 UTC
Currently the RESTAPI action used to import provider certificates gets the certificates to import from the backend and then, in the same request, it asks the backend to import them. This is not very safe because there is no guarantee that the caller has ever seen or approved these certificates. The action should be changed so that the caller is forced to send the certificates that are to be approved:

  POST /openstackimageproviders/{provider:id}/importcertificates
  <action>
    <certificate>the certificate to import</certificate>
  </action>

The certificates can already be retrieved by the caller as follows:

  GET /openstackimageproviders/{provider:id}/certificates
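
The retrieve-then-approve flow described above, as an added example that is not part of the original report or of ovirt-engine: it checks each listed certificate against fingerprints the operator approved out of band and builds the import body only from the matches. The listing layout, the base64 content encoding, the sample bytes and the function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed stand-ins for certificate bytes (not real certificates).
CERT_A = b"constructed-certificate-bytes-A"
CERT_B = b"constructed-certificate-bytes-B"

# Constructed GET .../certificates response. The <certificate> entries mirror
# the ones posted in comment 1; the wrapper and encoding are assumptions.
SAMPLE_LISTING = (
    "<certificates>"
    "<certificate><subject>CN=provider.example.com</subject>"
    f"<content>{_b64(CERT_A)}</content></certificate>"
    "<certificate><subject>CN=unexpected.example.net</subject>"
    f"<content>{_b64(CERT_B)}</content></certificate>"
    "</certificates>"
)

def fingerprint(content_b64):
    """SHA-256 over the decoded certificate bytes, as lowercase hex."""
    raw = base64.b64decode("".join(content_b64.split()), validate=True)
    return hashlib.sha256(raw).hexdigest()

def select_approved(listing_xml, approved_pins):
    """Return (subject, content) pairs whose fingerprint the operator pinned."""
    pins = {p.replace(":", "").lower() for p in approved_pins}
    approved = []
    for cert in ET.fromstring(listing_xml).iter("certificate"):
        subject = cert.findtext("subject", default="")
        content = cert.findtext("content", default="").strip()
        if content and fingerprint(content) in pins:
            approved.append((subject, content))
    return approved

def build_import_action(approved):
    """Build the <action> body for POST .../importcertificates."""
    if not approved:  # never send an import that approves nothing explicitly
        raise ValueError("no certificate matched an approved fingerprint")
    action = ET.Element("action")
    certs = ET.SubElement(action, "certificates")
    for subject, content in approved:
        cert = ET.SubElement(certs, "certificate")
        ET.SubElement(cert, "subject").text = subject
        ET.SubElement(cert, "content").text = content
    return ET.tostring(action, encoding="unicode")
```

The pinned fingerprints should come from a channel independent of the engine, for example read directly on the provider host, so that the approval is not based on the same listing it is meant to check.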

Comment 1 Gonza 2016-02-25 11:53:44 UTC
Verified with:
rhevm-3.6.3.3-0.1.el6.noarch

+ url=https://xxx/ovirt-engine/api
+ user=admin@internal
+ password=xxx
+ provider=c9631b7d-e4af-469b-a4ab-62327b7a2aa3
+ curl --verbose --insecure --user admin@internal:xxx --request POST --header 'Content-Type: application/xml' --header 'Accept: application/xml' --data '
<action>
<certificates>
<certificate>
<subject>CN=xxx.com</subject>
<content>
xxx
</content>
</certificate>
</certificates>
</action>
' https://10.34.60.251/ovirt-engine/api/externalhostproviders/c9631b7d-e4af-469b-a4ab-62327b7a2aa3/importcertificates
*   Trying 10.34.60.251...
* Connected to 10.34.60.251 (10.34.60.251) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=xxx,O=xxx,C=US
* 	start date: Feb 21 16:23:27 2016 GMT
* 	expire date: Jan 26 16:23:27 2021 GMT
* 	common name: xxx
* 	issuer: CN=xxx,O=xxx,C=US
* Server auth using Basic with user 'admin@internal'
> POST /ovirt-engine/api/externalhostproviders/c9631b7d-e4af-469b-a4ab-62327b7a2aa3/importcertificates HTTP/1.1
> User-Agent: curl/7.40.0
> Host: 10.34.60.251
> Content-Type: application/xml
> Accept: application/xml
> Content-Length: 1134
> Expect: 100-continue
> 
* Done waiting for 100-continue
< HTTP/1.1 200 OK
< Date: Thu, 25 Feb 2016 11:48:15 GMT
< Content-Type: application/xml
< Content-Length: 134
< Vary: Accept-Encoding
< Connection: close
< 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <status>
        <state>complete</state>
    </status>
</action>
* Closing connection 0

