Bug 713176 - Pulp admin certs expire after 10 years
Summary: Pulp admin certs expire after 10 years
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
: Sprint 25
Assignee: Jay Dobies
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks: 688298
Reported: 2011-06-14 14:55 UTC by Chris St. Pierre
Modified: 2012-02-24 20:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-24 20:13:13 UTC
Embargoed:


Attachments
Patch to fix the bug in question (3.19 KB, application/octet-stream)
2011-06-14 14:55 UTC, Chris St. Pierre

Description Chris St. Pierre 2011-06-14 14:55:10 UTC
Created attachment 504697 [details]
Patch to fix the bug in question

Description of problem:

Pulp admin and consumer certs both expire after 10 years.  Our security team would have kittens if we told them that users would have to authenticate every 10 years.  Cert expiration should be configurable.

Additionally, authenticating with an expired cert produces a stack trace, not a nice friendly error.  The same is true of any cert invalidity issue.

Version-Release number of selected component (if applicable):

0.0.190, HEAD

How reproducible:

Every time.

Steps to Reproduce:

1. Run "pulp-admin auth login -u <username>"
2. Wait 3649 days.

Actual results:

You are able to use pulp-admin without authenticating after nearly 10 years.

Expected results:

The security-conscious should be able to lock this down a bit.

Additional info:

I've attached a patch that allows admins to set security.cert_expiration to the number of days an admin cert should be valid for.  It also catches SSL errors in the client.server routines (GET, POST, etc.) and returns nice tidy error messages instead of stack traces.
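An added example, not the reporter's patch or Pulp's own code, of the two behaviours the patch describes: reading a configurable certificate lifetime from a pulp.conf-style [security] section (keys as quoted in Comment 3, values constructed), and reporting a certificate's validity state or an SSL failure as a friendly one-liner instead of a stack trace. The helper names and message texts are mine.

```python
import configparser
import ssl

# Constructed pulp.conf excerpt using the [security] keys quoted in Comment 3;
# the values are illustrative, not Pulp's shipped defaults.
SAMPLE_CONF = """
[security]
cacert = /etc/pki/pulp/ca.crt
cakey = /etc/pki/pulp/ca.key
user_cert_expiration = 7
consumer_cert_expiration = 3650
"""

def read_expirations(conf_text):
    """Return {'user': days, 'consumer': days}, rejecting non-positive lifetimes."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    out = {}
    for kind in ("user", "consumer"):
        days = cp.getint("security", f"{kind}_cert_expiration")
        if days <= 0:
            raise ValueError(f"{kind}_cert_expiration must be positive, got {days}")
        out[kind] = days
    return out

def describe_cert_state(not_before, not_after, now, warn_days=1):
    """Map a cert's validity window to (state, message). Times are strings in the
    form the ssl module reports, e.g. 'Jun 15 16:09:12 2011 GMT'."""
    nb, na, t = (ssl.cert_time_to_seconds(s) for s in (not_before, not_after, now))
    if t < nb:
        return ("not_yet_valid", "Certificate is not yet valid; check this host's clock.")
    if t >= na:
        return ("expired", "Certificate has expired; run 'pulp-admin auth login' again.")
    remaining = na - t
    if remaining <= warn_days * 86400:
        return ("expiring", f"Certificate expires in about {remaining // 3600} hour(s).")
    return ("valid", f"Certificate is valid for {remaining // 86400} more day(s).")

def friendly_ssl_error(exc):
    """Translate an SSL error (exception or its text) into one tidy line for the CLI."""
    text = str(exc)
    if "certificate has expired" in text:
        return "Your admin certificate has expired; run 'pulp-admin auth login' to get a new one."
    if "certificate verify failed" in text:
        return "The server certificate could not be verified; check the 'cacert' setting."
    return f"SSL error talking to the Pulp server: {text}"
```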

Comment 1 Jay Dobies 2011-06-15 20:08:06 UTC
commit 23fdefd6635fd819f1f7fdafcbf5643c49412d4a
Author: Jay Dobies <jason.dobies>
Date:   Wed Jun 15 16:09:12 2011 -0400

    713176 - Changed user certificate expirations to 1 week. Consumer
    certificate expirations, while configurable, remain at the default of 10
    years.

etc/pulp/pulp.conf
src/pulp/client/server.py
src/pulp/server/api/consumer.py
src/pulp/server/auth/cert_generator.py
test/unit/test_cert_generator.py

Comment 2 Jeff Ortel 2011-06-17 21:10:04 UTC
build: 0.192

Comment 3 Preethi Thomas 2011-08-17 14:42:10 UTC
verified in pulp.conf
[root@preethi ~]# rpm -q pulp
pulp-0.0.224-1.fc14.noarch

# Configures aspects of the pulp web server security.
#
# cacert:    full path to the CA certificate that will be used to sign
#            consumer and admin identification certificates.  This MUST match
#            the value of SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf.
# cakey:     full path to the private key for the CA certificate
# user_cert_expiration: number of days a user certificate is valid
# consumer_cert_expiration: number of days a consumer certificate is valid

Comment 4 Preethi Thomas 2012-02-24 20:13:13 UTC
Pulp v1.0 is released
Closed Current Release.

