Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 754468

Summary: Provided ueber cert does not unlock the secured pulp repo content
Product: [Retired] Katello
Component: Webservice API
Version: 1.0
Status: CLOSED NOTABUG
Severity: urgent
Priority: urgent
Reporter: Garik Khachikyan <gkhachik>
Assignee: Bryan Kearney <bkearney>
QA Contact: Garik Khachikyan <gkhachik>
CC: mkoci
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-11-16 19:08:26 UTC
Bug Blocks: 755097

Description Garik Khachikyan 2011-11-16 15:51:33 UTC
Description of problem:
The template export and the ueber certificate that is generated for the corresponding organization do not actually unlock access to the pulp repo. Apache still complains:
---
"Forbidden: You don't have permission to access /pulp/repos/ACME_Corporation/Dev/fedora15/f15-x86_64 on this server."

Version-Release number of selected component (if applicable):
recent katello:
katello-0.1.103-1.git.1.eaaf33d.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1. create provider: fedora
2. create product fedora15
3. create repo f15-x86_64 
4. sync the repo 
5. create a template, add that product
6. generate ueber cert (through cli: `org generate_uebercert --name ACME_Corporation`)
7. do the template export (again from cli: template export)
8. browse the file content: `xmllint --format --recover <filename>.xml`
9. copy the block with (clientcert) to: client.crt
10. copy the block with (clientkey) to: client.key
11. create a Firefox-format PKCS#12 cert:
`openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in client.crt -inkey client.key -out <certname>.pfx -name "<any_name>"`
12. import the *.pfx certificate into Firefox
13. try to access in Firefox the URL under (repository->url), like:
https://<fqdn>/pulp/repos/ACME_Corporation/Dev/fedora15/f15-x86_64
  
Actual results:
Error - forbidden

Expected results:
content should be unlocked/displayed

Additional info:
We really need the TDL export scenario to be functional with E2E scenario.

Comment 1 Garik Khachikyan 2011-11-16 19:08:26 UTC
My fault actually - I was mixing the certificates (using another pulp certificate with different info there).

Keeping the certificate stuff untouched, the scenario above works fine.

ONE NOTE ONLY: trying to access directories would fail; use the files to list/access instead, like: "/pulp/repos/ACME_Corporation/Dev/fedora15/f15-x86_64/repodata/repomd.xml"
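
Comment 1 traces the 403 to a client certificate and key that did not belong together. The following is an added example, not part of the original report or of Katello/pulp: a pre-flight check to run on `client.crt` and `client.key` before building the `.pfx`, plus a probe that requests `repodata/repomd.xml` instead of the directory. The function names and the CA bundle argument are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the client.crt / client.key pair
# copied out of the template export. Function names are hypothetical.

# Hash a public key so the certificate's and the private key's can be compared.
pub_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# check_pair CERT KEY
# returns 0 = usable pair, 1 = mismatch or expired, 2 = unreadable input
check_pair() {
    cp_crt=$1; cp_key=$2
    [ -r "$cp_crt" ] && [ -r "$cp_key" ] || { echo "missing file" >&2; return 2; }
    openssl x509 -in "$cp_crt" -noout 2>/dev/null ||
        { echo "$cp_crt: not a PEM certificate" >&2; return 2; }
    openssl pkey -in "$cp_key" -noout 2>/dev/null ||
        { echo "$cp_key: not a PEM private key" >&2; return 2; }

    cp_a=$(openssl x509 -in "$cp_crt" -noout -pubkey | pub_hash)
    cp_b=$(openssl pkey -in "$cp_key" -pubout | pub_hash)
    [ "$cp_a" = "$cp_b" ] ||
        { echo "certificate and key come from different pairs" >&2; return 1; }

    # Show whose certificate this is, so one issued by another pulp
    # instance or organization is noticed before it is imported.
    openssl x509 -in "$cp_crt" -noout -subject -issuer -enddate
    openssl x509 -in "$cp_crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# probe_repo CERT KEY CA_BUNDLE REPO_URL
# Requests a file rather than the directory, per the note in comment 1.
# CA_BUNDLE (the CA that signed the server's certificate) is an assumption.
probe_repo() {
    curl --silent --show-error --fail --output /dev/null \
        --cert "$1" --key "$2" --cacert "$3" "$4/repodata/repomd.xml"
}
```

Run `check_pair client.crt client.key` after step 10; a non-zero status means the `.pfx` built in step 11 would not authenticate with the exported certificate.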