Bug 760745 - All newly created repos are incorrectly being flagged as protected
Summary: All newly created repos are incorrectly being flagged as protected
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: user-experience
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Pradeep Kilambi
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-06 21:22 UTC by Jay Dobies
Modified: 2013-09-09 16:36 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jay Dobies 2011-12-06 21:22:26 UTC 
Not sure when this changed.

The /etc/pki/content/pulp-protected-repos file contains a list of all relative paths that are protected.

This will only get written if consumer cert data is passed in. The code is at api/repo.py line 276:

        if consumer_cert_data:
            # consolidate key & certificate
            self._consolidate_bundle(consumer_cert_data)
            # store certificates
            consumer_cert_files = repo_cert_utils.write_consumer_cert_bundle(id, consumer_cert_data)
            r['consumer_ca'] = consumer_cert_files['ca']
            r['consumer_cert'] = consumer_cert_files['cert']
            protected_repo_utils.add_protected_repo(r['relative_path'], id)


At some point, the change was made that instead of consumer cert data being None from the client, it's being a dict that references each potential piece of data as None:

{'ca': None, 'cert': None, 'key': None}

That's causing Pulp to mark the repository as protected.
Comment 1 Jay Dobies 2011-12-06 21:25:11 UTC 
The change in the CLI looks to have occurred on 5/17/11:

        consumer_cert_data = {"ca": cons_cacert_tmp,
                              "cert": cons_cert_tmp,
                              "key": cons_key_tmp}

It's building the dictionary regardless of whether or not the consumer certificate was passed in.

This was probably not noticed since by default repo auth is disabled. I suspect if repo auth was turned on, we'd lose the ability to create an unprotected repository.
Comment 2 Jay Dobies 2011-12-06 21:30:05 UTC 
commit 8706abf59c52047ce9bd7cf87eb7b899890aa76a
Author: Jay Dobies <jason.dobies>
Date:   Tue Dec 6 16:27:58 2011 -0500

    760745 - The CLI should pass None for consumer client bundle if no
    entries are present.

src/pulp/client/admin/plugins/repo.py
Comment 3 Jeff Ortel 2011-12-15 20:18:18 UTC 
build: 0.255
Comment 4 Preethi Thomas 2011-12-16 20:33:03 UTC 
[root@pulp-f16 ~]# rpm -q pulp
pulp-0.0.255-1.fc16.noarch
[root@pulp-f16 ~]# 

[root@pulp-f16 ~]# pulp-admin -u admin -p admin repo create --preserve_metadata --id=protected_test_repo  --feed=https://cdn.redhat.com/content/dist/rhel/rhui/server/6/6Server/i386/rhui/2.0/os --consumer_ca=/root/cdn_certs/rhui-rhqe/cdn.redhat.com-chain.crt --consumer_cert=/root/cdn_certs/rhui-rhqe/rhui-rhqe-20110803.crt --consumer_key=/root/cdn_certs/rhui-rhqe/rhui-rhqe-20110803.key 
Successfully created repository [ protected_test_repo ]

[root@pulp-f16 ~]# cat /etc/pki/content/pulp-protected-repos content/dist/rhel/rhui/server/6/6Server/i386/rhui/2.0/os,protected_test_repo
[root@pulp-f16 ~]# 
[root@pulp-f16 ~]# 

[root@pulp-f16 ~]# 
[root@pulp-f16 ~]# pulp-admin repo create --id=test --feed=http://10.16.76.78/pub/updates/ --relativepath=test
Successfully created repository [ test ]

[root@pulp-f16 ~]# cat /etc/pki/content/pulp-protected-repos content/dist/rhel/rhui/server/6/6Server/i386/rhui/2.0/os,protected_test_repo
Comment 5 Preethi Thomas 2012-02-24 20:16:41 UTC 
Pulp v1.0 is released
Closed Current Release.
Comment 6 Preethi Thomas 2012-02-24 20:17:56 UTC 
Pulp v1.0 is released.
Note You need to log in before you can comment on or make changes to this bug.