Remove the ability to use checksums weaker than sha256 during publish

closes #2488
pulp · Dec 4, 2023 · fe66883 · fe66883
1 parent a014efa
commit fe66883
Show file tree

Hide file tree

Showing 9 changed files with 87 additions and 71 deletions.
diff --git a/.github/workflows/scripts/install.sh b/.github/workflows/scripts/install.sh
@@ -66,7 +66,7 @@ VARSYAML
 
 cat >> vars/main.yaml << VARSYAML
 pulp_env: {}
-pulp_settings: {"allowed_content_checksums": ["sha1", "sha224", "sha256", "sha384", "sha512"], "allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"], "orphan_protection_time": 0}
+pulp_settings: {"allowed_content_checksums": ["sha1", "sha224", "sha256", "sha512"], "allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"], "orphan_protection_time": 0}
 pulp_scheme: https
 
 pulp_container_tag: "latest"

diff --git a/CHANGES/2488.removal b/CHANGES/2488.removal
@@ -0,0 +1 @@
+Removed support for publishing repos with a checksum type of md5, sha1, or sha224
diff --git a/pulp_rpm/app/constants.py b/pulp_rpm/app/constants.py
@@ -26,6 +26,12 @@
 ALLOWED_CHECKSUM_ERROR_MSG = """Checksum must be one of the allowed checksum types.
 You can adjust these with the 'ALLOWED_CONTENT_CHECKSUMS' setting."""
 
+ALLOWED_PUBLISH_CHECKSUMS = {CHECKSUM_TYPES.SHA256, CHECKSUM_TYPES.SHA384, CHECKSUM_TYPES.SHA512}
+
+ALLOWED_PUBLISH_CHECKSUM_ERROR_MSG = (
+    """Checksum must be one of the allowed checksum types: sha256, sha384, or sha512."""
+)
+
 SYNC_POLICIES = SimpleNamespace(
     ADDITIVE="additive",
     MIRROR_COMPLETE="mirror_complete",

diff --git a/pulp_rpm/app/models/repository.py b/pulp_rpm/app/models/repository.py
@@ -247,9 +247,9 @@ def on_new_version(self, version):
                 repository_version_pk=version.pk,
                 metadata_signing_service=self.metadata_signing_service,
                 checksum_types={
+                    "general": self.checksum_type,
                     "metadata": self.metadata_checksum_type,
                     "package": self.package_checksum_type,
-                    "general": self.checksum_type,
                 },
                 repo_config=self.repo_config,
             )

diff --git a/pulp_rpm/app/serializers/repository.py b/pulp_rpm/app/serializers/repository.py
@@ -25,6 +25,8 @@
 
 from pulp_rpm.app.constants import (
     ALLOWED_CHECKSUM_ERROR_MSG,
+    ALLOWED_PUBLISH_CHECKSUMS,
+    ALLOWED_PUBLISH_CHECKSUM_ERROR_MSG,
     CHECKSUM_CHOICES,
     SKIP_TYPES,
     SYNC_POLICY_CHOICES,
@@ -124,12 +126,14 @@ class RpmRepositorySerializer(RepositorySerializer):
     def validate(self, data):
         """Validate data."""
         for field in ("checksum_type", "metadata_checksum_type", "package_checksum_type"):
-            if (
-                field in data
-                and data[field]
-                and data[field] not in settings.ALLOWED_CONTENT_CHECKSUMS
-            ):
-                raise serializers.ValidationError({field: _(ALLOWED_CHECKSUM_ERROR_MSG)})
+            if field in data and data[field]:
+                if data[field] not in settings.ALLOWED_CONTENT_CHECKSUMS:
+                    raise serializers.ValidationError({field: _(ALLOWED_CHECKSUM_ERROR_MSG)})
+
+                if data[field] not in ALLOWED_PUBLISH_CHECKSUMS:
+                    raise serializers.ValidationError(
+                        {field: _(ALLOWED_PUBLISH_CHECKSUM_ERROR_MSG)}
+                    )
 
         if data.get("package_checksum_type") or data.get("metadata_checksum_type"):
             logging.getLogger("pulp_rpm.deprecation").info(
@@ -329,14 +333,15 @@ class RpmPublicationSerializer(PublicationSerializer):
 
     def validate(self, data):
         """Validate data."""
-        if (
-            data.get("metadata_checksum_type")
-            and data["metadata_checksum_type"] not in settings.ALLOWED_CONTENT_CHECKSUMS
-        ) or (
-            data.get("package_checksum_type")
-            and data["package_checksum_type"] not in settings.ALLOWED_CONTENT_CHECKSUMS
-        ):
-            raise serializers.ValidationError(_(ALLOWED_CHECKSUM_ERROR_MSG))
+        for field in ("checksum_type", "metadata_checksum_type", "package_checksum_type"):
+            if field in data and data[field]:
+                if data[field] not in settings.ALLOWED_CONTENT_CHECKSUMS:
+                    raise serializers.ValidationError({field: _(ALLOWED_CHECKSUM_ERROR_MSG)})
+
+                if data[field] not in ALLOWED_PUBLISH_CHECKSUMS:
+                    raise serializers.ValidationError(
+                        {field: _(ALLOWED_PUBLISH_CHECKSUM_ERROR_MSG)}
+                    )
 
         if data.get("package_checksum_type") or data.get("metadata_checksum_type"):
             logging.getLogger("pulp_rpm.deprecation").info(

diff --git a/pulp_rpm/tests/functional/api/test_download_policies.py b/pulp_rpm/tests/functional/api/test_download_policies.py
@@ -8,16 +8,6 @@
 from pulpcore.client.pulp_rpm import RpmRpmPublication
 
 
-"""Sync a repository with different download policies.
-
-This test targets the following issue:
-
-`Pulp #4126 <https://pulp.plan.io/issues/4126>`_
-`Pulp #4213 <https://pulp.plan.io/issues/4213>`_
-`Pulp #4418 <https://pulp.plan.io/issues/4418>`_
-"""
-
-
 @pytest.mark.parametrize("download_policy", DOWNLOAD_POLICIES)
 def test_download_policies(
     download_policy,

diff --git a/pulp_rpm/tests/functional/api/test_publish.py b/pulp_rpm/tests/functional/api/test_publish.py
@@ -34,34 +34,6 @@
 from pulpcore.client.pulp_rpm.exceptions import ApiException
 
 
-class TestPublishWithUnsignedRepoSyncedOnDemand:
-    @pytest.mark.parallel
-    def test_publish_with_unsupported_checksum_type(
-        self, rpm_unsigned_repo_on_demand, rpm_publication_api
-    ):
-        """
-        Sync and try to publish an RPM repository.
-
-        - Sync repository with on_demand policy
-        - Try to publish with 'md5' checksum type
-        - Publish should fail because 'md5' is not allowed
-
-        This test require disallowed 'MD5' checksum type from ALLOWED_CONTENT_CHECKSUMS settings.
-        """
-        if "md5" in settings.ALLOWED_CONTENT_CHECKSUMS:
-            pytest.skip(
-                reason="Cannot verify the expected hasher error if the 'MD5' checksum is allowed."
-            )
-
-        publish_data = RpmRpmPublication(
-            repository=rpm_unsigned_repo_on_demand.pulp_href, package_checksum_type="md5"
-        )
-        with pytest.raises(ApiException) as ctx:
-            rpm_publication_api.create(publish_data)
-
-        assert "Checksum must be one of the allowed checksum types." in ctx.value.body
-
-
 class TestPublishWithUnsignedRepoSyncedImmediate:
     @pytest.mark.parallel
     def test_publish_any_repo_version(
@@ -541,6 +513,50 @@ def _get_checksum_types(**kwargs):
     return _get_checksum_types
 
 
+@pytest.mark.parallel
+def test_publish_with_disallowed_checksum_type(rpm_unsigned_repo_on_demand, rpm_publication_api):
+    """
+    Sync and try to publish an RPM repository.
+
+    - Sync repository with on_demand policy
+    - Try to publish with 'sha384' checksum type
+    - Publish should fail because 'sha384' is not allowed
+
+    This test require disallowed 'sha384' checksum type from ALLOWED_CONTENT_CHECKSUMS settings.
+    """
+    if "sha384" in settings.ALLOWED_CONTENT_CHECKSUMS:
+        pytest.skip(
+            reason="Cannot check for the expected error if the 'sha384' checksum is allowed."
+        )
+
+    publish_data = RpmRpmPublication(
+        repository=rpm_unsigned_repo_on_demand.pulp_href, package_checksum_type="sha384"
+    )
+    with pytest.raises(ApiException) as ctx:
+        rpm_publication_api.create(publish_data)
+
+    assert "Checksum must be one of the allowed checksum types." in ctx.value.body
+
+
+@pytest.mark.parallel
+def test_publish_with_unsupported_checksum_type(rpm_unsigned_repo_on_demand, rpm_publication_api):
+    """
+    Sync and try to publish an RPM repository.
+
+    - Sync repository with on_demand policy
+    - Try to publish with 'sha1' checksum type
+    - Publish should fail because 'sha1' is not allowed
+      (even though it is in ALLOWED_CONTENT_CHECKSUMS)
+    """
+    publish_data = RpmRpmPublication(
+        repository=rpm_unsigned_repo_on_demand.pulp_href, package_checksum_type="sha1"
+    )
+    with pytest.raises(ApiException) as ctx:
+        rpm_publication_api.create(publish_data)
+
+    assert "Checksum must be one of the allowed checksum types." in ctx.value.body
+
+
 @pytest.mark.parallel
 def test_on_demand_unspecified_checksum_types(get_checksum_types):
     """Sync and publish an RPM repository and verify the checksum types."""
@@ -580,14 +596,14 @@ def test_immediate_unspecified_checksum_types(get_checksum_types):
 def test_on_demand_specified_package_checksum_type(get_checksum_types, delete_orphans_pre):
     """Sync and publish an RPM repository and verify the checksum types."""
     repomd_checksum_types, primary_checksum_types = get_checksum_types(
-        package_checksum_type="sha384", policy="on_demand"
+        package_checksum_type="sha512", policy="on_demand"
     )
 
     for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
         assert repomd_checksum_type == "sha256"
 
     for package, package_checksum_type in primary_checksum_types.items():
-        # since none of the packages in question have sha384 checksums, the
+        # since none of the packages in question have sha512 checksums, the
         # checksums they do have will be used instead. In this case, sha256.
         assert package_checksum_type == "sha256"
 
@@ -596,11 +612,11 @@ def test_on_demand_specified_package_checksum_type(get_checksum_types, delete_or
 def test_on_demand_specified_metadata_checksum_type(get_checksum_types):
     """Sync and publish an RPM repository and verify the checksum types."""
     repomd_checksum_types, primary_checksum_types = get_checksum_types(
-        metadata_checksum_type="sha384", policy="on_demand"
+        metadata_checksum_type="sha512", policy="on_demand"
     )
 
     for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
-        assert repomd_checksum_type == "sha384"
+        assert repomd_checksum_type == "sha512"
 
     for package, package_checksum_type in primary_checksum_types.items():
         assert package_checksum_type == "sha256"
@@ -611,14 +627,14 @@ def test_on_demand_specified_metadata_and_package_checksum_type(
 ):
     """Sync and publish an RPM repository and verify the checksum types."""
     repomd_checksum_types, primary_checksum_types = get_checksum_types(
-        package_checksum_type="sha224", metadata_checksum_type="sha224", policy="on_demand"
+        package_checksum_type="sha512", metadata_checksum_type="sha512", policy="on_demand"
     )
 
     for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
-        assert repomd_checksum_type == "sha224"
+        assert repomd_checksum_type == "sha512"
 
     for package, package_checksum_type in primary_checksum_types.items():
-        # since none of the packages in question have sha224 checksums, the
+        # since none of the packages in question have sha512 checksums, the
         # checksums they do have will be used instead. In this case, sha256.
         assert package_checksum_type == "sha256"
 
@@ -627,25 +643,25 @@ def test_on_demand_specified_metadata_and_package_checksum_type(
 def test_immediate_specified_package_checksum_type(get_checksum_types):
     """Sync and publish an RPM repository and verify the checksum types."""
     repomd_checksum_types, primary_checksum_types = get_checksum_types(
-        package_checksum_type="sha384", policy="immediate"
+        package_checksum_type="sha512", policy="immediate"
     )
 
     for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
         assert repomd_checksum_type == "sha256"
 
     for package, package_checksum_type in primary_checksum_types.items():
-        assert package_checksum_type == "sha384"
+        assert package_checksum_type == "sha512"
 
 
 @pytest.mark.parallel
 def test_immediate_specified_metadata_checksum_type(get_checksum_types):
     """Sync and publish an RPM repository and verify the checksum types."""
     repomd_checksum_types, primary_checksum_types = get_checksum_types(
-        metadata_checksum_type="sha384", policy="immediate"
+        metadata_checksum_type="sha512", policy="immediate"
     )
 
     for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
-        assert repomd_checksum_type == "sha384"
+        assert repomd_checksum_type == "sha512"
 
     for package, package_checksum_type in primary_checksum_types.items():
         assert package_checksum_type == "sha256"
@@ -655,14 +671,14 @@ def test_immediate_specified_metadata_checksum_type(get_checksum_types):
 def test_immediate_specified_metadata_and_package_checksum_type(get_checksum_types):
     """Sync and publish an RPM repository and verify the checksum types."""
     repomd_checksum_types, primary_checksum_types = get_checksum_types(
-        package_checksum_type="sha224", metadata_checksum_type="sha224", policy="immediate"
+        package_checksum_type="sha512", metadata_checksum_type="sha512", policy="immediate"
     )
 
     for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
-        assert repomd_checksum_type == "sha224"
+        assert repomd_checksum_type == "sha512"
 
     for package, package_checksum_type in primary_checksum_types.items():
-        assert package_checksum_type == "sha224"
+        assert package_checksum_type == "sha512"
 
 
 @pytest.mark.parallel

diff --git a/pulp_rpm/tests/functional/api/test_pulp_to_pulp.py b/pulp_rpm/tests/functional/api/test_pulp_to_pulp.py
@@ -32,8 +32,7 @@ def test_pulp_pulp_sync(
     # Create a publication.
     publish_data = RpmRpmPublication(
         repository=repo.pulp_href,
-        metadata_checksum_type="sha384",
-        package_checksum_type="sha224",
+        checksum_type="sha512",
     )
     publication = gen_object_with_cleanup(rpm_publication_api, publish_data)
 

diff --git a/template_config.yml b/template_config.yml
@@ -56,7 +56,6 @@ pulp_settings:
   - sha1
   - sha224
   - sha256
-  - sha384
   - sha512
   allowed_export_paths:
   - /tmp