Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added support for specifying/limiting content-checksums used by Pulp. #894

Merged
merged 1 commit into from Sep 15, 2020
Merged

Added support for specifying/limiting content-checksums used by Pulp. #894

merged 1 commit into from Sep 15, 2020

Conversation

ggainey
Copy link
Contributor

@ggainey ggainey commented Sep 8, 2020

settings.ALLOWED_CONTENT_CHECKSUMS now drives the other checksum-related
fields of Artifact (DIGEST_FIELDS, COMMON_DIGEST_FIELDS, RELIABLE_DIGEST_FIELDS)

closes #5216

@pulpbot
Copy link
Member

pulpbot commented Sep 8, 2020

Attached issue: https://pulp.plan.io/issues/5216

@ggainey ggainey force-pushed the 5216_fips_checksums branch 2 times, most recently from b556eac to 1e04525 Compare September 9, 2020 00:23
mdellweg
mdellweg requested changes Sep 9, 2020
View reviewed changes
Copy link
Member

@mdellweg mdellweg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for letting me get a very early look on this brill PR.

Running it in the FIPS environment exposed at least one more location where a not allowed hash algorithm is used: pulpcore/app/files.py

docs/settings.rst Outdated Show resolved Hide resolved
docs/settings.rst Outdated Show resolved Hide resolved
pulpcore/app/settings.py Outdated Show resolved Hide resolved
pulpcore/app/settings.py Outdated Show resolved Hide resolved
pulpcore/tests/unit/serializers/test_content.py Show resolved Hide resolved
pulpcore/app/models/content.py Outdated Show resolved Hide resolved
pulpcore/app/models/content.py Outdated Show resolved Hide resolved
pulpcore/app/models/content.py Outdated Show resolved Hide resolved
@ggainey
Copy link
Contributor Author

ggainey commented Sep 9, 2020

Thank you for letting me get a very early look on this brill PR.

Running it in the FIPS environment exposed at least one more location where a not allowed hash algorithm is used: pulpcore/app/files.py

Concur - see changes in files.py with latest repush

bmbouter
bmbouter reviewed Sep 9, 2020
View reviewed changes
docs/settings.rst Outdated Show resolved Hide resolved
@daviddavis
Copy link
Contributor

This code looks great to me. Impressive turnaround time on this.

Question: would it be possible to test this out by defining ALLOWED_CONTENT_CHECKSUMS in https://github.com/pulp/pulpcore/blob/master/.travis/settings.py.j2?

bmbouter
bmbouter reviewed Sep 9, 2020
View reviewed changes
pulpcore/app/settings.py Outdated Show resolved Hide resolved
bmbouter
bmbouter reviewed Sep 9, 2020
View reviewed changes
docs/settings.rst Outdated Show resolved Hide resolved
bmbouter
bmbouter reviewed Sep 9, 2020
View reviewed changes
pulpcore/app/settings.py Outdated Show resolved Hide resolved
bmbouter
bmbouter reviewed Sep 9, 2020
View reviewed changes
docs/settings.rst Outdated Show resolved Hide resolved
bmbouter
bmbouter reviewed Sep 9, 2020
View reviewed changes
pulpcore/app/settings.py Outdated Show resolved Hide resolved
@mdellweg
Copy link
Member

I can confirm, this peachy PR is passing the pulp_file test suite (unit & functional) on a the centos8-fips box.

@ggainey ggainey force-pushed the 5216_fips_checksums branch 2 times, most recently from e3a560c to aaf90be Compare September 10, 2020 16:22
@ggainey
Copy link
Contributor Author

ggainey commented Sep 10, 2020

This code looks great to me. Impressive turnaround time on this.

Question: would it be possible to test this out by defining ALLOWED_CONTENT_CHECKSUMS in https://github.com/pulp/pulpcore/blob/master/.travis/settings.py.j2?

@daviddavis , I have...no insight here. I've done a lot of local testing by setting in /etc/pulp/settings.py.

@mdellweg
Copy link
Member

mdellweg commented Sep 10, 2020
edited

This code looks great to me. Impressive turnaround time on this.
Question: would it be possible to test this out by defining ALLOWED_CONTENT_CHECKSUMS in https://github.com/pulp/pulpcore/blob/master/.travis/settings.py.j2?

@daviddavis , I have...no insight here. I've done a lot of local testing by setting in /etc/pulp/settings.py.

You would add that to the plugins template_config and regenerate the travis directory.

Like here: https://github.com/pulp/pulpcore/blob/master/template_config.yml#L30

bmbouter
bmbouter reviewed Sep 10, 2020
View reviewed changes
pulpcore/app/models/content.py Outdated
Comment on lines 29 to 51
# All available digest fields ordered by algorithm strength.
_DIGEST_FIELDS = []
for alg in ("sha512", "sha384", "sha256", "sha224", "sha1", "md5"):
if alg in settings.ALLOWED_CONTENT_CHECKSUMS:
_DIGEST_FIELDS.append(alg)

# All available digest fields ordered by relative frequency
# (Better average-case performance in some algorithms with fallback)
_COMMON_DIGEST_FIELDS = []
for alg in ("sha256", "sha512", "sha384", "sha224", "sha1", "md5"):
if alg in settings.ALLOWED_CONTENT_CHECKSUMS:
_COMMON_DIGEST_FIELDS.append(alg)

# Available, reliable digest fields ordered by algorithm strength.
_RELIABLE_DIGEST_FIELDS = []
for alg in ("sha512", "sha384", "sha256"):
if alg in settings.ALLOWED_CONTENT_CHECKSUMS:
_RELIABLE_DIGEST_FIELDS.append(alg)

# Digest-fields that are NOT ALLOWED
_FORBIDDEN_DIGESTS = set(ALL_KNOWN_CONTENT_CHECKSUMS).difference(
set(settings.ALLOWED_CONTENT_CHECKSUMS)
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ty for all this.

bmbouter
bmbouter reviewed Sep 10, 2020
View reviewed changes
pulpcore/tests/unit/serializers/test_content.py Outdated
@@ -2,6 +2,8 @@

import mock
from pulpcore.app.serializers import ArtifactSerializer
from pulpcore.app import models
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test suite is expected to be run from a third party box and may not have pulpcore packages installed on it, or if they are, they may not be configured the same way. In those environments this import will fail or return incorrect data.

To resolve this, I think do two things:

  1. Have the test suite expect that ALLOWED_CONTENT_CHECKSUMS = {"sha1", "sha224", "sha256", "sha384", "sha512"}. This is the same approach used by the import/export tests which require the user to set settings to specific values for the test suite to pass.
  2. Have travis fulfill that requirement by adding in the var here:

    pulpcore/.travis/install.sh

    Line 78 in ab3e4eb

    pulp_settings: {"allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"]}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This last thing would need to go into the plugins template_config.yaml to survive regenerating the ci files.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also i just realize that this is a unit test. And i fail to see why it should be ok to import ArtifactSerializer but not Artifact.
Is there any context missing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated template_config.yml and regen'd. Turns out you cannot use sets and dynaconf together; tweaked ALLOWED_CONTENT_CHECKSUMS to be a list, explicitly used a set() around it wherever I needed to use difference/intersection.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, yes, as noted by @mdellweg , these are unit-tests not functional-tests, so it's ok to rely on being able to import directly (as they all do)

@ggainey
Copy link
Contributor Author

ggainey commented Sep 11, 2020

This code looks great to me. Impressive turnaround time on this.
Question: would it be possible to test this out by defining ALLOWED_CONTENT_CHECKSUMS in https://github.com/pulp/pulpcore/blob/master/.travis/settings.py.j2?

@daviddavis , I have...no insight here. I've done a lot of local testing by setting in /etc/pulp/settings.py.

You would add that to the plugins template_config and regenerate the travis directory.

Like here: https://github.com/pulp/pulpcore/blob/master/template_config.yml#L30

And done!

@ggainey ggainey force-pushed the 5216_fips_checksums branch 2 times, most recently from 5f9e459 to 7cee76f Compare September 11, 2020 20:42
@mdellweg
Copy link
Member

I was finally (sort of) able to pass the functional testsuite of pulpcore (pagination fails due to remaining repos from earlier tests of the same run) in fips environment.

@bmbouter
Copy link
Member

@ggainey is there a functional test that can assert that a sync'd content unit does not have 'md5' set?

@ggainey
Copy link
Contributor Author

ggainey commented Sep 14, 2020

@ggainey is there a functional test that can assert that a sync'd content unit does not have 'md5' set?

I only have unit-tests in this commit. Hm.

@bmbouter
Copy link
Member

@ggainey is there a functional test that can assert that a sync'd content unit does not have 'md5' set?

I only have unit-tests in this commit. Hm.

I think you could likely extend this test to check on the md5 aspects of things pretty easily. https://github.com/pulp/pulpcore/blob/master/pulpcore/tests/functional/api/test_crd_artifacts.py#L52-L57 wdyt?

@ggainey
Copy link
Contributor Author

ggainey commented Sep 15, 2020
edited

@ggainey is there a functional test that can assert that a sync'd content unit does not have 'md5' set?

I only have unit-tests in this commit. Hm.

I think you could likely extend this test to check on the md5 aspects of things pretty easily. https://github.com/pulp/pulpcore/blob/master/pulpcore/tests/functional/api/test_crd_artifacts.py#L52-L57 wdyt?

Fine idea - added testing for "did you get md5 back from a valid upload?" and a new test for "trying to upload while specifying md5 as the checksum should fail" (both assuming md5 is not present in ALLOWED_CONTENT_CHECKSUMS)

@bmbouter
Copy link
Member

I'm LGTM once the Artifact.__init__ docstring is added. Thank you @ggainey !

bmbouter
bmbouter approved these changes Sep 15, 2020
View reviewed changes
Copy link
Member

@bmbouter bmbouter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this very excellent piece of work. I really appreciate how you brought this together so quickly. 👍 🥇 🚀

@ggainey
Added support for specifying/limiting content-checksums used by Pulp.
542714b 
settings.ALLOWED_CONTENT_CHECKSUMS now drives the other checksum-related
fields of Artifact (DIGEST_FIELDS, COMMON_DIGEST_FIELDS, RELIABLE_DIGEST_FIELDS)

closes #5216
@daviddavis daviddavis merged commit 1926df8 into pulp:master Sep 15, 2020
@ggainey ggainey deleted the 5216_fips_checksums branch April 27, 2021 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mdellweg mdellweg mdellweg requested changes

@daviddavis daviddavis daviddavis approved these changes

@bmbouter bmbouter bmbouter approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ggainey @pulpbot @daviddavis @mdellweg @bmbouter