class TestProtectedRepoUtils(unittest.TestCase):

    def setUp(self):
        if os.path.exists(TEST_FILE):
            os.remove(TEST_FILE)
        self.utils = ProtectedRepoUtils(CONFIG)

    def tearDown(self):
        if os.path.exists(TEST_FILE):
            os.remove(TEST_FILE)
        global_cert_location = CONFIG.get('repos', 'global_cert_location')
        if os.path.exists(global_cert_location):
            shutil.rmtree(global_cert_location)

    def test_add_protected_repo(self):
        """
        Tests adding a protected repo.
        """

        # Setup
        repo_id = 'prot-repo-1'
        relative_path = 'path-1'

        # Test
        self.utils.add_protected_repo(relative_path, repo_id)

        # Verify
        listings = self.utils.read_protected_repo_listings()

        self.assertEqual(1, len(listings))
        self.assertTrue(relative_path in listings)
        self.assertEqual(listings[relative_path], repo_id)

    def test_delete_protected_repo(self):
        """
        Tests deleting an existing protected repo.
        """

        # Setup
        repo_id = 'prot-repo-1'
        relative_path = 'path-1'
        self.utils.add_protected_repo(relative_path, repo_id)

        # Test
        self.utils.delete_protected_repo(relative_path)

        # Verify
        listings = self.utils.read_protected_repo_listings()

        self.assertEqual(0, len(listings))
Exemple #2
0
 def __init__(self, config):
     self.config = config
     self.repo_cert_utils = RepoCertUtils(config)
     self.protected_repo_utils = ProtectedRepoUtils(config)
Exemple #3
0
class OidValidator:

    def __init__(self, config):
        self.config = config
        self.repo_cert_utils = RepoCertUtils(config)
        self.protected_repo_utils = ProtectedRepoUtils(config)

    def is_valid(self, dest, cert_pem, log_func):
        '''
        Returns if the specified  certificate should be able to access a certain URL.

        @param dest: destination URL trying to be accessed
        @type  dest: string

        @param cert_pem: PEM encoded client certificate sent with the request
        @type  cert_pem: string
        '''
        # Load the repo credentials if they exist
        passes_individual_ca = False
        repo_bundle = self._matching_repo_bundle(dest)
        if repo_bundle is not None:

            # If there is an individual bundle but no client certificate has been specified,
            # they are invalid
            if cert_pem == '':
                return False

            # Make sure the client cert is signed by the correct CA
            is_valid = self.repo_cert_utils.validate_certificate_pem(cert_pem, repo_bundle['ca'], log_func=log_func)
            if not is_valid:
                log_func('Client certificate did not match the repo consumer CA certificate')
                return False
            else:
                # Indicate it passed individual check so we don't run the global too
                passes_individual_ca = True

        # Load the global repo auth cert bundle and check it's CA against the client cert
        # if it didn't already pass the individual auth check
        global_bundle = self.repo_cert_utils.read_global_cert_bundle(['ca'])
        if not passes_individual_ca and global_bundle is not None:

            # If there is a global repo bundle but no client certificate has been specified,
            # they are invalid
            if cert_pem == '':
                return False

            # Make sure the client cert is signed by the correct CA
            is_valid = self.repo_cert_utils.validate_certificate_pem(cert_pem, global_bundle['ca'], log_func=log_func)
            if not is_valid:
                log_func('Client certificate did not match the global repo auth CA certificate')
                return False

        # If there were neither global nor repo auth credentials, auth passes.
        if global_bundle is None and repo_bundle is None:
            return True

        # If the credentials were specified for either case, apply the OID checks.
        is_valid = self._check_extensions(cert_pem, dest, log_func)
        if not is_valid:
            log_func("Client certificate failed extension check for destination: %s" % (dest))
        return is_valid

    def _matching_repo_bundle(self, dest):

        # Load the path -> repo ID mappings
        prot_repos = self.protected_repo_utils.read_protected_repo_listings()

        # Extract the repo portion of the URL
        #   Example URL: https://guardian/pulp/repos/my-repo/pulp/fedora-13/i386/repodata/repomd.xml
        #   Repo Portion: /my-repo/pulp/fedora-13/i386/repodata/repomd.xml
        repo_url = dest[dest.find(RELATIVE_URL) + len(RELATIVE_URL):]

        # If the repo portion of the URL starts with any of the protected relative URLs,
        # it is considered to be a request against that protected repo
        repo_id = None
        for relative_url in prot_repos.keys():

            # Relative URL is inconsistent in Pulp, so a simple "startswith" tends to
            # break. Changing this to a find helps remove issues where the leading /
            # is missing, present, or duplicated.
            if repo_url.find(relative_url) != -1:
                repo_id = prot_repos[relative_url]
                break

        if not repo_id:
            return None

        bundle = self.repo_cert_utils.read_consumer_cert_bundle(repo_id, ['ca'])
        return bundle

    def _check_extensions(self, cert_pem, dest, log_func):
        """
        Checks the requested destination path against the entitlement cert.

        :param cert_pem: certificate as PEM
        :type  cert_pem: str
        :param dest: path of desired destination
        :type  dest: str
        :param log_func: function used for logging
        :type  log_func: callable taking 1 argument of type basestring
        :return: True iff request is authorized, else False
        :rtype:  bool
        """
        cert = certificate.create_from_pem(cert_pem)

        # Extract the repo portion of the URL
        repo_dest = dest[dest.find(RELATIVE_URL) + len(RELATIVE_URL):]

        try:
            valid = cert.check_path(repo_dest)
        except AttributeError:
            # not an entitlement certificate, so no entitlements
            valid = False
        if not valid:
            log_func('Request denied to destination [%s]' % dest)

        return valid
 def setUp(self):
     if os.path.exists(TEST_FILE):
         os.remove(TEST_FILE)
     self.utils = ProtectedRepoUtils(CONFIG)
Exemple #5
0
class OidValidator:

    def __init__(self, config):
        self.config = config
        self.repo_cert_utils = RepoCertUtils(config)
        self.protected_repo_utils = ProtectedRepoUtils(config)

    def is_valid(self, dest, cert_pem, log_func):
        '''
        Returns if the specified  certificate should be able to access a certain URL.

        @param dest: destination URL trying to be accessed
        @type  dest: string

        @param cert_pem: PEM encoded client certificate sent with the request
        @type  cert_pem: string
        '''
        # Load the repo credentials if they exist
        passes_individual_ca = False
        repo_bundle = self._matching_repo_bundle(dest)
        if repo_bundle is not None:

            # If there is an individual bundle but no client certificate has been specified,
            # they are invalid
            if cert_pem == '':
                return False

            # Make sure the client cert is signed by the correct CA
            is_valid = self.repo_cert_utils.validate_certificate_pem(cert_pem, repo_bundle['ca'], log_func=log_func)
            if not is_valid:
                log_func('Client certificate did not match the repo consumer CA certificate')
                return False
            else:
                # Indicate it passed individual check so we don't run the global too
                passes_individual_ca = True

        # Load the global repo auth cert bundle and check it's CA against the client cert
        # if it didn't already pass the individual auth check
        global_bundle = self.repo_cert_utils.read_global_cert_bundle(['ca'])
        if not passes_individual_ca and global_bundle is not None:

            # If there is a global repo bundle but no client certificate has been specified,
            # they are invalid
            if cert_pem == '':
                return False

            # Make sure the client cert is signed by the correct CA
            is_valid = self.repo_cert_utils.validate_certificate_pem(cert_pem, global_bundle['ca'], log_func=log_func)
            if not is_valid:
                log_func('Client certificate did not match the global repo auth CA certificate')
                return False

        # If there were neither global nor repo auth credentials, auth passes.
        if global_bundle is None and repo_bundle is None:
            return True

        # If the credentials were specified for either case, apply the OID checks.
        is_valid = self._check_extensions(cert_pem, dest, log_func)
        if not is_valid:
            log_func("Client certificate failed extension check for destination: %s" % (dest))
        return is_valid

    def _matching_repo_bundle(self, dest):

        # Load the path -> repo ID mappings
        prot_repos = self.protected_repo_utils.read_protected_repo_listings()

        # Extract the repo portion of the URL
        #   Example URL: https://guardian/pulp/repos/my-repo/pulp/fedora-13/i386/repodata/repomd.xml
        #   Repo Portion: /my-repo/pulp/fedora-13/i386/repodata/repomd.xml
        repo_url = dest[dest.find(RELATIVE_URL) + len(RELATIVE_URL):]

        # If the repo portion of the URL starts with any of the protected relative URLs,
        # it is considered to be a request against that protected repo
        repo_id = None
        for relative_url in prot_repos.keys():

            # Relative URL is inconsistent in Pulp, so a simple "startswith" tends to
            # break. Changing this to a find helps remove issues where the leading /
            # is missing, present, or duplicated.
            if repo_url.find(relative_url) != -1:
                repo_id = prot_repos[relative_url]
                break

        if not repo_id:
            return None

        bundle = self.repo_cert_utils.read_consumer_cert_bundle(repo_id, ['ca'])
        return bundle

    def _check_extensions(self, cert_pem, dest, log_func):

        cert = certificate.Certificate(content=cert_pem)
        extensions = cert.extensions()

        # Extract the repo portion of the URL
        repo_dest = dest[dest.find(RELATIVE_URL) + len(RELATIVE_URL) + 1:]
        # Remove any initial or trailing slashes
        repo_dest = repo_dest.strip('/')

        valid = False
        for e in extensions:
            if self._is_download_url_ext(e):
                oid_url = extensions[e]

                if self._validate_url(oid_url, repo_dest):
                    valid = True
                    break

        if not valid:
            log_func('Request denied to destination [%s]' % dest)

        return valid

    def _is_download_url_ext(self, ext_oid):
        '''
        Tests to see if the given OID corresponds to a download URL value.

        @param ext_oid: OID being tested; cannot be None
        @type  ext_oid: a certificiate.OID object

        @return: True if the OID contains download URL information; False otherwise
        @rtype:  boolean
        '''
        result = ext_oid.match('1.3.6.1.4.1.2312.9.2.') and ext_oid.match('.1.6')
        return result

    def _validate_url(self, oid_url, dest):
        '''
        Returns whether or not the destination matches the OID download URL.

        @return: True if the OID permits the destination; False otherwise
        @rtype:  bool
        '''

        # Swap out all $ variables (e.g. $basearch, $version) for a reg ex wildcard in that location
        #
        # For example, the following entitlement:
        #   content/dist/rhel/server/$version/$basearch/os
        #
        # Should allow any value for the variables:
        #   content/dist/rhel/server/.+?/.+?/os

        # Remove initial and trailing '/', and substitute the $variables for
        # equivalent regular expressions in oid_url.
        oid_re = re.sub(r'\$[^/]+(/|$)', '[^/]+/', oid_url.strip('/'))
        return re.match(oid_re, dest) is not None