Remove the ability to use checksums weaker than sha256 during publish
closes #2488
dralley committed Dec 4, 2023
1 parent a014efa commit 9f18e8c
Showing 10 changed files with 83 additions and 40 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/scripts/install.sh
@@ -66,7 +66,7 @@ VARSYAML

cat >> vars/main.yaml << VARSYAML
pulp_env: {}
pulp_settings: {"allowed_content_checksums": ["sha1", "sha224", "sha256", "sha384", "sha512"], "allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"], "orphan_protection_time": 0}
pulp_settings: {"allowed_content_checksums": ["sha1", "sha224", "sha256", "sha512"], "allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"], "orphan_protection_time": 0}
pulp_scheme: https
pulp_container_tag: "latest"
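--- a/CHANGES/2488.removal
+++ b/CHANGES/2488.removal
@@ -0,0 +1 @@
+Removed support for publishing repos with a checksum type of md5, sha1, or sha224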
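--- a/pulp_rpm/app/constants.py
+++ b/pulp_rpm/app/constants.py
@@ -13,11 +13,6 @@
 
 # The same as above, but in a format that choice fields can use
 CHECKSUM_CHOICES = (
-(CHECKSUM_TYPES.UNKNOWN, CHECKSUM_TYPES.UNKNOWN),
-(CHECKSUM_TYPES.MD5, CHECKSUM_TYPES.MD5),
-(CHECKSUM_TYPES.SHA, CHECKSUM_TYPES.SHA1),
-(CHECKSUM_TYPES.SHA1, CHECKSUM_TYPES.SHA1),
-(CHECKSUM_TYPES.SHA224, CHECKSUM_TYPES.SHA224),
 (CHECKSUM_TYPES.SHA256, CHECKSUM_TYPES.SHA256),
 (CHECKSUM_TYPES.SHA384, CHECKSUM_TYPES.SHA384),
 (CHECKSUM_TYPES.SHA512, CHECKSUM_TYPES.SHA512),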
@@ -0,0 +1,53 @@
# Generated by Django 4.2.5 on 2023-11-07 05:26

from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
('rpm', '0056_rpmpublication_checksum_type_and_more'),
]

operations = [
migrations.AlterField(
model_name='package',
name='checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')]),
),
migrations.AlterField(
model_name='repometadatafile',
name='checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')]),
),
migrations.AlterField(
model_name='rpmpublication',
name='checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')]),
),
migrations.AlterField(
model_name='rpmpublication',
name='metadata_checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')]),
),
migrations.AlterField(
model_name='rpmpublication',
name='package_checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')]),
),
migrations.AlterField(
model_name='rpmrepository',
name='checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')], null=True),
),
migrations.AlterField(
model_name='rpmrepository',
name='metadata_checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')], null=True),
),
migrations.AlterField(
model_name='rpmrepository',
name='package_checksum_type',
field=models.TextField(choices=[('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')], null=True),
),
]
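Review bot: The first two `AlterField` operations narrow `choices` on `package.checksum_type` and `repometadatafile.checksum_type`, which reaches further than the "during publish" scope in the commit title. Those content models presumably record whatever checksum type the upstream repository metadata used, so rows holding `sha1` or `md5` would now fall outside the declared choices; Django enforces `choices` only in model and serializer validation, not in the database, so please confirm that sync and the content serializers still accept such packages. If the goal is only to restrict what Pulp generates at publish time, the content models could keep the full choice list while `rpmpublication` and `rpmrepository` use the reduced one. Separately, `dependencies` names `0056_rpmpublication_checksum_type_and_more`, while the migration edited later in this commit now depends on this one; the file names are not shown on this page, so check that the migration graph stays linear.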
@@ -8,11 +8,15 @@ def set_publication_checksum(apps, schema_editor):
RpmPublication = apps.get_model("rpm", "RpmPublication")
RpmPublication.objects.update(checksum_type=F("metadata_checksum_type"))

def set_repository_checksum(apps, schema_editor):
RpmRepository = apps.get_model("rpm", "RpmRepository")
RpmRepository.objects.filter(metadata_checksum_type__in=["md5", "sha", "sha1", "sha224"]).update(checksum_type="sha256")


class Migration(migrations.Migration):

dependencies = [
('rpm', '0056_remove_rpmpublication_sqlite_metadata_and_more'),
('rpm', '0057_alter_package_checksum_type_and_more'),
]

operations = [
@@ -32,4 +36,5 @@ class Migration(migrations.Migration):
name='checksum_type',
field=models.TextField(choices=[('unknown', 'unknown'), ('md5', 'md5'), ('sha1', 'sha1'), ('sha1', 'sha1'), ('sha224', 'sha224'), ('sha256', 'sha256'), ('sha384', 'sha384'), ('sha512', 'sha512')], null=True),
),
migrations.RunPython(set_repository_checksum),
]
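Review bot: `set_repository_checksum` filters only on `metadata_checksum_type` and writes only `checksum_type`, so a repository whose `package_checksum_type` is md5, sha1 or sha224 while its metadata type is already strong is left untouched, and the legacy `metadata_checksum_type`/`package_checksum_type` columns keep their weak values in every case. If those columns are still read after this commit, the filter could also match on `package_checksum_type__in=[...]` with the same list, and the same `update()` could reset the legacy fields. The `migrations.RunPython(set_repository_checksum)` added in the second hunk has no reverse callable, which makes the migration irreversible; `migrations.RunPython(set_repository_checksum, migrations.RunPython.noop)` would keep it reversible. Because this edits an existing migration rather than adding a new one, installations that have already applied it would never run the new step, which is only safe if the migration is unreleased, and this page does not show that. The `Migration` class body lies partly outside both hunks.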
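--- a/pulp_rpm/app/models/repository.py
+++ b/pulp_rpm/app/models/repository.py
@@ -247,6 +247,7 @@ def on_new_version(self, version):
 repository_version_pk=version.pk,
 metadata_signing_service=self.metadata_signing_service,
 checksum_types={
+"general": self.checksum_type,
 "metadata": self.metadata_checksum_type,
 "package": self.package_checksum_type,
 "general": self.checksum_type,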
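Review bot: The `checksum_types` literal now contains the key `"general"` twice: the added entry at the top and the identical one that was already three lines further down. Both map to `self.checksum_type`, so Python's last-wins rule changes nothing at runtime, but one of the two should be dropped. More relevant to this commit's goal, `"metadata"` and `"package"` are still forwarded from `self.metadata_checksum_type` and `self.package_checksum_type`; if a repository still stores md5, sha1 or sha224 there, auto-publish receives it, and whether the publish task then refuses or overrides it is not visible here. `on_new_version` starts and ends outside the hunk.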
10 changes: 0 additions & 10 deletions pulp_rpm/tests/functional/api/test_download_policies.py
@@ -8,16 +8,6 @@
from pulpcore.client.pulp_rpm import RpmRpmPublication


"""Sync a repository with different download policies.
This test targets the following issue:
`Pulp #4126 <https://pulp.plan.io/issues/4126>`_
`Pulp #4213 <https://pulp.plan.io/issues/4213>`_
`Pulp #4418 <https://pulp.plan.io/issues/4418>`_
"""


@pytest.mark.parametrize("download_policy", DOWNLOAD_POLICIES)
def test_download_policies(
download_policy,
40 changes: 20 additions & 20 deletions pulp_rpm/tests/functional/api/test_publish.py
@@ -43,18 +43,18 @@ def test_publish_with_unsupported_checksum_type(
Sync and try to publish an RPM repository.
- Sync repository with on_demand policy
- Try to publish with 'md5' checksum type
- Publish should fail because 'md5' is not allowed
- Try to publish with 'sha384' checksum type
- Publish should fail because 'sha384' is not allowed
This test require disallowed 'MD5' checksum type from ALLOWED_CONTENT_CHECKSUMS settings.
This test require disallowed 'sha384' checksum type from ALLOWED_CONTENT_CHECKSUMS settings.
"""
if "md5" in settings.ALLOWED_CONTENT_CHECKSUMS:
if "sha384" in settings.ALLOWED_CONTENT_CHECKSUMS:
pytest.skip(
reason="Cannot verify the expected hasher error if the 'MD5' checksum is allowed."
reason="Cannot check for the expected error if the 'sha384' checksum is allowed."
)

publish_data = RpmRpmPublication(
repository=rpm_unsigned_repo_on_demand.pulp_href, package_checksum_type="md5"
repository=rpm_unsigned_repo_on_demand.pulp_href, package_checksum_type="sha384"
)
with pytest.raises(ApiException) as ctx:
rpm_publication_api.create(publish_data)
@@ -580,14 +580,14 @@ def test_immediate_unspecified_checksum_types(get_checksum_types):
def test_on_demand_specified_package_checksum_type(get_checksum_types, delete_orphans_pre):
"""Sync and publish an RPM repository and verify the checksum types."""
repomd_checksum_types, primary_checksum_types = get_checksum_types(
package_checksum_type="sha384", policy="on_demand"
package_checksum_type="sha512", policy="on_demand"
)

for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
assert repomd_checksum_type == "sha256"

for package, package_checksum_type in primary_checksum_types.items():
# since none of the packages in question have sha384 checksums, the
# since none of the packages in question have sha512 checksums, the
# checksums they do have will be used instead. In this case, sha256.
assert package_checksum_type == "sha256"

@@ -596,11 +596,11 @@ def test_on_demand_specified_package_checksum_type(get_checksum_types, delete_or
def test_on_demand_specified_metadata_checksum_type(get_checksum_types):
"""Sync and publish an RPM repository and verify the checksum types."""
repomd_checksum_types, primary_checksum_types = get_checksum_types(
metadata_checksum_type="sha384", policy="on_demand"
metadata_checksum_type="sha512", policy="on_demand"
)

for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
assert repomd_checksum_type == "sha384"
assert repomd_checksum_type == "sha512"

for package, package_checksum_type in primary_checksum_types.items():
assert package_checksum_type == "sha256"
@@ -611,14 +611,14 @@ def test_on_demand_specified_metadata_and_package_checksum_type(
):
"""Sync and publish an RPM repository and verify the checksum types."""
repomd_checksum_types, primary_checksum_types = get_checksum_types(
package_checksum_type="sha224", metadata_checksum_type="sha224", policy="on_demand"
package_checksum_type="sha512", metadata_checksum_type="sha512", policy="on_demand"
)

for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
assert repomd_checksum_type == "sha224"
assert repomd_checksum_type == "sha512"

for package, package_checksum_type in primary_checksum_types.items():
# since none of the packages in question have sha224 checksums, the
# since none of the packages in question have sha512 checksums, the
# checksums they do have will be used instead. In this case, sha256.
assert package_checksum_type == "sha256"

@@ -627,25 +627,25 @@ def test_on_demand_specified_metadata_and_package_checksum_type(
def test_immediate_specified_package_checksum_type(get_checksum_types):
"""Sync and publish an RPM repository and verify the checksum types."""
repomd_checksum_types, primary_checksum_types = get_checksum_types(
package_checksum_type="sha384", policy="immediate"
package_checksum_type="sha512", policy="immediate"
)

for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
assert repomd_checksum_type == "sha256"

for package, package_checksum_type in primary_checksum_types.items():
assert package_checksum_type == "sha384"
assert package_checksum_type == "sha512"


@pytest.mark.parallel
def test_immediate_specified_metadata_checksum_type(get_checksum_types):
"""Sync and publish an RPM repository and verify the checksum types."""
repomd_checksum_types, primary_checksum_types = get_checksum_types(
metadata_checksum_type="sha384", policy="immediate"
metadata_checksum_type="sha512", policy="immediate"
)

for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
assert repomd_checksum_type == "sha384"
assert repomd_checksum_type == "sha512"

for package, package_checksum_type in primary_checksum_types.items():
assert package_checksum_type == "sha256"
@@ -655,14 +655,14 @@ def test_immediate_specified_metadata_checksum_type(get_checksum_types):
def test_immediate_specified_metadata_and_package_checksum_type(get_checksum_types):
"""Sync and publish an RPM repository and verify the checksum types."""
repomd_checksum_types, primary_checksum_types = get_checksum_types(
package_checksum_type="sha224", metadata_checksum_type="sha224", policy="immediate"
package_checksum_type="sha512", metadata_checksum_type="sha512", policy="immediate"
)

for repomd_type, repomd_checksum_type in repomd_checksum_types.items():
assert repomd_checksum_type == "sha224"
assert repomd_checksum_type == "sha512"

for package, package_checksum_type in primary_checksum_types.items():
assert package_checksum_type == "sha224"
assert package_checksum_type == "sha512"


@pytest.mark.parallel
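Review bot: None of these hunks tests the behaviour the commit introduces, namely that publishing with md5, sha1 or sha224 is refused. `test_publish_with_unsupported_checksum_type` now uses `sha384` and only exercises the `ALLOWED_CONTENT_CHECKSUMS` setting (it is skipped when sha384 is allowed), so a regression that re-admits a weak type would still pass the suite. A parametrized negative test along the lines below would pin the restriction; it accepts either exception type because the generated client may reject the value before any request is sent, and the fixture names are taken from the visible hunk and should be checked against the module. The first hunk starts inside the docstring of `test_publish_with_unsupported_checksum_type`, so its signature and the end of its body are outside the view.

```python
@pytest.mark.parallel
@pytest.mark.parametrize("weak_type", ["md5", "sha1", "sha224"])
def test_publish_rejects_weak_checksum_type(
    weak_type, rpm_unsigned_repo_on_demand, rpm_publication_api
):
    """Publishing with a checksum type weaker than sha256 must be refused."""
    # ValueError covers client-side enum validation, ApiException a server-side rejection.
    with pytest.raises((ApiException, ValueError)):
        publish_data = RpmRpmPublication(
            repository=rpm_unsigned_repo_on_demand.pulp_href, checksum_type=weak_type
        )
        rpm_publication_api.create(publish_data)
```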
3 changes: 1 addition & 2 deletions pulp_rpm/tests/functional/api/test_pulp_to_pulp.py
@@ -32,8 +32,7 @@ def test_pulp_pulp_sync(
# Create a publication.
publish_data = RpmRpmPublication(
repository=repo.pulp_href,
metadata_checksum_type="sha384",
package_checksum_type="sha224",
checksum_type="sha512",
)
publication = gen_object_with_cleanup(rpm_publication_api, publish_data)

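--- a/template_config.yml
+++ b/template_config.yml
@@ -56,7 +56,6 @@ pulp_settings:
 - sha1
 - sha224
 - sha256
-- sha384
 - sha512
 allowed_export_paths:
 - /tmp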
