### pulp-certguard Overview and Tour

May 20, 2020

Brian Bouterse

slides: https://hackmd.io/@pulp/HJ54ndWo8#/
docs: https://pulp-certguard.readthedocs.io/
repo: https://github.com/pulp/pulp-certguard/

---

### User Agenda

* Problem Statement
* User Example
* API overview
* Architecture
* Features
  * X509CertGuard
  * RHSMCertGuard
  * RHSM Paths 4 examples
* Reverse Proxy Configuration
  * Nginx
  * Apache 2.4.10+
  * Apache < 2.4.10
* Configuring yum/dnf clients
* Debugging
* Documentation

---

### Developer Agenda

* code overview
* test coverage

---

### Problem Statement

:closed_lock_with_key: Pulp should only serve content, e.g. rpms, to authorized clients.

---

### User Example

https://pulp-certguard.readthedocs.io/en/latest/index.html#example

---

### API Overview

https://pulp-certguard.readthedocs.io/en/latest/redoc_ui.html

---

### Architecture

`client <-1-> Reverse Proxy <-2-> pulpcore-content`

1. Client communicates to Reverse Proxy via TLS
2. X-CLIENT-CERT header passes urlencoded cert to pulp-content.

---

### Why use TLS to submit certs?

* Guarantee client has both the cert **and** its key
* Works well with existing tools
  * yum/dnf
  * curl
  * httpie
  * etc

---

### Why urlencode X-CLIENT-CERT?
* Headers cannot have newlines

---

### X509CertGuard Features

* Stores a certificate authority certificate
* Can be associated with one or more Pulp Distributions
* Authorizes clients iff client cert is:
  * signed by CA associated with X509CertGuard
  * non-expired

---

### RHSMCertGuard Things to Know

* Needs `pip install rhsm` or runtime errors raised
* Supports both V1 and V3 certificates
  * transparently handled by RHSM library

---

### RHSMCertGuard Features

* Stores a certificate authority certificate
* Can be associated with one or more Pulp Distributions
* Authorizes clients iff client cert is:
  * signed by CA associated with RHSMCertGuard
  * non-expired
  * contains the Distribution.base_path

---

### RHSMCertGuard Path Example 1

Cert: /Default_Organization/Library/custom/foo/foo

#### Allowed Paths

* /Default_Organization/Library/custom/foo/foo/
* /Default_Organization/Library/custom/foo/foo/somefile.txt
* /Default_Organization/Library/custom/foo/foo/subdir/asdf/

---

### RHSMCertGuard Path Example 2

Cert: /Default_Organization/Library/content/dist/rhel/server/7/7Server/\$basearch/extras/os

#### Allowed Paths

* /Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/extras/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7Server/i386/extras/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/extras/os/subdir/somefile.txt

---

### RHSMCertGuard Path Example 3

Cert: /Default_Organization/Library/content/dist/rhel/server/7/\$releasever/\$basearch/os/

#### Allowed Paths

* /Default_Organization/Library/content/dist/rhel/server/7/7.4/x86_64/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7.6/x86_64/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7.4/x86_64/os/subdir/somefile.txt

---

### RHSMCertGuard Path Example 4

Cert: /Default_Organization

#### Allowed Paths

* /Default_Organization/Library/content/dist/rhel/server/7/7.4/x86_64/os/
* /Default_Organization/AnotherFolder/
* /Default_Organization/AnotherFolder/anything.txt

---

### Nginx Reverse Proxy Config

https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#nginx-config-example

---

### Apache 2.4.10+ Reverse Proxy Config

https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#apache-2-4-10-config-example

---

### Apache < 2.4.10 Reverse Proxy Config

CentOS ships 2.4.4 ...

https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#id1

---

### Configuring yum/dnf clients

Was here, but needs updating...

https://pulp-certguard.readthedocs.io/en/latest/yum-howto.html

---

### Debugging

https://pulp-certguard.readthedocs.io/en/latest/debugging.html

---

### User Links

docs: https://pulp-certguard.readthedocs.io/
bugs: https://pulp.plan.io/projects/certguard

---

### Code Overview

---

### Models

Contains both data and authorization logic...

* [BaseCertGuard](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/app/models.py#L26)
  * ca_certificate field
  * urlunquoting
  * Apache < 2.4.10 certificate reassembly
  * trust validation with openssl
  * non-expiration check
* [RHSMCertGuard](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/app/models.py#L86)
* [X509CertGuard](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/app/models.py#L152)

---

### Functional Tests

Lots of tests...
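---

### Added example: X-CLIENT-CERT transport

Not pulp-certguard's code: an added illustration of the first two steps listed for BaseCertGuard above, urlunquoting and the Apache < 2.4.10 certificate reassembly, as seen from the pulpcore-content side of the X-CLIENT-CERT header. It assumes the reverse proxy urlencodes the whole PEM (for Apache < 2.4.10, a PEM whose newlines have already been turned into spaces), uses a constructed PEM-shaped sample that is not a real certificate, and stops before the OpenSSL trust and non-expiration checks the plugin runs next.

```python
# Added example, not pulp-certguard's code.  Assumptions: the reverse proxy
# sends the PEM urlencoded in X-CLIENT-CERT; Apache < 2.4.10 additionally
# replaces the PEM's newlines with spaces.  SAMPLE_PEM is a constructed
# stand-in, not a real certificate; CA/expiry validation is out of scope here.
from urllib.parse import quote, unquote

HEADER = "X-CLIENT-CERT"
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed PEM-shaped sample; the base64 lines are filler, not a real cert.
SAMPLE_PEM = (
    BEGIN + "\n"
    "MIIBszCCAVmgAwIBAgIUQ0RFQkVFRg==\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    + END + "\n"
)


def encode_for_header(pem):
    """Reverse-proxy side: urlencode the PEM so the header carries no line break.

    safe="" also encodes '/', '+' and '=' so the value is one opaque token.
    """
    encoded = quote(pem, safe="")
    if "\n" in encoded or "\r" in encoded:
        raise ValueError("urlencoded header value must not contain line breaks")
    return encoded


def reassemble_pem(pem):
    """Canonicalize a PEM whose body may be newline- or space-separated.

    Apache < 2.4.10 hands over the certificate with its newlines turned into
    spaces.  The BEGIN/END markers contain a space themselves, so only the
    base64 body between them is split (on any whitespace) and re-joined with
    newlines; a well-formed PEM passes through unchanged.
    """
    if not pem.startswith(BEGIN) or END not in pem:
        raise ValueError("not a PEM certificate")
    body_lines = pem[len(BEGIN):pem.index(END)].split()
    return "\n".join([BEGIN, *body_lines, END]) + "\n"


def extract_client_cert(headers):
    """pulpcore-content side: return the client PEM or deny the request.

    A PermissionError here corresponds to the plugin's 403 response.
    Header names are compared case-insensitively, as HTTP requires.
    """
    raw = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if not raw:
        raise PermissionError(HEADER + " header missing: no client certificate presented")
    pem = unquote(raw).strip()
    if not pem.startswith(BEGIN) or END not in pem:
        raise PermissionError(HEADER + " does not carry a PEM certificate")
    return reassemble_pem(pem)


if __name__ == "__main__":
    # nginx / Apache 2.4.10+: the PEM arrives intact once urldecoded.
    print(extract_client_cert({HEADER: encode_for_header(SAMPLE_PEM)}) == SAMPLE_PEM)
    # Apache < 2.4.10: newlines became spaces before urlencoding.
    spaced = SAMPLE_PEM.strip().replace("\n", " ")
    print(extract_client_cert({HEADER: encode_for_header(spaced)}) == SAMPLE_PEM)
```

The reassembly splits the body on any whitespace rather than only on single spaces, so the same function serves both proxy generations and a PEM that was already well-formed is returned unchanged.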
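---

### Added example: RHSM content path check

Not pulp-certguard's code: an added illustration of the rule the four "RHSMCertGuard Path Example" slides show, the "contains the Distribution.base_path" bullet of the RHSMCertGuard features. It assumes that a content path from the entitlement certificate authorizes a request when it is a segment-by-segment prefix of the requested path, that `$basearch` and `$releasever` each stand for exactly one segment, and that a certificate may carry several content paths of which any one match suffices; the entitlement paths are taken from the slides, not read from a real RHSM certificate.

```python
# Added example, not pulp-certguard's code.  Assumptions: segment-wise prefix
# matching with $variables as single-segment wildcards, and any one of a
# certificate's content paths being enough.  Paths are constructed samples.
import re

# A $variable such as $basearch or $releasever occupies one whole segment.
VARIABLE_SEGMENT = re.compile(r"^\$[A-Za-z_][A-Za-z0-9_]*$")


def _segments(path):
    """Split on '/' and drop empty segments, so trailing slashes do not matter."""
    return [s for s in path.split("/") if s]


def path_authorized(entitled_path, requested_path):
    """True when the entitled content path covers the requested path."""
    requested = _segments(requested_path)
    # Refuse dot segments outright: the comparison is meant for an already
    # normalized Pulp path, never for one that could climb above base_path.
    if any(seg in (".", "..") for seg in requested):
        return False
    entitled = _segments(entitled_path)
    if len(requested) < len(entitled):
        return False  # the request sits above the entitled path
    for want, got in zip(entitled, requested):
        if VARIABLE_SEGMENT.match(want):
            continue  # wildcard segment: x86_64, i386, 7.4, ...
        if want != got:
            return False  # whole-segment compare, so foo/ does not cover foobar/
    return True


def cert_authorizes(entitled_paths, requested_path):
    """Any one content path on the certificate is enough."""
    return any(path_authorized(p, requested_path) for p in entitled_paths)


if __name__ == "__main__":
    cert_paths = [  # constructed, mirroring the slides' examples 1 and 2
        "/Default_Organization/Library/custom/foo/foo",
        "/Default_Organization/Library/content/dist/rhel/server/7/7Server/$basearch/extras/os",
    ]
    for req in [
        "/Default_Organization/Library/custom/foo/foo/somefile.txt",
        "/Default_Organization/Library/content/dist/rhel/server/7/7Server/i386/extras/os/",
        "/Default_Organization/Library/custom/foo/foobar/",
    ]:
        print(req, "->", "allow" if cert_authorizes(cert_paths, req) else "deny")
```

Comparing whole segments rather than string prefixes is the part worth keeping in mind: a certificate for `.../custom/foo/foo` must not cover `.../custom/foo/foobar/`, which a naive `startswith` check would allow.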
---

### Setup and Denial Tests

* [`BaseCertGuard`](https://github.com/pulp/pulp-certguard/blob/040177c629d24b02c93afe922e782df9acdba58e/pulp_certguard/tests/functional/api/base.py#L32)
  * Handles setup for all tests
* [`CommonDenialTestsMixin`](https://github.com/pulp/pulp-certguard/blob/040177c629d24b02c93afe922e782df9acdba58e/pulp_certguard/tests/functional/api/base.py#L99)
  * handles most denials
* [`constants.py`](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/tests/functional/constants.py)

---

### X509CertGuard Tests

[`X509CertGuardTestCase`](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/tests/functional/api/test_x509_certguard.py#L20)

---

### RHSMCertGuard Tests

* [`RHSMV1CertGuardTestCase`](https://github.com/pulp/pulp-certguard/blob/98b033344674df15e27338407b89c396f9eda395/pulp_certguard/tests/functional/api/test_rhsm_certguard.py#L139)
* [`RHSMV3CertGuardTestCase`](https://github.com/pulp/pulp-certguard/blob/98b033344674df15e27338407b89c396f9eda395/pulp_certguard/tests/functional/api/test_rhsm_certguard.py#L56)

---

### Thank you!

slides: https://hackmd.io/@pulp/HJ54ndWo8#/
docs: https://pulp-certguard.readthedocs.io/
repo: https://github.com/pulp/pulp-certguard/