### pulp-certguard Overview and Tour
May 20, 2020
Brian Bouterse
slides: https://hackmd.io/@pulp/HJ54ndWo8#/
docs: https://pulp-certguard.readthedocs.io/
repo: https://github.com/pulp/pulp-certguard/
---
### User Agenda
* Problem Statement
* User Example
* API overview
* Architecture
* Features
    * X509CertGuard
    * RHSMCertGuard
    * RHSM paths (4 examples)
* Reverse Proxy Configuration
    * Nginx
    * Apache 2.4.10+
    * Apache < 2.4.10
* Configuring yum/dnf clients
* Debugging
* Documentation
---
### Developer Agenda
* code overview
* test coverage
---
### Problem Statement
:closed_lock_with_key: Pulp should only serve content, e.g. rpms, to authorized clients.
---
### User Example
https://pulp-certguard.readthedocs.io/en/latest/index.html#example
---
### API Overview
https://pulp-certguard.readthedocs.io/en/latest/redoc_ui.html
---
### Architecture
client <-1-> Reverse Proxy <-2-> pulpcore-content
1. Client communicates to Reverse Proxy via TLS
2. X-CLIENT-CERT header passes urlencoded cert to pulp-content.
---
### Why use TLS to submit certs?
* Guarantee client has both the cert **and** its key
* Works well with existing tools
    * yum/dnf
    * curl
    * httpie
    * etc
---
### Why urlencode X-CLIENT-CERT?
* Headers cannot have newlines
---
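### X-CLIENT-CERT Header Handling Example
Added example, not pulp-certguard's own code: the proxy urlencodes the PEM client cert into the X-CLIENT-CERT header, and the content side unquotes it and normalizes it back into canonical PEM before any trust or expiry check. It assumes the Apache < 2.4.10 mangling turns the PEM newlines into spaces; the certificate body is constructed filler, not a real certificate.

```python
import base64
import re
from urllib.parse import quote, unquote

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def _wrap_pem(body_b64):
    """Lay out a base64 body as canonical PEM: 64-character lines."""
    lines = [body_b64[i:i + 64] for i in range(0, len(body_b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


# Constructed sample: the base64 body is filler text, not a real X.509
# certificate, so this PEM only exercises the transport, never a verifier.
SAMPLE_PEM = _wrap_pem(
    base64.b64encode(b"constructed sample, not a certificate " * 5).decode()
)


def proxy_header_value(pem):
    """Reverse-proxy side: urlencode the whole PEM so it fits on one header
    line (HTTP headers cannot carry the raw newlines a PEM contains)."""
    return quote(pem, safe="")


def apache_pre_2_4_10_header_value(pem):
    """Assumed shape of the older Apache behaviour the slides mention: the
    PEM newlines arrive as spaces before urlencoding."""
    return quote(pem.replace("\n", " "), safe="")


def normalize_pem(text):
    """Rebuild canonical PEM from a block whose internal whitespace was
    mangled in transit. Raises ValueError when no PEM block is present; a
    content guard should treat that as a denial, not as an empty cert."""
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM certificate block in X-CLIENT-CERT")
    body = re.sub(r"\s+", "", match.group(1))
    return _wrap_pem(body)


def header_to_pem(header_value):
    """Content side: undo the urlencoding, then normalize so the same bytes
    reach the signature and expiry checks regardless of proxy version."""
    return normalize_pem(unquote(header_value))
```
---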
### X509CertGuard Features
* Stores a certificate authority certificate
* Can be associated with one or more Pulp Distributions
* Authorizes clients iff client cert is:
    * signed by CA associated with X509CertGuard
    * non-expired
---
### RHSMCertGuard Things to Know
* Needs `pip install rhsm` or runtime errors raised
* Supports both V1 and V3 certificates
    * transparently handled by RHSM library
---
### RHSMCertGuard Features
* Stores a certificate authority certificate
* Can be associated with one or more Pulp Distributions
* Authorizes clients iff client cert is:
    * signed by CA associated with RHSMCertGuard
    * non-expired
    * contains the Distribution.base_path
---
### RHSMCertGuard Path Example 1
Cert: /Default_Organization/Library/custom/foo/foo
#### Allowed Paths
* /Default_Organization/Library/custom/foo/foo/
* /Default_Organization/Library/custom/foo/foo/somefile.txt
* /Default_Organization/Library/custom/foo/foo/subdir/asdf/
---
### RHSMCertGuard Path Example 2
Cert: /Default_Organization/Library/content/dist/rhel/server/7/7Server/\$basearch/extras/os
#### Allowed Paths
* /Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/extras/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7Server/i386/extras/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/extras/os/subdir/somefile.txt
---
### RHSMCertGuard Path Example 3
Cert: /Default_Organization/Library/content/dist/rhel/server/7/\$releasever/\$basearch/os/
#### Allowed Paths
* /Default_Organization/Library/content/dist/rhel/server/7/7.4/x86_64/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7.6/x86_64/os/
* /Default_Organization/Library/content/dist/rhel/server/7/7.4/x86_64/os/subdir/somefile.txt
---
### RHSMCertGuard Path Example 4
Cert: /Default_Organization
#### Allowed Paths
* /Default_Organization/Library/content/dist/rhel/server/7/7.4/x86_64/os/
* /Default_Organization/AnotherFolder/
* /Default_Organization/AnotherFolder/anything.txt
---
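### RHSMCertGuard Path Matching Example
Added example, not code from pulp-certguard or the rhsm library: the segment-wise path rule that the four examples above illustrate, applied to whatever path the guard compares (e.g. Distribution.base_path). Treating `$basearch` and `$releasever` as single-segment wildcards is an assumption drawn from those examples.

```python
def _segments(path):
    """Split a content path into its non-empty segments; trailing slashes,
    doubled slashes and a missing leading slash therefore do not matter."""
    return [seg for seg in path.split("/") if seg]


def path_authorized(cert_path, requested_path):
    """True iff the certificate's content path is a segment-wise prefix of
    requested_path. A $-prefixed segment ($basearch, $releasever) matches
    exactly one segment of any value; anything below the granted path
    (sub-directories, files) is allowed.

    Comparing whole segments rather than string prefixes keeps a cert for
    .../foo/foo from also granting .../foo/foobar."""
    granted = _segments(cert_path)
    wanted = _segments(requested_path)
    if len(wanted) < len(granted):
        return False  # requested path is above the granted path
    for expected, actual in zip(granted, wanted):
        if expected.startswith("$"):
            continue  # variable segment: any single value is acceptable
        if expected != actual:
            return False
    return True


def any_path_authorized(cert_paths, requested_path):
    """RHSM entitlement certs carry many content paths; one match suffices."""
    return any(path_authorized(p, requested_path) for p in cert_paths)


if __name__ == "__main__":
    # Path Example 2 from the slides plus one constructed denial.
    cert = "/Default_Organization/Library/content/dist/rhel/server/7/7Server/$basearch/extras/os"
    for req in (
        "/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/extras/os/",
        "/Default_Organization/Library/content/dist/rhel/server/7/7Server/x86_64/extras/",
    ):
        print(path_authorized(cert, req), req)
```
---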
### Nginx Reverse Proxy Config
https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#nginx-config-example
---
### Apache 2.4.10+ Reverse Proxy Config
https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#apache-2-4-10-config-example
---
### Apache < 2.4.10 Reverse Proxy Config
CentOS ships 2.4.4 ...
https://pulp-certguard.readthedocs.io/en/latest/reverse_proxy_config.html#id1
---
### Configuring yum/dnf clients
Was here, but needs updating...
https://pulp-certguard.readthedocs.io/en/latest/yum-howto.html
---
### Debugging
https://pulp-certguard.readthedocs.io/en/latest/debugging.html
---
### User Links
docs: https://pulp-certguard.readthedocs.io/
bugs: https://pulp.plan.io/projects/certguard
---
### Code Overview
---
### Models
Contains both data and authorization logic...
* [BaseCertGuard](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/app/models.py#L26)
    * ca_certificate field
    * urlunquoting
    * Apache < 2.4.10 certificate reassembly
    * trust validation with openssl
    * non-expiration check
* [RHSMCertGuard](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/app/models.py#L86)
* [X509CertGuard](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/app/models.py#L152)
---
### Functional Tests
Lots of tests...
---
### Setup and Denial Tests
* [`BaseCertGuard`](https://github.com/pulp/pulp-certguard/blob/040177c629d24b02c93afe922e782df9acdba58e/pulp_certguard/tests/functional/api/base.py#L32)
    * Handles setup for all tests
* [`CommonDenialTestsMixin`](https://github.com/pulp/pulp-certguard/blob/040177c629d24b02c93afe922e782df9acdba58e/pulp_certguard/tests/functional/api/base.py#L99)
    * handles most denials
* [`constants.py`](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/tests/functional/constants.py)
---
### X509CertGuard Tests
[`X509CertGuardTestCase`](https://github.com/pulp/pulp-certguard/blob/ff4fd03dea3b8863e0a4331ffa73e5afcb0682d4/pulp_certguard/tests/functional/api/test_x509_certguard.py#L20)
---
### RHSMCertGuard Tests
* [`RHSMV1CertGuardTestCase`](https://github.com/pulp/pulp-certguard/blob/98b033344674df15e27338407b89c396f9eda395/pulp_certguard/tests/functional/api/test_rhsm_certguard.py#L139)
* [`RHSMV3CertGuardTestCase`](https://github.com/pulp/pulp-certguard/blob/98b033344674df15e27338407b89c396f9eda395/pulp_certguard/tests/functional/api/test_rhsm_certguard.py#L56)
---
### Thank you!
slides: https://hackmd.io/@pulp/HJ54ndWo8#/
docs: https://pulp-certguard.readthedocs.io/
repo: https://github.com/pulp/pulp-certguard/