Commit 0578762b authored by Łukasz Nowak's avatar Łukasz Nowak

Ignore bad signature certificates with message

When the list of signature certificates is processed, any one of them can result
in the cache not being used during download, which is a bad situation.

Just ignore bad certificates while checking the list, so any other good
ones can be used.

/reviewed-on nexedi/slapos.libnetworkcache!4
parent f47b10af
...@@ -212,9 +212,13 @@ class NetworkcacheClient(object): ...@@ -212,9 +212,13 @@ class NetworkcacheClient(object):
signature_certificate_list = [cert_marker + '\n' + q.strip() \ signature_certificate_list = [cert_marker + '\n' + q.strip() \
for q in signature_certificate_list.split(cert_marker) \ for q in signature_certificate_list.split(cert_marker) \
if q.strip()] if q.strip()]
self.signature_certificate_list = [ self.signature_certificate_list = []
crypto.load_certificate(crypto.FILETYPE_PEM, certificate) for certificate in signature_certificate_list or ():
for certificate in signature_certificate_list or ()] try:
loaded_certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
except Exception as e:
logger.info('Ignored wrong certificate, reason:\n%s, offending certificate:\n%s', e.message, certificate)
self.signature_certificate_list.append(loaded_certificate)
# NetworkcacheClient context manager catches all exceptions and logs them # NetworkcacheClient context manager catches all exceptions and logs them
# with INFO severity. This provides a easy way to use a networkcache safely # with INFO severity. This provides a easy way to use a networkcache safely
......
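Review bot: The `self.signature_certificate_list.append(loaded_certificate)` call after the `except` branch appears to run even when loading failed (indentation is not preserved on this page, so this is inferred). In that case `loaded_certificate` is unbound if the first certificate is bad, or still holds the previous good certificate, which is then appended a second time. Moving the append into an `else:` clause of the `try` avoids both. `e.message` does not exist on Python 3 exceptions, so the handler itself can raise there; pass `e` to the logger instead, and catch `crypto.Error` rather than `Exception` so unrelated failures stay visible. Because rejected certificates are only reported at INFO level, it is worth confirming outside this hunk that a list left empty after filtering still causes signed entries to be refused rather than accepted unverified.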
...@@ -274,6 +274,21 @@ MME4ERnBbgy6Q0GBxceic+XAPBKPjqUP1DSS/qA7tagtKjhrkuViGB7frAs3hrgi ...@@ -274,6 +274,21 @@ MME4ERnBbgy6Q0GBxceic+XAPBKPjqUP1DSS/qA7tagtKjhrkuViGB7frAs3hrgi
kVeHJCQRw/7QzQMf99Sp6Ii3eoYmGK4nYDwjxq7w6jeDSykata35Qs//ZVv0eStt kVeHJCQRw/7QzQMf99Sp6Ii3eoYmGK4nYDwjxq7w6jeDSykata35Qs//ZVv0eStt
ZnQT1pVLar+DmUyaX9rehBM57JSnE0zvprgsVHSL0PRHH8fImdOJ ZnQT1pVLar+DmUyaX9rehBM57JSnE0zvprgsVHSL0PRHH8fImdOJ
-----END CERTIFICATE----- -----END CERTIFICATE-----
"""
bad_certificate = """-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
""" """
ca_cert = """-----BEGIN CERTIFICATE----- ca_cert = """-----BEGIN CERTIFICATE-----
...@@ -545,6 +560,13 @@ class OnlineTest(OnlineMixin, unittest.TestCase): ...@@ -545,6 +560,13 @@ class OnlineTest(OnlineMixin, unittest.TestCase):
json.dump(hacked_json, f) json.dump(hacked_json, f)
self.assertEqual(self.select(signed_nc, key), None) self.assertEqual(self.select(signed_nc, key), None)
def test_NetworkcacheClient_handle_bad_certificates(self):
signed_nc = slapos.libnetworkcache.NetworkcacheClient(
self.shacache, self.shadir, signature_certificate_list=[
self.certificate,
self.bad_certificate])
self.assertLog('Ignored wrong certificate, reason')
def test_DirectoryNotFound_non_trustable_entry(self): def test_DirectoryNotFound_non_trustable_entry(self):
key_file = tempfile.NamedTemporaryFile('w+') key_file = tempfile.NamedTemporaryFile('w+')
key_file.write(self.key) key_file.write(self.key)
......
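Review bot: `test_NetworkcacheClient_handle_bad_certificates` only asserts that the log line was emitted, so it does not check which certificates ended up trusted. Adding `self.assertEqual(len(signed_nc.signature_certificate_list), 1)` would pin that the bad entry is dropped and the good one is kept exactly once. The test passes the good certificate first; a second case with `self.bad_certificate` first would cover the path where no certificate has been loaded yet when the failure occurs.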