Commit 0578762b by Łukasz Nowak

Ignore bad signature certificates with message

When the list of signature certificates is processed, any one of them can
result in the cache not being used during download, which is a bad situation.

Just ignore bad certificates while checking the list, so any other good
ones can be used.

/reviewed-on !4
1 parent f47b10af
Pipeline #6934 for 0578762b failed in 0 seconds
......@@ -212,9 +212,13 @@ class NetworkcacheClient(object):
signature_certificate_list = [cert_marker + '\n' + q.strip() \
for q in signature_certificate_list.split(cert_marker) \
if q.strip()]
self.signature_certificate_list = [
crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
for certificate in signature_certificate_list or ()]
self.signature_certificate_list = []
for certificate in signature_certificate_list or ():
try:
loaded_certificate = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
except Exception as e:
logger.info('Ignored wrong certificate, reason:\n%s, offending certificate:\n%s', e.message, certificate)
self.signature_certificate_list.append(loaded_certificate)
# NetworkcacheClient context manager catches all exceptions and logs them
# with INFO severity. This provides a easy way to use a networkcache safely
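Review bot: The `append` on the last added line comes after the `except` clause, so whatever its indentation (lost on this page) it is not in the `try` body: when `load_certificate` raises, `loaded_certificate` is either unbound (a `NameError` if the bad entry is first) or still holds the previous certificate, which is then appended a second time. Add the certificate only on success, for example by moving `self.signature_certificate_list.append(loaded_certificate)` under an `else:` of the `try`, or by adding `continue` after the log call. `e.message` does not exist on Python 3 exceptions, so pass `e` itself to the `%s` placeholder, and if `crypto` is pyOpenSSL's module, catching `crypto.Error` instead of `Exception` keeps unrelated failures visible. If every supplied certificate is rejected the list ends up empty; the hunk does not show how the client treats an empty list, so confirm that it does not fall back to accepting unsigned entries. The enclosing method starts outside the hunk.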
......
......@@ -276,6 +276,21 @@ ZnQT1pVLar+DmUyaX9rehBM57JSnE0zvprgsVHSL0PRHH8fImdOJ
-----END CERTIFICATE-----
"""
bad_certificate = """-----BEGIN CERTIFICATE-----
MIIB4DCCAUkCADANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJGUjEZMBcGA1UE
CBMQRGVmYXVsdCBQcm92aW5jZTEPMA0GA1UEChMGTmV4ZWRpMB4XDTExMDkxNTA5
MDAwMloXDTEyMDkxNTA5MDAwMlowOTELMAkGA1UEBhMCRlIxGTAXBgNVBAgTEERl
ZmF1bHQgUHJvdmluY2UxDzANBgNVBAoTBk5leGVkaTCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEApYZv6OstoqNzxG1KI6iE5U4Ts2Xx9lgLeUGAMyfJLyMmRLhw
boKOyJ9Xke4dncoBAyNPokUR6iWOcnPHtMvNOsBFZ2f7VA28em3+E1JRYdeNUEtX
Z0s3HjcouaNAnPfjFTXHYj4um1wOw2cURSPuU5dpzKBbV+/QCb5DLheynisCAwEA
ATANBgkqhkiG9w0BAQsFAAOBgQBCZLbTVdrw3RZlVVMFezSHrhBYKAukTwZrNmJX
mHqi2tN8tNo6FX+wmxUUAf3e8R2Ymbdbn2bfbPpcKQ2fG7PuKGvhwMG3BlF9paEC
q7jdfWO18Zp/BG7tagz0jmmC4y/8akzHsVlruo2+2du2freE8dK746uoMlXlP93g
QUUGLQ==
-----END CERTIFICATE-----
"""
ca_cert = """-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAK6xwAnLgupDMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
VQQGEwJQTDENMAsGA1UECAwETGFrYTELMAkGA1UEBwwCVWwxEDAOBgNVBAoMB1Bh
......@@ -545,6 +560,13 @@ class OnlineTest(OnlineMixin, unittest.TestCase):
json.dump(hacked_json, f)
self.assertEqual(self.select(signed_nc, key), None)
def test_NetworkcacheClient_handle_bad_certificates(self):
signed_nc = slapos.libnetworkcache.NetworkcacheClient(
self.shacache, self.shadir, signature_certificate_list=[
self.certificate,
self.bad_certificate])
self.assertLog('Ignored wrong certificate, reason')
def test_DirectoryNotFound_non_trustable_entry(self):
key_file = tempfile.NamedTemporaryFile('w+')
key_file.write(self.key)
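Review bot: `test_NetworkcacheClient_handle_bad_certificates` asserts only the log line, so it would still pass if the rejected entry left a duplicate or stale object in the client's certificate list. It should also pin the resulting list, e.g. `self.assertEqual(len(signed_nc.signature_certificate_list), 1)`. A second case with `self.bad_certificate` placed first would cover the path where no certificate has been loaded yet when the failure occurs.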
......