On 02/19/13 03:57 PM, Shawn Walker wrote:
On 01/18/13 14:23, Erik Trauschke wrote:
Hi folks,
this is the addition of SSL client cert support to pkgrecv destinations,
pkgsend and pkgrepo.
The code changes are quite simple, it's the test suite changes which are
more complicated. I created a new TestClass which should make it easy to
test anything which requires client certs in the future.
One thing I noticed is that when reproducing the certs we use for the
signing and https tests, some sysrepo tests fail. Not sure if they use
some hard-coded cert data which wouldn't work anymore.
https://cr.opensolaris.org/action/browse/pkg/erisch/16193298/webrev/
src/pkgrepo.py:
line 1028: extra newline
lines 1503-1506: I don't think we should have the allow-timestamp thing
here, it doesn't make sense. I'd just drop the first if condition and
simplify.
src/tests/cli/t_pkgrecv.py:
lines 819-824: missing ' ' after ':'; this goes for all of the other
test files where this was copy/pasted as well
line 847: extra newline
src/tests/cli/t_pkgrepo.py:
line 2228: insert another newline
general comment: I don't see any tests here to see what happens when a
user only specifies a key file and not a cert file, when they don't have
permission to read the key/cert, or when they specify a file that
doesn't exist, or when the file is zero-length. Can you add tests for
those for each command and provide sample error output for each case
from *one* of the commands?
I know that's a non-trivial amount of work, but inevitably, it will trip
us up later.
What do you want to test for? That it fails? This is what it looks like
now:
# no cert file
$ pkgrepo list -s https://ipkg.us.oracle.com/solaris12/dev --key /tmp/ipkg.key.pem
pkgrepo: Framework error: code: 56 reason: SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, errno 0
URL: 'https://ipkg.us.oracle.com/solaris12/dev/versions/0/'

# key does not exist
$ pkgrepo list -s https://ipkg.us.oracle.com/solaris12/dev --key /tmp/blubberbla --cert /tmp/ipkg.certificate.pem
pkgrepo: Framework error: code: 58 reason: unable to set private key file: '/tmp/blubberbla' type PEM
URL: 'https://ipkg.us.oracle.com/solaris12/dev/versions/0/'

# no permissions
$ pkgrepo list -s https://ipkg.us.oracle.com/solaris12/dev --key /tmp/ipkg.key.pem --cert /tmp/ipkg.certificate.pem
pkgrepo: Framework error: code: 58 reason: unable to set private key file: '/tmp/ipkg.key.pem' type PEM
URL: 'https://ipkg.us.oracle.com/solaris12/dev/versions/0/'

# empty key file
$ pkgrepo list -s https://ipkg.us.oracle.com/solaris12/dev --key /tmp/key --cert /tmp/ipkg.certificate.pem
pkgrepo: Framework error: code: 58 reason: unable to set private key file: '/tmp/key' type PEM
URL: 'https://ipkg.us.oracle.com/solaris12/dev/versions/0/'
I have to test all iterations but I guess it fails exactly as all other
pkg commands since the whole handling of the certs/keys is done in the
transport.
We can work on better error messages in pkgrepo, pkgrecv and pkgsend,
though. However, this would mean changing the transport to fail with
something different than an SSL error.
Erik
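
Added example, not part of the thread and not code from pkg(5): a pre-flight check on the --key/--cert arguments that tells apart the four cases raised in the review (key without cert, missing file, unreadable file, zero-length file) before the transport is involved, where the output above shows three of them collapsing into the same "code: 58" message. The function name and message wording are hypothetical, and it assumes the key and certificate are passed as separate file paths.

```python
import errno


def _file_problem(path, label):
    """Return a message describing why `path` is unusable, or None."""
    try:
        with open(path, "rb") as f:
            first = f.read(1)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "%s file '%s' does not exist" % (label, path)
        if e.errno in (errno.EACCES, errno.EPERM):
            return "%s file '%s' is not readable: permission denied" % (
                label, path)
        # Anything else (a directory, an I/O error, ...) is reported as-is.
        return "%s file '%s' cannot be opened: %s" % (
            label, path, e.strerror)
    if not first:
        return "%s file '%s' is empty" % (label, path)
    return None


def client_cert_problems(key=None, cert=None):
    """Check --key/--cert values before any HTTPS request is attempted.

    Returns a list of human-readable problems; an empty list means the
    files passed the checks (or neither option was given). The contents
    are not parsed, so a malformed PEM still surfaces from the transport.
    """
    problems = []
    if key and not cert:
        # The case that otherwise shows up as a handshake failure (code 56).
        problems.append("--key given without --cert")
    for path, label in ((key, "key"), (cert, "certificate")):
        if path:
            msg = _file_problem(path, label)
            if msg:
                problems.append(msg)
    return problems
```

The files are opened rather than probed with os.access() so that the result reflects what the process can really read; the transport still has to handle failure, since a file can change between this check and the request.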