
X.509 Certguards plugin for the Pulp Project

Project description

This is the pulp_certguard plugin for the Pulp Project 3.0+. It provides X.509 certificate-based content protection. The X509CertGuard authenticates a web request by validating the client certificate passed in the SSL_CLIENT_CERTIFICATE HTTP header against the CA (Certificate Authority) certificate the guard has been configured with.

All REST API examples below use httpie to perform the requests. The httpie commands assume that the user executing them has a .netrc file in the home directory. The ~/.netrc should have the following configuration:

machine localhost
login admin
password admin

If you configured the admin user with a different password, adjust the configuration accordingly. If you prefer to specify the username and password with each request, please see httpie documentation on how to do that.

This documentation uses the jq command-line tool to parse the JSON returned by requests, in order to get the unique URLs generated when objects are created. To follow this documentation as-is, install jq with:

$ sudo dnf install jq

Install pulpcore

Follow the installation instructions provided with pulpcore.

Users should install from either PyPI or source.

Install pulp-certguard from source

source ~/pulpvenv/bin/activate
git clone https://github.com/pulp/pulp-certguard.git
cd pulp-certguard
pip install -e .

Install pulp-certguard From PyPI

source ~/pulpvenv/bin/activate
pip install pulp-certguard

Make and Run Migrations

django-admin makemigrations certguard
django-admin migrate certguard

Create a content guard named foo

This example assumes that ~/ca.pem is a PEM encoded CA certificate.

$ http --form POST http://localhost:8000/pulp/api/v3/contentguards/certguard/x509/ name=foo ca_certificate@~/ca.pem

{
    ...
    "_href": "/pulp/api/v3/contentguards/certguard/x509/3046291f-d432-4a85-9d7e-fad12b0aaed7/",
    ...
}

$ export GUARD_HREF=$(http localhost:8000/pulp/api/v3/contentguards/certguard/x509/?name=foo | jq -r '.results[0]._href')

Create a distribution with content protection

$ http POST http://localhost:8000/pulp/api/v3/distributions/ name=bar base_path=files content_guard=${GUARD_HREF}

{
    ...
    "_href": "/pulp/api/v3/distributions/305adfe0-4851-432f-9de3-13f9b10fe131/"
    ...
}

Add content protection to an existing distribution

$ http PATCH http://localhost:8000/pulp/api/v3/distributions/1/ content_guard=${GUARD_HREF}

{
    ...
    "_href": "/pulp/api/v3/distributions/0fbb102a-cb38-4d5c-afc2-b9a76e862a1d/"
    ...
}

Download protected content

The following examples assume there is a file named 1.iso published under the files distribution. They further assume there is a PEM encoded client certificate at ~/client.pem, signed by the CA at ~/ca.pem, and a PEM encoded private key for it at ~/key.pem.

Example of GET directly to the content application running on port 8080 over HTTP. When setting the SSL-CLIENT-CERTIFICATE manually, the newlines need to be stripped due to restrictions on legal characters in HTTP header values.

$ http localhost:8080/pulp/content/files/1.iso SSL-CLIENT-CERTIFICATE:"$(tr -d '\n' < ~/client.pem)"

+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+
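The check the guard performs, and the newline stripping the header requires, can be reproduced locally with the openssl CLI. The script below is an added example, not pulp_certguard's own code: it builds a throwaway test CA and a client certificate (constructed test data, named after the ~/ca.pem and ~/client.pem files used above), flattens the client certificate into the single-line header value exactly as the tr -d '\n' command does, then reverses that flattening and validates the certificate against the CA, once against the CA that issued it and once against an unrelated CA. It assumes the openssl command is installed and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not pulp_certguard's own code). Assumes the openssl CLI.
# Demonstrates: PEM -> single-line header value -> PEM again -> CA validation.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. $1 is a name prefix for the key/cert files.
# Constructed test data only; nothing here is a real authority.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client certificate signed by CA $1; $2 is the client name prefix.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# Header value for SSL-CLIENT-CERTIFICATE: the PEM file with every newline
# removed, which is what the README's tr -d '\n' invocation produces.
header_value() {
    tr -d '\n' < "$1"
}

# Reverse the flattening: drop the PEM armor, base64-decode the remaining
# single-line body to DER, and let openssl re-emit a well-formed PEM.
header_to_pem() {
    printf '%s' "$1" \
        | sed -e 's/-----BEGIN CERTIFICATE-----//' -e 's/-----END CERTIFICATE-----//' \
        | openssl base64 -d -A \
        | openssl x509 -inform DER -outform PEM
}

# The guard's decision: $1 is the CA file, $2 the header value.
# Exit status 0 means the presented certificate chains to that CA.
verify_header() {
    header_to_pem "$2" > "$WORK/presented.pem" || return 1
    openssl verify -CAfile "$1" "$WORK/presented.pem" >/dev/null 2>&1
}

# Stand-alone demonstration.
make_ca test-ca
make_ca other-ca
make_client_cert test-ca client
HDR="$(header_value "$WORK/client.pem")"

if verify_header "$WORK/test-ca.pem" "$HDR"; then
    echo "accepted: client certificate chains to test-ca"
fi
if ! verify_header "$WORK/other-ca.pem" "$HDR"; then
    echo "rejected: client certificate does not chain to other-ca"
fi
```

Two things the walk-through makes concrete: the header value carries the whole certificate (only the line breaks are gone, so it is not a fingerprint or a summary), and the only thing that makes the request acceptable is a valid signature chain to the configured CA, which is why the second check fails without any change to the certificate itself.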

Example of GET through a reverse proxy using HTTPS (like apache or nginx) in front of the content application. It’s assumed that the reverse proxy has been configured to set the SSL-CLIENT-CERTIFICATE header using the client certificate exchanged as part of the SSL negotiation.

$ http https://localhost/pulp/content/files/1.iso --cert=~/client.pem --cert-key=~/key.pem --verify=no

+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+


Download files


Source Distribution

pulp-certguard-0.1.0rc1.tar.gz (15.6 kB view details)

Uploaded Source

Built Distribution

pulp_certguard-0.1.0rc1-py3-none-any.whl (17.2 kB view details)

Uploaded Python 3

File details

Details for the file pulp-certguard-0.1.0rc1.tar.gz.

File metadata

  • Download URL: pulp-certguard-0.1.0rc1.tar.gz
  • Upload date:
  • Size: 15.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.7

File hashes

Hashes for pulp-certguard-0.1.0rc1.tar.gz
Algorithm Hash digest
SHA256 4b32ba7501b8dfbd773e7aeeff6c409acf348e4c79c7d0e739c9f2d8be91f9b7
MD5 bc8b412407d1e67fa40b969d70a2b61d
BLAKE2b-256 2036b1927be375a417ca5fba65037e4ba0bb4ca49e62a49ab2ca3bff09fd1930


File details

Details for the file pulp_certguard-0.1.0rc1-py3-none-any.whl.

File metadata

  • Download URL: pulp_certguard-0.1.0rc1-py3-none-any.whl
  • Upload date:
  • Size: 17.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.7

File hashes

Hashes for pulp_certguard-0.1.0rc1-py3-none-any.whl
Algorithm Hash digest
SHA256 5720c037fe1bd78451d30e28e429a06e417a7c800ba16138f1c7d86eec7eb502
MD5 675eb0f61f89ad4ea09dabcef9ab2128
BLAKE2b-256 fd65380448b7c1c784008950050f4642367c21ae3bb0f1880dc82364623bdc43

