Tuesday, 2015-03-24

*** dimtruck is now known as zz_dimtruck		00:54
*** SheenaG has joined #openstack-barbican		01:12
*** SheenaG has left #openstack-barbican		01:12
*** kgriffs is now known as kgriffs\|afk		01:18
*** xaeth_afk is now known as xaeth		02:39
*** xaeth is now known as xaeth_afk		02:50
*** xaeth_afk is now known as xaeth		02:56
*** zz_dimtruck is now known as dimtruck		03:04
*** gyee has quit IRC		03:06
*** xaeth is now known as xaeth_afk		03:47
*** dave-mccowan has quit IRC		04:22
openstackgerrit	John Vrbanac proposed openstack/barbican: Splitting out remaining order tests from test_resources https://review.openstack.org/164588	04:24
openstackgerrit	John Vrbanac proposed openstack/barbican: Removing unused TimeKeeper class https://review.openstack.org/167089	04:37
*** dimtruck is now known as zz_dimtruck		04:40
openstackgerrit	Merged openstack/barbican: Fix pep8 gate errors https://review.openstack.org/166965	04:58
openstackgerrit	Merged openstack/barbican: Use unique refs for RSA container example https://review.openstack.org/164739	05:25
openstackgerrit	John Wood proposed openstack/barbican: Initial connect up retry task submit and re-enqueue https://review.openstack.org/167110	06:19
openstackgerrit	Merged openstack/barbican: Removing the debian folder https://review.openstack.org/166913	06:35
*** chlong has quit IRC		06:42
openstackgerrit	Merged openstack/castellan: Renames for consistent namespaces https://review.openstack.org/165884	06:52
*** chlong has joined #openstack-barbican		07:03
*** gitorres has joined #openstack-barbican		07:22
openstackgerrit	Merged openstack/barbican: Fix common misspellings https://review.openstack.org/166819	07:25
openstackgerrit	Merged openstack/barbican: Updated from global requirements https://review.openstack.org/166929	07:25
*** gitorres has left #openstack-barbican		07:40
openstackgerrit	Thomas Goirand proposed openstack/barbican: Makes configuration files more standard https://review.openstack.org/167031	07:59
openstackgerrit	Merged openstack/python-barbicanclient: Second set of negative secrets tests. https://review.openstack.org/163556	08:00
openstackgerrit	Merged openstack/python-barbicanclient: Second set of negative secrets tests. https://review.openstack.org/163556	08:00
*** gitorres1 has joined #openstack-barbican		08:04
*** tkelsey has joined #openstack-barbican		08:08
*** chlong has quit IRC		08:12
*** gitorres1 has quit IRC		08:22
*** kebray has quit IRC		09:15
*** gitorres has joined #openstack-barbican		09:19
*** woodster_ has quit IRC		09:20
*** gitorres has quit IRC		09:35
*** gitorres has joined #openstack-barbican		09:37
*** gitorres has left #openstack-barbican		09:44
*** jaosorior has joined #openstack-barbican		10:46
*** jamielennox is now known as jamielennox\|away		11:45
*** chlong has joined #openstack-barbican		12:12
*** woodster_ has joined #openstack-barbican		12:13
*** chlong has quit IRC		12:15
woodster_	alee: I put up a CR that connects the periodic task and retry stuff	12:28
jaosorior	woodster_: Which is it?	12:28
woodster_	alee: jaosorior its this one: https://review.openstack.org/#/c/167110/	12:31
*** chlong has joined #openstack-barbican		12:32
*** dave-mccowan has joined #openstack-barbican		12:34
*** chlong has quit IRC		12:35
*** chlong has joined #openstack-barbican		12:36
*** chlong has quit IRC		12:39
woodster_	alee: jaosorior ugh only cover breaks locally for me :\ will fix later today	12:45
openstackgerrit	Merged openstack/castellan: Remove Python 3.3 from setup.cfg and tox.ini https://review.openstack.org/165903	12:55
*** chlong has joined #openstack-barbican		12:56
alee	woodster_, great - will take a look	13:31
alee	woodster_, redrobot , hockeynut https://review.openstack.org/#/c/166839/	13:34
*** SheenaG has joined #openstack-barbican		13:34
openstackgerrit	Merged openstack/barbican: Removing unused TimeKeeper class https://review.openstack.org/167089	13:57
openstackgerrit	Merged openstack/barbican: Adding more content to the api reference for secrets https://review.openstack.org/167015	13:57
*** SheenaG has quit IRC		14:05
*** SheenaG has joined #openstack-barbican		14:10
*** zz_dimtruck is now known as dimtruck		14:16
*** kgriffs\|afk is now known as kgriffs		14:30
*** SheenaG has quit IRC		14:38
*** paul_glass has joined #openstack-barbican		14:39
*** SheenaG has joined #openstack-barbican		14:46
dave-mccowan	alee ping	14:47
alee	dave-mccowan, your fingers must be burning -- I was just thinking of pinging you	14:48
alee	dave-mccowan, you first ..	14:48
dave-mccowan	alee :-) some of the negative functional tests i wrote for stored key (bad secrets, missing secrets in container), i can't do. the container validators prevents me from creating the negative test case.	14:50
*** kebray has joined #openstack-barbican		14:51
alee	dave-mccowan, well thats the mark of a good validator ;) let me take a look	14:51
alee	dave-mccowan, so containers are immutable once you create them, right?	14:52
alee	so you can't create a generic container and then change it later to be a "certificate" container ..	14:53
alee	dave-mccowan, so at this point, we are requiring the container to be an 'rsa' container ..	14:54
*** kebray has quit IRC		14:54
alee	dave-mccowan, so in terms of negative test cases - what that means is that you try to pass in a generic container (ie type != 'rsa')	14:55
alee	and have a validation for that	14:56
alee	dave-mccowan, and you can certainly create a 'rsa' container with bad data -- although perhaps the check for that should be in the container validator for 'rsa' container	14:57
dave-mccowan	alee yep: i can do bad container ref, not found container, wrong type container. i just can't make a bad rsa container. all attempts fail at container validation for functional tests. i could just test those cases with unit test. (unless there is some override)	14:58
alee	dave-mccowan, the more I think on this - it seems that we should 1) require that the container_ref be 1) present 2) referencing a real container 3) be a 'rsa container'	14:59
dave-mccowan	alee for example, i tried to make a container with secret refs for secrets that dont exist. i got: Response: {"code": 404, "description": "Secret provided for 'public_key' doesn't exist.", "title": "Not Found"}	14:59
alee	dave-mccowan, we should add code to the 'rsa' container to ensure that the data used is valid	15:00
alee	dave-mccowan, so we can piggy back off the rsa container validator	15:00
alee	it is sufficient for us to check (in the cert validator) if the ref is there, is real and is rsa	15:00
dave-mccowan	alee yes. in that case perhaps i'm pretty close to done.	15:01
alee	if we want to check for internal structure of the rsa container and the goodness of the secrets stored within (ie. are they really rsa keys?) then that should be in the rsa container	15:01
dave-mccowan	alee from my attempts at creating a bad one, it looks like rsa container code is doing a pretty job validating already.	15:02
*** kebray has joined #openstack-barbican		15:03
alee	dave-mccowan, so you can't create a container with bogus secret_refs?	15:03
alee	ie. http://localhost/v1/secrets/badref	15:04
dave-mccowan	alee Request Body: {"name": "rsacontainer", "secret_refs": [{"secret_ref": "http://localhost:9311/v1/secrets/not_found1", "name": "public_key"}, {"secret_ref": "http://localhost:9311/v1/secrets/not_found2", "name": "private_key"}], "type": "rsa"}	15:04
dave-mccowan	Response: {"code": 404, "description": "Secret provided for 'public_key' doesn't exist.", "title": "Not Found"}	15:04
alee	cool	15:04
alee	dave-mccowan, the other test is whether those secrets are really rsa keys	15:05
alee	dave-mccowan, that I'm sure is not there	15:05
alee	ie. can public key be derived from private	15:05
alee	my guess is that validation code loads the key into some openssl function and derives the public key and verifies	15:06
dave-mccowan	alee ok. i'll try to create a negative test case along those lines.	15:06
alee	but that validator should be in rsa container	15:06
alee	dave-mccowan, co-incidentally someone was asking for specifically that kind of test the other day	15:07
alee	dave-mccowan, but maybe package up what you have so far	15:07
alee	dave-mccowan, I'm ready to start testing the stored key cases - and need your test code to do so.	15:08
alee	dave-mccowan, do the bad data test in a separate CR	15:08
dave-mccowan	alee sure. i just rebased and am fixing pep8 stuff now. i think i can get something up shortly.	15:09
rm_work	alee: woah, those kind of validation tests are actually in now?	15:18
*** SheenaG has quit IRC		15:18
rm_work	alee: what about Cert containers? does it check the cert vs. the private key, and the passphrase vs. the private key?	15:18
rm_work	we have code doing that right now in Octavia and Neutron, but I didn't think it'd make it to Barbican for various reasons	15:19
alee	rm_work, there is some cert container validation code in there already	15:20
alee	rm_work, dave-mccowan is working on validator for the stored_key case -- in this case, we will require a referecne to a 'rsa' container	15:21
rm_work	what I seem to recall was that there was concern about doing validation because of: A) The work-effort required to do that on the API nodes; B) It wouldn't work with transport-key because everything would need to be open	15:21
alee	rm_work, which type of validation are you talking about?	15:22
rm_work	the kind where you actually compare the private key to the cert, and the passphrase to the private key	15:22
alee	rm_work, gotcha	15:23
*** SheenaG has joined #openstack-barbican		15:23
rm_work	or like what you're apparently doing already for RSA, comparing private key to public	15:23
alee	rm_work, that validation isn't in there now -- we're discussing adding it	15:23
openstackgerrit	John Wood proposed openstack/barbican: Initial connect up retry task submit and re-enqueue https://review.openstack.org/167110	15:23
alee	rm_work, dave-mccowan but perhaps thats something for future discussion	15:24
alee	for the reasons mentioned above	15:24
alee	dave-mccowan, so lets table priv/public key validation on an rsa container for now	15:26
dave-mccowan	alee ok. i will make the test case, just so we know what happens from the stored-key-order perspective.	15:27
alee	yup	15:28
alee	dave-mccowan, let me know when you have something ready for review and I'll grab it and test it out	15:28
alee	(in the functional tests)	15:28
dave-mccowan	alee ok. should be by lunch, unless git bites me. i'm not sure what will happen, since my changes are based on cherry-picks.	15:30
*** ccneill has joined #openstack-barbican		15:30
alee	yup	15:31
*** gyee has joined #openstack-barbican		15:39
*** ccneill has quit IRC		15:56
*** ccneill has joined #openstack-barbican		15:59
*** SheenaG has quit IRC		16:00
*** ccneill has quit IRC		16:03
*** ccneill has joined #openstack-barbican		16:05
*** dimtruck is now known as zz_dimtruck		16:10
*** atiwari has quit IRC		16:15
openstackgerrit	Dave McCowan proposed openstack/barbican: Fix CA related exceptions, and unskip relevant tests https://review.openstack.org/166316	16:15
openstackgerrit	Dave McCowan proposed openstack/barbican: Implement validators and tests for stored key certificate orders https://review.openstack.org/167291	16:15
*** chlong has quit IRC		16:16
dave-mccowan	alee ^^ hopefully i did it right. first time i've tried to push changes based on another CR.	16:16
openstackgerrit	Everardo Padilla Saca proposed openstack/barbican: Avoid printing unexpected HTTP content types https://review.openstack.org/165056	16:20
*** SheenaG has joined #openstack-barbican		16:33
alee	dave-mccowan, yeah when you do that , you end up overwriting my cr	16:33
alee	dave-mccowan, I need to put in another patch for that one in any case -- will do so shortly	16:35
openstackgerrit	Merged openstack/python-barbicanclient: Container negative tests https://review.openstack.org/163985	16:37
*** SheenaG has quit IRC		17:06
*** darrenmoffat has quit IRC		17:12
*** ccneill_ has joined #openstack-barbican		17:13
*** darrenmoffat has joined #openstack-barbican		17:13
*** ccneill has quit IRC		17:16
*** jkf has joined #openstack-barbican		17:32
*** ccneill_ has quit IRC		17:33
*** kfarr has joined #openstack-barbican		17:37
openstackgerrit	Merged openstack/barbican: Splitting out remaining order tests from test_resources https://review.openstack.org/164588	17:46
*** ccneill_ has joined #openstack-barbican		17:58
*** ccneill_ has quit IRC		18:02
*** jamielennox\|away is now known as jamielennox		18:04
*** zz_dimtruck is now known as dimtruck		18:06
*** ccneill_ has joined #openstack-barbican		18:06
*** ccneill__ has joined #openstack-barbican		18:08
*** ccneill_ has quit IRC		18:11
*** crc32 has joined #openstack-barbican		18:26
*** SheenaG has joined #openstack-barbican		18:50
*** paul_glass has quit IRC		19:02
*** tkelsey has quit IRC		19:23
*** SheenaG has quit IRC		19:24
*** gyee has quit IRC		19:30
*** morganfainberg is now known as needslesscoffee		19:39
*** needslesscoffee is now known as morganfainberg		19:50
*** tkelsey has joined #openstack-barbican		19:50
*** tkelsey has quit IRC		19:55
*** jkf has quit IRC		19:59
*** SheenaG has joined #openstack-barbican		19:59
*** ccneill__ has quit IRC		20:00
*** jkf has joined #openstack-barbican		20:01
*** ccneill__ has joined #openstack-barbican		20:06
*** paul_glass has joined #openstack-barbican		20:08
*** ccneill__ has quit IRC		20:30
*** SheenaG has quit IRC		20:48
*** SheenaG has joined #openstack-barbican		20:51
*** jaosorior has quit IRC		20:52
*** ccneill__ has joined #openstack-barbican		21:00
*** ccneill__ is now known as ccneill		21:03
*** openstackgerrit has quit IRC		21:07
*** openstackgerrit has joined #openstack-barbican		21:07
*** SheenaG has quit IRC		21:12
*** jkf has quit IRC		21:39
*** jkf has joined #openstack-barbican		21:41
*** redrobot has quit IRC		21:42
*** redrobot has joined #openstack-barbican		21:47
*** redrobot is now known as Guest9385		21:47
*** paul_glass has quit IRC		21:58
*** ccneill has quit IRC		21:59
*** kebray has quit IRC		21:59
*** Guest9385 is now known as redrobot		22:00
*** ChanServ sets mode: +o redrobot		22:01
*** kfarr has quit IRC		22:03
*** ccneill has joined #openstack-barbican		22:05
*** kebray has joined #openstack-barbican		22:11
*** dimtruck is now known as zz_dimtruck		22:24
hockeynut	jvrbanac reaperhulk ping?	22:32
reaperhulk	what's up?	22:33
hockeynut	requests v2.6.0	22:33
hockeynut	getting InsecurePlatformWarning	22:33
hockeynut	InsecurePlatformWarning	22:33
hockeynut	A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.	22:33
reaperhulk	old python 2.7	22:34
reaperhulk	upgrade to 2.7.9 to make that go away	22:34
reaperhulk	(or ignore it)	22:34
hockeynut	thats the other thing	22:34
hockeynut	wasn't sure if I should grab 2.5.3 requests or use py279	22:34
hockeynut	I guess no reason not to use 279	22:34
reaperhulk	yeah just update python	22:34
hockeynut	done. thx!	22:35
hockeynut	+1 experience points for you!	22:35
*** crc32 has quit IRC		22:35
*** joesavak has joined #openstack-barbican		22:40
*** alee is now known as alee_afk		23:09
*** ccneill has quit IRC		23:13
*** kebray has quit IRC		23:15
*** chlong has joined #openstack-barbican		23:20
*** joesavak has quit IRC		23:24
*** chlong has quit IRC		23:35
*** chlong has joined #openstack-barbican		23:35
*** jkf has quit IRC		23:39
*** everjeje has quit IRC		23:46
*** tkelsey has joined #openstack-barbican		23:52
*** gyee has joined #openstack-barbican		23:54
*** tkelsey has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!