Wednesday, 2015-04-01

openstackgerritJohn Wood proposed openstack/barbican: Restore worker tasks processing catching exceptions
*** zz_dimtruck is now known as dimtruck01:04
*** alee_ has joined #openstack-barbican02:09
*** kebray has joined #openstack-barbican02:10
*** alee has joined #openstack-barbican02:17
aleewoodster_, ?02:17
*** david-lyle has joined #openstack-barbican03:13
openstackgerritAde Lee proposed openstack/barbican: Changes to get remaining cert functional tests working
*** dimtruck is now known as zz_dimtruck03:33
*** zz_dimtruck is now known as dimtruck03:36
*** tkelsey has joined #openstack-barbican03:39
*** tkelsey has quit IRC03:44
openstackgerritDave McCowan proposed openstack/barbican: Implement validators and tests for stored key certificate orders
*** dimtruck is now known as zz_dimtruck04:17
*** dave-mccowan has quit IRC04:42
*** alee_ has quit IRC04:47
*** alee has quit IRC04:47
*** alee has joined #openstack-barbican04:48
*** alee_ has joined #openstack-barbican04:49
*** tkelsey has joined #openstack-barbican05:40
*** tkelsey has quit IRC05:45
*** kebray has quit IRC05:48
*** kebray has joined #openstack-barbican05:49
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex
*** woodster_ has quit IRC06:30
*** everjeje has joined #openstack-barbican07:43
*** kebray has quit IRC08:10
*** tkelsey has joined #openstack-barbican08:28
openstackgerritThomas Herve proposed openstack/python-barbicanclient: Fix order listing on the command line.
*** darrenmoffat has quit IRC10:13
*** darrenmoffat has joined #openstack-barbican10:13
*** dave-mccowan has joined #openstack-barbican12:25
*** atiwari2 has joined #openstack-barbican12:28
*** atiwari1 has quit IRC12:31
*** woodster_ has joined #openstack-barbican12:38
woodster_I'm rubbing my eyes and still see it on my phone's gerrit review page...that circa 90's pesky Microsoft paper clip! Aghhhh!12:45
dave-mccowanwoodster_ lol april fools13:01
woodster_dave-mccowan: I had flash backs to the Microsoft Age man, not cool :)13:03
*** alee_ has quit IRC13:03
aleewoodster_, dave-mccowan aaargh - its clippy!13:04
dave-mccowanalee, woodster_, "it looks like you're writing a letter"13:07
woodster_Yeah I remember it being pretty opinionated....if you did something it didn't like it would wag its end at you with a frown, tapping the monitor like a cranky old teacher13:07
*** jaosorior has joined #openstack-barbican13:11
aleewoodster_, can you take a look at ?  some unit tests are failing under tox but work just fine for me in pycharm.13:15
woodster_alee: will do13:17
aleedave-mccowan, contains some of your changes right now too so that I could get the tests working.  I hope though that your cr will land before mine and I'll just rebase.13:17
*** nkinder has quit IRC13:17
dave-mccowanalee, +1 new patch with those is out for review.
aleewoodster_, what I don't understand is that tox seems to be throwing an exception in get_plugin_retrieve_delete() in -- but (and pycharm agrees with me when I do this) I am mock patching that function.13:21
*** joesavak has joined #openstack-barbican13:26
-openstackstatus- NOTICE: gerrit has been restarted to restore event streaming. any change events missed by zuul (between 12:48 and 13:28 utc) will need to be rechecked or have new approval votes set13:28
woodster_alee, do you mean on the cover gate? The rest of the gates are passing13:28
aleewoodster_, ?13:29
aleewoodster_, unless clippy fixed it :)13:30
woodster_alee, ha! wrong CR sorry13:30
woodster_chellygel, do you remember clippy or is that before your time?13:32
dave-mccowanalee, woodster_ i remember this exception happening last month for a CR where the gate fails, but it works locally.13:33
woodster_yeah, it's probably a global mem setting issue13:34
woodster_alee, too many changes in that test file...clippy would be wagging his wiry finger at you :)13:35
aleedave-mccowan, woodster_ well tox fails locally for me too in this case.  but pycharm works just fine.13:42
aleewoodster_, clippy would also have opened the code files in notepad.13:43
woodster_alee, ha! Yeah I see where it should be mocked13:43
aleewoodster_, yeah - so that works for me in pycharm -- and when I step through in debug mode, I can see it happening.  But not in tox.13:45
aleewoodster_, one thing that is interesting -- in _config_cert_event_plugin() you mock EVENT_PLUGIN_MANAGER instead of _CertificateEventPluginManager13:47
aleewoodster_, should I be mocking _SECRET_STORE instead?13:48
woodster_alee, yeah I'm looking at that now....I think you should be mocking the return of the get_manager() method at the end of secret_store.py13:48
woodster_alee, avoid the global check that might be getting set to the real plugin manabge13:49
aleewoodster_, trying that now ..13:49
woodster_alee, 'manager' that is13:49
aleewoodster_, that works -- both tox and pycharm like it13:52
aleewoodster_, thanks!  now to figure out why a couple of functional tests look like they are failing at the gate.13:54
chellygelwoodster_, i remember clippy!!13:54
aleeI'll resubmit and see what happens13:54
woodster_alee: Nice!13:54
chellygelwoodster_, i was an active computer user at the ripe ol' age of 6. I was very lucky in that my step father was a programmer. I remember good ol' windows 3.0 :D13:54
dave-mccowanalee if it still fails, that exception showed up here too:  at 2015-03-20T20:30:2113:56
woodster_chellygel: impressive! I had to settle for an abacus at that age...but no clippy at least13:56
aleewoodster_, at the ripe ol' age of 6, I don't think we even had computers .. slide rules maybe ..13:58
*** ametts has joined #openstack-barbican13:58
openstackgerritAde Lee proposed openstack/barbican: Changes to get remaining cert functional tests working
*** nkinder has joined #openstack-barbican14:00
aleewoodster_, feel free to take a look at the other changes in that CR, so that you're familiar with them when we need to get it all acked14:00
*** xaeth_afk is now known as xaeth14:00
chellygeli could take a workflow on my latest docs change:
aleechellygel, done14:02
chellygelthank you :)14:02
dave-mccowan also needs a workflow14:06
aleedave-mccowan, done14:08
dave-mccowanalee thanks!14:08
*** paul_glass has joined #openstack-barbican14:13
aleedave-mccowan, reviewed14:19
openstackgerritMerged openstack/barbican: Adding GET and DELETE for containers quickstart guide
dave-mccowanalee thanks14:25
*** ametts has quit IRC14:27
openstackgerritMerged openstack/barbican: Fix string formatting for a secret store exception message
*** dave-mccowan has quit IRC14:32
*** zz_dimtruck is now known as dimtruck14:36
xaethd'oh... i never saw the e-mail with updates to the barbican package review.14:47
xaethle sigh. sorry14:47
xaethoh wait. ha that was today14:47
xaethnow i dont feed as bad14:47
jvrbanacWAT! Why is there a clippy on my gerrit review?14:48
chellygeljvrbanac, dont question clippy, he'll cut you14:48
jvrbanacchellygel, pretty sure MS cut him already14:49
chellygelba dum tis14:49
openstackgerritChelsea Winfree proposed openstack/barbican: Adding docs to index and minor fixes
*** arunkant has quit IRC15:16
*** paul_glass has quit IRC15:22
*** paul_glass has joined #openstack-barbican15:23
*** arunkant has joined #openstack-barbican15:29
*** kebray has joined #openstack-barbican15:33
aleewoodster_, ping15:34
woodster_alee, hello15:35
aleewoodster_, do you have an environement in which the functional tests can be run?15:35
aleewoodster_, the reason I ask is because one of the cert functional tests is failing at the gate, but is succeeding for me locally.  I think that might be because I have things set up for a dogtag type environment15:36
woodster_alee, I had one setup :)  Some bit rot since then I'm sure. That dockerize keystone CR I have out there adds more info to set this up15:37
woodster_alee, which CR15:37
aleewoodster_,  it passes tox unit tests now, and I can also explain away the coverage failure15:38
openstackgerritMerged openstack/barbican: Imported Translations from Transifex
woodster_alee, I'm running func against my setup now...15:51
hockeynutjvrbanac glad I'm not the only one who saw clippy15:54
aleewoodster_, cool thanks15:54
redrobotxaeth word!  thanks for the link, I'll try to take a look at it today.15:56
rm_workalee: any idea if there are stale pyc files?16:00
rm_workalee: we had issues with that the last couple of days because of oslo renames16:00
rm_workbut i think barbican may have done those renames a month or so ago, so might be unrelated16:01
rm_workwhich tests? I can try in my devstack16:01
aleerm_work, thanks --
woodster_alee, ugh, boot2docker is giving me fits! :)16:02
chellygel workflow for a +3, -1 change :D16:02
openstackgerritAdam Harwell proposed openstack/barbican: Use the new Devstack external plugin method
aleerm_work, in the gate, functional test create_stored_key_order is failing (but succeeding for me locally16:03
aleewoodster_, sorry :)16:04
rm_workwoodster_: you work for a cloud company, use a VM :P16:04
woodster_rm_work, ha, no kidding!16:04
rm_workwget and run:
*** dave-mccowan has joined #openstack-barbican16:10
redrobotchellygel I agree with jvrbanac, we need to get rid of the old api doc16:16
chellygelalready on it redrobot  :D16:16
redrobotchellygel got plans for lunch?  I have to be back at 1pm for the CR hangout.16:17
jvrbanacredrobot, yeah, unfortunately we can't quite get rid of that page yet; however, we can mark it as old and focus on the new format we want people to use16:17
redrobotjvrbanac why can't it be deleted?16:17
redrobotI think having an API page and an "Old API" page is confusing16:18
jvrbanacredrobot, we haven't ported orders and consumers yet.16:18
chellygeli am about to commit this change, so i want a decision before we lunch redrobot16:18
aleedave-mccowan, ping16:18
dave-mccowanalee pong16:18
chellygeland i agree, we can't get rid of it until its 100% done16:18
aleedave-mccowan, you have the functional tests running, right?16:18
woodster_have you guys pulled over all the content from that old wiki now?16:18
chellygelno woodster_ there's no way16:19
redrobotchellygel jvrbanac any duplicate info?16:19
dave-mccowanalee yes, they all pass with my patch16:19
* redrobot looks16:19
* chellygel is also looking16:19
aleedave-mccowan, can you pull down my patch and see if the tests pass?16:19
chellygelredrobot, turning my tiny cr into a big one16:19
chellygelblame the ptl o/16:20
dave-mccowanalee sure. will do now.16:20
aleedave-mccowan, they all pass for me locally - but one fails in the gate.16:20
woodster_alee, I see this error:16:20
rm_worksorry alee got delayed by shitty VPN, on it now16:20
aleewoodster_, good - thats what happens in the gate.  Can you see whats happening in your server log?16:21
chellygelredrobot, some of it can be deleted i can delete all references to secrets and consumers, just a few extra minutes of work16:21
aleewoodster_, I can't debug because it doesn't fail for me :/16:21
chellygelthere are some things that are probably not 1:116:21
chellygelbut thankfully, git is a thing that keeps our history16:21
aleewoodster_, my guess is there will be a stack trace16:22
redrobotchellygel yeah, delete all the stuff that has already been added to the new structure.  Move the old api.rst under the new structure as orders.rst16:22
woodster_rm_work, i like the devstack foo btw, nice. Would be good to document that somewhere :)16:23
rm_workwoodster_: it's on the wiki ;)16:23
rm_workwoodster_: did you actually use it?16:24
dave-mccowanalee i'm seeing what woodster_ is seeing.16:27
aleedave-mccowan, great -- do you see a stack trace?16:28
dave-mccowanalee INFO barbican.openstack.common.policy [-] Can not find policy directory: policy.d16:28
aleedave-mccowan, yeah - thats not relevant I think16:29
aleedave-mccowan, aha - interesting that I dont see that -- looking ..16:31
aleedave-mccowan, can you add debug= True to barbican-api.conf?16:35
openstackgerritChelsea Winfree proposed openstack/barbican: Adding docs to index and minor fixes
dave-mccowanalee i have the exception stopped at a breakpoint in pycharm.  do you want to share a screen?16:36
woodster_any nosetests experts out there? passing in path/to/module:TestClass.testmethod doesn't work for me. Only path/to/module works16:36
woodster_...for trying to run just one test method16:37
dave-mccowanwoodster_ nosetests functionaltests/api/v1/functional/
aleedave-mccowan, sure16:37
*** crc32 has joined #openstack-barbican16:37
*** crc32 has quit IRC16:38
aleewoodster_, dave-mccowan -- so the code that is central to all of this -- and which would be failing in this test is this ..16:52
aleewoodster_, dave-mccowan
aleenot sure why its not failing for me - but it seems to be failing at line 4116:54
aleethis is in certificate_resources.py16:56
aleewoodster_, dave-mccowan - now we initially create the data by creating secrets and adding a rsa container16:57
aleewoodster_, dave-mccowan  so what is initially passed in is this -- barbican.tests.utils.get_private_key()16:59
aleewhich is a key in PEM format16:59
dave-mccowanalee i have code stopped at a breakpoint in that function now16:59
aleedave-mccowan, yeah -- let me enable java in my browser and hop on17:00
dave-mccowanalee btw private_key looks like binary, not PEM17:05
aleedave-mccowan, trying to figure out how to do that :)17:06
aleedave-mccowan, right - which is what I would expect -- thats why I selected type "ASN1"17:06
aleeinstead of PEM17:06
aleein the load_privatekey() call17:07
*** jkf has joined #openstack-barbican17:17
*** jaosorior has quit IRC17:32
*** ametts has joined #openstack-barbican17:43
aleereaperhulk, ping17:52
*** chadlung has joined #openstack-barbican17:52
aleereaperhulk, what is crypto.FILETYPE_ASN1 in openssl ?  is that binary?17:52
aleedave-mccowan, woodster_ -- so we store a private key in the backend17:56
aleewhen we get it out -- it comes out of the backend as base64 encoded data -- we then call denormalize_after_decryption()17:57
aleewhich strips off any pem components and coverts to binary17:58
reaperhulkwhat is that from?17:58
aleethats what I pass into load_privatekey()17:58
reaperhulkthat's pycrypto, but yeah I'd expect that to be the flag stating that it's DER encoded binary ASN117:58
rm_youredrobot: wait is this thing via Hangouts or Vidyo?17:59
redrobotrm_you hangouts17:59
rm_youredrobot: kk17:59
reaperhulkoh, that's pyopenssl, gotcha17:59
reaperhulklemme take a quick look17:59
*** chadlung has quit IRC17:59
reaperhulkyep, that's the DER encoding flag in the guts of OpenSSL17:59
rm_youredrobot: can't seem to get a LINK out of the calendar invite, can you msg me?17:59
reaperhulkI'm surprised PyOpenSSL is using that...there are ways to avoid it (we don't use it in cryptography's hazmat code)18:00
*** chadlung has joined #openstack-barbican18:00
aleereaperhulk, need to jump on the google hangout -- but I may need to chat on how to do some code afterwards18:00
aleereaperhulk, basically -- I have code in that s not working18:01
aleereaperhulk, in certificate_resources.py18:02
aleeactually its working for me locally but not in the functional tests at the gate (or for anyone else)18:02
reaperhulkwhat's the data in private_key when it fails? Is it a string in the tests?18:03
aleereaperhulk,  load_privatekey() doesn;t like the binary its being passed in ..18:03
reaperhulkis it the current CR revision that's failing? I want to replicate it locally18:03
aleereaperhulk, yes18:04
aleereaperhulk, you should be able to -- I can't , but others can18:04
aleereaperhulk, you need to run the functional tests18:05
aleereaperhulk, the create_stored_key_order fails18:05
reaperhulkokay I'll take a look shortly18:05
aleereaperhulk, thanks18:05
*** kfarr has joined #openstack-barbican18:08
dave-mccowanalee, reaperhulk this is the contents of the private_key string that fails load_privatekey() on my system
*** jaosorior has joined #openstack-barbican18:38
jvrbanacthx rm_work18:50
*** tkelsey has quit IRC18:51
rm_youjvrbanac: wait what did i do? :P18:53
jvrbanacrm_you, you muted redrobot :P18:54
rm_youah, yes :P18:54
rm_youi was surprised it let me do that18:54
*** chadlung has quit IRC18:58
*** chadlung has joined #openstack-barbican18:58
*** crc32 has joined #openstack-barbican19:14
*** tkelsey has joined #openstack-barbican19:18
reaperhulk I have no idea why this is working for anybody. It is PKCS8 PEM (so you should use FILETYPE_PEM), but it is missing all the line feeds. Every line should have \n on the end. As is it's being implicitly concatenated with no \n and is invalid19:18
reaperhulk^-- alee that's your problem19:19
reaperhulkthe public key and certificate have the same problem19:19
reaperhulkthey all just need \n stuck to the end of each string line19:20
*** tkelsey has quit IRC19:22
*** ametts has quit IRC19:27
openstackgerritMerged openstack/barbican: Adding docs to index and minor fixes
rm_youyeah I think if that was """19:29
rm_youit would work19:30
rm_yousince that captures newlines, right?19:30
* rm_you just checked19:30
rm_youI prefer the """ approach because then you don't make it painful to copy/paste in and out :P19:31
aleereaperhulk, looking ..19:38
rm_youreaperhulk should be correct there -- those are malformed as-is19:39
aleerm_you, did you just run the test and it seemed to work?19:40
reaperhulkif you do """ you'll need to textwrap.dedent19:41
reaperhulk(that's how we do it in cryptograpy19:41
reaperhulkcryptography even19:41
aleereaperhulk, when we do a get_secret(), we end up stripping the headers off the secret and returning as binary19:43
*** rm_work is now known as rm_work|away19:43
aleereaperhulk, see denormalize_after_decryption()19:44
aleereaperhulk, in translations.py19:44
reaperhulkokay, will have to look, but those are definitely invalid PEMs19:44
reaperhulk(due to the newlines, but the DER decode should ignore that issue obviously)19:44
aleereaperhulk, yeah - thats good to know --not sure why it was working for me -- but ok.19:45
dave-mccowanalee, reaperhulk if i dump the buffer to file, and run "openssl rsa -inform DER -in private_key.bin -check" on it, i get "rsa key ok".  but call load_privatekey() in that file fails on the same buffer.19:49
rm_youreaperhulk: does hacking not like it if you don't dedent manually with """ ?19:50
reaperhulkpep8 shouldn't like it.19:50
rm_youit seems to flake8 fine19:50
reaperhulkand if it does, it's ugly.19:50
rm_youit IS ugly19:50
rm_youi like the textwrap suggestion though, i will check it out19:51
aleedave-mccowan, can you try adding "\n" to the end and see if the test runs ok -- it all seems to work for me just fine.19:51
rm_yousecond cool python lib thing i've been introduced to this week :P19:51
rm_youthat and itertools.ifilter19:51
dave-mccowanalee yep.  trying it out now.19:52
dave-mccowanalee, reaperhulk same error after adding "\n"19:55
dave-mccowanalee i'll try skipping these hard coded keys altogether and call crypto to get a fresh key pair.19:57
aleedave-mccowan, yup - good idea19:58
dave-mccowanalee, reaperhulk an odd thing is that the PEM dumped from "openssl rsa" does not the same as the PEM from tests/  so something weird is happening between store and retrieve, even after I added the newlines.19:59
reaperhulkwhen using openssl rsa it's going to output a PKCS1/Traditional OpenSSL format rather than PKCS820:02
reaperhulk(but it can read PKCS8)20:03
reaperhulkthat's why it looks different20:03
*** kfarr has quit IRC20:09
aleedave-mccowan, can you dump the data before denormalize_after_decryption() ?20:20
aleedave-mccowan, and try load_privatekey() on that?20:20
dave-mccowanalee sure.20:21
aleeusing PEM and ASN1 file formats20:21
dave-mccowanalee, reaperhulk  there's not a crypto.dump_publickey().  is there some crypto foo to get the public key in PEM format?20:22
aleedave-mccowan, yeah - but its ugly20:22
dave-mccowanalee do we need it to fill a container if we want to test with generated keys?20:23
aleedave-mccowan, I just want to see whats coming out of the get_secret call.20:24
aleeand what whether it will work in _generate_csr()20:24
dave-mccowanalee i know, i'm still working on [15:57:55] to generate a container with a new key pair for testing, instead of using the hard coded ones.20:25
dave-mccowanalee, i'll stash this for now and try removing denormalize.20:26
aleedave-mccowan, thanks -- unfortunately I can't debug this myself because it works for me.20:27
reaperhulkalee: version of OpenSSL?20:27
reaperhulksame for you dave20:27
reaperhulkI believe this is an issue with the version of OpenSSL underlying this20:27
reaperhulkI can parse this DER with 1.0.2 (and 1.0.1) but not 0.9.820:27
aleeinteresting --20:28
aleedave-mccowan, whats your version of openssl?20:28
dave-mccowanOpenSSL 1.0.2 22 Jan 201520:28
reaperhulkdave-mccowan: what OS are you on?20:28
reaperhulkso that's homebrew openssl20:28
reaperhulkdo this for me in your barbican venv20:29
reaperhulkpython -c "from cryptography.hazmat.backends.openssl import backend;print(backend.openssl_version_text())"20:29
* reaperhulk expects it to say 0.9.8zc20:29
dave-mccowanOpenSSL 0.9.8za 5 Jun 201420:30
aleemine says "OpenSSL 1.0.1e-fips 11 Feb 2013"20:30
reaperhulkyep, so it's definitely the 0.9.8 vs 1.0.x issue20:30
aleewoodster_, what do you have?20:30
reaperhulkHe'll definitely have 0.9.820:30
reaperhulkany mac is going to link against 0.9.8 by default unless you pass some extra flags20:31
reaperhulkWhy this key is having trouble under 0.9.8 is an interesting question20:31
aleereaperhulk, so - on your system, what do you have?20:31
reaperhulkI have 0.9.8zc and 1.0.2a, but I link my cryptography explicitly against 1.0.2a :)20:31
reaperhulk(I also rebuild cryptography several times a day, heh)20:31
aleereaperhulk, so  -- if I can replace what I have with cryptography calls -- then it will pull in 1.0.2a?20:32
aleereaperhulk, can you confirm that the functional test runs on your system with the right flags?20:33
aleereaperhulk, of course all of this is moot if whats in the gate is 0.9.820:34
reaperhulkcryptography will link against 0.9.8 by default on OS X (since that's what Apple ships)20:34
reaperhulkI'm looking into this a bit more now20:34
aleecool :)20:36
dave-mccowanyep, real question is how to make a DER that 0.9.8 likes.20:36
reaperhulk0.9.8 is perfectly capable of reading it, but you have to pass -nocrypt20:36
reaperhulkI vaguely recall this being an issue with OpenSSL not properly falling back on its parse paths20:36
reaperhulkThere's a function inside OpenSSL called d2i_AutoPrivateKey but it had bugs20:37
reaperhulkSo much so that we actually wrote our own loaders in cryptography20:37
reaperhulknote the comment :)20:37
reaperhulkSo you are running afoul of this exact bug in OpenSSL ade20:38
reaperhulkArguably I should go patch this in pyOpenSSL as well, but that won't resolve your problem right now...20:38
reaperhulkso where is this getting decoded into DER?20:41
*** chadlung has quit IRC20:43
*** rm_work|away is now known as rm_work20:47
reaperhulk(If possible, let's just not do DER PKCS8)20:50
reaperhulkat least not until we can switch to cryptography, which will handle this pain for you20:50
reaperhulkbut that's going to be a liberty thing (hopefully)20:50
*** rm_work is now known as rm_work|away20:53
aleesorry -- trying to deal with a flat tire issue20:56
alee(grandma has flat tire on other side of town)20:57
aleereaperhulk, dave-mccowan -- as part of the whole content types thing we standardized on pkcs820:58
aleenow that said -- what we should expect to get back from the plugins is PEM20:59
aleedave-mccowan, reaperhulk  - which is converted to DER in the denormalize function21:00
aleedave-mccowan, can you try adding a parameter to get_secret() that tells it not to call denormalize()?21:00
aleedave-mccowan, and then load using PEM?21:02
dave-mccowanalee ok21:04
*** nkinder has quit IRC21:11
*** jaosorior has quit IRC21:12
openstackgerritThomas Dinkjian proposed openstack/barbican: Updating Orders functional tests to new naming convention
dave-mccowanalee coded.  now different error, debugging now.21:12
jamielennoxcan someone tell me what's causing
dave-mccowanalee hmmm.  code is failing in same place, this time parsing PEM format.  one odd thing is the \ns disappeared somehow, which may be causing error.21:18
*** kebray has quit IRC21:18
redrobotjamielennox it appears that the exception raised for a 404 in the new Adapter class you're introducing does not include an http_status attribute, which is what the functional test is looking for21:19
aleedave-mccowan, the \n's are in your code?21:19
dave-mccowanreaperhulk, alee do i need to add \n or \\n ?21:19
redrobotjamielennox I don't think it's a useful test though, so you could probably just delete this assert
aleemaybe remove the \n's and see what it does?21:19
dave-mccowanalee is the code expecting only base64 characters?21:20
redrobotjamielennox I think the fact that an exception is raised is good enough.  We're planning on revisiting the exceptions being thrown for 4xx and 5xx errors21:20
jamielennoxredrobot: i'm interested in what that exception object is though, the standard exceptions don't have a http_status
aleedave-mccowan, so whats coming out of the plugin is base64 encoded21:20
aleedave-mccowan, if you dump it -- can you see base 64 + headers>21:21
redrobotjamielennox it's likely a keystoneclient exception... there's a few places where we're not catching the underlying exceptions and raising a Barbicanclient exception.21:21
jamielennoxredrobot: hmmm, that's weird... i wonder why that's happening...21:22
redrobotjamielennox we've filed this bug to track the work being done to prevent 3rd party exceptions from bubbling up like that
openstackLaunchpad bug 1431514 in python-barbicanclient "client shouldn't return http errors directly" [Medium,Confirmed]21:22
jamielennoxredrobot: well hopefully soon we can standardize the http errors across all the clients21:22
dave-mccowanalee when i dump it, it is base64 + headers.  but the newline characters have been removed.21:23
aleedave-mccowan, maybe \\n ?21:24
*** kebray has joined #openstack-barbican21:25
jamielennoxredrobot: do you know how the keystone error would bubble up like that?21:25
jamielennox is the test21:26
jamielennoxand _delete is doing it's own status_code checking:
aleedave-mccowan, maybe it makes sense at this point to take the '\n' thing out of the equation and just generate keys?21:27
jamielennoxredrobot: oh - it looks like it's not getting to that point at all, it's coming from the session directly21:27
aleedave-mccowan, there is code that does that in the test_certificate_resources.py21:27
redrobotjamielennox yeah, the _session.delete() should be done in a try/except21:28
aleedave-mccowan, in fact, I suspect that if we do that, this whole issue might just go away21:29
jamielennoxredrobot: that or if you pass raise_exc=False like in L86 then request() will return the response object with >400 status codes and the existing error handling will work21:29
aleeirrespective of whether we skip the denormalization or not21:29
aleedave-mccowan, though tbh - we may end up skipping denormalization in any case to support the passphrase case21:31
dave-mccowanalee i have that mostly coded, just need a way to get the public key from pkey21:31
redrobotjamielennox your CR makes that change right?  Looks like it's definitely a bad assert then.21:31
aleedave-mccowan, try using pycrypto instead ..21:31
aleelet me point you to the right test ..21:31
jamielennoxredrobot: well i don't want to mix the two changes, i'll fix it so that the behaviour is the same as now, and i'll leave a note as to how to fix it if you want to handle those errors yourself.21:32
openstackgerritJamie Lennox proposed openstack/python-barbicanclient: Use the ksc Adapter instead of custom HTTPClient
aleedave-mccowan, test_should_return_for_pycrypto_stored_key_without_passphrase()21:32
aleein test_certificate_resources.py21:33
aleedave-mccowan, right now -- the public key does not really matter21:33
aleewe just need and get the private key21:34
redrobotjamielennox sounds good21:34
dave-mccowanalee yea, i think the container validators gripe if it's not there though.21:34
aleedave-mccowan, sur but any value is ok21:34
dave-mccowanalee pycrypto everywhere and the world is a better place?21:35
aleedave-mccowan, you can send "public key"21:35
dave-mccowanalee OK... same error.  still wind up with "PEM format" with no newlines.21:41
*** chadlung has joined #openstack-barbican21:44
aleedave-mccowan, interesting -- the test_should_return_for_openssl_stored_key_ca_id_passed_in() unit test works ..21:45
aleedave-mccowan, so that says something changes when we actually store and then retrieve21:47
*** bdpayne has joined #openstack-barbican21:48
*** chadlung has quit IRC21:49
dave-mccowanalee that would be a good functional test. does original == retrieved.  for the rsa key case, at least the newlines are stripped.21:49
aleedave-mccowan, well I'm looking at the test_secrets() functional test21:49
aleeand that seems to pass too21:49
aleeusing the utils.get_private_key()21:50
dave-mccowanalee so bug is specific to rsa container ?21:50
aleedave-mccowan, I think maybe when we store the private key , we are not passing in the right content types21:51
aleepayload_content_type': 'application/octet-stream',21:51
alee            'payload_content_encoding': 'base64',21:51
aleewe need to pass in the right content type and encoding21:51
aleedave-mccowan, I think that may be the problem and why when we retrieve, we get the wrong thing21:53
aleedave-mccowan, see the tests in there for private and public key21:53
dave-mccowanalee what should the encoding be?21:57
aleedave-mccowan, ok -- let me look at the secret functional tests21:57
dave-mccowanalee i followed that example.  i guess base64 is not right, because PEM is base64 + headers + and newlines.21:59
aleedave-mccowan, actually it looks like you followed the example ..22:00
aleedave-mccowan, in _generate_csr()22:00
aleethere is a call to get_secret()22:00
aleeand a content type in there --22:00
aleemaybe that content type should be 'application/octet-stream' ?22:01
dave-mccowanalee change from application/pkcs8 to application/octet-stream?22:02
dave-mccowanalee no difference22:04
aleedave-mccowan, sorry - still trying to deal with tire thing22:10
aleediagnosing flat tire across town over phone is like trying to diagnose openssl code issue remotely :)22:10
dave-mccowanalee lol22:11
aleedave-mccowan, will have to get back to you tommorow morning  or later tonight22:11
dave-mccowanalee a break sounds like a good idea.  let's hope for epiphanies.22:11
*** paul_glass has quit IRC22:14
*** xaeth is now known as xaeth_afk22:17
*** bdpayne has quit IRC22:19
*** kebray has quit IRC22:20
*** chadlung has joined #openstack-barbican22:25
*** dimtruck is now known as zz_dimtruck22:25
*** chadlung has quit IRC22:25
*** dave-mccowan has quit IRC22:28
*** tkelsey has joined #openstack-barbican22:28
woodster_reaperhulk or jvrbanac, were you able to autogenerate the alembic migration that adds FK indices, or was that hand generated?22:31
*** tkelsey has quit IRC22:32
*** nkinder has joined #openstack-barbican22:34
reaperhulkwe autogenerated it and then tweaked by hand a bit22:35
woodster_for some reason even though the FK is indexed, the generated alembic file didn't have the constraint generated:
*** dave-mccowan has joined #openstack-barbican22:40
*** kebray has joined #openstack-barbican23:02
*** chlong has joined #openstack-barbican23:07
*** kebray has quit IRC23:08
*** kebray has joined #openstack-barbican23:09
openstackgerritJohn Wood proposed openstack/barbican: Add order_retry_tasks migration per latest model
*** joesavak has quit IRC23:21
*** jkf has quit IRC23:58

Generated by 2.14.0 by Marius Gedminas - find it at!