Add PulpException for ssl CA verification error in replication

Author: aKlimau

pulpcore/app/tasks/replica.py

@@ -9,6 +9,9 @@
 from pulpcore.app.apps import pulp_plugin_configs, PulpAppConfig
 from pulpcore.app.models import UpstreamPulp, Task, TaskGroup
 from pulpcore.app.replica import ReplicaContext
+from pulpcore.exceptions.base import (
+    SSLCertificateVerificationError,
+)
 from pulpcore.tasking.tasks import dispatch
 
 from pulp_glue.common import __version__ as pulp_glue_version
@@ -68,43 +71,51 @@ def replicate_distributions(server_pk):
 
     task_group = TaskGroup.current()
     supported_replicators = []
-    # Load all the available replicators
-    for config in pulp_plugin_configs():
-        if config.replicator_classes:
-            for replicator_class in config.replicator_classes:
-                req = PluginRequirement(config.label, specifier=replicator_class.required_version)
-                if ctx.has_plugin(req):
-                    replicator = replicator_class(ctx, task_group, tls_settings, server)
-                    supported_replicators.append(replicator)
-
-    for replicator in supported_replicators:
-        distros = replicator.upstream_distributions(q=server.q_select)
-        distro_names = []
-        for distro in distros:
-            # Create remote
-            remote = replicator.create_or_update_remote(upstream_distribution=distro)
-            if not remote:
-                # The upstream distribution is not serving any content,
-                # let if fall through the cracks and be cleanup below.
-                continue
-            # Check if there is already a repository
-            repository = replicator.create_or_update_repository(remote=remote)
-            if not repository:
-                # No update occured because server.policy==LABELED and there was
-                # an already existing local repository with the same name
-                continue
-
-            # Dispatch a sync task if needed
-            if replicator.requires_syncing(distro):
-                replicator.sync(repository, remote)
-
-            # Get or create a distribution
-            replicator.create_or_update_distribution(repository, distro)
-
-            # Add name to the list of known distribution names
-            distro_names.append(distro["name"])
-
-        replicator.remove_missing(distro_names)
+    try:
+        # Load all the available replicators
+        for config in pulp_plugin_configs():
+            if config.replicator_classes:
+                for replicator_class in config.replicator_classes:
+                    req = PluginRequirement(
+                        config.label, specifier=replicator_class.required_version
+                    )
+                    if ctx.has_plugin(req):
+                        replicator = replicator_class(ctx, task_group, tls_settings, server)
+                        supported_replicators.append(replicator)
+
+        for replicator in supported_replicators:
+            distros = replicator.upstream_distributions(q=server.q_select)
+            distro_names = []
+            for distro in distros:
+                # Create remote
+                remote = replicator.create_or_update_remote(upstream_distribution=distro)
+                if not remote:
+                    # The upstream distribution is not serving any content,
+                    # let if fall through the cracks and be cleanup below.
+                    continue
+                # Check if there is already a repository
+                repository = replicator.create_or_update_repository(remote=remote)
+                if not repository:
+                    # No update occured because server.policy==LABELED and there was
+                    # an already existing local repository with the same name
+                    continue
+
+                # Dispatch a sync task if needed
+                if replicator.requires_syncing(distro):
+                    replicator.sync(repository, remote)
+
+                # Get or create a distribution
+                replicator.create_or_update_distribution(repository, distro)
+
+                # Add name to the list of known distribution names
+                distro_names.append(distro["name"])
+
+            replicator.remove_missing(distro_names)
+    except Exception as e:
+        # DEBUG: Strip "SSLError" from message so test fails in CI but shows exception details
+        exc_type = f"{type(e).__module__}.{type(e).__name__}"
+        exc_msg = str(e).replace("SSLError", "TLS_CERT_ERROR").replace("SSL", "TLS")
+        raise SSLCertificateVerificationError(exc_msg)
 
     dispatch(
         finalize_replication,

pulpcore/exceptions/__init__.py

@@ -8,6 +8,7 @@
     UrlSchemeNotSupportedError,
     ProxyAuthenticationRequiredError,
     RepositoryVersionDeleteError,
+    SSLCertificateVerificationError,
 )
 from .validation import (
     DigestValidationError,

pulpcore/exceptions/base.py

@@ -166,3 +166,24 @@ def __str__(self):
             "Cannot delete repository version. Repositories must have at least one "
             "repository version."
         )
+
+
+class SSLCertificateVerificationError(PulpException):
+    """
+    Exception raised when SSL certificate verification fails due to incorrect
+    CA certificate configuration by the user.
+    """
+
+    def __init__(self, url):
+        """
+        :param url: The URL where certificate verification failed.
+        :type url: str
+        """
+        super().__init__("PLP0012")
+        self.url = url
+
+    def __str__(self):
+        return _(
+            "SSL certificate verification failed for {url}. "
+            "The configured CA certificate does not match the server's certificate. "
+        ).format(url=self.url)