)]}'
{"octavia/certificates/manager/barbican.py":[{"author":{"_account_id":38562,"name":"Richard Cruise","email":"rcruise@redhat.com","username":"rcruise"},"tag":"autogenerated:claude-review","change_message_id":"3a57a7ffd5f7895d40e5a28bd002753a5c6a9dfb","unresolved":false,"context_lines":[{"line_number":116,"context_line":"        connection \u003d self.auth.get_barbican_client(context.project_id)"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"        LOG.info(\u0027Loading certificate secret %s from Barbican.\u0027, cert_ref)"},{"line_number":119,"context_line":"        try:"},{"line_number":120,"context_line":"            cert_secret \u003d connection.secrets.get(secret_ref\u003dcert_ref)"},{"line_number":121,"context_line":"            cert_obj \u003d pkcs12.PKCS12Cert(cert_secret.payload)"},{"line_number":122,"context_line":"            pqc_utils.check_algorithm_compliance("},{"line_number":123,"context_line":"                cert_obj.certificate.certificate, \u0027data\u0027)"},{"line_number":124,"context_line":"            return cert_obj"},{"line_number":125,"context_line":"        except exceptions.UnreadablePKCS12:"},{"line_number":126,"context_line":"            raise"},{"line_number":127,"context_line":"        except Exception as e:"},{"line_number":128,"context_line":"            LOG.warning(\u0027Failed to load PKCS12Cert for secret %s with %s\u0027,"},{"line_number":129,"context_line":"                        cert_ref, str(e))"},{"line_number":130,"context_line":"            LOG.warning(\u0027Falling back to the barbican_legacy implementation.\u0027)"},{"line_number":131,"context_line":"            # If our get fails, try with the legacy driver."},{"line_number":132,"context_line":"            # TODO(rm_work): Remove this code when the deprecation cycle for"},{"line_number":133,"context_line":"            # the legacy driver is complete."},{"line_number":134,"context_line":"            legacy_mgr \u003d barbican_legacy.BarbicanCertManager()"},{"line_number":135,"context_line":"            legacy_cert \u003d legacy_mgr.get_cert("},{"line_number":136,"context_line":"                context, cert_ref, resource_ref\u003dresource_ref,"},{"line_number":137,"context_line":"                check_only\u003dcheck_only, service_name\u003dservice_name"},{"line_number":138,"context_line":"            )"},{"line_number":139,"context_line":"            return legacy_cert"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"    def delete_cert(self, context, cert_ref, resource_ref, service_name\u003dNone):"},{"line_number":142,"context_line":"        \"\"\"Deregister as a consumer for the specified cert."}],"source_content_type":"text/x-python","patch_set":2,"id":"ad93f5d6_380a39bc","line":139,"range":{"start_line":119,"start_character":0,"end_line":139,"end_character":0},"updated":"2026-06-16 21:07:39.000000000","message":"`CertificateValidationException` inherits from `APIException` (→ `exc.HTTPClientError` → `Exception`). It is not a subclass of `UnreadablePKCS12`, so it will be caught by the broad `except Exception as e:` handler on line 127, logged as a \"Failed to load PKCS12Cert\" warning, and the code will silently fall through to the legacy Barbican driver path. This completely defeats STRICT-mode enforcement — a certificate using a quantum-vulnerable algorithm would be loaded successfully via the legacy path despite the policy violation.","commit_id":"c0c5d10500e8f6ef27e33db2461ea2e3052dc38d"}]}
