You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
129 lines
4.9 KiB
129 lines
4.9 KiB
5 years ago
|
From fc56c987058558d47d6bfe64ec11d2819b7886fe Mon Sep 17 00:00:00 2001
|
||
|
From: Matej Habrnal <mhabrnal@redhat.com>
|
||
|
Date: Thu, 3 Sep 2015 13:55:07 +0200
|
||
|
Subject: [PATCH] ureport: use Red Hat Certificate Authority to make rhsm cert
|
||
|
trusted
|
||
|
|
||
|
In the case we use authenticated auto reporting by rhsm the cert is not trusted
|
||
|
and it breaks Auto-reporting feature. This commit feeds curl with the
|
||
|
cert-api.access.redhat.com.pem file which make the cert trusted.
|
||
|
|
||
|
Related to rhbz#1223805
|
||
|
|
||
|
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
|
||
|
---
|
||
|
src/include/ureport.h | 1 +
|
||
|
src/lib/ureport.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||
|
2 files changed, 43 insertions(+)
|
||
|
|
||
|
diff --git a/src/include/ureport.h b/src/include/ureport.h
|
||
|
index 780b898..a1d03f6 100644
|
||
|
--- a/src/include/ureport.h
|
||
|
+++ b/src/include/ureport.h
|
||
|
@@ -52,6 +52,7 @@ struct ureport_server_config
|
||
|
char *ur_client_cert; ///< Path to certificate used for client
|
||
|
///< authentication (or NULL)
|
||
|
char *ur_client_key; ///< Private key for the certificate
|
||
|
+ char *ur_cert_authority_cert; ///< Certificate authority certificate
|
||
|
char *ur_username; ///< username for basic HTTP auth
|
||
|
char *ur_password; ///< password for basic HTTP auth
|
||
|
map_string_t *ur_http_headers; ///< Additional HTTP headers
|
||
|
diff --git a/src/lib/ureport.c b/src/lib/ureport.c
|
||
|
index 990ace6..76bcc95 100644
|
||
|
--- a/src/lib/ureport.c
|
||
|
+++ b/src/lib/ureport.c
|
||
|
@@ -37,6 +37,12 @@
|
||
|
#define RHSMCON_CERT_NAME "cert.pem"
|
||
|
#define RHSMCON_KEY_NAME "key.pem"
|
||
|
|
||
|
+/* Using the same template as for RHSM certificate, macro for cert dir path and
|
||
|
+ * macro for cert name. Cert path can be easily modified for example by reading
|
||
|
+ * an environment variable LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH
|
||
|
+ */
|
||
|
+#define CERT_AUTHORITY_CERT_PATH "/etc/redhat-access-insights"
|
||
|
+#define CERT_AUTHORITY_CERT_NAME "cert-api.access.redhat.com.pem"
|
||
|
|
||
|
static char *
|
||
|
puppet_config_print(const char *key)
|
||
|
@@ -106,6 +112,17 @@ certificate_exist(char *cert_name)
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
+static bool
|
||
|
+cert_authority_cert_exist(char *cert_name)
|
||
|
+{
|
||
|
+ if (access(cert_name, F_OK) != 0)
|
||
|
+ {
|
||
|
+ log_notice("Certs validating the server '%s' does not exist.", cert_name);
|
||
|
+ return false;
|
||
|
+ }
|
||
|
+ return true;
|
||
|
+}
|
||
|
+
|
||
|
void
|
||
|
ureport_server_config_set_client_auth(struct ureport_server_config *config,
|
||
|
const char *client_auth)
|
||
|
@@ -134,6 +151,16 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
|
||
|
char *cert_full_name = concat_path_file(rhsm_dir, RHSMCON_CERT_NAME);
|
||
|
char *key_full_name = concat_path_file(rhsm_dir, RHSMCON_KEY_NAME);
|
||
|
|
||
|
+ /* get authority certificate dir path from environment variable, if it
|
||
|
+ * is not set, use CERT_AUTHORITY_CERT_PATH
|
||
|
+ */
|
||
|
+ const char *authority_cert_dir_path = getenv("LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH");
|
||
|
+ if (authority_cert_dir_path == NULL)
|
||
|
+ authority_cert_dir_path = CERT_AUTHORITY_CERT_PATH;
|
||
|
+
|
||
|
+ char *cert_authority_cert_full_name = concat_path_file(authority_cert_dir_path,
|
||
|
+ CERT_AUTHORITY_CERT_NAME);
|
||
|
+
|
||
|
if (certificate_exist(cert_full_name) && certificate_exist(key_full_name))
|
||
|
{
|
||
|
config->ur_client_cert = cert_full_name;
|
||
|
@@ -147,6 +174,16 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
|
||
|
log_notice("Using the default configuration for uReports.");
|
||
|
}
|
||
|
|
||
|
+ if (cert_authority_cert_exist(cert_authority_cert_full_name))
|
||
|
+ {
|
||
|
+ config->ur_cert_authority_cert = cert_authority_cert_full_name;
|
||
|
+ log_debug("Using validating server cert: '%s'", config->ur_cert_authority_cert);
|
||
|
+ }
|
||
|
+ else
|
||
|
+ {
|
||
|
+ free(cert_authority_cert_full_name);
|
||
|
+ }
|
||
|
+
|
||
|
free(rhsm_dir);
|
||
|
|
||
|
}
|
||
|
@@ -286,6 +323,7 @@ ureport_server_config_init(struct ureport_server_config *config)
|
||
|
config->ur_ssl_verify = true;
|
||
|
config->ur_client_cert = NULL;
|
||
|
config->ur_client_key = NULL;
|
||
|
+ config->ur_cert_authority_cert = NULL;
|
||
|
config->ur_username = NULL;
|
||
|
config->ur_password = NULL;
|
||
|
config->ur_http_headers = new_map_string();
|
||
|
@@ -304,6 +342,9 @@ ureport_server_config_destroy(struct ureport_server_config *config)
|
||
|
free(config->ur_client_key);
|
||
|
config->ur_client_key = DESTROYED_POINTER;
|
||
|
|
||
|
+ free(config->ur_cert_authority_cert);
|
||
|
+ config->ur_cert_authority_cert = DESTROYED_POINTER;
|
||
|
+
|
||
|
free(config->ur_username);
|
||
|
config->ur_username = DESTROYED_POINTER;
|
||
|
|
||
|
@@ -701,6 +742,7 @@ ureport_do_post(const char *json, struct ureport_server_config *config,
|
||
|
{
|
||
|
post_state->client_cert_path = config->ur_client_cert;
|
||
|
post_state->client_key_path = config->ur_client_key;
|
||
|
+ post_state->cert_authority_cert_path = config->ur_cert_authority_cert;
|
||
|
}
|
||
|
else if (config->ur_username && config->ur_password)
|
||
|
{
|
||
|
--
|
||
|
2.4.3
|
||
|
|