You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
240 lines
8.7 KiB
240 lines
8.7 KiB
5 years ago
|
From 4f61f5d9eec75e471c8176dac0c21f4361e40ee6 Mon Sep 17 00:00:00 2001
|
||
|
From: Jakub Filak <jfilak@redhat.com>
|
||
|
Date: Thu, 11 Sep 2014 12:33:05 +0200
|
||
|
Subject: [LIBREPORT PATCH 67/93] ureport: use additional HTTP headers with
|
||
|
'rhsm-entitlement' cert auth
|
||
|
|
||
|
Related to rhbz#1140224
|
||
|
|
||
|
Signed-off-by: Jakub Filak <jfilak@redhat.com>
|
||
|
|
||
|
Conflicts:
|
||
|
src/plugins/ureport.conf
|
||
|
---
|
||
|
src/lib/json.c | 29 +++++++++++----
|
||
|
src/lib/ureport.h | 1 +
|
||
|
src/plugins/ureport.c | 94 +++++++++++++++++++++++++++++++++++++++++++++++-
|
||
|
src/plugins/ureport.conf | 4 ++-
|
||
|
4 files changed, 119 insertions(+), 9 deletions(-)
|
||
|
|
||
|
diff --git a/src/lib/json.c b/src/lib/json.c
|
||
|
index 8935ef8..6fbbf39 100644
|
||
|
--- a/src/lib/json.c
|
||
|
+++ b/src/lib/json.c
|
||
|
@@ -113,14 +113,25 @@ struct post_state *post_ureport(const char *json, struct ureport_server_config *
|
||
|
post_state->client_key_path = config->ur_client_key;
|
||
|
}
|
||
|
|
||
|
- static const char *headers[] = {
|
||
|
- "Accept: application/json",
|
||
|
- "Connection: close",
|
||
|
- NULL,
|
||
|
- };
|
||
|
+ char **headers = xmalloc(sizeof(char *) * (3 + size_map_string(config->ur_http_headers)));
|
||
|
+ headers[0] = (char *)"Accept: application/json";
|
||
|
+ headers[1] = (char *)"Connection: close";
|
||
|
+ headers[2] = NULL;
|
||
|
+
|
||
|
+ if (config->ur_http_headers != NULL)
|
||
|
+ {
|
||
|
+ unsigned i = 2;
|
||
|
+ const char *header;
|
||
|
+ const char *value;
|
||
|
+ map_string_iter_t iter;
|
||
|
+ init_map_string_iter(&iter, config->ur_http_headers);
|
||
|
+ while (next_map_string_iter(&iter, &header, &value))
|
||
|
+ headers[i++] = xasprintf("%s: %s", header, value);
|
||
|
+ headers[i] = NULL;
|
||
|
+ }
|
||
|
|
||
|
post_string_as_form_data(post_state, config->ur_url, "application/json",
|
||
|
- headers, json);
|
||
|
+ (const char **)headers, json);
|
||
|
|
||
|
/* Client authentication failed. Try again without client auth.
|
||
|
* CURLE_SSL_CONNECT_ERROR - cert not found/server doesnt trust the CA
|
||
|
@@ -135,10 +146,14 @@ struct post_state *post_ureport(const char *json, struct ureport_server_config *
|
||
|
post_state = new_post_state(flags);
|
||
|
|
||
|
post_string_as_form_data(post_state, config->ur_url, "application/json",
|
||
|
- headers, json);
|
||
|
+ (const char **)headers, json);
|
||
|
|
||
|
}
|
||
|
|
||
|
+ for (unsigned i = size_map_string(config->ur_http_headers); i != 0; --i)
|
||
|
+ free(headers[i + 1]);
|
||
|
+ free(headers);
|
||
|
+
|
||
|
return post_state;
|
||
|
}
|
||
|
|
||
|
diff --git a/src/lib/ureport.h b/src/lib/ureport.h
|
||
|
index ca1d538..319aca9 100644
|
||
|
--- a/src/lib/ureport.h
|
||
|
+++ b/src/lib/ureport.h
|
||
|
@@ -43,6 +43,7 @@ struct ureport_server_config
|
||
|
char *ur_client_cert; ///< Path to certificate used for client
|
||
|
///< authentication (or NULL)
|
||
|
char *ur_client_key; ///< Private key for the certificate
|
||
|
+ map_string_t *ur_http_headers; ///< Additional HTTP headers
|
||
|
|
||
|
struct ureport_preferences ur_prefs; ///< configuration for uReport generation
|
||
|
};
|
||
|
diff --git a/src/plugins/ureport.c b/src/plugins/ureport.c
|
||
|
index d23cc79..9c69cad 100644
|
||
|
--- a/src/plugins/ureport.c
|
||
|
+++ b/src/plugins/ureport.c
|
||
|
@@ -31,6 +31,12 @@
|
||
|
#define RHSM_CERT_PATH "/etc/pki/consumer/cert.pem"
|
||
|
#define RHSM_KEY_PATH "/etc/pki/consumer/key.pem"
|
||
|
|
||
|
+#define RHAP_PEM_DIR_PATH "/etc/pki/entitlement"
|
||
|
+#define RHAP_ENT_DATA_BEGIN_TAG "-----BEGIN ENTITLEMENT DATA-----"
|
||
|
+#define RHAP_ENT_DATA_END_TAG "-----END ENTITLEMENT DATA-----"
|
||
|
+#define RHAP_SIG_DATA_BEGIN_TAG "-----BEGIN RSA SIGNATURE-----"
|
||
|
+#define RHAP_SIG_DATA_END_TAG "-----END RSA SIGNATURE-----"
|
||
|
+
|
||
|
#define VALUE_FROM_CONF(opt, var, tr) do { const char *value = getenv("uReport_"opt); \
|
||
|
if (!value) { value = get_map_string_item_or_NULL(settings, opt); } if (value) { var = tr(value); } \
|
||
|
} while(0)
|
||
|
@@ -72,6 +78,88 @@ static void parse_client_auth_paths(struct ureport_server_config *config, const
|
||
|
config->ur_client_cert = xstrdup(RHSM_CERT_PATH);
|
||
|
config->ur_client_key = xstrdup(RHSM_KEY_PATH);
|
||
|
}
|
||
|
+ else if (strcmp(client_auth, "rhsm-entitlement") == 0)
|
||
|
+ {
|
||
|
+ GList *certs = get_file_list(RHAP_PEM_DIR_PATH, "pem");
|
||
|
+ if (g_list_length(certs) != 2)
|
||
|
+ {
|
||
|
+ log_notice(RHAP_PEM_DIR_PATH" does not contain unique cert-key files pair");
|
||
|
+ log_notice("Not using client authentication");
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
+ const char *cert = NULL;
|
||
|
+ const char *key = NULL;
|
||
|
+
|
||
|
+ file_obj_t *fst = (file_obj_t *)certs->data;
|
||
|
+ file_obj_t *scn = (file_obj_t *)certs->next->data;
|
||
|
+
|
||
|
+ if (strlen(fo_get_filename(fst)) < strlen(fo_get_filename(scn)))
|
||
|
+ {
|
||
|
+ cert = fo_get_filename(fst);
|
||
|
+ key = fo_get_filename(scn);
|
||
|
+
|
||
|
+ config->ur_client_cert = xstrdup(fo_get_fullpath(fst));
|
||
|
+ config->ur_client_key = xstrdup(fo_get_fullpath(scn));
|
||
|
+ }
|
||
|
+ else
|
||
|
+ {
|
||
|
+ cert = fo_get_filename(scn);
|
||
|
+ key = fo_get_filename(fst);
|
||
|
+
|
||
|
+ config->ur_client_cert = xstrdup(fo_get_fullpath(scn));
|
||
|
+ config->ur_client_key = xstrdup(fo_get_fullpath(fst));
|
||
|
+ }
|
||
|
+
|
||
|
+ const bool iscomplement = prefixcmp(key, cert) != 0 || strcmp("-key", key + strlen(cert)) != 0;
|
||
|
+ g_list_free_full(certs, (GDestroyNotify)free_file_obj);
|
||
|
+
|
||
|
+ if (iscomplement)
|
||
|
+ {
|
||
|
+ log_notice("Key file '%s' isn't complement to cert file '%s'",
|
||
|
+ config->ur_client_key, config->ur_client_cert);
|
||
|
+ log_notice("Not using client authentication");
|
||
|
+
|
||
|
+ free(config->ur_client_cert);
|
||
|
+ free(config->ur_client_key);
|
||
|
+ config->ur_client_cert = NULL;
|
||
|
+ config->ur_client_key = NULL;
|
||
|
+
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
+ char *certdata = xmalloc_open_read_close(config->ur_client_cert, /*no size limit*/NULL);
|
||
|
+ if (certdata != NULL)
|
||
|
+ {
|
||
|
+ char *ent_data = xstrdup_between(certdata,
|
||
|
+ RHAP_ENT_DATA_BEGIN_TAG, RHAP_ENT_DATA_END_TAG);
|
||
|
+
|
||
|
+ char *sig_data = xstrdup_between(certdata,
|
||
|
+ RHAP_SIG_DATA_BEGIN_TAG, RHAP_SIG_DATA_END_TAG);
|
||
|
+
|
||
|
+ if (ent_data != NULL && sig_data != NULL)
|
||
|
+ {
|
||
|
+ ent_data = strremovech(ent_data, '\n');
|
||
|
+ insert_map_string(config->ur_http_headers,
|
||
|
+ xstrdup("X-RH-Entitlement-Data"),
|
||
|
+ xasprintf(RHAP_ENT_DATA_BEGIN_TAG"%s"RHAP_ENT_DATA_END_TAG, ent_data));
|
||
|
+
|
||
|
+ sig_data = strremovech(sig_data, '\n');
|
||
|
+ insert_map_string(config->ur_http_headers,
|
||
|
+ xstrdup("X-RH-Entitlement-Sig"),
|
||
|
+ xasprintf(RHAP_SIG_DATA_BEGIN_TAG"%s"RHAP_SIG_DATA_END_TAG, sig_data));
|
||
|
+ }
|
||
|
+ else
|
||
|
+ {
|
||
|
+ log_notice("Cert file '%s' doesn't contain Entitlement and RSA Signature sections", config->ur_client_cert);
|
||
|
+ log_notice("Not using HTTP authentication headers");
|
||
|
+ }
|
||
|
+
|
||
|
+ free(sig_data);
|
||
|
+ free(ent_data);
|
||
|
+ free(certdata);
|
||
|
+ }
|
||
|
+ }
|
||
|
else if (strcmp(client_auth, "puppet") == 0)
|
||
|
{
|
||
|
config->ur_client_cert = puppet_config_print("hostcert");
|
||
|
@@ -83,7 +171,6 @@ static void parse_client_auth_paths(struct ureport_server_config *config, const
|
||
|
config->ur_client_cert = xstrdup(strtok(scratch, ":"));
|
||
|
config->ur_client_key = xstrdup(strtok(NULL, ":"));
|
||
|
free(scratch);
|
||
|
-
|
||
|
if (config->ur_client_cert == NULL || config->ur_client_key == NULL)
|
||
|
error_msg_and_die("Invalid client authentication specification");
|
||
|
}
|
||
|
@@ -426,11 +513,14 @@ int main(int argc, char **argv)
|
||
|
.ur_ssl_verify = true,
|
||
|
.ur_client_cert = NULL,
|
||
|
.ur_client_key = NULL,
|
||
|
+ .ur_http_headers = NULL,
|
||
|
{
|
||
|
.urp_auth_items = NULL,
|
||
|
},
|
||
|
};
|
||
|
|
||
|
+ config.ur_http_headers = new_map_string();
|
||
|
+
|
||
|
enum {
|
||
|
OPT_v = 1 << 0,
|
||
|
OPT_d = 1 << 1,
|
||
|
@@ -677,6 +767,8 @@ finalize:
|
||
|
if (config.ur_prefs.urp_auth_items != auth_items)
|
||
|
g_list_free_full(config.ur_prefs.urp_auth_items, free);
|
||
|
|
||
|
+ free_map_string(config.ur_http_headers);
|
||
|
+
|
||
|
free_map_string(settings);
|
||
|
free(config.ur_client_cert);
|
||
|
free(config.ur_client_key);
|
||
|
diff --git a/src/plugins/ureport.conf b/src/plugins/ureport.conf
|
||
|
index 8abeb26..fc0dc21 100644
|
||
|
--- a/src/plugins/ureport.conf
|
||
|
+++ b/src/plugins/ureport.conf
|
||
|
@@ -19,7 +19,9 @@ AuthDataItems = hostname, machineid
|
||
|
# None (default):
|
||
|
# SSLClientAuth =
|
||
|
# Using RH subscription management certificate:
|
||
|
-SSLClientAuth = rhsm
|
||
|
+# SSLClientAuth = rhsm
|
||
|
+# Using RH subscription management entitlement certificate:
|
||
|
+# SSLClientAuth = rhsm-entitlement
|
||
|
# Using Puppet certificate:
|
||
|
# SSLClientAuth = puppet
|
||
|
# Using custom certificate:
|
||
|
--
|
||
|
1.8.3.1
|
||
|
|