From d8459ff67af8566583a4b33d151a182d48722078 Mon Sep 17 00:00:00 2001

From: Matej Habrnal <mhabrnal@redhat.com>

Date: Wed, 27 May 2015 14:45:20 +0200

Subject: [PATCH] ureport: add functionality to use consumer certificate

reporter-ureport uses consumer certificate instead of entitlement certificate,

if the rhsm authentication is enabled. Also uses

https://cert-api.access.redhat.com/rs/telemetry/abrt to report those

autenticated uReports.

Related to rhbz#1223805

Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>

---

 src/lib/ureport.c        | 121 +++++++++++++----------------------------------

 src/plugins/ureport.conf |   2 +-

 2 files changed, 33 insertions(+), 90 deletions(-)

diff --git a/src/lib/ureport.c b/src/lib/ureport.c

index 5065a52..990ace6 100644

--- a/src/lib/ureport.c

+++ b/src/lib/ureport.c

@@ -31,13 +31,11 @@

 #define BTHASH_URL_SFX "reports/bthash/"

-#define RHSM_WEB_SERVICE_URL "https://api.access.redhat.com/rs/telemetry/abrt"

+#define RHSM_WEB_SERVICE_URL "https://cert-api.access.redhat.com/rs/telemetry/abrt"

-#define RHSMENT_PEM_DIR_PATH "/etc/pki/entitlement"

-#define RHSMENT_ENT_DATA_BEGIN_TAG "-----BEGIN ENTITLEMENT DATA-----"

-#define RHSMENT_ENT_DATA_END_TAG "-----END ENTITLEMENT DATA-----"

-#define RHSMENT_SIG_DATA_BEGIN_TAG "-----BEGIN RSA SIGNATURE-----"

-#define RHSMENT_SIG_DATA_END_TAG "-----END RSA SIGNATURE-----"

+#define RHSMCON_PEM_DIR_PATH "/etc/pki/consumer"

+#define RHSMCON_CERT_NAME "cert.pem"

+#define RHSMCON_KEY_NAME "key.pem"

 static char *

@@ -71,14 +69,14 @@ ureport_server_config_set_url(struct ureport_server_config *config,

 }

 static char *

-rhsm_config_get_entitlement_cert_dir(void)

+rhsm_config_get_consumer_cert_dir(void)

 {

-    char *result = getenv("LIBREPORT_DEBUG_RHSMENT_PEM_DIR_PATH");

+    char *result = getenv("LIBREPORT_DEBUG_RHSMCON_PEM_DIR_PATH");

     if (result != NULL)

         return xstrdup(result);

     result = run_in_shell_and_save_output(0,

-            "python -c \"from rhsm.config import initConfig; print(initConfig().get('rhsm', 'entitlementCertDir'))\"",

+            "python -c \"from rhsm.config import initConfig; print(initConfig().get('rhsm', 'consumerCertDir'))\"",

             NULL, NULL);

     /* run_in_shell_and_save_output always returns non-NULL */

@@ -93,8 +91,19 @@ rhsm_config_get_entitlement_cert_dir(void)

     return result;

 error:

     free(result);

-    error_msg("Failed to get 'rhsm':'entitlementCertDir' from rhsm.config python module. Using "RHSMENT_PEM_DIR_PATH);

-    return xstrdup(RHSMENT_PEM_DIR_PATH);

+    error_msg("Failed to get 'rhsm':'consumerCertDir' from rhsm.config python module. Using "RHSMCON_PEM_DIR_PATH);

+    return xstrdup(RHSMCON_PEM_DIR_PATH);

+}

+

+static bool

+certificate_exist(char *cert_name)

+{

+    if (access(cert_name, F_OK) != 0)

+    {

+        log_notice("RHSM consumer certificate '%s' does not exist.", cert_name);

+        return false;

+    }

+    return true;

 }

 void

@@ -119,93 +128,27 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,

         if (config->ur_url == NULL)

             ureport_server_config_set_url(config, xstrdup(RHSM_WEB_SERVICE_URL));

-        char *rhsm_dir = rhsm_config_get_entitlement_cert_dir();

-        if (rhsm_dir == NULL)

-        {

-            log_notice("Not using client authentication");

-            return;

-        }

+        /* always returns non-NULL */

+        char *rhsm_dir = rhsm_config_get_consumer_cert_dir();

-        GList *certs = get_file_list(rhsm_dir, "pem");

-        if (g_list_length(certs) < 2)

-        {

-            g_list_free_full(certs, (GDestroyNotify)free_file_obj);

+        char *cert_full_name = concat_path_file(rhsm_dir, RHSMCON_CERT_NAME);

+        char *key_full_name = concat_path_file(rhsm_dir, RHSMCON_KEY_NAME);

-            log_notice("'%s' does not contain a cert-key files pair", rhsm_dir);

-            log_notice("Not using client authentication");

-            free(rhsm_dir);

-            return;

-        }

-

-        /* Use the last non-key file found. */

-        file_obj_t *cert = NULL;

-        for (GList *iter = certs; iter != NULL; iter = g_list_next(iter))

+        if (certificate_exist(cert_full_name) && certificate_exist(key_full_name))

         {

-            file_obj_t *tmp = (file_obj_t *)iter->data;

-            const char *file_name = fo_get_filename(tmp);

-

-            if (suffixcmp(file_name, "-key"))

-                cert = tmp;

+            config->ur_client_cert = cert_full_name;

+            config->ur_client_key = key_full_name;

+            log_debug("Using cert files: '%s' : '%s'", config->ur_client_cert, config->ur_client_key);

         }

-

-        if (cert == NULL)

+        else

         {

-            g_list_free_full(certs, (GDestroyNotify)free_file_obj);

-

-            log_notice("'%s' does not contain a cert file (only keys)", rhsm_dir);

-            log_notice("Not using client authentication");

-            free(rhsm_dir);

-            return;

+            free(cert_full_name);

+            free(key_full_name);

+            log_notice("Using the default configuration for uReports.");

         }

-        config->ur_client_cert = xstrdup(fo_get_fullpath(cert));

-        /* Yes, the key file may not exists. I over took this code from

-         * sos-uploader and they are pretty happy with this approach, so why

-         * shouldn't we?. */

-        config->ur_client_key = xasprintf("%s/%s-key.pem", rhsm_dir, fo_get_filename(cert));

         free(rhsm_dir);

-        log_debug("Using cert files: '%s' : '%s'", config->ur_client_cert, config->ur_client_key);

-

-        g_list_free_full(certs, (GDestroyNotify)free_file_obj);

-

-        char *certdata = xmalloc_open_read_close(config->ur_client_cert, /*no size limit*/NULL);

-        if (certdata != NULL)

-        {

-            char *ent_data = xstrdup_between(certdata,

-                    RHSMENT_ENT_DATA_BEGIN_TAG, RHSMENT_ENT_DATA_END_TAG);

-

-            char *sig_data = xstrdup_between(certdata,

-                    RHSMENT_SIG_DATA_BEGIN_TAG, RHSMENT_SIG_DATA_END_TAG);

-

-            if (ent_data != NULL && sig_data != NULL)

-            {

-                ent_data = strremovech(ent_data, '\n');

-                insert_map_string(config->ur_http_headers,

-                        xstrdup("X-RH-Entitlement-Data"),

-                        xasprintf(RHSMENT_ENT_DATA_BEGIN_TAG"%s"RHSMENT_ENT_DATA_END_TAG, ent_data));

-

-                sig_data = strremovech(sig_data, '\n');

-                insert_map_string(config->ur_http_headers,

-                        xstrdup("X-RH-Entitlement-Sig"),

-                        xasprintf(RHSMENT_SIG_DATA_BEGIN_TAG"%s"RHSMENT_SIG_DATA_END_TAG, sig_data));

-            }

-            else

-            {

-                log_notice("Cert file '%s' doesn't contain Entitlement and RSA Signature sections", config->ur_client_cert);

-                log_notice("Not using client authentication");

-

-                free(config->ur_client_cert);

-                config->ur_client_cert = NULL;

-

-                free(config->ur_client_key);

-                config->ur_client_key = NULL;

-            }

-

-            free(sig_data);

-            free(ent_data);

-            free(certdata);

-        }

     }

     else if (strcmp(client_auth, "puppet") == 0)

     {

diff --git a/src/plugins/ureport.conf b/src/plugins/ureport.conf

index e04bf56..2256a7f 100644

--- a/src/plugins/ureport.conf

+++ b/src/plugins/ureport.conf

@@ -22,7 +22,7 @@ AuthDataItems = hostname, machineid

 # 'IncludeAuthData' to 'yes'.

 # None (default):

 # SSLClientAuth =

-# Using RH subscription management entitlement certificate:

+# Using RH subscription management consumer certificate:

 # SSLClientAuth = rhsm

 # Using Puppet certificate:

 # SSLClientAuth = puppet

-- 

2.4.3