rpms / libreport

Clone
Source Code
GIT

Blame SOURCES/0139-ureport-add-functionality-to-use-consumer-certificat.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   28bab82c64c1941bd207416550c6ad7a67b56012
  2.   SOURCES
  3.   0139-ureport-add-functionality-to-use-consumer-certificat.patch
Blob History Raw
28bab8 
From d8459ff67af8566583a4b33d151a182d48722078 Mon Sep 17 00:00:00 2001
28bab8 
From: Matej Habrnal <mhabrnal@redhat.com>
28bab8 
Date: Wed, 27 May 2015 14:45:20 +0200
28bab8 
Subject: [PATCH] ureport: add functionality to use consumer certificate
28bab8
28bab8 
reporter-ureport uses consumer certificate instead of entitlement certificate,
28bab8 
if the rhsm authentication is enabled. Also uses
28bab8 
https://cert-api.access.redhat.com/rs/telemetry/abrt to report those
28bab8 
autenticated uReports.
28bab8
28bab8 
Related to rhbz#1223805
28bab8
28bab8 
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
28bab8 
---
28bab8 
 src/lib/ureport.c        | 121 +++++++++++++----------------------------------
28bab8 
 src/plugins/ureport.conf |   2 +-
28bab8 
 2 files changed, 33 insertions(+), 90 deletions(-)
28bab8
28bab8 
diff --git a/src/lib/ureport.c b/src/lib/ureport.c
28bab8 
index 5065a52..990ace6 100644
28bab8 
--- a/src/lib/ureport.c
28bab8 
+++ b/src/lib/ureport.c
28bab8 
@@ -31,13 +31,11 @@
28bab8
28bab8 
 #define BTHASH_URL_SFX "reports/bthash/"
28bab8
28bab8 
-#define RHSM_WEB_SERVICE_URL "https://api.access.redhat.com/rs/telemetry/abrt"
28bab8 
+#define RHSM_WEB_SERVICE_URL "https://cert-api.access.redhat.com/rs/telemetry/abrt"
28bab8
28bab8 
-#define RHSMENT_PEM_DIR_PATH "/etc/pki/entitlement"
28bab8 
-#define RHSMENT_ENT_DATA_BEGIN_TAG "-----BEGIN ENTITLEMENT DATA-----"
28bab8 
-#define RHSMENT_ENT_DATA_END_TAG "-----END ENTITLEMENT DATA-----"
28bab8 
-#define RHSMENT_SIG_DATA_BEGIN_TAG "-----BEGIN RSA SIGNATURE-----"
28bab8 
-#define RHSMENT_SIG_DATA_END_TAG "-----END RSA SIGNATURE-----"
28bab8 
+#define RHSMCON_PEM_DIR_PATH "/etc/pki/consumer"
28bab8 
+#define RHSMCON_CERT_NAME "cert.pem"
28bab8 
+#define RHSMCON_KEY_NAME "key.pem"
28bab8
28bab8
28bab8 
 static char *
28bab8 
@@ -71,14 +69,14 @@ ureport_server_config_set_url(struct ureport_server_config *config,
28bab8 
 }
28bab8
28bab8 
 static char *
28bab8 
-rhsm_config_get_entitlement_cert_dir(void)
28bab8 
+rhsm_config_get_consumer_cert_dir(void)
28bab8 
 {
28bab8 
-    char *result = getenv("LIBREPORT_DEBUG_RHSMENT_PEM_DIR_PATH");
28bab8 
+    char *result = getenv("LIBREPORT_DEBUG_RHSMCON_PEM_DIR_PATH");
28bab8 
     if (result != NULL)
28bab8 
         return xstrdup(result);
28bab8
28bab8 
     result = run_in_shell_and_save_output(0,
28bab8 
-            "python -c \"from rhsm.config import initConfig; print(initConfig().get('rhsm', 'entitlementCertDir'))\"",
28bab8 
+            "python -c \"from rhsm.config import initConfig; print(initConfig().get('rhsm', 'consumerCertDir'))\"",
28bab8 
             NULL, NULL);
28bab8
28bab8 
     /* run_in_shell_and_save_output always returns non-NULL */
28bab8 
@@ -93,8 +91,19 @@ rhsm_config_get_entitlement_cert_dir(void)
28bab8 
     return result;
28bab8 
 error:
28bab8 
     free(result);
28bab8 
-    error_msg("Failed to get 'rhsm':'entitlementCertDir' from rhsm.config python module. Using "RHSMENT_PEM_DIR_PATH);
28bab8 
-    return xstrdup(RHSMENT_PEM_DIR_PATH);
28bab8 
+    error_msg("Failed to get 'rhsm':'consumerCertDir' from rhsm.config python module. Using "RHSMCON_PEM_DIR_PATH);
28bab8 
+    return xstrdup(RHSMCON_PEM_DIR_PATH);
28bab8 
+}
28bab8 
+
28bab8 
+static bool
28bab8 
+certificate_exist(char *cert_name)
28bab8 
+{
28bab8 
+    if (access(cert_name, F_OK) != 0)
28bab8 
+    {
28bab8 
+        log_notice("RHSM consumer certificate '%s' does not exist.", cert_name);
28bab8 
+        return false;
28bab8 
+    }
28bab8 
+    return true;
28bab8 
 }
28bab8
28bab8 
 void
28bab8 
@@ -119,93 +128,27 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
28bab8 
         if (config->ur_url == NULL)
28bab8 
             ureport_server_config_set_url(config, xstrdup(RHSM_WEB_SERVICE_URL));
28bab8
28bab8 
-        char *rhsm_dir = rhsm_config_get_entitlement_cert_dir();
28bab8 
-        if (rhsm_dir == NULL)
28bab8 
-        {
28bab8 
-            log_notice("Not using client authentication");
28bab8 
-            return;
28bab8 
-        }
28bab8 
+        /* always returns non-NULL */
28bab8 
+        char *rhsm_dir = rhsm_config_get_consumer_cert_dir();
28bab8
28bab8 
-        GList *certs = get_file_list(rhsm_dir, "pem");
28bab8 
-        if (g_list_length(certs) < 2)
28bab8 
-        {
28bab8 
-            g_list_free_full(certs, (GDestroyNotify)free_file_obj);
28bab8 
+        char *cert_full_name = concat_path_file(rhsm_dir, RHSMCON_CERT_NAME);
28bab8 
+        char *key_full_name = concat_path_file(rhsm_dir, RHSMCON_KEY_NAME);
28bab8
28bab8 
-            log_notice("'%s' does not contain a cert-key files pair", rhsm_dir);
28bab8 
-            log_notice("Not using client authentication");
28bab8 
-            free(rhsm_dir);
28bab8 
-            return;
28bab8 
-        }
28bab8 
-
28bab8 
-        /* Use the last non-key file found. */
28bab8 
-        file_obj_t *cert = NULL;
28bab8 
-        for (GList *iter = certs; iter != NULL; iter = g_list_next(iter))
28bab8 
+        if (certificate_exist(cert_full_name) && certificate_exist(key_full_name))
28bab8 
         {
28bab8 
-            file_obj_t *tmp = (file_obj_t *)iter->data;
28bab8 
-            const char *file_name = fo_get_filename(tmp);
28bab8 
-
28bab8 
-            if (suffixcmp(file_name, "-key"))
28bab8 
-                cert = tmp;
28bab8 
+            config->ur_client_cert = cert_full_name;
28bab8 
+            config->ur_client_key = key_full_name;
28bab8 
+            log_debug("Using cert files: '%s' : '%s'", config->ur_client_cert, config->ur_client_key);
28bab8 
         }
28bab8 
-
28bab8 
-        if (cert == NULL)
28bab8 
+        else
28bab8 
         {
28bab8 
-            g_list_free_full(certs, (GDestroyNotify)free_file_obj);
28bab8 
-
28bab8 
-            log_notice("'%s' does not contain a cert file (only keys)", rhsm_dir);
28bab8 
-            log_notice("Not using client authentication");
28bab8 
-            free(rhsm_dir);
28bab8 
-            return;
28bab8 
+            free(cert_full_name);
28bab8 
+            free(key_full_name);
28bab8 
+            log_notice("Using the default configuration for uReports.");
28bab8 
         }
28bab8
28bab8 
-        config->ur_client_cert = xstrdup(fo_get_fullpath(cert));
28bab8 
-        /* Yes, the key file may not exists. I over took this code from
28bab8 
-         * sos-uploader and they are pretty happy with this approach, so why
28bab8 
-         * shouldn't we?. */
28bab8 
-        config->ur_client_key = xasprintf("%s/%s-key.pem", rhsm_dir, fo_get_filename(cert));
28bab8 
         free(rhsm_dir);
28bab8
28bab8 
-        log_debug("Using cert files: '%s' : '%s'", config->ur_client_cert, config->ur_client_key);
28bab8 
-
28bab8 
-        g_list_free_full(certs, (GDestroyNotify)free_file_obj);
28bab8 
-
28bab8 
-        char *certdata = xmalloc_open_read_close(config->ur_client_cert, /*no size limit*/NULL);
28bab8 
-        if (certdata != NULL)
28bab8 
-        {
28bab8 
-            char *ent_data = xstrdup_between(certdata,
28bab8 
-                    RHSMENT_ENT_DATA_BEGIN_TAG, RHSMENT_ENT_DATA_END_TAG);
28bab8 
-
28bab8 
-            char *sig_data = xstrdup_between(certdata,
28bab8 
-                    RHSMENT_SIG_DATA_BEGIN_TAG, RHSMENT_SIG_DATA_END_TAG);
28bab8 
-
28bab8 
-            if (ent_data != NULL && sig_data != NULL)
28bab8 
-            {
28bab8 
-                ent_data = strremovech(ent_data, '\n');
28bab8 
-                insert_map_string(config->ur_http_headers,
28bab8 
-                        xstrdup("X-RH-Entitlement-Data"),
28bab8 
-                        xasprintf(RHSMENT_ENT_DATA_BEGIN_TAG"%s"RHSMENT_ENT_DATA_END_TAG, ent_data));
28bab8 
-
28bab8 
-                sig_data = strremovech(sig_data, '\n');
28bab8 
-                insert_map_string(config->ur_http_headers,
28bab8 
-                        xstrdup("X-RH-Entitlement-Sig"),
28bab8 
-                        xasprintf(RHSMENT_SIG_DATA_BEGIN_TAG"%s"RHSMENT_SIG_DATA_END_TAG, sig_data));
28bab8 
-            }
28bab8 
-            else
28bab8 
-            {
28bab8 
-                log_notice("Cert file '%s' doesn't contain Entitlement and RSA Signature sections", config->ur_client_cert);
28bab8 
-                log_notice("Not using client authentication");
28bab8 
-
28bab8 
-                free(config->ur_client_cert);
28bab8 
-                config->ur_client_cert = NULL;
28bab8 
-
28bab8 
-                free(config->ur_client_key);
28bab8 
-                config->ur_client_key = NULL;
28bab8 
-            }
28bab8 
-
28bab8 
-            free(sig_data);
28bab8 
-            free(ent_data);
28bab8 
-            free(certdata);
28bab8 
-        }
28bab8 
     }
28bab8 
     else if (strcmp(client_auth, "puppet") == 0)
28bab8 
     {
28bab8 
diff --git a/src/plugins/ureport.conf b/src/plugins/ureport.conf
28bab8 
index e04bf56..2256a7f 100644
28bab8 
--- a/src/plugins/ureport.conf
28bab8 
+++ b/src/plugins/ureport.conf
28bab8 
@@ -22,7 +22,7 @@ AuthDataItems = hostname, machineid
28bab8 
 # 'IncludeAuthData' to 'yes'.
28bab8 
 # None (default):
28bab8 
 # SSLClientAuth =
28bab8 
-# Using RH subscription management entitlement certificate:
28bab8 
+# Using RH subscription management consumer certificate:
28bab8 
 # SSLClientAuth = rhsm
28bab8 
 # Using Puppet certificate:
28bab8 
 # SSLClientAuth = puppet
28bab8 
--
28bab8 
2.4.3
28bab8

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation