
From fc56c987058558d47d6bfe64ec11d2819b7886fe Mon Sep 17 00:00:00 2001
From: Matej Habrnal <mhabrnal@redhat.com>
Date: Thu, 3 Sep 2015 13:55:07 +0200
Subject: [PATCH] ureport: use Red Hat Certificate Authority to make rhsm cert
 trusted
In the case we use authenticated auto reporting by rhsm the cert is not trusted
and it breaks Auto-reporting feature. This commit feeds curl with the
cert-api.access.redhat.com.pem file, which makes the cert trusted.
Related to rhbz#1223805
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
---
 src/include/ureport.h |  1 +
 src/lib/ureport.c     | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/src/include/ureport.h b/src/include/ureport.h
index 780b898..a1d03f6 100644
--- a/src/include/ureport.h
+++ b/src/include/ureport.h
@@ -52,6 +52,7 @@ struct ureport_server_config
     char *ur_client_cert; ///< Path to certificate used for client
                           ///< authentication (or NULL)
     char *ur_client_key;  ///< Private key for the certificate
+    char *ur_cert_authority_cert; ///< Certificate authority certificate
     char *ur_username;    ///< username for basic HTTP auth
     char *ur_password;    ///< password for basic HTTP auth
     map_string_t *ur_http_headers; ///< Additional HTTP headers
diff --git a/src/lib/ureport.c b/src/lib/ureport.c
index 990ace6..76bcc95 100644
--- a/src/lib/ureport.c
+++ b/src/lib/ureport.c
@@ -37,6 +37,12 @@
 #define RHSMCON_CERT_NAME "cert.pem"
 #define RHSMCON_KEY_NAME "key.pem"
 
+/* Using the same template as for RHSM certificate, macro for cert dir path and
+ * macro for cert name. Cert path can be easily modified for example by reading
+ * an environment variable LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH
+ */
+#define CERT_AUTHORITY_CERT_PATH "/etc/redhat-access-insights"
+#define CERT_AUTHORITY_CERT_NAME "cert-api.access.redhat.com.pem"
 
 static char *
 puppet_config_print(const char *key)
@@ -106,6 +112,17 @@ certificate_exist(char *cert_name)
     return true;
 }
 
+static bool
+cert_authority_cert_exist(char *cert_name)
+{
+    if (access(cert_name, F_OK) != 0)
+    {
+        log_notice("Certs validating the server '%s' does not exist.", cert_name);
+        return false;
+    }
+    return true;
+}
+
 void
 ureport_server_config_set_client_auth(struct ureport_server_config *config,
                                       const char *client_auth)
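Review bot: cert_authority_cert_exist has the same shape as the existing certificate_exist shown in the hunk header (same `char *cert_name` parameter, same access-style check ending in `return true;`), so it appears to differ only in its log text; one helper taking `const char *path` plus the message, or simply reusing certificate_exist, would avoid a second copy of the same access(F_OK) check. The parameter is never written through, so it should be `const char *cert_name`. The message also reads oddly and, since the commit message says uploads fail without this file, the silent fallback deserves a warning rather than a notice: `log_warning("CA certificate validating the server '%s' does not exist.", cert_name);`. certificate_exist's body is outside the hunk, so the equivalence is inferred from the header only.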
@@ -134,6 +151,16 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
         char *cert_full_name = concat_path_file(rhsm_dir, RHSMCON_CERT_NAME);
         char *key_full_name = concat_path_file(rhsm_dir, RHSMCON_KEY_NAME);
 
+        /* get authority certificate dir path from environment variable, if it
+         * is not set, use CERT_AUTHORITY_CERT_PATH
+         */
+        const char *authority_cert_dir_path = getenv("LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH");
+        if (authority_cert_dir_path == NULL)
+           authority_cert_dir_path = CERT_AUTHORITY_CERT_PATH;
+
+        char *cert_authority_cert_full_name = concat_path_file(authority_cert_dir_path,
+                                                                 CERT_AUTHORITY_CERT_NAME);
+
         if (certificate_exist(cert_full_name) && certificate_exist(key_full_name))
         {
             config->ur_client_cert = cert_full_name;
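Review bot: The CA trust anchor directory is taken from `LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH` unconditionally, so whoever controls the reporter's process environment decides which CA certificate curl trusts for the rhsm upload; in any deployment where the reporter runs with privileges or inherits an environment it does not control, this is a TLS trust override rather than a debug aid. Consider honoring the variable only in a debug configuration, or at least stating the precondition at the getenv call, e.g. `/* debug-only override of the CA trust anchor; must not be honored in a privileged or untrusted environment */`. cert_authority_cert_full_name is allocated here but only stored or freed in the following hunk; if any path in the code between the two hunks returns early, it leaks (that code is outside the hunk, so this is inferred). ureport_server_config_set_client_auth begins and ends outside this hunk.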
@@ -147,6 +174,16 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
             log_notice("Using the default configuration for uReports.");
         }
 
+        if (cert_authority_cert_exist(cert_authority_cert_full_name))
+        {
+            config->ur_cert_authority_cert = cert_authority_cert_full_name;
+            log_debug("Using validating server cert: '%s'", config->ur_cert_authority_cert);
+        }
+        else
+        {
+            free(cert_authority_cert_full_name);
+        }
+
         free(rhsm_dir);
 
     }
@@ -286,6 +323,7 @@ ureport_server_config_init(struct ureport_server_config *config)
     config->ur_ssl_verify = true;
     config->ur_client_cert = NULL;
     config->ur_client_key = NULL;
+    config->ur_cert_authority_cert = NULL;
     config->ur_username = NULL;
     config->ur_password = NULL;
     config->ur_http_headers = new_map_string();
@@ -304,6 +342,9 @@ ureport_server_config_destroy(struct ureport_server_config *config)
     free(config->ur_client_key);
     config->ur_client_key = DESTROYED_POINTER;
 
+    free(config->ur_cert_authority_cert);
+    config->ur_cert_authority_cert = DESTROYED_POINTER;
+
     free(config->ur_username);
     config->ur_username = DESTROYED_POINTER;
 
@@ -701,6 +742,7 @@ ureport_do_post(const char *json, struct ureport_server_config *config,
     {
         post_state->client_cert_path = config->ur_client_cert;
         post_state->client_key_path = config->ur_client_key;
+        post_state->cert_authority_cert_path = config->ur_cert_authority_cert;
     }
     else if (config->ur_username && config->ur_password)
     {
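Review bot: `post_state->cert_authority_cert_path` aliases `config->ur_cert_authority_cert` without a copy, so the config must outlive the post_state and the post_state must never free the path; that matches the two client_cert/key assignments above it, but the borrowed lifetime is worth stating at the assignment, e.g. `/* borrowed from config; released by ureport_server_config_destroy */`. When the CA file was missing at setup the field is NULL, so whatever consumes cert_authority_cert_path downstream has to treat NULL as "fall back to the default trust store"; that consumer is not visible here. ureport_do_post begins and ends outside the hunk.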
-- 
2.4.3