From d8459ff67af8566583a4b33d151a182d48722078 Mon Sep 17 00:00:00 2001
From: Matej Habrnal <mhabrnal@redhat.com>
Date: Wed, 27 May 2015 14:45:20 +0200
Subject: [PATCH] ureport: add functionality to use consumer certificate
reporter-ureport uses consumer certificate instead of entitlement certificate,
if the rhsm authentication is enabled. Also uses
https://cert-api.access.redhat.com/rs/telemetry/abrt to report those
autenticated uReports.
Related to rhbz#1223805
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
---
src/lib/ureport.c | 121 +++++++++++++----------------------------------
src/plugins/ureport.conf | 2 +-
2 files changed, 33 insertions(+), 90 deletions(-)
diff --git a/src/lib/ureport.c b/src/lib/ureport.c
index 5065a52..990ace6 100644
--- a/src/lib/ureport.c
+++ b/src/lib/ureport.c
@@ -31,13 +31,11 @@
#define BTHASH_URL_SFX "reports/bthash/"
-#define RHSM_WEB_SERVICE_URL "https://api.access.redhat.com/rs/telemetry/abrt"
+#define RHSM_WEB_SERVICE_URL "https://cert-api.access.redhat.com/rs/telemetry/abrt"
-#define RHSMENT_PEM_DIR_PATH "/etc/pki/entitlement"
-#define RHSMENT_ENT_DATA_BEGIN_TAG "-----BEGIN ENTITLEMENT DATA-----"
-#define RHSMENT_ENT_DATA_END_TAG "-----END ENTITLEMENT DATA-----"
-#define RHSMENT_SIG_DATA_BEGIN_TAG "-----BEGIN RSA SIGNATURE-----"
-#define RHSMENT_SIG_DATA_END_TAG "-----END RSA SIGNATURE-----"
+#define RHSMCON_PEM_DIR_PATH "/etc/pki/consumer"
+#define RHSMCON_CERT_NAME "cert.pem"
+#define RHSMCON_KEY_NAME "key.pem"
static char *
@@ -71,14 +69,14 @@ ureport_server_config_set_url(struct ureport_server_config *config,
}
static char *
-rhsm_config_get_entitlement_cert_dir(void)
+rhsm_config_get_consumer_cert_dir(void)
{
- char *result = getenv("LIBREPORT_DEBUG_RHSMENT_PEM_DIR_PATH");
+ char *result = getenv("LIBREPORT_DEBUG_RHSMCON_PEM_DIR_PATH");
if (result != NULL)
return xstrdup(result);
result = run_in_shell_and_save_output(0,
- "python -c \"from rhsm.config import initConfig; print(initConfig().get('rhsm', 'entitlementCertDir'))\"",
+ "python -c \"from rhsm.config import initConfig; print(initConfig().get('rhsm', 'consumerCertDir'))\"",
NULL, NULL);
/* run_in_shell_and_save_output always returns non-NULL */
@@ -93,8 +91,19 @@ rhsm_config_get_entitlement_cert_dir(void)
return result;
error:
free(result);
- error_msg("Failed to get 'rhsm':'entitlementCertDir' from rhsm.config python module. Using "RHSMENT_PEM_DIR_PATH);
- return xstrdup(RHSMENT_PEM_DIR_PATH);
+ error_msg("Failed to get 'rhsm':'consumerCertDir' from rhsm.config python module. Using "RHSMCON_PEM_DIR_PATH);
+ return xstrdup(RHSMCON_PEM_DIR_PATH);
+}
+
+static bool
+certificate_exist(char *cert_name)
+{
+ if (access(cert_name, F_OK) != 0)
+ {
+ log_notice("RHSM consumer certificate '%s' does not exist.", cert_name);
+ return false;
+ }
+ return true;
}
void
@@ -119,93 +128,27 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
if (config->ur_url == NULL)
ureport_server_config_set_url(config, xstrdup(RHSM_WEB_SERVICE_URL));
- char *rhsm_dir = rhsm_config_get_entitlement_cert_dir();
- if (rhsm_dir == NULL)
- {
- log_notice("Not using client authentication");
- return;
- }
+ /* always returns non-NULL */
+ char *rhsm_dir = rhsm_config_get_consumer_cert_dir();
- GList *certs = get_file_list(rhsm_dir, "pem");
- if (g_list_length(certs) < 2)
- {
- g_list_free_full(certs, (GDestroyNotify)free_file_obj);
+ char *cert_full_name = concat_path_file(rhsm_dir, RHSMCON_CERT_NAME);
+ char *key_full_name = concat_path_file(rhsm_dir, RHSMCON_KEY_NAME);
- log_notice("'%s' does not contain a cert-key files pair", rhsm_dir);
- log_notice("Not using client authentication");
- free(rhsm_dir);
- return;
- }
-
- /* Use the last non-key file found. */
- file_obj_t *cert = NULL;
- for (GList *iter = certs; iter != NULL; iter = g_list_next(iter))
+ if (certificate_exist(cert_full_name) && certificate_exist(key_full_name))
{
- file_obj_t *tmp = (file_obj_t *)iter->data;
- const char *file_name = fo_get_filename(tmp);
-
- if (suffixcmp(file_name, "-key"))
- cert = tmp;
+ config->ur_client_cert = cert_full_name;
+ config->ur_client_key = key_full_name;
+ log_debug("Using cert files: '%s' : '%s'", config->ur_client_cert, config->ur_client_key);
}
-
- if (cert == NULL)
+ else
{
- g_list_free_full(certs, (GDestroyNotify)free_file_obj);
-
- log_notice("'%s' does not contain a cert file (only keys)", rhsm_dir);
- log_notice("Not using client authentication");
- free(rhsm_dir);
- return;
+ free(cert_full_name);
+ free(key_full_name);
+ log_notice("Using the default configuration for uReports.");
}
- config->ur_client_cert = xstrdup(fo_get_fullpath(cert));
- /* Yes, the key file may not exists. I over took this code from
- * sos-uploader and they are pretty happy with this approach, so why
- * shouldn't we?. */
- config->ur_client_key = xasprintf("%s/%s-key.pem", rhsm_dir, fo_get_filename(cert));
free(rhsm_dir);
- log_debug("Using cert files: '%s' : '%s'", config->ur_client_cert, config->ur_client_key);
-
- g_list_free_full(certs, (GDestroyNotify)free_file_obj);
-
- char *certdata = xmalloc_open_read_close(config->ur_client_cert, /*no size limit*/NULL);
- if (certdata != NULL)
- {
- char *ent_data = xstrdup_between(certdata,
- RHSMENT_ENT_DATA_BEGIN_TAG, RHSMENT_ENT_DATA_END_TAG);
-
- char *sig_data = xstrdup_between(certdata,
- RHSMENT_SIG_DATA_BEGIN_TAG, RHSMENT_SIG_DATA_END_TAG);
-
- if (ent_data != NULL && sig_data != NULL)
- {
- ent_data = strremovech(ent_data, '\n');
- insert_map_string(config->ur_http_headers,
- xstrdup("X-RH-Entitlement-Data"),
- xasprintf(RHSMENT_ENT_DATA_BEGIN_TAG"%s"RHSMENT_ENT_DATA_END_TAG, ent_data));
-
- sig_data = strremovech(sig_data, '\n');
- insert_map_string(config->ur_http_headers,
- xstrdup("X-RH-Entitlement-Sig"),
- xasprintf(RHSMENT_SIG_DATA_BEGIN_TAG"%s"RHSMENT_SIG_DATA_END_TAG, sig_data));
- }
- else
- {
- log_notice("Cert file '%s' doesn't contain Entitlement and RSA Signature sections", config->ur_client_cert);
- log_notice("Not using client authentication");
-
- free(config->ur_client_cert);
- config->ur_client_cert = NULL;
-
- free(config->ur_client_key);
- config->ur_client_key = NULL;
- }
-
- free(sig_data);
- free(ent_data);
- free(certdata);
- }
}
else if (strcmp(client_auth, "puppet") == 0)
{
diff --git a/src/plugins/ureport.conf b/src/plugins/ureport.conf
index e04bf56..2256a7f 100644
--- a/src/plugins/ureport.conf
+++ b/src/plugins/ureport.conf
@@ -22,7 +22,7 @@ AuthDataItems = hostname, machineid
# 'IncludeAuthData' to 'yes'.
# None (default):
# SSLClientAuth =
-# Using RH subscription management entitlement certificate:
+# Using RH subscription management consumer certificate:
# SSLClientAuth = rhsm
# Using Puppet certificate:
# SSLClientAuth = puppet
--
2.4.3