From c0e4f8f27f0becd93c7abd9f20224232d5f1a5cf Mon Sep 17 00:00:00 2001
From: Martin Milata <mmilata@redhat.com>
Date: Thu, 16 Jan 2014 20:02:05 +0100
Subject: [LIBREPORT PATCH 12/14] ureport: add support for client-side
authentication
Please note that the libreport_curl api is changed and since we're not
bumping sonames ABRT has to explicitly depend on this version in spec.
Related to rhbz#1053042.
Signed-off-by: Martin Milata <mmilata@redhat.com>
---
doc/reporter-ureport.txt | 18 ++++++++++
src/include/libreport_curl.h | 2 ++
src/lib/curl.c | 7 ++++
src/lib/json.c | 48 ++++++++++++-------------
src/lib/ureport.h | 7 ++--
src/plugins/ureport.c | 85 ++++++++++++++++++++++++++++++++++++++++++--
src/plugins/ureport.conf | 10 ++++++
7 files changed, 149 insertions(+), 28 deletions(-)
diff --git a/doc/reporter-ureport.txt b/doc/reporter-ureport.txt
index b739b6d..54823ae 100644
--- a/doc/reporter-ureport.txt
+++ b/doc/reporter-ureport.txt
@@ -27,6 +27,20 @@ Configuration file lines should have 'PARAM = VALUE' format. The parameters are:
'SSLVerify'::
Use no/false/off/0 to disable verification of server's SSL certificate. (default: yes)
+'SSLClientAuth'::
+ If this option is set, client-side SSL certificate is used to authenticate
+ to the server so that it knows which machine it came from. Possible values
+ are:
+
+ 'rhsm';;
+ Uses the system certificate that is used for Red Hat subscription management.
+
+ 'puppet';;
+ Uses the certificate that is used by the Puppet configuration management tool.
+
+ '<cert_path>:<key_path>';;
+ Manually supply paths to certificate and the corresponding key in PEM format.
+
'ContactEmail'::
Email address attached to a bthash on the server.
@@ -61,6 +75,10 @@ OPTIONS
-k, --insecure::
Allow insecure connection to ureport server
+-t, --auth SOURCE::
+ Enables client authentication. See 'SSLClientAuth' configuration file
+ option for list of possible values.
+
-v::
Be more verbose. Can be given multiple times.
diff --git a/src/include/libreport_curl.h b/src/include/libreport_curl.h
index 4cd855f..7d6fa02 100644
--- a/src/include/libreport_curl.h
+++ b/src/include/libreport_curl.h
@@ -35,6 +35,8 @@ typedef struct post_state {
int flags;
const char *username;
const char *password;
+ const char *client_cert_path;
+ const char *client_key_path;
/* Results of POST transaction: */
int http_resp_code;
/* cast from CURLcode enum.
diff --git a/src/lib/curl.c b/src/lib/curl.c
index 6722b4a..662a2cf 100644
--- a/src/lib/curl.c
+++ b/src/lib/curl.c
@@ -532,6 +532,13 @@ post(post_state_t *state,
xcurl_easy_setopt_long(handle, CURLOPT_SSL_VERIFYPEER, 0);
xcurl_easy_setopt_long(handle, CURLOPT_SSL_VERIFYHOST, 0);
}
+ if (state->client_cert_path && state->client_key_path)
+ {
+ xcurl_easy_setopt_ptr(handle, CURLOPT_SSLCERTTYPE, "PEM");
+ xcurl_easy_setopt_ptr(handle, CURLOPT_SSLKEYTYPE, "PEM");
+ xcurl_easy_setopt_ptr(handle, CURLOPT_SSLCERT, state->client_cert_path);
+ xcurl_easy_setopt_ptr(handle, CURLOPT_SSLKEY, state->client_key_path);
+ }
// This is the place where everything happens.
// Here errors are not limited to "out of memory", can't just die.
diff --git a/src/lib/json.c b/src/lib/json.c
index eb8e5ed..66db537 100644
--- a/src/lib/json.c
+++ b/src/lib/json.c
@@ -68,7 +68,7 @@ char *new_json_attachment(const char *bthash, const char *type, const char *data
return result;
}
-struct post_state *post_ureport(const char *json_ureport, struct ureport_server_config *config)
+struct post_state *post_ureport(const char *json, struct ureport_server_config *config)
{
int flags = POST_WANT_BODY | POST_WANT_ERROR_MSG;
@@ -77,6 +77,12 @@ struct post_state *post_ureport(const char *json_ureport, struct ureport_server_
struct post_state *post_state = new_post_state(flags);
+ if (config->ur_client_cert && config->ur_client_key)
+ {
+ post_state->client_cert_path = config->ur_client_cert;
+ post_state->client_key_path = config->ur_client_key;
+ }
+
static const char *headers[] = {
"Accept: application/json",
"Connection: close",
@@ -84,30 +90,24 @@ struct post_state *post_ureport(const char *json_ureport, struct ureport_server_
};
post_string_as_form_data(post_state, config->ur_url, "application/json",
- headers, json_ureport);
+ headers, json);
- return post_state;
-}
+ /* Client authentication failed. Try again without client auth.
+ * CURLE_SSL_CONNECT_ERROR - cert not found/server doesnt trust the CA
+ * CURLE_SSL_CERTPROBLEM - malformed certificate/no permission
+ */
+ if ((post_state->curl_result == CURLE_SSL_CONNECT_ERROR
+ || post_state->curl_result == CURLE_SSL_CERTPROBLEM)
+ && config->ur_client_cert && config->ur_client_key)
+ {
+ warn_msg("Authentication failed. Retrying unauthenticated.");
+ free_post_state(post_state);
+ post_state = new_post_state(flags);
-static
-struct post_state *ureport_attach(const char *json_attachment,
- struct ureport_server_config *config)
-{
- int flags = POST_WANT_BODY | POST_WANT_ERROR_MSG;
+ post_string_as_form_data(post_state, config->ur_url, "application/json",
+ headers, json);
- if (config->ur_ssl_verify)
- flags |= POST_WANT_SSL_VERIFY;
-
- struct post_state *post_state = new_post_state(flags);
-
- static const char *headers[] = {
- "Accept: application/json",
- "Connection: close",
- NULL,
- };
-
- post_string_as_form_data(post_state, config->ur_url, "application/json",
- headers, json_attachment);
+ }
return post_state;
}
@@ -117,7 +117,7 @@ struct post_state *ureport_attach_rhbz(const char *bthash, int rhbz_bug_id,
{
char *str_bug_id = xasprintf("%d", rhbz_bug_id);
char *json_attachment = new_json_attachment(bthash, "RHBZ", str_bug_id);
- struct post_state *post_state = ureport_attach(json_attachment, config);
+ struct post_state *post_state = post_ureport(json_attachment, config);
free(str_bug_id);
free(json_attachment);
@@ -128,7 +128,7 @@ struct post_state *ureport_attach_email(const char *bthash, const char *email,
struct ureport_server_config *config)
{
char *json_attachment = new_json_attachment(bthash, "email", email);
- struct post_state *post_state = ureport_attach(json_attachment, config);
+ struct post_state *post_state = post_ureport(json_attachment, config);
free(json_attachment);
return post_state;
diff --git a/src/lib/ureport.h b/src/lib/ureport.h
index 4cc4e10..16f40f1 100644
--- a/src/lib/ureport.h
+++ b/src/lib/ureport.h
@@ -30,8 +30,11 @@ extern "C" {
*/
struct ureport_server_config
{
- const char *ur_url; ///< Web service URL
- bool ur_ssl_verify; ///< Verify HOST and PEER certificates
+ const char *ur_url; ///< Web service URL
+ bool ur_ssl_verify; ///< Verify HOST and PEER certificates
+ char *ur_client_cert; ///< Path to certificate used for client
+ ///< authentication (or NULL)
+ char *ur_client_key; ///< Private key for the certificate
};
struct abrt_post_state;
diff --git a/src/plugins/ureport.c b/src/plugins/ureport.c
index 0168744..b57eada 100644
--- a/src/plugins/ureport.c
+++ b/src/plugins/ureport.c
@@ -28,10 +28,73 @@
#define ATTACH_URL_SFX "reports/attach/"
#define BTHASH_URL_SFX "reports/bthash/"
+#define RHSM_CERT_PATH "/etc/pki/consumer/cert.pem"
+#define RHSM_KEY_PATH "/etc/pki/consumer/key.pem"
+
#define VALUE_FROM_CONF(opt, var, tr) do { const char *value = getenv("uReport_"opt); \
if (!value) { value = get_map_string_item_or_NULL(settings, opt); } if (value) { var = tr(value); } \
} while(0)
+static char *puppet_config_print(const char *key)
+{
+ char *command = xasprintf("puppet config print %s", key);
+ char *result = run_in_shell_and_save_output(0, command, NULL, NULL);
+ free(command);
+
+ /* run_in_shell_and_save_output always returns non-NULL */
+ if (result[0] != '/')
+ goto error;
+
+ char *newline = strchrnul(result, '\n');
+ if (!newline)
+ goto error;
+
+ *newline = '\0';
+ return result;
+error:
+ free(result);
+ error_msg_and_die("Unable to determine puppet %s path (puppet not installed?)", key);
+}
+
+static void parse_client_auth_paths(struct ureport_server_config *config, const char *client_auth)
+{
+ if (client_auth == NULL)
+ return;
+
+ if (strcmp(client_auth, "") == 0)
+ {
+ config->ur_client_cert = NULL;
+ config->ur_client_key = NULL;
+ log_notice("Not using client authentication");
+ }
+ else if (strcmp(client_auth, "rhsm") == 0)
+ {
+ config->ur_client_cert = xstrdup(RHSM_CERT_PATH);
+ config->ur_client_key = xstrdup(RHSM_KEY_PATH);
+ }
+ else if (strcmp(client_auth, "puppet") == 0)
+ {
+ config->ur_client_cert = puppet_config_print("hostcert");
+ config->ur_client_key = puppet_config_print("hostprivkey");
+ }
+ else
+ {
+ char *scratch = xstrdup(client_auth);
+ config->ur_client_cert = xstrdup(strtok(scratch, ":"));
+ config->ur_client_key = xstrdup(strtok(NULL, ":"));
+ free(scratch);
+
+ if (config->ur_client_cert == NULL || config->ur_client_key == NULL)
+ error_msg_and_die("Invalid client authentication specification");
+ }
+
+ if (config->ur_client_cert && config->ur_client_key)
+ {
+ log_notice("Using client certificate: %s", config->ur_client_cert);
+ log_notice("Using client private key: %s", config->ur_client_key);
+ }
+}
+
/*
* Loads uReport configuration from various sources.
*
@@ -44,6 +107,10 @@ static void load_ureport_server_config(struct ureport_server_config *config, map
{
VALUE_FROM_CONF("URL", config->ur_url, (const char *));
VALUE_FROM_CONF("SSLVerify", config->ur_ssl_verify, string_to_bool);
+
+ const char *client_auth = NULL;
+ VALUE_FROM_CONF("SSLClientAuth", client_auth, (const char *));
+ parse_client_auth_paths(config, client_auth);
}
struct ureport_server_response {
@@ -243,7 +310,12 @@ static struct ureport_server_response *ureport_server_parse_json(json_object *js
static struct ureport_server_response *get_server_response(post_state_t *post_state, struct ureport_server_config *config)
{
- if (post_state->errmsg[0] != '\0')
+ /* Previously, the condition here was (post_state->errmsg[0] != '\0')
+ * however when the server asks for optional client authentication and we do not have the certificates,
+ * then post_state->errmsg contains "NSS: client certificate not found (nickname not specified)" even though
+ * the request succeeded.
+ */
+ if (post_state->curl_result != CURLE_OK)
{
error_msg(_("Failed to upload uReport to the server '%s' with curl: %s"), config->ur_url, post_state->errmsg);
return NULL;
@@ -349,6 +421,8 @@ int main(int argc, char **argv)
struct ureport_server_config config = {
.ur_url = NULL,
.ur_ssl_verify = true,
+ .ur_client_cert = NULL,
+ .ur_client_key = NULL,
};
enum {
@@ -356,12 +430,14 @@ int main(int argc, char **argv)
OPT_d = 1 << 1,
OPT_u = 1 << 2,
OPT_k = 1 << 3,
+ OPT_t = 1 << 4,
};
int ret = 1; /* "failure" (for now) */
bool insecure = !config.ur_ssl_verify;
const char *conf_file = CONF_FILE_PATH;
const char *arg_server_url = NULL;
+ const char *client_auth = NULL;
const char *dump_dir_path = ".";
const char *ureport_hash = NULL;
bool ureport_hash_from_rt = false;
@@ -376,6 +452,7 @@ int main(int argc, char **argv)
OPT_STRING('u', "url", &arg_server_url, "URL", _("Specify server URL")),
OPT_BOOL('k', "insecure", &insecure,
_("Allow insecure connection to ureport server")),
+ OPT_STRING('t', "auth", &client_auth, "SOURCE", _("Use client authentication")),
OPT_STRING('c', NULL, &conf_file, "FILE", _("Configuration file")),
OPT_STRING('a', "attach", &ureport_hash, "BTHASH",
_("bthash of uReport to attach (conflicts with -A)")),
@@ -393,7 +470,7 @@ int main(int argc, char **argv)
};
const char *program_usage_string = _(
- "& [-v] [-c FILE] [-u URL] [-k] [-A -a bthash -B -b bug-id -E -e email] [-d DIR]\n"
+ "& [-v] [-c FILE] [-u URL] [-k] [-t SOURCE] [-A -a bthash -B -b bug-id -E -e email] [-d DIR]\n"
"\n"
"Upload micro report or add an attachment to a micro report\n"
"\n"
@@ -411,6 +488,8 @@ int main(int argc, char **argv)
config.ur_url = arg_server_url;
if (opts & OPT_k)
config.ur_ssl_verify = !insecure;
+ if (opts & OPT_t)
+ parse_client_auth_paths(&config, client_auth);
if (!config.ur_url)
error_msg_and_die("You need to specify server URL");
@@ -580,6 +659,8 @@ format_err:
finalize:
free_map_string(settings);
+ free(config.ur_client_cert);
+ free(config.ur_client_key);
return ret;
}
diff --git a/src/plugins/ureport.conf b/src/plugins/ureport.conf
index 1f3b33a..13b6386 100644
--- a/src/plugins/ureport.conf
+++ b/src/plugins/ureport.conf
@@ -6,3 +6,13 @@ URL = http://bug-report.itos.redhat.com
# Contact email attached to an uploaded uReport if required
# ContactEmail = foo@example.com
+
+# Client-side authentication
+# None (default):
+# SSLClientAuth =
+# Using RH subscription management certificate:
+# SSLClientAuth = rhsm
+# Using Puppet certificate:
+# SSLClientAuth = puppet
+# Using custom certificate:
+# SSLClientAuth = /path/to/cert.pem:/path/to/key.pem
--
1.8.3.1