Blob Blame History Raw
From c0e4f8f27f0becd93c7abd9f20224232d5f1a5cf Mon Sep 17 00:00:00 2001
From: Martin Milata <mmilata@redhat.com>
Date: Thu, 16 Jan 2014 20:02:05 +0100
Subject: [LIBREPORT PATCH 12/14] ureport: add support for client-side
 authentication

Please note that the libreport_curl api is changed and since we're not
bumping sonames ABRT has to explicitly depend on this version in spec.

Related to rhbz#1053042.

Signed-off-by: Martin Milata <mmilata@redhat.com>
---
 doc/reporter-ureport.txt     | 18 ++++++++++
 src/include/libreport_curl.h |  2 ++
 src/lib/curl.c               |  7 ++++
 src/lib/json.c               | 48 ++++++++++++-------------
 src/lib/ureport.h            |  7 ++--
 src/plugins/ureport.c        | 85 ++++++++++++++++++++++++++++++++++++++++++--
 src/plugins/ureport.conf     | 10 ++++++
 7 files changed, 149 insertions(+), 28 deletions(-)

diff --git a/doc/reporter-ureport.txt b/doc/reporter-ureport.txt
index b739b6d..54823ae 100644
--- a/doc/reporter-ureport.txt
+++ b/doc/reporter-ureport.txt
@@ -27,6 +27,20 @@ Configuration file lines should have 'PARAM = VALUE' format. The parameters are:
 'SSLVerify'::
    Use no/false/off/0 to disable verification of server's SSL certificate. (default: yes)
 
+'SSLClientAuth'::
+   If this option is set, client-side SSL certificate is used to authenticate
+   to the server so that it knows which machine it came from. Possible values
+   are:
+
+   'rhsm';;
+      Uses the system certificate that is used for Red Hat subscription management.
+
+   'puppet';;
+      Uses the certificate that is used by the Puppet configuration management tool.
+
+   '<cert_path>:<key_path>';;
+      Manually supply paths to certificate and the corresponding key in PEM format.
+
 'ContactEmail'::
    Email address attached to a bthash on the server.
 
@@ -61,6 +75,10 @@ OPTIONS
 -k, --insecure::
    Allow insecure connection to ureport server
 
+-t, --auth SOURCE::
+   Enables client authentication. See 'SSLClientAuth' configuration file
+   option for list of possible values.
+
 -v::
    Be more verbose. Can be given multiple times.
 
diff --git a/src/include/libreport_curl.h b/src/include/libreport_curl.h
index 4cd855f..7d6fa02 100644
--- a/src/include/libreport_curl.h
+++ b/src/include/libreport_curl.h
@@ -35,6 +35,8 @@ typedef struct post_state {
     int         flags;
     const char  *username;
     const char  *password;
+    const char  *client_cert_path;
+    const char  *client_key_path;
     /* Results of POST transaction: */
     int         http_resp_code;
     /* cast from CURLcode enum.
diff --git a/src/lib/curl.c b/src/lib/curl.c
index 6722b4a..662a2cf 100644
--- a/src/lib/curl.c
+++ b/src/lib/curl.c
@@ -532,6 +532,13 @@ post(post_state_t *state,
         xcurl_easy_setopt_long(handle, CURLOPT_SSL_VERIFYPEER, 0);
         xcurl_easy_setopt_long(handle, CURLOPT_SSL_VERIFYHOST, 0);
     }
+    if (state->client_cert_path && state->client_key_path)
+    {
+        xcurl_easy_setopt_ptr(handle, CURLOPT_SSLCERTTYPE, "PEM");
+        xcurl_easy_setopt_ptr(handle, CURLOPT_SSLKEYTYPE, "PEM");
+        xcurl_easy_setopt_ptr(handle, CURLOPT_SSLCERT, state->client_cert_path);
+        xcurl_easy_setopt_ptr(handle, CURLOPT_SSLKEY, state->client_key_path);
+    }
 
     // This is the place where everything happens.
     // Here errors are not limited to "out of memory", can't just die.
diff --git a/src/lib/json.c b/src/lib/json.c
index eb8e5ed..66db537 100644
--- a/src/lib/json.c
+++ b/src/lib/json.c
@@ -68,7 +68,7 @@ char *new_json_attachment(const char *bthash, const char *type, const char *data
     return result;
 }
 
-struct post_state *post_ureport(const char *json_ureport, struct ureport_server_config *config)
+struct post_state *post_ureport(const char *json, struct ureport_server_config *config)
 {
     int flags = POST_WANT_BODY | POST_WANT_ERROR_MSG;
 
@@ -77,6 +77,12 @@ struct post_state *post_ureport(const char *json_ureport, struct ureport_server_
 
     struct post_state *post_state = new_post_state(flags);
 
+    if (config->ur_client_cert && config->ur_client_key)
+    {
+        post_state->client_cert_path = config->ur_client_cert;
+        post_state->client_key_path = config->ur_client_key;
+    }
+
     static const char *headers[] = {
         "Accept: application/json",
         "Connection: close",
@@ -84,30 +90,24 @@ struct post_state *post_ureport(const char *json_ureport, struct ureport_server_
     };
 
     post_string_as_form_data(post_state, config->ur_url, "application/json",
-                     headers, json_ureport);
+                     headers, json);
 
-    return post_state;
-}
+    /* Client authentication failed. Try again without client auth.
+     * CURLE_SSL_CONNECT_ERROR - cert not found/server doesnt trust the CA
+     * CURLE_SSL_CERTPROBLEM - malformed certificate/no permission
+     */
+    if ((post_state->curl_result == CURLE_SSL_CONNECT_ERROR
+         || post_state->curl_result == CURLE_SSL_CERTPROBLEM)
+            && config->ur_client_cert && config->ur_client_key)
+    {
+        warn_msg("Authentication failed. Retrying unauthenticated.");
+        free_post_state(post_state);
+        post_state = new_post_state(flags);
 
-static
-struct post_state *ureport_attach(const char *json_attachment,
-                                  struct ureport_server_config *config)
-{
-    int flags = POST_WANT_BODY | POST_WANT_ERROR_MSG;
+        post_string_as_form_data(post_state, config->ur_url, "application/json",
+                         headers, json);
 
-    if (config->ur_ssl_verify)
-        flags |= POST_WANT_SSL_VERIFY;
-
-    struct post_state *post_state = new_post_state(flags);
-
-    static const char *headers[] = {
-        "Accept: application/json",
-        "Connection: close",
-        NULL,
-    };
-
-    post_string_as_form_data(post_state, config->ur_url, "application/json",
-                             headers, json_attachment);
+    }
 
     return post_state;
 }
@@ -117,7 +117,7 @@ struct post_state *ureport_attach_rhbz(const char *bthash, int rhbz_bug_id,
 {
     char *str_bug_id = xasprintf("%d", rhbz_bug_id);
     char *json_attachment = new_json_attachment(bthash, "RHBZ", str_bug_id);
-    struct post_state *post_state = ureport_attach(json_attachment, config);
+    struct post_state *post_state = post_ureport(json_attachment, config);
     free(str_bug_id);
     free(json_attachment);
 
@@ -128,7 +128,7 @@ struct post_state *ureport_attach_email(const char *bthash, const char *email,
                                        struct ureport_server_config *config)
 {
     char *json_attachment = new_json_attachment(bthash, "email", email);
-    struct post_state *post_state = ureport_attach(json_attachment, config);
+    struct post_state *post_state = post_ureport(json_attachment, config);
     free(json_attachment);
 
     return post_state;
diff --git a/src/lib/ureport.h b/src/lib/ureport.h
index 4cc4e10..16f40f1 100644
--- a/src/lib/ureport.h
+++ b/src/lib/ureport.h
@@ -30,8 +30,11 @@ extern "C" {
  */
 struct ureport_server_config
 {
-    const char *ur_url; ///< Web service URL
-    bool ur_ssl_verify; ///< Verify HOST and PEER certificates
+    const char *ur_url;   ///< Web service URL
+    bool ur_ssl_verify;   ///< Verify HOST and PEER certificates
+    char *ur_client_cert; ///< Path to certificate used for client
+                          ///< authentication (or NULL)
+    char *ur_client_key;  ///< Private key for the certificate
 };
 
 struct abrt_post_state;
diff --git a/src/plugins/ureport.c b/src/plugins/ureport.c
index 0168744..b57eada 100644
--- a/src/plugins/ureport.c
+++ b/src/plugins/ureport.c
@@ -28,10 +28,73 @@
 #define ATTACH_URL_SFX "reports/attach/"
 #define BTHASH_URL_SFX "reports/bthash/"
 
+#define RHSM_CERT_PATH "/etc/pki/consumer/cert.pem"
+#define RHSM_KEY_PATH "/etc/pki/consumer/key.pem"
+
 #define VALUE_FROM_CONF(opt, var, tr) do { const char *value = getenv("uReport_"opt); \
         if (!value) { value = get_map_string_item_or_NULL(settings, opt); } if (value) { var = tr(value); } \
     } while(0)
 
+static char *puppet_config_print(const char *key)
+{
+    char *command = xasprintf("puppet config print %s", key);
+    char *result = run_in_shell_and_save_output(0, command, NULL, NULL);
+    free(command);
+
+    /* run_in_shell_and_save_output always returns non-NULL */
+    if (result[0] != '/')
+        goto error;
+
+    char *newline = strchrnul(result, '\n');
+    if (!newline)
+        goto error;
+
+    *newline = '\0';
+    return result;
+error:
+    free(result);
+    error_msg_and_die("Unable to determine puppet %s path (puppet not installed?)", key);
+}
+
+static void parse_client_auth_paths(struct ureport_server_config *config, const char *client_auth)
+{
+    if (client_auth == NULL)
+        return;
+
+    if (strcmp(client_auth, "") == 0)
+    {
+        config->ur_client_cert = NULL;
+        config->ur_client_key = NULL;
+        log_notice("Not using client authentication");
+    }
+    else if (strcmp(client_auth, "rhsm") == 0)
+    {
+        config->ur_client_cert = xstrdup(RHSM_CERT_PATH);
+        config->ur_client_key = xstrdup(RHSM_KEY_PATH);
+    }
+    else if (strcmp(client_auth, "puppet") == 0)
+    {
+        config->ur_client_cert = puppet_config_print("hostcert");
+        config->ur_client_key = puppet_config_print("hostprivkey");
+    }
+    else
+    {
+        char *scratch = xstrdup(client_auth);
+        config->ur_client_cert = xstrdup(strtok(scratch, ":"));
+        config->ur_client_key = xstrdup(strtok(NULL, ":"));
+        free(scratch);
+
+        if (config->ur_client_cert == NULL || config->ur_client_key == NULL)
+            error_msg_and_die("Invalid client authentication specification");
+    }
+
+    if (config->ur_client_cert && config->ur_client_key)
+    {
+        log_notice("Using client certificate: %s", config->ur_client_cert);
+        log_notice("Using client private key: %s", config->ur_client_key);
+    }
+}
+
 /*
  * Loads uReport configuration from various sources.
  *
@@ -44,6 +107,10 @@ static void load_ureport_server_config(struct ureport_server_config *config, map
 {
     VALUE_FROM_CONF("URL", config->ur_url, (const char *));
     VALUE_FROM_CONF("SSLVerify", config->ur_ssl_verify, string_to_bool);
+
+    const char *client_auth = NULL;
+    VALUE_FROM_CONF("SSLClientAuth", client_auth, (const char *));
+    parse_client_auth_paths(config, client_auth);
 }
 
 struct ureport_server_response {
@@ -243,7 +310,12 @@ static struct ureport_server_response *ureport_server_parse_json(json_object *js
 
 static struct ureport_server_response *get_server_response(post_state_t *post_state, struct ureport_server_config *config)
 {
-    if (post_state->errmsg[0] != '\0')
+    /* Previously, the condition here was (post_state->errmsg[0] != '\0')
+     * however when the server asks for optional client authentication and we do not have the certificates,
+     * then post_state->errmsg contains "NSS: client certificate not found (nickname not specified)" even though
+     * the request succeeded.
+     */
+    if (post_state->curl_result != CURLE_OK)
     {
         error_msg(_("Failed to upload uReport to the server '%s' with curl: %s"), config->ur_url, post_state->errmsg);
         return NULL;
@@ -349,6 +421,8 @@ int main(int argc, char **argv)
     struct ureport_server_config config = {
         .ur_url = NULL,
         .ur_ssl_verify = true,
+        .ur_client_cert = NULL,
+        .ur_client_key = NULL,
     };
 
     enum {
@@ -356,12 +430,14 @@ int main(int argc, char **argv)
         OPT_d = 1 << 1,
         OPT_u = 1 << 2,
         OPT_k = 1 << 3,
+        OPT_t = 1 << 4,
     };
 
     int ret = 1; /* "failure" (for now) */
     bool insecure = !config.ur_ssl_verify;
     const char *conf_file = CONF_FILE_PATH;
     const char *arg_server_url = NULL;
+    const char *client_auth = NULL;
     const char *dump_dir_path = ".";
     const char *ureport_hash = NULL;
     bool ureport_hash_from_rt = false;
@@ -376,6 +452,7 @@ int main(int argc, char **argv)
         OPT_STRING('u', "url", &arg_server_url, "URL", _("Specify server URL")),
         OPT_BOOL('k', "insecure", &insecure,
                           _("Allow insecure connection to ureport server")),
+        OPT_STRING('t', "auth", &client_auth, "SOURCE", _("Use client authentication")),
         OPT_STRING('c', NULL, &conf_file, "FILE", _("Configuration file")),
         OPT_STRING('a', "attach", &ureport_hash, "BTHASH",
                           _("bthash of uReport to attach (conflicts with -A)")),
@@ -393,7 +470,7 @@ int main(int argc, char **argv)
     };
 
     const char *program_usage_string = _(
-        "& [-v] [-c FILE] [-u URL] [-k] [-A -a bthash -B -b bug-id -E -e email] [-d DIR]\n"
+        "& [-v] [-c FILE] [-u URL] [-k] [-t SOURCE] [-A -a bthash -B -b bug-id -E -e email] [-d DIR]\n"
         "\n"
         "Upload micro report or add an attachment to a micro report\n"
         "\n"
@@ -411,6 +488,8 @@ int main(int argc, char **argv)
         config.ur_url = arg_server_url;
     if (opts & OPT_k)
         config.ur_ssl_verify = !insecure;
+    if (opts & OPT_t)
+        parse_client_auth_paths(&config, client_auth);
 
     if (!config.ur_url)
         error_msg_and_die("You need to specify server URL");
@@ -580,6 +659,8 @@ format_err:
 
 finalize:
     free_map_string(settings);
+    free(config.ur_client_cert);
+    free(config.ur_client_key);
 
     return ret;
 }
diff --git a/src/plugins/ureport.conf b/src/plugins/ureport.conf
index 1f3b33a..13b6386 100644
--- a/src/plugins/ureport.conf
+++ b/src/plugins/ureport.conf
@@ -6,3 +6,13 @@ URL = http://bug-report.itos.redhat.com
 
 # Contact email attached to an uploaded uReport if required
 # ContactEmail = foo@example.com
+
+# Client-side authentication
+# None (default):
+# SSLClientAuth =
+# Using RH subscription management certificate:
+# SSLClientAuth = rhsm
+# Using Puppet certificate:
+# SSLClientAuth = puppet
+# Using custom certificate:
+# SSLClientAuth = /path/to/cert.pem:/path/to/key.pem
-- 
1.8.3.1