particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

internal/rhsm: implement fallback to the previous mechanism

Browse source 
It turns out there are edge cases where the previous mechanism worked
and the new one doesn't. Employee subscription is one example, where the
key can be used to access basically any content, yet nothing it written
in the redhat.repo file. This should have no effect on hosts running
RHSM the usual way.
This commit is contained in:
Martin Sehnoutka 2021-07-21 14:15:22 +02:00 committed by msehnout
parent 1227633e7c
commit 130e357268
1 changed files with 47 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

51
internal/rhsm/secrets.go
View file

@ -4,6 +4,7 @@ import (
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"gopkg.in/ini.v1"
@ -21,6 +22,7 @@ type subscription struct {
// host system.
type Subscriptions struct {
available []subscription
secrets *RHSMSecrets // secrets are used in there is no matching subscription
}
// RHSMSecrets represents a set of CA certificate, client key, and
@ -31,8 +33,25 @@ type RHSMSecrets struct {
SSLClientCert string
}
// LoadSystemSubscriptions loads all the available subscriptions.
func LoadSystemSubscriptions() (*Subscriptions, error) {
func getRHSMSecrets() (*RHSMSecrets, error) {
keys, err := filepath.Glob("/etc/pki/entitlement/*-key.pem")
if err != nil {
return nil, err
}
for _, key := range keys {
cert := strings.TrimSuffix(key, "-key.pem") + ".pem"
if _, err := os.Stat(cert); err == nil {
return &RHSMSecrets{
SSLCACert: "/etc/rhsm/ca/redhat-uep.pem",
SSLClientKey: key,
SSLClientCert: cert,
}, nil
}
}
return nil, fmt.Errorf("no matching key and certificate pair")
}
func getListOfSubscriptions() ([]subscription, error) {
// This file has a standard syntax for yum repositories which is
// documented in `man yum.conf`. The same parsing mechanism could
// be used for any other repo file in /etc/yum.repos.d/.
@ -45,15 +64,35 @@ func LoadSystemSubscriptions() (*Subscriptions, error) {
return nil, nil
}
}
return nil, fmt.Errorf("Failed to open the file with subscriptions: %w", err)
return nil, fmt.Errorf("failed to open the file with subscriptions: %w", err)
}
subscriptions, err := parseRepoFile(content)
if err != nil {
return nil, fmt.Errorf("Failed to parse the file with subscriptions: %w", err)
return nil, fmt.Errorf("failed to parse the file with subscriptions: %w", err)
}
return subscriptions, nil
}
// LoadSystemSubscriptions loads all the available subscriptions.
func LoadSystemSubscriptions() (*Subscriptions, error) {
subscriptions, err1 := getListOfSubscriptions()
secrets, err2 := getRHSMSecrets()
if subscriptions == nil && secrets == nil {
// Neither works, return an error because at least one has to be available
if err1 != nil {
return nil, err1
}
if err2 != nil {
return nil, err2
}
return nil, fmt.Errorf("failed to load subscriptions")
}
return &Subscriptions{
available: subscriptions,
secrets: secrets,
}, nil
}
@ -112,5 +151,9 @@ func (s *Subscriptions) GetSecretsForBaseurl(baseurl string, arch, releasever st
}, nil
}
}
// If there is no matching URL, fall back to the global secrets
if s.secrets != nil {
return s.secrets, nil
}
return nil, fmt.Errorf("no such baseurl in the available subscriptions")
}