rhsm: remove CA from consumer secrets
The `/etc/rhsm/ca/redhat-uep.pem` CA is not valid for consumer certificates. As a result, resolving the ostree ref should use the system's CA cert pool.
This commit is contained in:
parent
6f37df7777
commit
44f4225c02
3 changed files with 21 additions and 19 deletions
|
|
@ -59,7 +59,7 @@ func VerifyRef(ref string) bool {
|
|||
// ResolveRef resolves the URL path specified by the location and ref
|
||||
// (location+"refs/heads/"+ref) and returns the commit ID for the named ref. If
|
||||
// there is an error, it will be of type ResolveRefError.
|
||||
func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions) (string, error) {
|
||||
func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions, ca *string) (string, error) {
|
||||
u, err := url.Parse(location)
|
||||
if err != nil {
|
||||
return "", NewResolveRefError(fmt.Sprintf("error parsing ostree repository location: %v", err))
|
||||
|
|
@ -74,28 +74,33 @@ func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptio
|
|||
return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
|
||||
}
|
||||
}
|
||||
caCertPEM, err := ioutil.ReadFile(subs.Consumer.CACert)
|
||||
if err != nil {
|
||||
return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
|
||||
|
||||
tlsConf := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
|
||||
roots := x509.NewCertPool()
|
||||
ok := roots.AppendCertsFromPEM(caCertPEM)
|
||||
if !ok {
|
||||
return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
|
||||
if ca != nil {
|
||||
caCertPEM, err := ioutil.ReadFile(*ca)
|
||||
if err != nil {
|
||||
return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
|
||||
}
|
||||
roots := x509.NewCertPool()
|
||||
ok := roots.AppendCertsFromPEM(caCertPEM)
|
||||
if !ok {
|
||||
return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
|
||||
}
|
||||
tlsConf.RootCAs = roots
|
||||
}
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(subs.Consumer.ConsumerCert, subs.Consumer.ConsumerKey)
|
||||
if err != nil {
|
||||
return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
|
||||
}
|
||||
tlsConf.Certificates = []tls.Certificate{cert}
|
||||
|
||||
client = &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
RootCAs: roots,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
},
|
||||
TLSClientConfig: tlsConf,
|
||||
},
|
||||
Timeout: 300 * time.Second,
|
||||
}
|
||||
|
|
@ -166,7 +171,7 @@ func ResolveParams(params RequestParams) (ref, checksum string, err error) {
|
|||
// Resolve parent checksum
|
||||
if params.URL != "" {
|
||||
// If a URL is specified, we need to fetch the commit at the URL.
|
||||
parent, err := ResolveRef(params.URL, parentRef, params.RHSM, nil)
|
||||
parent, err := ResolveRef(params.URL, parentRef, params.RHSM, nil, nil)
|
||||
if err != nil {
|
||||
return "", "", err // ResolveRefError
|
||||
}
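Review bot: The doc comment on ResolveRef (first hunk of this file) is not updated for the new `ca` parameter, and the second hunk gives it semantics a caller cannot read from the signature: a nil `ca` leaves `tlsConf.RootCAs` unset so the host's root CA set verifies the server, while a non-nil `ca` replaces the system roots entirely with the PEM bundle at that path (the pool starts from `x509.NewCertPool()`), rather than adding to them. I would extend the comment with `// ca, when non-nil, is the path to a PEM bundle that becomes the only set of trusted roots for the connection; when nil the system CA pool is used.` The three failure paths in the second hunk (reading `*ca`, parsing it, loading the consumer key pair) also return the identical message "error adding rhsm certificates when resolving ref", so a bad CA path is indistinguishable from a bad client certificate when this fails on a real host; following the style the same function already uses for the URL parse error, `return "", NewResolveRefError(fmt.Sprintf("error reading CA bundle %q when resolving ref: %v", *ca, err))` for the read failure would keep the error type callers check while naming the step. ResolveRef continues outside the hunk.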
|
||||
|
|
|
|||
|
|
@ -44,7 +44,6 @@ func TestOstreeResolveRef(t *testing.T) {
|
|||
defer srv2.Close()
|
||||
subs := &rhsm.Subscriptions{
|
||||
Consumer: &rhsm.ConsumerSecrets{
|
||||
CACert: mTLSSrv.CAPath,
|
||||
ConsumerKey: mTLSSrv.ClientKeyPath,
|
||||
ConsumerCert: mTLSSrv.ClientCrtPath,
|
||||
},
|
||||
|
|
@ -79,7 +78,7 @@ func TestOstreeResolveRef(t *testing.T) {
|
|||
{srvConf.Srv.URL, "valid/ostree/ref"}: goodRef,
|
||||
}
|
||||
for in, expOut := range validCases {
|
||||
out, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs)
|
||||
out, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs, &mTLSSrv.CAPath)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, expOut, out)
|
||||
}
|
||||
|
|
@ -92,7 +91,7 @@ func TestOstreeResolveRef(t *testing.T) {
|
|||
{srvConf.Srv.URL, "get_bad_ref"}: fmt.Sprintf("ostree repository \"%s/refs/heads/get_bad_ref\" returned invalid reference", srvConf.Srv.URL),
|
||||
}
|
||||
for in, expMsg := range errCases {
|
||||
_, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs)
|
||||
_, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs, &mTLSSrv.CAPath)
|
||||
assert.EqualError(t, err, expMsg)
|
||||
}
|
||||
}
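Review bot: Both loops in the second and third hunks now pass `&mTLSSrv.CAPath`, so the test never exercises the nil-`ca` branch, which is the path production takes (ResolveParams passes nil in the other file). A case with `ca` nil against the same mTLS server should presumably fail with a ResolveRefError, since that server's CA is not in the host pool; asserting that would confirm the nil path falls back to system verification rather than silently trusting the server, e.g. `_, err = ResolveRef(srvConf.Srv.URL, "valid/ostree/ref", srvConf.RHSM, srvConf.Subs, nil)` followed by `assert.Error(t, err)` for the mTLS configuration. TestOstreeResolveRef starts before the first hunk, so I cannot see how srvConf and mTLSSrv are set up.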
|
||||
|
|
|
|||
|
|
@ -38,7 +38,6 @@ type RHSMSecrets struct {
|
|||
|
||||
// These secrets are present on any subscribed system and uniquely identify the host
|
||||
type ConsumerSecrets struct {
|
||||
CACert string
|
||||
ConsumerKey string
|
||||
ConsumerCert string
|
||||
}
|
||||
|
|
@ -86,7 +85,6 @@ func getListOfSubscriptions() ([]subscription, error) {
|
|||
|
||||
func getConsumerSecrets() (*ConsumerSecrets, error) {
|
||||
res := ConsumerSecrets{
|
||||
CACert: "/etc/rhsm/ca/redhat-uep.pem",
|
||||
ConsumerKey: "/etc/pki/consumer/key.pem",
|
||||
ConsumerCert: "/etc/pki/consumer/cert.pem",
|
||||
}
|
||||
|
|
|
|||