From 44f4225c02d1a82f177dcd5e69bec0b12545b8dc Mon Sep 17 00:00:00 2001
From: Sanne Raymaekers
Date: Fri, 18 Nov 2022 15:44:59 +0100
Subject: [PATCH] rhsm: remove CA from consumer secrets
The `/etc/rhsm/ca/redhat-uep.pem` CA is not valid for consumer certificates. As a result resolving the ostree ref should use the system's CA cert pool.
---
 internal/ostree/ostree.go | 33 +++++++++++++++++++--------------
 internal/ostree/ostree_test.go | 5 ++---
 internal/rhsm/secrets.go | 2 --
 3 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/internal/ostree/ostree.go b/internal/ostree/ostree.go
index 2a6dfd5c9..a027ff3ac 100644
--- a/internal/ostree/ostree.go
+++ b/internal/ostree/ostree.go
@@ -59,7 +59,7 @@ func VerifyRef(ref string) bool {
 // ResolveRef resolves the URL path specified by the location and ref
 // (location+"refs/heads/"+ref) and returns the commit ID for the named ref. If
 // there is an error, it will be of type ResolveRefError.
-func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions) (string, error) {
+func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions, ca *string) (string, error) {
 u, err := url.Parse(location)
 if err != nil {
 return "", NewResolveRefError(fmt.Sprintf("error parsing ostree repository location: %v", err))
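Review bot: The doc comment on ResolveRef in this hunk's context lines does not describe the new `ca` parameter, and because it is a `*string` the signature alone does not say whether nil is allowed. Suggest appending: `// If ca is non-nil it names a PEM file whose certificates become the only trusted roots for the TLS connection; if it is nil the system certificate pool is used.` From the next hunk it appears ca is only consulted in the consumerCerts branch, which is worth stating if that is the intent. A plain string with "" meaning unset would avoid the pointer, but that is a matter of taste.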
@@ -74,28 +74,33 @@ func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptio
 return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
 }
 }
- caCertPEM, err := ioutil.ReadFile(subs.Consumer.CACert)
- if err != nil {
- return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+
+ tlsConf := &tls.Config{
+ MinVersion: tls.VersionTLS12,
 }
- roots := x509.NewCertPool()
- ok := roots.AppendCertsFromPEM(caCertPEM)
- if !ok {
- return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+ if ca != nil {
+ caCertPEM, err := ioutil.ReadFile(*ca)
+ if err != nil {
+ return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+ }
+ roots := x509.NewCertPool()
+ ok := roots.AppendCertsFromPEM(caCertPEM)
+ if !ok {
+ return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+ }
+ tlsConf.RootCAs = roots
 }
 cert, err := tls.LoadX509KeyPair(subs.Consumer.ConsumerCert, subs.Consumer.ConsumerKey)
 if err != nil {
 return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
 }
+ tlsConf.Certificates = []tls.Certificate{cert}
+
 client = &http.Client{
 Transport: &http.Transport{
- TLSClientConfig: &tls.Config{
- Certificates: []tls.Certificate{cert},
- RootCAs: roots,
- MinVersion: tls.VersionTLS12,
- },
+ TLSClientConfig: tlsConf,
 },
 Timeout: 300 * time.Second,
 }
@@ -166,7 +171,7 @@ func ResolveParams(params RequestParams) (ref, checksum string, err error) {
 // Resolve parent checksum
 if params.URL != "" {
 // If a URL is specified, we need to fetch the commit at the URL.
- parent, err := ResolveRef(params.URL, parentRef, params.RHSM, nil)
+ parent, err := ResolveRef(params.URL, parentRef, params.RHSM, nil, nil)
 if err != nil {
 return "", "", err // ResolveRefError
 }
diff --git a/internal/ostree/ostree_test.go b/internal/ostree/ostree_test.go
index 5b7e27474..ca8abdf9e 100644
--- a/internal/ostree/ostree_test.go
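Review bot: In the new `if ca != nil` branch both failure paths return the same generic `"error adding rhsm certificates when resolving ref"` and discard the underlying error, although the CA file is now an explicit caller-supplied path rather than an RHSM secret, so a missing file is indistinguishable from a malformed bundle. Consider `return "", NewResolveRefError(fmt.Sprintf("error reading CA bundle %q: %v", *ca, err))` for the ReadFile failure and `fmt.Sprintf("no certificates found in CA bundle %q", *ca)` for the AppendCertsFromPEM failure. A one-line comment on `tlsConf.RootCAs = roots` stating that a supplied bundle replaces the system pool rather than extending it would also help, since relying on the system pool when ca is nil is the behaviour the commit message describes. ResolveRef begins and ends outside this hunk.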
+++ b/internal/ostree/ostree_test.go
@@ -44,7 +44,6 @@ func TestOstreeResolveRef(t *testing.T) {
 defer srv2.Close()
 subs := &rhsm.Subscriptions{
 Consumer: &rhsm.ConsumerSecrets{
- CACert: mTLSSrv.CAPath,
 ConsumerKey: mTLSSrv.ClientKeyPath,
 ConsumerCert: mTLSSrv.ClientCrtPath,
 },
@@ -79,7 +78,7 @@ func TestOstreeResolveRef(t *testing.T) {
 {srvConf.Srv.URL, "valid/ostree/ref"}: goodRef,
 }
 for in, expOut := range validCases {
- out, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs)
+ out, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs, &mTLSSrv.CAPath)
 assert.NoError(t, err)
 assert.Equal(t, expOut, out)
 }
@@ -92,7 +91,7 @@ func TestOstreeResolveRef(t *testing.T) {
 {srvConf.Srv.URL, "get_bad_ref"}: fmt.Sprintf("ostree repository \"%s/refs/heads/get_bad_ref\" returned invalid reference", srvConf.Srv.URL),
 }
 for in, expMsg := range errCases {
- _, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs)
+ _, err := ResolveRef(in.location, in.ref, srvConf.RHSM, srvConf.Subs, &mTLSSrv.CAPath)
 assert.EqualError(t, err, expMsg)
 }
 }
diff --git a/internal/rhsm/secrets.go b/internal/rhsm/secrets.go
index 1b6fc6fb7..9934847a7 100644
--- a/internal/rhsm/secrets.go
+++ b/internal/rhsm/secrets.go
@@ -38,7 +38,6 @@ type RHSMSecrets struct {
 // These secrets are present on any subscribed system and uniquely identify the host
 type ConsumerSecrets struct {
- CACert string
 ConsumerKey string
 ConsumerCert string
 }
@@ -86,7 +85,6 @@ func getListOfSubscriptions() ([]subscription, error) {
 func getConsumerSecrets() (*ConsumerSecrets, error) {
 res := ConsumerSecrets{
- CACert: "/etc/rhsm/ca/redhat-uep.pem",
 ConsumerKey: "/etc/pki/consumer/key.pem",
 ConsumerCert: "/etc/pki/consumer/cert.pem",
 }
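Review bot: After this change every ResolveRef call in the loops of the `@@ -79` and `@@ -92` hunks passes `&mTLSSrv.CAPath`, so the `ca == nil` path the commit introduces, falling back to the system pool, is never exercised by the test. Consider one additional case against the mTLS-backed server that passes `nil` for the CA argument and asserts failure with `assert.Error(t, err)`, which pins down that the private test CA is not implicitly trusted and that the fallback really goes to the system roots. Which srvConf entries are backed by mTLSSrv is not visible in these hunks, so the exact fixture to use is for the author to pick. TestOstreeResolveRef starts outside the hunk.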