From ffcf1a30ebb720dcf721f04630aae171c058ca4f Mon Sep 17 00:00:00 2001
From: Till Maas
Date: Tue, 17 Feb 2015 19:16:47 +0100
Subject: [PATCH] Remove dead client CA code

The client CA is only needed to for authentication on the server side, not for authentication on the client side. Therefore remove it from all client login code.
---
 builder/kojid | 4 ++--
 builder/kojid.conf | 3 ---
 cli/koji | 6 +++---
 cli/koji.conf | 3 ---
 koji/__init__.py | 3 ++-
 koji/ssl/SSLCommon.py | 4 +---
 koji/ssl/XMLRPCServerProxy.py | 3 +--
 util/koji-gc | 8 ++++----
 util/kojira | 6 +++---
 util/kojira.conf | 3 ---
 vm/kojivmd | 4 ++--
 vm/kojivmd.conf | 3 ---
 www/conf/web.conf | 1 -
 www/kojiweb/index.py | 3 +--
 www/kojiweb/wsgi_publisher.py | 1 -
 15 files changed, 19 insertions(+), 36 deletions(-)

diff --git a/builder/kojid b/builder/kojid
index 33bf9409..9c594cab 100755
--- a/builder/kojid
+++ b/builder/kojid
@@ -4543,7 +4543,7 @@ def get_options():
 'failed_buildroot_lifetime' : 3600 * 4,
 'rpmbuild_timeout' : 3600 * 24,
 'cert': '/etc/kojid/client.crt',
- 'ca': '/etc/kojid/clientca.crt',
+ 'ca': '', # FIXME: Unused, remove in next major release
 'serverca': '/etc/kojid/serverca.crt'}
 if config.has_section('kojid'):
 for name, value in config.items('kojid'):
@@ -4642,7 +4642,7 @@ if __name__ == "__main__":
 if os.path.isfile(options.cert):
 try:
 # authenticate using SSL client certificates
- session.ssl_login(options.cert, options.ca,
+ session.ssl_login(options.cert, None,
 options.serverca)
 except koji.AuthError, e:
 quit("Error: Unable to log in: %s" % e)
diff --git a/builder/kojid.conf b/builder/kojid.conf
index 5f0aaec3..8f2a811d 100644
--- a/builder/kojid.conf
+++ b/builder/kojid.conf
@@ -81,8 +81,5 @@ from_addr=Koji Build System
 ;client certificate
 ;cert = /etc/kojid/client.crt
-;certificate of the CA that issued the client certificate
-;ca = /etc/kojid/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = /etc/kojid/serverca.crt
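Review bot: A `ca =` entry left in an existing kojid.conf is now accepted by the `config.items('kojid')` loop and silently ignored, because the defaults dict still carries the key; the FIXME informs maintainers but gives operators no hint that the setting is dead. A one-time warning when the section still sets it, e.g. `if config.has_option('kojid', 'ca'):` followed by a message on whatever channel kojid already logs to, would let deployments clean up before the key is removed. The same applies to the kept `ca` defaults in cli/koji, util/koji-gc, util/kojira and vm/kojivmd. get_options continues outside the hunk.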
diff --git a/cli/koji b/cli/koji
index 94ee4afb..f383c6fa 100755
--- a/cli/koji
+++ b/cli/koji
@@ -211,7 +211,7 @@ def get_options():
 'poll_interval': 5,
 'krbservice': 'host',
 'cert': '~/.koji/client.crt',
- 'ca': '~/.koji/clientca.crt',
+ 'ca': '', # FIXME: remove in next major release
 'serverca': '~/.koji/serverca.crt',
 'authtype': None
 }
@@ -265,7 +265,7 @@ def get_options():
 for name, value in defaults.iteritems():
 if getattr(options, name, None) is None:
 setattr(options, name, value)
- dir_opts = ('topdir', 'cert', 'ca', 'serverca')
+ dir_opts = ('topdir', 'cert', 'serverca')
 for name in dir_opts:
 # expand paths here, so we don't have to worry about it later
 value = os.path.expanduser(getattr(options, name))
@@ -6831,7 +6831,7 @@ def activate_session(session):
 pass
 elif options.authtype == "ssl" or os.path.isfile(options.cert) and options.authtype is None:
 # authenticate using SSL client cert
- session.ssl_login(options.cert, options.ca, options.serverca, proxyuser=options.runas)
+ session.ssl_login(options.cert, None, options.serverca, proxyuser=options.runas)
 elif options.authtype == "password" or options.user and options.authtype is None:
 # authenticate using user/password
 session.login()
diff --git a/cli/koji.conf b/cli/koji.conf
index 01ac7ee1..42946036 100644
--- a/cli/koji.conf
+++ b/cli/koji.conf
@@ -24,8 +24,5 @@
 ;client certificate
 ;cert = ~/.koji/client.crt
-;certificate of the CA that issued the client certificate
-;ca = ~/.koji/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = ~/.koji/serverca.crt
diff --git a/koji/__init__.py b/koji/__init__.py
index 8e297dc6..2406a027 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1745,8 +1745,9 @@ class ClientSession(object):
 def ssl_login(self, cert, ca, serverca, proxyuser=None):
 certs = {}
 certs['key_and_cert'] = cert
- certs['ca_cert'] = ca
 certs['peer_ca_cert'] = serverca
+ # FIXME: ca is not useful here and therefore ignored, can be removed
+ # when API is changed
 ctx = ssl.SSLCommon.CreateSSLContext(certs)
 self._cnxOpts = {'ssl_context' : ctx}
diff --git a/koji/ssl/SSLCommon.py b/koji/ssl/SSLCommon.py
index 0d3fb947..5a9a5e40 100644
--- a/koji/ssl/SSLCommon.py
+++ b/koji/ssl/SSLCommon.py
@@ -31,16 +31,14 @@ def our_verify(connection, x509, errNum, errDepth, preverifyOK):
 def CreateSSLContext(certs):
 key_and_cert = certs['key_and_cert']
- ca_cert = certs['ca_cert']
 peer_ca_cert = certs['peer_ca_cert']
- for f in key_and_cert, ca_cert, peer_ca_cert:
+ for f in key_and_cert, peer_ca_cert:
 if f and not os.access(f, os.R_OK):
 raise StandardError, "%s does not exist or is not readable" % f
 ctx = SSL.Context(SSL.SSLv23_METHOD) # Use best possible TLS Method
 ctx.use_certificate_file(key_and_cert)
 ctx.use_privatekey_file(key_and_cert)
- ctx.load_client_ca(ca_cert)
 ctx.load_verify_locations(peer_ca_cert)
 verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
 ctx.set_verify(verify, our_verify)
diff --git a/koji/ssl/XMLRPCServerProxy.py b/koji/ssl/XMLRPCServerProxy.py
index 16de6195..78273c81 100644
--- a/koji/ssl/XMLRPCServerProxy.py
+++ b/koji/ssl/XMLRPCServerProxy.py
@@ -146,12 +146,11 @@ class TimeoutCounter:
 if __name__ == '__main__':
 if len(sys.argv) < 4:
- print "Usage: python XMLRPCServerProxy.py key_and_cert ca_cert peer_ca_cert"
+ print "Usage: python XMLRPCServerProxy.py key_and_cert peer_ca_cert"
 sys.exit(1)
 certs = {}
 certs['key_and_cert'] = sys.argv[1]
- certs['ca_cert'] = sys.argv[2]
 certs['peer_ca_cert'] = sys.argv[3]
 tm = TimeoutCounter()
diff --git a/util/koji-gc b/util/koji-gc
index 2d61aa49..6678f387 100755
--- a/util/koji-gc
+++ b/util/koji-gc
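Review bot: `ssl_login` keeps `ca` in its positional signature but no longer reads it, and the only record of that is a FIXME comment inside the body that a caller reading the API will never see; a docstring should state the contract now, e.g. `"""Log in with an SSL client certificate. ca is ignored and kept only for backward compatibility; serverca is the CA that issued the hub certificate."""`. Because `certs['ca_cert']` is no longer set here, this relies on CreateSSLContext in the same commit no longer requiring that key. The method's body continues outside the hunk.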
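Review bot: Dropping `ctx.load_client_ca(ca_cert)` is harmless for a client context, since that call only sets the CA names a server advertises in its CertificateRequest, and hub verification is unchanged: `load_verify_locations(peer_ca_cert)` with `VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT` still rejects a peer whose certificate does not chain to serverca, subject to what our_verify returns (defined above the hunk). If CreateSSLContext is also used to build a server-side context anywhere (not visible here), that advertised CA list disappears with this change, so the callers are worth confirming. Now that the readability loop is touched, its `if f and not os.access(f, os.R_OK):` guard still lets an empty 'peer_ca_cert' through to `load_verify_locations('')` instead of the readable error; `if not f or not os.access(f, os.R_OK):` would report it, as both remaining entries are used unconditionally below. A docstring listing the two required keys of `certs` would also help, since a caller still passing a stale 'ca_cert' now has it ignored without notice. CreateSSLContext continues outside the hunk.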
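Review bot: The `__main__` block is now inconsistent with its own usage line: the usage says two arguments, but the guard `if len(sys.argv) < 4:` still demands three and `certs['peer_ca_cert'] = sys.argv[3]` still reads the third, so running it as documented exits with the usage message and running it with three arguments silently takes the wrong file as the hub CA. Change the guard to `if len(sys.argv) < 3:` and the assignment to `certs['peer_ca_cert'] = sys.argv[2]`. The block continues outside the hunk.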
@@ -91,8 +91,8 @@ def get_options():
 help=_("enable hackish workaround for broken networks"))
 parser.add_option("--cert", default='/etc/koji-gc/client.crt',
 help=_("Client SSL certificate file for authentication"))
- parser.add_option("--ca", default='/etc/koji-gc/clientca.crt',
- help=_("CA cert file that issued the client certificate"))
+ parser.add_option("--ca", default='',
+ help=_("ignored")) # FIXME: remove in next major release
 parser.add_option("--serverca", default='/etc/koji-gc/serverca.crt',
 help=_("CA cert file that issued the hub certificate"))
 parser.add_option("-n", "--test", action="store_true", default=False,
@@ -165,7 +165,7 @@ def get_options():
 ['password', None, 'string'],
 ['noauth', None, 'boolean'],
 ['cert', None, 'string'],
- ['ca', None, 'string'],
+ ['ca', None, 'string'], # FIXME: remove in next major release
 ['serverca', None, 'string'],
 ['server', None, 'string'],
 ['weburl', None, 'string'],
@@ -373,7 +373,7 @@ def activate_session(session):
 pass
 elif os.path.isfile(options.cert):
 # authenticate using SSL client cert
- session.ssl_login(options.cert, options.ca, options.serverca, proxyuser=options.runas)
+ session.ssl_login(options.cert, None, options.serverca, proxyuser=options.runas)
 elif options.user:
 #authenticate using user/password
 session.login()
diff --git a/util/kojira b/util/kojira
index c18f63b6..006b10f4 100755
--- a/util/kojira
+++ b/util/kojira
@@ -727,7 +727,7 @@ def get_options():
 #XXX should really be called expired_repo_lifetime
 'sleeptime' : 15,
 'cert': '/etc/kojira/client.crt',
- 'ca': '/etc/kojira/clientca.crt',
+ 'ca': '', # FIXME: unused, remove in next major release
 'serverca': '/etc/kojira/serverca.crt'
 }
 if config.has_section(section):
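Review bot: The new `--ca` help text is the single word `ignored`, which tells a user neither why the option still exists nor that it will go away; `help=_("ignored; deprecated and will be removed")` carries the FIXME's intent into the `--help` output, or the option can be hidden entirely with optparse's `SUPPRESS_HELP` if that name is imported here (not visible in the hunk). The matching FIXME on the config-table entry `['ca', None, 'string']` in the next hunk is fine as a code comment. get_options continues outside the hunk.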
@@ -735,7 +735,7 @@ def get_options():
 'retry_interval', 'max_retries', 'offline_retry_interval', 'max_delete_processes', 'max_repo_tasks_maven', 'delete_batch_size', )
 str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab', 'krbservice',
- 'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags')
+ 'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags') # FIXME: remove ca here
 bool_opts = ('with_src','verbose','debug','ignore_stray_repos', 'offline_retry')
 for name in config.options(section):
 if name in int_opts:
@@ -797,7 +797,7 @@ if __name__ == "__main__":
 session = koji.ClientSession(options.server,session_opts)
 if os.path.isfile(options.cert):
 # authenticate using SSL client certificates
- session.ssl_login(options.cert, options.ca, options.serverca)
+ session.ssl_login(options.cert, None, options.serverca)
 elif options.user:
 # authenticate using user/password
 session.login()
diff --git a/util/kojira.conf b/util/kojira.conf
index a79dc823..def53700 100644
--- a/util/kojira.conf
+++ b/util/kojira.conf
@@ -37,8 +37,5 @@ with_src=no
 ;client certificate
 ;cert = /etc/kojira/client.crt
-;certificate of the CA that issued the client certificate
-;ca = /etc/kojira/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = /etc/kojira/serverca.crt
diff --git a/vm/kojivmd b/vm/kojivmd
index cf44f0c4..40e88af2 100755
--- a/vm/kojivmd
+++ b/vm/kojivmd
@@ -130,7 +130,7 @@ def get_options():
 'offline_retry_interval': 120,
 'allowed_scms': '',
 'cert': '/etc/kojivmd/client.crt',
- 'ca': '/etc/kojivmd/clientca.crt',
+ 'ca': '', # FIXME: Remove in next major release
 'serverca': '/etc/kojivmd/serverca.crt'}
 if config.has_section('kojivmd'):
 for name, value in config.items('kojivmd'):
@@ -1066,7 +1066,7 @@ if __name__ == "__main__":
 if os.path.isfile(options.cert):
 try:
 # authenticate using SSL client certificates
- session.ssl_login(options.cert, options.ca,
+ session.ssl_login(options.cert, None,
 options.serverca)
 except koji.AuthError, e:
 quit("Error: Unable to log in: %s" % e)
diff --git a/vm/kojivmd.conf b/vm/kojivmd.conf
index 82c61f26..2b431b28 100644
--- a/vm/kojivmd.conf
+++ b/vm/kojivmd.conf
@@ -50,8 +50,5 @@ from_addr=Koji Build System
 ;client certificate
 ;cert = /etc/kojivmd/client.crt
-;certificate of the CA that issued the client certificate
-;ca = /etc/kojivmd/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = /etc/kojivmd/serverca.crt
diff --git a/www/conf/web.conf b/www/conf/web.conf
index 38f0b619..3bd6f914 100644
--- a/www/conf/web.conf
+++ b/www/conf/web.conf
@@ -15,7 +15,6 @@ KojiFilesURL = http://server.example.com/kojifiles
 # SSL authentication options
 # WebCert = /etc/kojiweb/kojiweb.crt
-# ClientCA = /etc/kojiweb/clientca.crt
 # KojiHubCA = /etc/kojiweb/kojihubca.crt
 LoginTimeout = 72
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index a5505d1a..876d9567 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -122,10 +122,9 @@ def _krbLogin(environ, session, principal):
 def _sslLogin(environ, session, username):
 options = environ['koji.options']
 client_cert = options['WebCert']
- client_ca = options['ClientCA']
 server_ca = options['KojiHubCA']
- return session.ssl_login(client_cert, client_ca, server_ca,
+ return session.ssl_login(client_cert, None, server_ca,
 proxyuser=username)
 def _assertLogin(environ):
diff --git a/www/kojiweb/wsgi_publisher.py b/www/kojiweb/wsgi_publisher.py
index e7908152..41387341 100644
--- a/www/kojiweb/wsgi_publisher.py
+++ b/www/kojiweb/wsgi_publisher.py
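Review bot: `_sslLogin` now passes a bare `None` positionally where `ClientCA` used to go, which reads as a missing value to anyone unaware that ClientSession.ssl_login ignores its second argument; a short comment on that line such as `# second argument (client CA) is ignored by ssl_login; only the hub CA matters here` would save the next reader a trip into koji/__init__.py. Since wsgi_publisher.py drops the `ClientCA` option definition in the same commit, whether an existing web.conf that still sets `ClientCA` is ignored or rejected at startup depends on the Dispatcher option loader, which is not visible here and is worth confirming.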
@@ -77,7 +77,6 @@ class Dispatcher(object):
 ['KrbService', 'string', 'host'],
 ['WebCert', 'string', None],
- ['ClientCA', 'string', '/etc/kojiweb/clientca.crt'],
 ['KojiHubCA', 'string', '/etc/kojiweb/kojihubca.crt'],
 ['PythonDebug', 'boolean', False],