From 9213056e8ec7bce3d512fa494904717804c1a067 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Fri, 10 Jul 2020 20:38:54 +0200 Subject: [PATCH] Fixes #30368 - Change Candlepin and Pulp 3 CA handling This change makes the Candlepin CA file optional by falling back to the Foreman CA file. The result is a reduced configuration in most deployments. For Pulp the certificate is now read in the same way as Candlepin. Previously it partly relied on the CA being in the global allowed CA. This may be an issue in some cases, but in the default deployment it isn't. Following the general SSL config makes the configuration more predictable for users. It can also be easier in a containerized setup or on a system where the admin is not allowed to modify the system CA certificates. The example config is now also consistent with reality. The verify_ssl option is dropped from the ping model. This isn't respected elsewhere and it's misleading to have a valid ping only to have it fail at runtime. --- app/lib/katello/resources/candlepin.rb | 2 +- app/lib/katello/resources/registry.rb | 3 +-- .../katello/concerns/smart_proxy_extensions.rb | 1 + app/models/katello/ping.rb | 3 +-- app/services/cert/certs.rb | 8 ++++++-- config/katello.yaml.example | 14 ++++---------- 6 files changed, 14 insertions(+), 17 deletions(-) diff --git a/app/lib/katello/resources/candlepin.rb b/app/lib/katello/resources/candlepin.rb index ad70118f1c3..f9c3b0f5bfe 100644 --- a/app/lib/katello/resources/candlepin.rb +++ b/app/lib/katello/resources/candlepin.rb @@ -11,7 +11,7 @@ class CandlepinResource < HttpResource self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}" self.consumer_secret = cfg[:oauth_secret] self.consumer_key = cfg[:oauth_key] - self.ssl_ca_file = cfg[:ca_cert_file] + self.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:candlepin) class << self def process_response(response) diff --git a/app/lib/katello/resources/registry.rb b/app/lib/katello/resources/registry.rb index d7c74acc548..86ce3bdba45 100644 --- a/app/lib/katello/resources/registry.rb +++ b/app/lib/katello/resources/registry.rb @@ -54,8 +54,7 @@ def load_class uri = URI.parse(content_app_url) self.prefix = "/pulpcore_registry/" self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}" - self.ssl_ca_file = Setting[:ssl_ca_file] - pulp_primary.pulp3_ssl_configuration(self, :net_http) + self.ssl_ca_file = pulp_primary.pulp3_ssl_configuration(self, :net_http) self end diff --git a/app/models/katello/concerns/smart_proxy_extensions.rb b/app/models/katello/concerns/smart_proxy_extensions.rb index 5d3aa9f1d59..f13bc57889c 100644 --- a/app/models/katello/concerns/smart_proxy_extensions.rb +++ b/app/models/katello/concerns/smart_proxy_extensions.rb @@ -252,6 +252,7 @@ def pulp3_configuration(config_class) end def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter) + config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp) case connection_adapter when :excon config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename diff --git a/app/models/katello/ping.rb b/app/models/katello/ping.rb index 3d78229167f..3eb1bac4500 100644 --- a/app/models/katello/ping.rb +++ b/app/models/katello/ping.rb @@ -252,12 +252,11 @@ def fetch_proxy(capsule_id) end def backend_status(url, backend) - ca_file = SETTINGS[:katello][backend][:ca_cert_file] + ca_file = ::Cert::Certs.backend_ca_cert_file(backend) request_id = ::Logging.mdc['request'] options = {} options[:ssl_ca_file] = ca_file unless ca_file.nil? - options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl) options[:headers] = { 'Correlation-ID' => request_id } if request_id client = RestClient::Resource.new("#{url}/status/", options) diff --git a/app/services/cert/certs.rb b/app/services/cert/certs.rb index a611f8b5aa8..4ccc60b4276 100644 --- a/app/services/cert/certs.rb +++ b/app/services/cert/certs.rb @@ -9,7 +9,7 @@ def self.ca_cert end def self.candlepin_client_ca_cert - File.read(SETTINGS[:katello][:candlepin][:ca_cert_file]) + File.read(backend_ca_cert_file(:candlepin)) end def self.ssl_client_cert @@ -28,10 +28,14 @@ def self.ssl_client_key_filename Setting[:ssl_priv_key] end + def self.backend_ca_cert_file(backend) + SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file] + end + def self.verify_ueber_cert(organization) ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert]) cert_store = OpenSSL::X509::Store.new - cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file] + cert_store.add_file backend_ca_cert_file(:candlepin) organization.regenerate_ueber_cert unless cert_store.verify ueber_cert end end diff --git a/config/katello.yaml.example b/config/katello.yaml.example index e7de21ac536..2ce31b9e1f1 100644 --- a/config/katello.yaml.example +++ b/config/katello.yaml.example @@ -17,22 +17,16 @@ :oauth_key: katello :oauth_secret: katello - # refers to the candlepin-ca.crt location that is needed - # to connect to candlepin over https.This is not necessary - # if the candlepin server is running on the same machine as katello - # but required if the server is on a different machine. - # In the different machine case the katello host needs to have a - # copy of /etc/candlepin/certs/candlepin-ca.crt copied from - # the candlepin host and the location of the copied file needs to be - # specified here.. + # Optional CA file to user to verify HTTPS connections to Candlepin. If not + # specified, Foreman's ssl_ca_file setting is used. :ca_cert_file: # :bulk_load_size: 1000 # Setup your pulp environment here :pulp: :sync_threads: 4 # refers to the apache certificate - # (typically /etc/pki/tls/certs/localhost.crt) location that is needed - # to connect to pulp over https. + # Optional CA file to user to verify HTTPS connections to Candlepin. If not + # specified, Foreman's ssl_ca_file setting is used. :ca_cert_file: :default_login: admin :sync_KBlimit: