Fixes #30368 - Make Candlepin CA file optional #8832

Status: Merged (3 commits), Oct 28, 2024
8 changes: 4 additions & 4 deletions app/lib/katello/http_resource.rb
Expand Up @@ -18,8 +18,8 @@ def initialize(params)

include Katello::Concerns::FilterSensitiveData

class_attribute :consumer_secret, :consumer_key, :ca_cert_file, :prefix, :site, :default_headers,
:ssl_client_cert, :ssl_client_key
class_attribute :consumer_secret, :consumer_key, :prefix, :site, :default_headers,
:ssl_client_cert, :ssl_client_key, :ssl_ca_file
I now see there already is ca_cert_file for this. I don't know what other classes can be passed into pulp3_ssl_configuration so I'm looking for guidance here.

I included a commit to rename it for consistency with other tools and naming for the other ssl_ attrs.


attr_reader :json
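Review bot: renaming the `class_attribute` from `ca_cert_file` to `ssl_ca_file` also removes the generated `ca_cert_file=` writer, so any subclass or test outside this diff that still assigns `self.ca_cert_file = ...` will fail with NoMethodError at load time; worth grepping the tree (and plugins that subclass HttpResource) before merging, which also answers the open question about which classes reach `pulp3_ssl_configuration`.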

Expand Down Expand Up @@ -128,7 +128,7 @@ def rest_client(http_type, method, path)
:authorize_path => "",
:access_token_path => ""}

params[:ca_file] = self.ca_cert_file unless self.ca_cert_file.nil?
params[:ca_file] = self.ssl_ca_file unless self.ssl_ca_file.nil?
# New OAuth consumer to setup signing the request
consumer = OAuth::Consumer.new(self.consumer_key,
self.consumer_secret,
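Review bot: `params[:ca_file] = self.ssl_ca_file unless self.ssl_ca_file.nil?` keeps the nil guard, which is fine, but nothing in `HttpResource` gives the new `ssl_ca_file` attribute a default, so a subclass that never assigns it builds an OAuth consumer with no `:ca_file` at all; if the intended fallback is Foreman's `Setting[:ssl_ca_file]`, consider defaulting the attribute here instead of relying on every subclass to call `backend_ca_cert_file`.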
Expand All @@ -147,7 +147,7 @@ def rest_client(http_type, method, path)
:open_timeout => SETTINGS[:katello][:rest_client_timeout],
:timeout => SETTINGS[:katello][:rest_client_timeout]
}
options[:ssl_ca_file] = self.ca_cert_file unless self.ca_cert_file.nil?
options[:ssl_ca_file] = self.ssl_ca_file unless self.ssl_ca_file.nil?
options[:ssl_client_cert] = self.ssl_client_cert unless self.ssl_client_cert.nil?
options[:ssl_client_key] = self.ssl_client_key unless self.ssl_client_key.nil?
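Review bot: `options[:ssl_ca_file]`, `options[:ssl_client_cert]` and `options[:ssl_client_key]` now repeat the same `unless x.nil?` pattern three times; putting the three keys into the `options` literal and calling `options.compact!` would express the same thing in one line. Style only, the behaviour is correct.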

2 changes: 1 addition & 1 deletion app/lib/katello/resources/candlepin.rb
Expand Up @@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
self.consumer_secret = cfg[:oauth_secret]
self.consumer_key = cfg[:oauth_key]
self.ca_cert_file = cfg[:ca_cert_file]
self.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)

class << self
def process_response(response)
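Review bot: `self.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)` is evaluated once, when this class-level assignment runs, so the `Setting[:ssl_ca_file]` fallback is read at load time and a later change to the Foreman setting is not picked up until the process restarts; the old `cfg[:ca_cert_file]` had the same property, so this only needs a comment in the code unless a lazy lookup is wanted.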
1 change: 0 additions & 1 deletion app/lib/katello/resources/registry.rb
Expand Up @@ -54,7 +54,6 @@ def load_class
uri = URI.parse(content_app_url)
self.prefix = "/pulpcore_registry/"
self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
self.ca_cert_file = Setting[:ssl_ca_file]
pulp_primary.pulp3_ssl_configuration(self, :net_http)

self
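Review bot: dropping `self.ca_cert_file = Setting[:ssl_ca_file]` changes behaviour for the registry: it now takes its CA from `pulp3_ssl_configuration`, i.e. `SETTINGS[:katello][:pulp][:ca_cert_file]` when that is set, where before it always used Foreman's `ssl_ca_file` setting. That is probably right for the pulpcore content app, but it should be stated in the PR description and in the `:pulp:` comment of katello.yaml.example.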
3 changes: 2 additions & 1 deletion app/models/katello/concerns/smart_proxy_extensions.rb
Expand Up @@ -252,6 +252,7 @@ def pulp3_configuration(config_class)
end

def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter)
config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)
case connection_adapter
when :excon
config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
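Review bot: `config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)` now runs before the `case` for every adapter, so every object passed as `config` must respond to `ssl_ca_file=`; since the author notes not knowing every class routed through here, a test that exercises each caller (registry.rb is one in this diff) would surface a NoMethodError before release.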
Expand All @@ -260,7 +261,7 @@ def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter
config.ssl_client_cert = ::Cert::Certs.ssl_client_cert
config.ssl_client_key = ::Cert::Certs.ssl_client_key
else
fail "Unexpected connection_adapter #{Faraday.default_adapter}! Cannot continue, this is likely a bug."
fail "Unexpected connection_adapter #{connection_adapter}! Cannot continue, this is likely a bug."
end
end
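Review bot: good catch on `#{connection_adapter}`; the old message interpolated `Faraday.default_adapter`, so it reported the default rather than the value that was actually rejected. This is unrelated to the CA change and reads best as its own commit, which the three-commit layout of the PR may already give it.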

3 changes: 1 addition & 2 deletions app/models/katello/ping.rb
Expand Up @@ -252,12 +252,11 @@ def fetch_proxy(capsule_id)
end

def backend_status(url, backend)
ca_file = SETTINGS[:katello][backend][:ca_cert_file]
ca_file = ::Cert::Certs.backend_ca_cert_file(backend)
request_id = ::Logging.mdc['request']

options = {}
options[:ssl_ca_file] = ca_file unless ca_file.nil?
options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
options[:headers] = { 'Correlation-ID' => request_id } if request_id
client = RestClient::Resource.new("#{url}/status/", options)
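Review bot: `ca_file = ::Cert::Certs.backend_ca_cert_file(backend)` tolerates a missing backend section via `dig`, but the following line still does `SETTINGS[:katello][backend].key?(:verify_ssl)`, which raises NoMethodError on nil for that same missing section; `SETTINGS.dig(:katello, backend, :verify_ssl)` would keep the two lookups consistent.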

8 changes: 6 additions & 2 deletions app/services/cert/certs.rb
Expand Up @@ -9,7 +9,7 @@ def self.ca_cert
end

def self.candlepin_client_ca_cert
File.read(SETTINGS[:katello][:candlepin][:ca_cert_file])
File.read(backend_ca_cert_file(:candlepin))
end

def self.ssl_client_cert
Expand All @@ -28,10 +28,14 @@ def self.ssl_client_key_filename
Setting[:ssl_priv_key]
end

def self.backend_ca_cert_file(backend)
SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
end

def self.verify_ueber_cert(organization)
ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
cert_store = OpenSSL::X509::Store.new
cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
cert_store.add_file backend_ca_cert_file(:candlepin)
organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
end
end
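Review bot: `SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]` falls back only on nil or false, so an explicitly empty string in katello.yaml (`:ca_cert_file: ''`) would be handed to `cert_store.add_file` and `File.read` instead of triggering the fallback; `.presence` in place of `||` covers that, and a unit test for both branches would pin the new helper down. The bare `:ca_cert_file:` key in the example file parses as nil, so that case is fine.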
14 changes: 4 additions & 10 deletions config/katello.yaml.example
Expand Up @@ -17,22 +17,16 @@
:oauth_key: katello
:oauth_secret: katello

# refers to the candlepin-ca.crt location that is needed
# to connect to candlepin over https.This is not necessary
# if the candlepin server is running on the same machine as katello
# but required if the server is on a different machine.
# In the different machine case the katello host needs to have a
# copy of /etc/candlepin/certs/candlepin-ca.crt copied from
# the candlepin host and the location of the copied file needs to be
# specified here..
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
# specified, Foreman's ssl_ca_file setting is used.
:ca_cert_file:
# :bulk_load_size: 1000
# Setup your pulp environment here
:pulp:
:sync_threads: 4
# refers to the apache certificate
# (typically /etc/pki/tls/certs/localhost.crt) location that is needed
# to connect to pulp over https.
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
Suggested change
# Optional CA file to user to verify HTTPS connections to Candlepin. If not
# Optional CA file to user to verify HTTPS connections to Pulp. If not

# specified, Foreman's ssl_ca_file setting is used.
:ca_cert_file:
:default_login: admin
:sync_KBlimit:
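Review bot: both new comments read "Optional CA file to user to verify", which should be "to use to verify", and, as already suggested, the comment under `:pulp:` should say Pulp rather than Candlepin. Since the key is now optional, it could also be commented out like `# :bulk_load_size: 1000` rather than left as a bare `:ca_cert_file:`.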