Merge pull request #23 from iNecas/10670

Fixes #10670 - preffer the katello-default-ca.pem as the client ca cert

.gitignore

@@ -0,0 +1,2 @@
+*.pyc
+test/data

src/katello/agent/katelloplugin.py

@@ -154,7 +154,22 @@ def update_settings():
     """
     rhsm_conf = Config(RHSM_CONFIG_PATH)
     certificate = ConsumerIdentity.read()
-    plugin.cfg.messaging.cacert = rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']
+    ca_cert_dir = rhsm_conf['rhsm']['ca_cert_dir']
+    # the 'katello-default-ca.pem' is the ca used for generating the CA certs.
+    # the 'candlepin-local.pem' is there for compatibility reasons (the old path where the
+    # legacy installer was putting this file. If none of them is present, there is still
+    # a chance the rhsm_conf['rhsm']['repo_ca_cert'] is serving as the CA for issuing
+    # the client certs
+    ca_candidates = [ca_cert_dir + 'katello-default-ca.pem', ca_cert_dir + 'candlepin-local.pem', rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']]
+    existing_ca_certs = [cert for cert in ca_candidates if os.path.exists(cert)]
+    if not existing_ca_certs:
+       log.warn('None of the ca cert files %s found for the qpid connection' % ca_candidates)
+
+       raise
+    else:
+       log.info('Using %s as the ca cert for qpid connection' % existing_ca_certs[0])
+
+    plugin.cfg.messaging.cacert = existing_ca_certs[0]
     plugin.cfg.messaging.url = 'proton+amqps://%s:5647' % rhsm_conf['server']['hostname']
     plugin.cfg.messaging.uuid = 'pulp.agent.%s' % certificate.getConsumerId()
     bundle(certificate)

test/test_plugin.py

@@ -179,8 +179,15 @@ class TestUpdateSettings(PluginTest):
     def test_call(self, fake_read, fake_conf, fake_bundle):
         consumer_id = '1234'
         host = 'redhat.com'
-        ca_cert_dir = '/etc/rhsm/ca/'
-        ca_cert = '%(ca_cert_dir)skatello-server-ca.pem'
+        ca_cert_dir = os.path.join(os.path.dirname(__file__), 'data/ca/')
+        if not os.path.exists(ca_cert_dir):
+            os.makedirs(ca_cert_dir)
+
+        default_ca_cert = os.path.join(ca_cert_dir, 'katello-default-ca.pem')
+        if not os.path.exists(default_ca_cert):
+            open(default_ca_cert, 'a').close()
+
+        server_ca_cert = '%(ca_cert_dir)skatello-server-ca.pem'
         fake_certificate = Mock()
         fake_certificate.getConsumerId.return_value = consumer_id
         fake_read.return_value = fake_certificate
@@ -189,7 +196,7 @@ def test_call(self, fake_read, fake_conf, fake_bundle):
                 'hostname': host
             },
             'rhsm': {
-                'repo_ca_cert': ca_cert,
+                'repo_ca_cert': server_ca_cert,
                 'ca_cert_dir': ca_cert_dir
             }
         }
@@ -201,7 +208,7 @@ def test_call(self, fake_read, fake_conf, fake_bundle):
         fake_read.assert_called_with()
         fake_bundle.assert_called_with(fake_certificate)
         plugin_cfg = self.plugin.plugin.cfg
-        self.assertEqual(plugin_cfg.messaging.cacert, '/etc/rhsm/ca/katello-server-ca.pem')
+        self.assertEqual(plugin_cfg.messaging.cacert, default_ca_cert)
         self.assertEqual(plugin_cfg.messaging.url, 'proton+amqps://%s:5647' % host)
         self.assertEqual(plugin_cfg.messaging.uuid, 'pulp.agent.%s' % consumer_id)