From 2d7f81d679a595dc674b4a9c4e604b7e56c51262 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Ne=C4=8Das?=
Date: Mon, 1 Jun 2015 12:19:29 -0400
Subject: [PATCH] Fixes #10670 - preffer the katello-default-ca.pem as the client ca cert Followed by candlepin-local.pem for backward compatibility and the repo_ca_cert as fallback.
---
 .gitignore | 2 ++
 src/katello/agent/katelloplugin.py | 17 ++++++++++++++++-
 test/test_plugin.py | 15 +++++++++++----
 3 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..dd3f630c9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.pyc
+test/data
diff --git a/src/katello/agent/katelloplugin.py b/src/katello/agent/katelloplugin.py
index d0553d59b..9cc62d1ab 100644
--- a/src/katello/agent/katelloplugin.py
+++ b/src/katello/agent/katelloplugin.py
@@ -154,7 +154,22 @@ def update_settings():
 """
 rhsm_conf = Config(RHSM_CONFIG_PATH)
 certificate = ConsumerIdentity.read()
- plugin.cfg.messaging.cacert = rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']
+ ca_cert_dir = rhsm_conf['rhsm']['ca_cert_dir']
+ # the 'katello-default-ca.pem' is the ca used for generating the CA certs.
+ # the 'candlepin-local.pem' is there for compatibility reasons (the old path where the
+ # legacy installer was putting this file. If none of them is present, there is still
+ # a chance the rhsm_conf['rhsm']['repo_ca_cert'] is serving as the CA for issuing
+ # the client certs
+ ca_candidates = [ca_cert_dir + 'katello-default-ca.pem', ca_cert_dir + 'candlepin-local.pem', rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']]
+ existing_ca_certs = [cert for cert in ca_candidates if os.path.exists(cert)]
+ if not existing_ca_certs:
+ log.warn('None of the ca cert files %s found for the qpid connection' % ca_candidates)
+
+ raise
+ else:
+ log.info('Using %s as the ca cert for qpid connection' % existing_ca_certs[0])
+
+ plugin.cfg.messaging.cacert = existing_ca_certs[0]
 plugin.cfg.messaging.url = 'proton+amqps://%s:5647' % rhsm_conf['server']['hostname']
 plugin.cfg.messaging.uuid = 'pulp.agent.%s' % certificate.getConsumerId()
 bundle(certificate)
diff --git a/test/test_plugin.py b/test/test_plugin.py
index f4f29c471..06088363f 100644
--- a/test/test_plugin.py
+++ b/test/test_plugin.py
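Review bot: In `update_settings` (src/katello/agent/katelloplugin.py), the bare `raise` in the `if not existing_ca_certs:` branch runs with no exception being handled, so the interpreter raises an unrelated error (TypeError on Python 2, RuntimeError on Python 3) and the caller never learns that the CA file is missing. Refusing to continue without a CA file is the right outcome for the AMQPS trust anchor, but it should be explicit, for example `raise IOError('no CA cert found for the qpid connection, tried: %s' % ca_candidates)`, with the preceding message logged at error level rather than as a warning. The candidates are also built by string concatenation, so both preferred files are silently skipped if `ca_cert_dir` is configured without a trailing slash; `os.path.join(ca_cert_dir, 'katello-default-ca.pem')` avoids that, and `os.path.isfile` would reject a directory that `os.path.exists` accepts. The function's `def` line and the start of its docstring are outside the hunk, so whether `os` is already imported in this module cannot be confirmed from here.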
@@ -179,8 +179,15 @@ class TestUpdateSettings(PluginTest):
 def test_call(self, fake_read, fake_conf, fake_bundle):
 consumer_id = '1234'
 host = 'redhat.com'
- ca_cert_dir = '/etc/rhsm/ca/'
- ca_cert = '%(ca_cert_dir)skatello-server-ca.pem'
+ ca_cert_dir = os.path.join(os.path.dirname(__file__), 'data/ca/')
+ if not os.path.exists(ca_cert_dir):
+ os.makedirs(ca_cert_dir)
+
+ default_ca_cert = os.path.join(ca_cert_dir, 'katello-default-ca.pem')
+ if not os.path.exists(default_ca_cert):
+ open(default_ca_cert, 'a').close()
+
+ server_ca_cert = '%(ca_cert_dir)skatello-server-ca.pem'
 fake_certificate = Mock()
 fake_certificate.getConsumerId.return_value = consumer_id
 fake_read.return_value = fake_certificate
@@ -189,7 +196,7 @@ def test_call(self, fake_read, fake_conf, fake_bundle):
 'hostname': host
 },
 'rhsm': {
- 'repo_ca_cert': ca_cert,
+ 'repo_ca_cert': server_ca_cert,
 'ca_cert_dir': ca_cert_dir
 }
 }
@@ -201,7 +208,7 @@ def test_call(self, fake_read, fake_conf, fake_bundle):
 fake_read.assert_called_with()
 fake_bundle.assert_called_with(fake_certificate)
 plugin_cfg = self.plugin.plugin.cfg
- self.assertEqual(plugin_cfg.messaging.cacert, '/etc/rhsm/ca/katello-server-ca.pem')
+ self.assertEqual(plugin_cfg.messaging.cacert, default_ca_cert)
 self.assertEqual(plugin_cfg.messaging.url, 'proton+amqps://%s:5647' % host)
 self.assertEqual(plugin_cfg.messaging.uuid, 'pulp.agent.%s' % consumer_id)
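Review bot: `test_call` in test/test_plugin.py now creates `data/ca/katello-default-ca.pem` under the test directory and never removes it, so the fixture persists between runs and only the first-candidate path of the new CA selection is exercised. A temporary directory removed on teardown keeps the tree clean and lets separate tests cover the `candlepin-local.pem` fallback, the `repo_ca_cert` fallback and the no-file failure: `ca_cert_dir = tempfile.mkdtemp() + os.sep` followed by `self.addCleanup(shutil.rmtree, ca_cert_dir)`, assuming `PluginTest` derives from `unittest.TestCase`. The failure branch matters most, since it decides whether the agent refuses to connect when no CA certificate is present. `test_call` continues past this hunk and the file's imports are not visible, so `os`, `tempfile` and `shutil` may need importing.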