Fixes #18987 - Check ueber certs on each proxy sync #6728
Conversation
|
@johnpmitsch, thanks for your PR! By analyzing the history of the files in this pull request, we identified @bbuckingham, @jlsherrill and @iNecas to be potential reviewers. |
|
@jlsherrill is this testable? Would we be able to get a cert and CA that could be verified in a test env? |
|
We likely could write a test that includes some certs with say a 30 year expiration for this test (most likely any ca and ueber cert from some sample install would suffice along with some stubs). |
test/services/cert/certs_test.rb
Outdated
|
|
||
| def test_verify_ueber_cert | ||
| Setting.stubs(:[]).with(:ssl_ca_file).returns("/home/vagrant/foreman/test/services/cert/helpers/ca.crt") | ||
| cert_valid = Cert::Certs.verify_ueber_cert(@org) |
test/services/cert/certs_test.rb
Outdated
|
|
||
| def test_verify_ueber_cert | ||
| Setting.stubs(:[]).with(:ssl_ca_file).returns("/home/vagrant/foreman/test/services/cert/helpers/ca.crt") | ||
| cert_valid = Cert::Certs.verify_ueber_cert(@org) |
johnpmitsch
force-pushed
the
verify_ueber_certs
branch
from
1f2678a
to
4f29933
Compare
|
There were the following issues with the commit message:
If you don't have a ticket number, please create an issue in Redmine. More guidelines are available in Coding Standards or on the Foreman wiki. This message was auto-generated by Foreman's prprocessor |
test/services/cert/certs_test.rb
Outdated
| end | ||
|
|
||
| def test_verify_ueber_cert | ||
| Setting.stubs(:[]).with(:ssl_ca_file).returns(File.join("#{Rails.root}", "/test/services/cert/helpers/ca.crt")) |
There was a problem hiding this comment.
@jlsherrill @stbenjam I keep getting this error on a test run:
Katello::CertsTest#test_verify_ueber_cert:
OpenSSL::X509::StoreError: system lib
/home/vagrant/katello/app/services/cert/certs.rb:22:in `add_file'
/home/vagrant/katello/app/services/cert/certs.rb:22:in `verify_ueber_cert'
/home/vagrant/katello/test/services/cert/certs_test.rb:20:in `test_verify_ueber_cert'
any ideas why that is? I've even tried the hardcoded full path
There was a problem hiding this comment.
Because Rails.root refers to the foreman dir, not the katello dir. You want Katello::Engine.root
Also the assert won't work, you'd want to use:
@org.expects(:regenerate_ueber_cert).never
instead of the assert()
There was a problem hiding this comment.
I'd also like to see a 'bad' case. you might use the included redhat ca cert (ca/redhat-uep.pem) to test a bad caes
johnpmitsch
force-pushed
the
verify_ueber_certs
branch
from
4f29933
to
71bad28
Compare
|
There were the following issues with the commit message:
If you don't have a ticket number, please create an issue in Redmine. More guidelines are available in Coding Standards or on the Foreman wiki. This message was auto-generated by Foreman's prprocessor |
theforeman-bot
added
Needs testing
Waiting on contributor
and removed
Waiting on contributor
labels
johnpmitsch
changed the title
johnpmitsch
force-pushed
the
verify_ueber_certs
branch
from
71bad28
to
31c84b9
Compare
johnpmitsch
changed the title
|
@jlsherrill thanks for the suggestions, updated! |
|
[test] |
1 similar comment
|
[test] |
|
APJ |
When the CA changes for any reason (like a hostname change), we need to regenerate the ueber certs for organizations. This will automatically verify the ueber cert against the ca cert on each proxy sync.
To-do