fixed importing SSL certificate (bnc#891940)

- log errors in the SSL verify callback - 3.1.103
yast · Aug 14, 2014 · f5079cd · f5079cd
1 parent 4c416e2
commit f5079cd
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 12 deletions.
diff --git a/package/yast2-registration.changes b/package/yast2-registration.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Aug 14 15:23:54 UTC 2014 - lslezak@suse.cz
+
+- fixed importing SSL certificate, log errors in the SSL verify
+  callback (bnc#891940)
+- 3.1.103
+
 -------------------------------------------------------------------
 Thu Aug 14 12:34:50 UTC 2014 - lslezak@suse.cz
 

diff --git a/package/yast2-registration.spec b/package/yast2-registration.spec
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-registration
-Version:        3.1.102
+Version:        3.1.103
 Release:        0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

diff --git a/src/lib/registration/registration.rb b/src/lib/registration/registration.rb
@@ -149,21 +149,29 @@ def service_for_product(product, &block)
     # returns SSL verify callback
     def verify_callback
       lambda do |verify_ok, context|
-        # we cannot raise an exception with details here (all exceptions in
-        # verify_callback are caught and ignored), we need to store the error
-        # details in a global instance
-        if !verify_ok
-          log.error "SSL verification failed: #{context.error}: #{context.error_string}"
-          Storage::SSLErrors.instance.ssl_error_code = context.error
-          Storage::SSLErrors.instance.ssl_error_msg = context.error_string
-          Storage::SSLErrors.instance.ssl_failed_cert = context.current_cert ?
-            SslCertitificate.load(context.current_cert) : nil
+        begin
+          # we cannot raise an exception with details here (all exceptions in
+          # verify_callback are caught and ignored), we need to store the error
+          # details in a global instance
+          store_ssl_error(context) unless verify_ok
+
+          verify_ok
+        rescue Exception => e
+          log.error "Exception in SSL verify callback: #{e.class}: #{e.message} : #{e.backtrace}"
+          # the exception will be ignored, but reraise anyway...
+          raise e
         end
-
-        verify_ok
       end
     end
 
+    def store_ssl_error(context)
+      log.error "SSL verification failed: #{context.error}: #{context.error_string}"
+      Storage::SSLErrors.instance.ssl_error_code = context.error
+      Storage::SSLErrors.instance.ssl_error_msg = context.error_string
+      Storage::SSLErrors.instance.ssl_failed_cert = context.current_cert ?
+        SslCertificate.load(context.current_cert) : nil
+    end
+
     def connect_params(params)
       default_params = {
         :language => ::Registration::Helpers.language,

diff --git a/test/registration_spec.rb b/test/registration_spec.rb
@@ -9,6 +9,7 @@
   before do
     stub_yast_require
     require "registration/registration"
+    require "registration/storage"
 
     stub_const("Yast::WFM", yast_wfm)
     allow(yast_wfm).to receive(:GetLanguage).and_return("en")
@@ -111,4 +112,43 @@
     end
   end
 
+  describe "#verify_callback" do
+    let(:registration) { Registration::Registration.new }
+    let(:callback) { registration.send(:verify_callback) }
+    let(:error_code) { 19 }
+    let(:error_string) { "self signed certificate in certificate chain" }
+    # SSL error context
+    let(:context) { double(:error => error_code, :error_string => error_string) }
+
+    it "stores the SSL error details" do
+      certificate = File.read(fixtures_file("test.pem"))
+      expect(context).to receive(:current_cert).and_return(certificate).twice
+
+      storage = Registration::Storage::SSLErrors.instance
+      expect(storage).to receive(:ssl_error_code=).with(error_code)
+      expect(storage).to receive(:ssl_error_msg=).with(error_string)
+      expect(storage).to receive(:ssl_failed_cert=)\
+        .with(an_instance_of(Registration::SslCertificate))
+
+      expect { callback.call(false, context) }.to_not raise_error
+    end
+
+    it "logs the exception raised inside" do
+      # set an invalid certificate to throw an exception in the callback
+      expect(context).to receive(:current_cert)\
+        .and_return("INVALID CERTIFICATE").twice
+
+      logger = double
+      expect(logger).to receive(:error).with(/SSL verification failed:/)
+      # the exception is logged
+      expect(logger).to receive(:error).with(
+        /Exception in SSL verify callback: OpenSSL::X509::CertificateError/)
+
+      allow(registration).to receive(:log).and_return(logger)
+
+      # the exception is re-raised
+      expect { callback.call(false, context) }.to raise_error OpenSSL::X509::CertificateError
+    end
+  end
+
 end