From a20693c750ddecc3053dcfc024b35fa5272838f6 Mon Sep 17 00:00:00 2001
From: mbussolotto
Date: Wed, 21 Jun 2023 06:45:45 +0200
Subject: [PATCH] Set CA bundle path depends on distro
---
 ...sh.changes.mbussolotto.rhnpush_ca_cerfificate_path | 1 +
 client/tools/mgr-push/rhnpush_config.py | 11 ++++++++++-
 client/tools/mgr-push/rhnpushrc | 3 ---
 python/rhn/transports.py | 4 ++--
 testsuite/features/step_definitions/common_steps.rb | 2 +-
 5 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 client/tools/mgr-push/mgr-push.changes.mbussolotto.rhnpush_ca_cerfificate_path
diff --git a/client/tools/mgr-push/mgr-push.changes.mbussolotto.rhnpush_ca_cerfificate_path b/client/tools/mgr-push/mgr-push.changes.mbussolotto.rhnpush_ca_cerfificate_path
new file mode 100644
index 000000000000..33b637be9091
--- /dev/null
+++ b/client/tools/mgr-push/mgr-push.changes.mbussolotto.rhnpush_ca_cerfificate_path
@@ -0,0 +1 @@
+- Use bundle CA certificate in rhnpush
diff --git a/client/tools/mgr-push/rhnpush_config.py b/client/tools/mgr-push/rhnpush_config.py
index 938ff841d75b..059d240213dd 100644
--- a/client/tools/mgr-push/rhnpush_config.py
+++ b/client/tools/mgr-push/rhnpush_config.py
@@ -20,6 +20,7 @@
 #
 import sys
+import os
 # pylint: disable=F0401
 if sys.version_info[0] == 3:
@@ -36,6 +37,14 @@ class rhnpushConfigParser:
 # pylint: disable=W0201
 _instance = None
+ def get_ca_bundle_path(self):
+ if os.system("grep -iq '^ID_LIKE=.*suse' /etc/os-release") == 0:
+ return '/etc/ssl/ca-bundle.pem'
+ if os.system("grep -iq '^ID_LIKE=.*rhel' /etc/os-release") == 0:
+ return '/etc/pki/tls/certs/ca-bundle.crt'
+ if os.system("grep -iq '^ID_LIKE=.*debian' /etc/os-release") == 0:
+ return '/etc/ssl/certs/ca-certificates.crt'
+
 def __init__(self, filename=None, ensure_consistency=False):
 # Defaults that are used if the ensure_consistency parameter of the constructor is true
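Review bot: `get_ca_bundle_path` falls off the end and returns `None` when none of the three `ID_LIKE` patterns match, and that value becomes the default `ca_chain` in the later hunk of this file. `ID_LIKE` is an optional os-release field and a distribution normally does not list its own name in it, so the lookup should also read `ID` and finish with an explicit fallback; how the rest of rhnpush handles a `None` CA path is not visible here, but it must not end up as a connection made without server verification. The detection also spawns a shell and `grep` through `os.system` up to three times, which makes the result depend on the caller's `PATH` for what is a small file read. A version that parses `/etc/os-release` in Python and falls back to the first bundle present on disk is sketched below.

```python
    def get_ca_bundle_path(self):
        """Return the system CA bundle path for this distribution, or None."""
        bundles = (
            ('suse', '/etc/ssl/ca-bundle.pem'),
            ('rhel', '/etc/pki/tls/certs/ca-bundle.crt'),
            ('debian', '/etc/ssl/certs/ca-certificates.crt'),
        )
        # Read ID and ID_LIKE directly: no shell, no dependency on PATH.
        names = ''
        try:
            with open('/etc/os-release') as os_release:
                for line in os_release:
                    key, _, value = line.partition('=')
                    if key.strip() in ('ID', 'ID_LIKE'):
                        names += ' ' + value.strip().strip('"\'').lower()
        except IOError:
            pass
        for family, bundle in bundles:
            if family in names:
                return bundle
        # Unknown family: use whichever known bundle is present on disk.
        for _family, bundle in bundles:
            if os.path.isfile(bundle):
                return bundle
        # Callers must treat None as "no trust anchors" and refuse to connect.
        return None
```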
@@ -66,7 +75,7 @@ def __init__(self, filename=None, ensure_consistency=False):
 'no_session_caching': '0',
 'proxy': '',
 'tolerant': '0',
- 'ca_chain': '/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT',
+ 'ca_chain': self.get_ca_bundle_path(),
 'timeout': None
 }
diff --git a/client/tools/mgr-push/rhnpushrc b/client/tools/mgr-push/rhnpushrc
index 1d63522f73a9..f42ab1f7bc83 100644
--- a/client/tools/mgr-push/rhnpushrc
+++ b/client/tools/mgr-push/rhnpushrc
@@ -73,8 +73,5 @@ no_session_caching = 0
 #Have rhnpush be tolerant of errors when pushing a large number of packages.
 tolerant = 0
-#The CA cert used to verify the ssl server
-ca_chain = /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
-
 #Default connection timeout, (no value for default)
 timeout = 300
diff --git a/python/rhn/transports.py b/python/rhn/transports.py
index 00277b04c649..1fd6ad147545 100644
--- a/python/rhn/transports.py
+++ b/python/rhn/transports.py
@@ -261,7 +261,7 @@ def __init__(self, transfer=0, encoding=0, refreshCallback=None,
 def add_trusted_cert(self, certfile):
 if not os.access(certfile, os.R_OK):
- raise ValueError("Certificate file %s is not accessible" % certfile)
+ raise ValueError("SafeTransport: Certificate file %s is not accessible" % certfile)
 self.trusted_certs.append(certfile)
 def get_connection(self, host):
@@ -316,7 +316,7 @@ def __init__(self, proxy, proxyUsername=None, proxyPassword=None,
 def add_trusted_cert(self, certfile):
 if not os.access(certfile, os.R_OK):
- raise ValueError("Certificate file %s is not accessible" % certfile)
+ raise ValueError("SafeProxyTransport:Certificate file %s is not accessible" % certfile)
 self.trusted_certs.append(certfile)
 def get_connection(self, host):
diff --git a/testsuite/features/step_definitions/common_steps.rb b/testsuite/features/step_definitions/common_steps.rb
index 349842f7da31..0c67cfd6eb67 100644
--- a/testsuite/features/step_definitions/common_steps.rb
+++ b/testsuite/features/step_definitions/common_steps.rb
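Review bot: The new default on the `'ca_chain'` line of rhnpush_config.py replaces a single organisation certificate with the whole system bundle as trust anchor, and nothing next to it says so. A comment there would help the next reader, for example `# Default trust store is the distro CA bundle; set ca_chain to a private CA file to restrict which issuers are accepted`. The call also appears to run every time the defaults dict is built, even when the config file supplies its own `ca_chain`, so resolving it lazily or caching the result is worth considering. `__init__` starts and ends outside this hunk.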
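Review bot: The two new error messages in python/rhn/transports.py are formatted differently: the first `add_trusted_cert` hunk reads `SafeTransport: Certificate`, while the second hunk has `SafeProxyTransport:Certificate` with no space after the colon. Suggest `raise ValueError("SafeProxyTransport: Certificate file %s is not accessible" % certfile)` so that log searches and message matching treat both classes the same way. Both class bodies continue outside the hunks.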
@@ -507,7 +507,7 @@
 end
 When(/^I push package "([^"]*)" into "([^"]*)" channel$/) do |arg1, arg2|
- srvurl = "http://#{ENV['SERVER']}/APP"
+ srvurl = "https://#{ENV['SERVER']}/APP"
 command = "rhnpush --server=#{srvurl} -u admin -p admin --nosig -c #{arg2} #{arg1} "
 get_target('server').run(command, timeout: 500)
 get_target('server').run('ls -lR /var/spacewalk/packages', timeout: 500)