From d205021ca37d35ef394eeed31c9628f100852054 Mon Sep 17 00:00:00 2001
From: William Bradford Clark
Date: Tue, 2 Jun 2020 15:06:17 -0400
Subject: [PATCH] Fixes #29803 - Move --certs* to hooks/
---
 hooks/boot/20-certs_update.rb | 36 +++++++++++++++
 hooks/pre/20-certs_update.rb | 51 +++++++++++++++++++++
 hooks/pre_commit/20-certs_update.rb | 15 +++++++
 katello/hooks/boot/20-certs_update.rb | 34 --------------
 katello/hooks/pre/20-certs_update.rb | 64 --------------------------
 5 files changed, 102 insertions(+), 98 deletions(-)
 create mode 100644 hooks/boot/20-certs_update.rb
 create mode 100644 hooks/pre/20-certs_update.rb
 create mode 100644 hooks/pre_commit/20-certs_update.rb
 delete mode 100644 katello/hooks/boot/20-certs_update.rb
 delete mode 100644 katello/hooks/pre/20-certs_update.rb
diff --git a/hooks/boot/20-certs_update.rb b/hooks/boot/20-certs_update.rb
new file mode 100644
index 000000000..4bc322632
--- /dev/null
+++ b/hooks/boot/20-certs_update.rb
@@ -0,0 +1,36 @@
+# Add options around regenerating certificates
+if module_present?('certs')
+ app_option(
+ '--certs-update-server',
+ :flag,
+ "This option will enforce an update of the HTTPS certificates",
+ :default => false
+ )
+ app_option(
+ '--certs-update-server-ca',
+ :flag,
+ "This option will enforce an update of the CA used for HTTPS certificates.",
+ :default => false
+ )
+ app_option(
+ '--certs-update-all',
+ :flag,
+ "This option will enforce an update of all the certificates for given host",
+ :default => false
+ )
+ app_option(
+ '--certs-reset',
+ :flag,
+ "This option will reset any custom certificates and use the self-signed CA " \
+ "instead. Note that any clients will need to be updated with the latest " \
+ "katello-ca-consumer RPM, and any external proxies will need to have the " \
+ "certs updated by generating a new certs tarball.",
+ :default => false
+ )
+ app_option(
+ '--certs-skip-check',
+ :flag,
+ "This option will cause skipping the certificates sanity check. Use with caution",
+ :default => false
+ )
+end
diff --git a/hooks/pre/20-certs_update.rb b/hooks/pre/20-certs_update.rb
new file mode 100644
index 000000000..3b328e393
--- /dev/null
+++ b/hooks/pre/20-certs_update.rb
@@ -0,0 +1,51 @@
+require 'fileutils'
+require 'English'
+
+if module_enabled?('certs')
+ SSL_BUILD_DIR = param('certs', 'ssl_build_dir').value
+
+ def mark_for_update(cert_name, hostname = nil)
+ path = File.join(*[SSL_BUILD_DIR, hostname, cert_name].compact)
+ if app_value(:noop)
+ puts "Marking certificate #{path} for update (noop)"
+ else
+ puts "Marking certificate #{path} for update"
+ FileUtils.touch("#{path}.update")
+ end
+ end
+
+ ca_file = param('certs', 'server_ca_cert').value
+ cert_file = param('certs', 'server_cert').value
+ key_file = param('certs', 'server_key').value
+
+ if param('foreman_proxy_certs', 'foreman_proxy_fqdn')
+ hostname = param('foreman_proxy_certs', 'foreman_proxy_fqdn').value
+ else
+ hostname = param('certs', 'node_fqdn').value
+ end
+
+ if app_value('certs_update_server')
+ mark_for_update("#{hostname}-apache", hostname)
+ mark_for_update("#{hostname}-foreman-proxy", hostname)
+ end
+
+ if app_value('certs_update_all') || app_value('certs_update_default_ca') || app_value('certs_reset')
+ all_cert_names = Dir.glob(File.join(SSL_BUILD_DIR, hostname, '*.noarch.rpm')).map do |rpm|
+ File.basename(rpm).sub(/-1\.0-\d+\.noarch\.rpm/, '')
+ end.uniq
+
+ all_cert_names.each do |cert_name|
+ mark_for_update(cert_name, hostname)
+ end
+ end
+
+ if app_value('certs_update_server_ca') || app_value('certs_reset')
+ mark_for_update('katello-server-ca')
+ end
+
+ if app_value('certs_reset') && !app_value(:noop)
+ param('certs', 'server_cert').unset_value
+ param('certs', 'server_key').unset_value
+ param('certs', 'server_ca_cert').unset_value
+ end
+end
diff --git a/hooks/pre_commit/20-certs_update.rb b/hooks/pre_commit/20-certs_update.rb
new file mode 100644
index 000000000..eb8b95057
--- /dev/null
+++ b/hooks/pre_commit/20-certs_update.rb
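Review bot: `ca_file`, `cert_file` and `key_file` are assigned from `param(...).value` here but nothing in this file reads them; their only readers are the `check_cmd` lines in hooks/pre_commit/20-certs_update.rb, which cannot see this hook's locals unless the hook runner evaluates every hook file in a single binding, and if pre_commit runs before pre (as I believe kafo orders its hooks) they would not exist yet in any case. Moving the three assignments into the pre_commit hook and deleting them here resolves both. Separately, `app_value('certs_update_default_ca')` names an option that the boot hook in this patch does not register (it defines `--certs-update-server-ca`), so that disjunct is either always falsy or an unknown-option lookup depending on how `app_value` behaves. If no other hook defines it, this looks like a typo carried over from the deleted file; switching it to `certs_update_server_ca` would also make that flag re-mark every cert for the host, so confirm the intended semantics before changing it.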
@@ -0,0 +1,15 @@
+if module_enabled?('certs')
+ if app_value('certs_update_server_ca') && !module_enabled?('katello')
+ fail_and_exit("--certs-update-server-ca needs to be used with katello", 101)
+ end
+
+ if !app_value('certs_skip_check') &&
+ cert_file.to_s != "" &&
+ (app_value('certs_update_server_ca') || app_value('certs_update_server'))
+ check_cmd = %(katello-certs-check -c "#{cert_file}" -k "#{key_file}" -b "#{ca_file}")
+ output = `#{check_cmd} 2>&1`
+ unless $CHILD_STATUS.success?
+ fail_and_exit("Command '#{check_cmd}' exited with #{$CHILD_STATUS.exitstatus}:\n #{output}", 101)
+ end
+ end
+end
diff --git a/katello/hooks/boot/20-certs_update.rb b/katello/hooks/boot/20-certs_update.rb
deleted file mode 100644
index 3b3813644..000000000
--- a/katello/hooks/boot/20-certs_update.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-# Add options around regenerating certificates
-app_option(
- '--certs-update-server',
- :flag,
- "This option will enforce an update of the HTTPS certificates",
- :default => false
-)
-app_option(
- '--certs-update-server-ca',
- :flag,
- "This option will enforce an update of the CA used for HTTPS certificates.",
- :default => false
-)
-app_option(
- '--certs-update-all',
- :flag,
- "This option will enforce an update of all the certificates for given host",
- :default => false
-)
-app_option(
- '--certs-reset',
- :flag,
- "This option will reset any custom certificates and use the self-signed CA " \
- "instead. Note that any clients will need to be updated with the latest " \
- "katello-ca-consumer RPM, and any external proxies will need to have the " \
- "certs updated by generating a new certs tarball.",
- :default => false
-)
-app_option(
- '--certs-skip-check',
- :flag,
- "This option will cause skipping the certificates sanity check. Use with caution",
- :default => false
-)
diff --git a/katello/hooks/pre/20-certs_update.rb b/katello/hooks/pre/20-certs_update.rb
deleted file mode 100644
index ada146403..000000000
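Review bot: `check_cmd` is built by interpolating the three certificate paths into a shell string and executed with backticks, so a path containing a double quote or shell metacharacters either breaks the quoting or is interpreted by the shell; passing an argv array to `Open3.capture2e` runs `katello-certs-check` without a shell and passes the paths verbatim. It also removes the dependency on `$CHILD_STATUS`, which this file uses without its own `require 'English'` (the one in hooks/pre/ only helps if that hook has already been loaded, and I believe kafo runs pre_commit before pre). The rewrite below also reads the three file params locally, since `cert_file`, `key_file` and `ca_file` are not assigned anywhere in this file; `.to_s` is kept so a nil value still becomes an empty argument as the interpolation did.
```ruby
require 'open3'

if module_enabled?('certs')
  # … unchanged: --certs-update-server-ca / katello guard …

  ca_file = param('certs', 'server_ca_cert').value
  cert_file = param('certs', 'server_cert').value
  key_file = param('certs', 'server_key').value

  if !app_value('certs_skip_check') &&
     cert_file.to_s != "" &&
     (app_value('certs_update_server_ca') || app_value('certs_update_server'))
    # argv form: no shell, so the paths are passed exactly as given
    check_cmd = ['katello-certs-check', '-c', cert_file.to_s, '-k', key_file.to_s, '-b', ca_file.to_s]
    output, status = Open3.capture2e(*check_cmd)
    unless status.success?
      fail_and_exit("Command '#{check_cmd.join(' ')}' exited with #{status.exitstatus}:\n #{output}", 101)
    end
  end
end
```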
--- a/katello/hooks/pre/20-certs_update.rb
+++ /dev/null
@@ -1,64 +0,0 @@
-require 'fileutils'
-require 'English'
-
-SSL_BUILD_DIR = param('certs', 'ssl_build_dir').value
-CHECK_SCRIPT = `which katello-certs-check`.strip
-
-def mark_for_update(cert_name, hostname = nil)
- path = File.join(*[SSL_BUILD_DIR, hostname, cert_name].compact)
- puts "Marking certificate #{path} for update"
- if app_value(:noop)
- puts "skipping in noop mode"
- else
- FileUtils.touch("#{path}.update")
- end
-end
-
-ca_file = param('certs', 'server_ca_cert').value
-cert_file = param('certs', 'server_cert').value
-key_file = param('certs', 'server_key').value
-
-if app_value('certs_update_server_ca') && !module_enabled?('katello')
- fail_and_exit("--certs-update-server-ca needs to be used with katello", 101)
-end
-
-if param('foreman_proxy_certs', 'foreman_proxy_fqdn')
- hostname = param('foreman_proxy_certs', 'foreman_proxy_fqdn').value
-else
- hostname = param('certs', 'node_fqdn').value
-end
-
-if app_value('certs_update_server')
- mark_for_update("#{hostname}-apache", hostname)
- mark_for_update("#{hostname}-foreman-proxy", hostname)
-end
-
-if app_value('certs_update_all') || app_value('certs_update_default_ca') || app_value('certs_reset')
- all_cert_names = Dir.glob(File.join(SSL_BUILD_DIR, hostname, '*.noarch.rpm')).map do |rpm|
- File.basename(rpm).sub(/-1\.0-\d+\.noarch\.rpm/, '')
- end.uniq
-
- all_cert_names.each do |cert_name|
- mark_for_update(cert_name, hostname)
- end
-end
-
-if app_value('certs_update_server_ca') || app_value('certs_reset')
- mark_for_update('katello-server-ca')
-end
-
-if !app_value('certs_skip_check') &&
- cert_file.to_s != "" &&
- (app_value('certs_update_server_ca') || app_value('certs_update_server'))
- check_cmd = %(#{CHECK_SCRIPT} -c "#{cert_file}" -k "#{key_file}" -b "#{ca_file}")
- output = `#{check_cmd} 2>&1`
- unless $CHILD_STATUS.success?
- fail_and_exit("Command '#{check_cmd}' exited with #{$CHILD_STATUS.exitstatus}:\n #{output}", 101)
- end
-end
-
-if app_value('certs_reset') && !app_value(:noop)
- param('certs', 'server_cert').unset_value
- param('certs', 'server_key').unset_value
- param('certs', 'server_ca_cert').unset_value
-end