From 48289b660db459c05c5730e905bf6eb1afd0c6d7 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Fri, 10 Jul 2020 20:38:54 +0200
Subject: [PATCH] Fixes #30368 - Change Candlepin and Pulp 3 CA handling

This change makes the Candlepin CA file optional by falling back to the Foreman CA file. The result is a reduced configuration in most deployments. For Pulp the certificate is now read in the same way as Candlepin. Previously it partly relied on the CA being in the global allowed CA. This may be an issue in some cases, but in the default deployment it isn't. Following the general SSL config makes the configuration more predictable for users. It can also be easier in a containerized setup or on a system where the admin is not allowed to modify the system CA certificates. The example config is now also consistent with reality. The verify_ssl option is dropped from the ping model. This isn't respected elsewhere and it's misleading to have a valid ping only to have it fail at runtime.
---
 app/lib/katello/resources/candlepin.rb | 2 +-
 app/lib/katello/resources/registry.rb | 1 -
 .../katello/concerns/smart_proxy_extensions.rb | 1 +
 app/models/katello/ping.rb | 4 +---
 app/services/cert/certs.rb | 8 ++++++--
 app/services/katello/pulp/server.rb | 5 ++---
 config/katello.yaml.example | 14 ++++----------
 7 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/app/lib/katello/resources/candlepin.rb b/app/lib/katello/resources/candlepin.rb
index 8cf753d379b..93a0f199cec 100644
--- a/app/lib/katello/resources/candlepin.rb
+++ b/app/lib/katello/resources/candlepin.rb
@@ -11,7 +11,7 @@ class CandlepinResource < HttpResource
 self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
 self.consumer_secret = cfg[:oauth_secret]
 self.consumer_key = cfg[:oauth_key]
- self.ca_cert_file = cfg[:ca_cert_file]
+ self.ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)
 class << self
 def process_response(response)
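Review bot: The new `self.ca_cert_file = ::Cert::Certs.backend_ca_cert_file(:candlepin)` runs in the class body, so its fallback `Setting[:ssl_ca_file]` is read from the database once, when the class is first loaded, where the old `cfg[:ca_cert_file]` only consulted the settings file; if `Setting` is unavailable or empty at that moment (an early rake task, a fresh install) the CA path is nil and stays nil for the life of the process, which is hard to diagnose from a later TLS failure. If load-time resolution is intended, say so next to the line, e.g. `# Resolved once at class load; falls back to Foreman's ssl_ca_file when katello.yaml sets no ca_cert_file`, otherwise resolve it where the connection is built. The class body and `process_response` continue outside the hunk.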
diff --git a/app/lib/katello/resources/registry.rb b/app/lib/katello/resources/registry.rb
index 61e16d77163..ed6e9b9c107 100644
--- a/app/lib/katello/resources/registry.rb
+++ b/app/lib/katello/resources/registry.rb
@@ -31,7 +31,6 @@ def load_class
 uri = URI.parse(content_app_url)
 self.prefix = "/pulpcore_registry/"
 self.site = "#{uri.scheme}://#{uri.host}:#{uri.port}"
- self.ca_cert_file = Setting[:ssl_ca_file]
 pulp_primary.pulp3_ssl_configuration(self, :net_http)
 self
diff --git a/app/models/katello/concerns/smart_proxy_extensions.rb b/app/models/katello/concerns/smart_proxy_extensions.rb
index f6f667160f6..09993f1b418 100644
--- a/app/models/katello/concerns/smart_proxy_extensions.rb
+++ b/app/models/katello/concerns/smart_proxy_extensions.rb
@@ -188,6 +188,7 @@ def pulp3_configuration(config_class)
 end
 def pulp3_ssl_configuration(config, connection_adapter = Faraday.default_adapter)
+ config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)
 if connection_adapter == :excon
 config.ssl_client_cert = ::Cert::Certs.ssl_client_cert_filename
 config.ssl_client_key = ::Cert::Certs.ssl_client_key_filename
diff --git a/app/models/katello/ping.rb b/app/models/katello/ping.rb
index 5074e802699..53909faa70b 100644
--- a/app/models/katello/ping.rb
+++ b/app/models/katello/ping.rb
@@ -263,12 +263,10 @@ def fetch_proxy(capsule_id)
 end
 def backend_status(url, backend)
- ca_file = SETTINGS[:katello][backend][:ca_cert_file]
+ ca_file = ::Cert::Certs.backend_ca_cert_file(backend)
 request_id = ::Logging.mdc['request']
-
 options = {}
 options[:ssl_ca_file] = ca_file unless ca_file.nil?
- options[:verify_ssl] = SETTINGS[:katello][backend][:verify_ssl] if SETTINGS[:katello][backend].key?(:verify_ssl)
 options[:headers] = { 'Correlation-ID' => request_id } if request_id
 client = RestClient::Resource.new("#{url}/status", options)
diff --git a/app/services/cert/certs.rb b/app/services/cert/certs.rb
index a611f8b5aa8..4ccc60b4276 100644
--- a/app/services/cert/certs.rb
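Review bot: The removed line configured the registry resource through `self.ca_cert_file`, but its replacement in `pulp3_ssl_configuration` (the smart_proxy_extensions hunk below) assigns `config.ssl_ca_file` on the same object; unless the registry class aliases `ssl_ca_file=` to `ca_cert_file=`, which is not visible here, the call either raises NoMethodError or stores the CA under an attribute the HTTP layer never reads, so registry requests would be verified against the client's default trust store rather than the configured CA. Worth confirming which attribute the resource's HTTP client consumes and adding a test that the class has the CA set after `load_class`. The same naming question applies to the smart_proxy_extensions hunk. `load_class` starts before the hunk.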
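Review bot: The added `config.ssl_ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)` assigns unconditionally, so when neither the katello.yaml entry nor `Setting[:ssl_ca_file]` is set it writes nil into the config, whereas `backend_status` in the ping.rb hunk guards the same value with `unless ca_file.nil?`. Keeping the two consistent avoids clobbering a CA the adapter may already carry: `ca_file = ::Cert::Certs.backend_ca_cert_file(:pulp)` followed by `config.ssl_ca_file = ca_file if ca_file`. The rest of `pulp3_ssl_configuration` lies outside the hunk, so I cannot see whether the nil case is handled further down.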
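Review bot: With the fallback to `Setting[:ssl_ca_file]`, `ca_file` can presumably be an empty string rather than nil when the Foreman setting is cleared, and the existing `unless ca_file.nil?` guard then passes `""` to RestClient as `ssl_ca_file`, which surfaces as an opaque OpenSSL load error instead of a clear "no CA configured" result. If `Setting` can return blank values, `options[:ssl_ca_file] = ca_file if ca_file.present?` covers both cases. Since `verify_ssl` is no longer passed, the ping now relies on RestClient's default of verifying peers, which is consistent with the commit message but worth a one-line comment so nobody reintroduces the option.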
+++ b/app/services/cert/certs.rb
@@ -9,7 +9,7 @@ def self.ca_cert
 end
 def self.candlepin_client_ca_cert
- File.read(SETTINGS[:katello][:candlepin][:ca_cert_file])
+ File.read(backend_ca_cert_file(:candlepin))
 end
 def self.ssl_client_cert
@@ -28,10 +28,14 @@ def self.ssl_client_key_filename
 Setting[:ssl_priv_key]
 end
+ def self.backend_ca_cert_file(backend)
+ SETTINGS.dig(:katello, backend, :ca_cert_file) || Setting[:ssl_ca_file]
+ end
+
 def self.verify_ueber_cert(organization)
 ueber_cert = OpenSSL::X509::Certificate.new(self.ueber_cert(organization)[:cert])
 cert_store = OpenSSL::X509::Store.new
- cert_store.add_file SETTINGS[:katello][:candlepin][:ca_cert_file]
+ cert_store.add_file backend_ca_cert_file(:candlepin)
 organization.regenerate_ueber_cert unless cert_store.verify ueber_cert
 end
 end
diff --git a/app/services/katello/pulp/server.rb b/app/services/katello/pulp/server.rb
index 6c3fd3b2090..09dee16e51c 100644
--- a/app/services/katello/pulp/server.rb
+++ b/app/services/katello/pulp/server.rb
@@ -22,12 +22,11 @@ def self.config(url, user_remote_id)
 }
 }
- if (ca_cert = SETTINGS[:katello][:pulp][:ca_cert_file])
+ if (ca_cert = ::Cert::Certs.backend_ca_cert_file(:pulp))
 runcible_params[:ca_cert_file] = ca_cert
+ runcible_params[:verify_ssl] = true
 end
- runcible_params[:verify_ssl] = SETTINGS[:katello][:pulp][:verify_ssl] if SETTINGS[:katello][:pulp].key?(:verify_ssl)
 Runcible::Instance.new(runcible_params)
 end
 end
diff --git a/config/katello.yaml.example b/config/katello.yaml.example
index c8c94ce5cef..60ab750b1ae 100644
--- a/config/katello.yaml.example
+++ b/config/katello.yaml.example
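Review bot: `File.read(backend_ca_cert_file(:candlepin))` still raises a bare TypeError ("no implicit conversion of nil into String") when neither the katello.yaml entry nor `Setting[:ssl_ca_file]` is set; now that the Candlepin entry is officially optional, the unconfigured case is a supported path and deserves a descriptive failure. Three lines do it: `path = backend_ca_cert_file(:candlepin)`, `raise ArgumentError, "No CA file configured for candlepin" unless path`, `File.read(path)`.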
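Review bot: `backend_ca_cert_file` is now the single public decision point for which CA verifies TLS to a backend, and it has no documentation of its precedence or its nil result; I would add above the `def`: `# CA file used to verify TLS connections to +backend+ (:candlepin, :pulp): the katello.yaml ca_cert_file entry when set, otherwise Foreman's ssl_ca_file setting; nil when neither is configured.` Separately, `verify_ueber_cert` now checks the ueber certificate against Foreman's CA whenever the Candlepin entry is unset, so on a deployment where Candlepin's CA differs from Foreman's the `verify` presumably fails every time and `regenerate_ueber_cert` is triggered on each call, silently churning certificates; a comment naming that assumption, or a log line when verification fails, would make it visible.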
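Review bot: `runcible_params[:verify_ssl] = true` is only set inside the `if (ca_cert = …)` branch, so whether peer verification is explicitly requested now depends on whether a CA path was found, and the no-CA case is left to Runcible's default, which I cannot see here. Verification should not be coupled to the CA lookup; moving the assignment above the `if` as an unconditional `runcible_params[:verify_ssl] = true` makes the fail-closed intent explicit regardless of the library default. Note for the changelog that the removed `verify_ssl` key means the setting can no longer disable verification, which matches the commit message.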
@@ -17,22 +17,16 @@
 :oauth_key: katello
 :oauth_secret: katello
- # refers to the candlepin-ca.crt location that is needed
- # to connect to candlepin over https.This is not necessary
- # if the candlepin server is running on the same machine as katello
- # but required if the server is on a different machine.
- # In the different machine case the katello host needs to have a
- # copy of /etc/candlepin/certs/candlepin-ca.crt copied from
- # the candlepin host and the location of the copied file needs to be
- # specified here..
+ # Optional CA file to user to verify HTTPS connections to Candlepin. If not
+ # specified, Foreman's ssl_ca_file setting is used.
 :ca_cert_file:
 # :bulk_load_size: 1000
 # Setup your pulp environment here
 :pulp:
 :sync_threads: 4
- # refers to the apache certificate
- # (typically /etc/pki/tls/certs/localhost.crt) location that is needed
- # to connect to pulp over https.
+ # Optional CA file to user to verify HTTPS connections to Candlepin. If not
+ # specified, Foreman's ssl_ca_file setting is used.
 :ca_cert_file:
 :default_login: admin
 :sync_KBlimit:
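Review bot: The comment added under `:pulp:` is a copy of the Candlepin one and still says "connections to Candlepin", which will mislead anyone configuring the Pulp CA; both added comments also read "to user to verify" where "to use to verify" is meant. Suggested text for the Pulp entry: `# Optional CA file to use to verify HTTPS connections to Pulp. If not` / `# specified, Foreman's ssl_ca_file setting is used.`, with the same "to use" fix on the Candlepin entry.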