
Commit ab0e53a

authored
Merge pull request #598 from aaannz/upgrade_ssl_ca_fix
Check for CA validity before doing any real upgrade work
2 parents b8b23ab + 55f227f commit ab0e53a


3 files changed

+39
-3
lines changed


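--- a/mgradm/shared/podman/podman.go
+++ b/mgradm/shared/podman/podman.go
@@ -811,9 +811,6 @@ func configureSplitDBContainer(
 ssl adm_utils.InstallSSLFlags,
 tz string,
 ) error {
-if err := RunPgsqlContainerMigration(serverImage, "db", "reportdb"); err != nil {
-return utils.Errorf(err, L("cannot run PostgreSQL version upgrade script"))
-}
 fqdn, err := utils.GetFqdn([]string{})
 if err != nil {
 return err
@@ -823,6 +820,10 @@ func configureSplitDBContainer(
 return err
 }
 
+if err := RunPgsqlContainerMigration(serverImage, "db", "reportdb"); err != nil {
+return utils.Errorf(err, L("cannot run PostgreSQL version upgrade script"))
+}
+
 // Create all the database credentials secrets
 if err := podman.CreateCredentialsSecrets(
 podman.DBUserSecret, db.User,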
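Review bot: The move of the RunPgsqlContainerMigration call to after the certificate step is load-bearing but undocumented; a later reorder would silently undo the CA check this commit introduces without any test or comment catching it. Add a comment above the moved block, e.g. `// Keep the migration after the certificate step: it validates the CA key and password, and a bad CA must fail the upgrade before the database is touched.` That wording assumes the lines between the two hunks (not shown) hold the certificate step that now calls validateCA; adjust it if the ordering is enforced elsewhere. configureSplitDBContainer starts and ends outside the shown hunks.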

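--- a/mgradm/shared/podman/ssl.go
+++ b/mgradm/shared/podman/ssl.go
@@ -68,6 +68,22 @@ func PrepareSSLCertificates(image string, sslFlags *adm_utils.InstallSSLFlags, t
 return nil
 }
 
+func validateCA(image string, sslFlags *adm_utils.InstallSSLFlags, tz string) error {
+tempDir, cleaner, err := utils.TempDir()
+defer cleaner()
+if err != nil {
+return err
+}
+env := map[string]string{
+"CERT_PASS": sslFlags.Password,
+}
+
+if err := runSSLContainer(sslValidateCA, tempDir, image, tz, env); err != nil {
+return utils.Error(err, L("CA validation failed!"))
+}
+return nil
+}
+
 func prepareServerSSLcertificates(image string, sslFlags *adm_utils.InstallSSLFlags, tz string, fqdn string) error {
 tempDir, cleaner, err := utils.TempDir()
 defer cleaner()
@@ -307,6 +323,10 @@ func generateDatabaseCertificate(image string, sslFlags *adm_utils.InstallSSLFla
 return err
 }
 
+if err := validateCA(image, sslFlags, tz); err != nil {
+return utils.Error(err, L("Cannot generate database certificate"))
+}
+
 env := map[string]string{
 "CERT_O": sslFlags.Org,
 "CERT_OU": sslFlags.OU,
@@ -399,3 +419,17 @@ const sslSetupDatabaseScript = `
 cp /root/ssl-build/reportdb/server.crt /ssl/reportdb.crt
 cp /root/ssl-build/reportdb/server.key /ssl/reportdb.key
 `
+const sslValidateCA = `
+CA_KEY=/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
+CA_PASS_FILE=/ssl/ca_pass
+trap "test -f \"$CA_PASS_FILE\" && /bin/rm -f -- \"$CA_PASS_FILE\" " 0 1 2 3 13 15
+
+echo "Validating CA..."
+echo "$CERT_PASS" > "$CA_PASS_FILE"
+
+test -f $CA_KEY || (echo "CA key is not available" && exit 1)
+test -r "$CA_KEY" || (echo "CA key is not readable" && exit 2)
+
+openssl rsa -noout -in "/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY" -passin "file:$CA_PASS_FILE" || \
+(echo "Wrong CA key password" && exit 3)
+`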
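Review bot: In sslValidateCA the `(echo "..." && exit 1)` forms only exit a subshell, so unless the script runs under `set -e` (not visible here) a missing or unreadable CA key falls through to the openssl call and is reported as "Wrong CA key password" with exit 3 instead of its own message and code. Use brace groups so the script itself exits, and reference `$CA_KEY` in the openssl line instead of repeating the literal path so the variable and the check cannot drift apart. The password file is created under the container's default umask and written with `echo`, which some shells let mangle a password that begins with `-n` or contains backslashes; set `umask 077` first and write it with `printf '%s\n'`. If a non-RSA CA key is ever possible, `openssl pkey` would validate it where `openssl rsa` misreports the type mismatch as a wrong password. The Go side of the change (validateCA and its call in generateDatabaseCertificate) follows the existing prepareServerSSLcertificates pattern and reads fine.
```go
const sslValidateCA = `
CA_KEY=/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY
CA_PASS_FILE=/ssl/ca_pass
# … unchanged: trap cleaning up CA_PASS_FILE …

echo "Validating CA..."
umask 077
printf '%s\n' "$CERT_PASS" > "$CA_PASS_FILE"

test -f "$CA_KEY" || { echo "CA key is not available" >&2; exit 1; }
test -r "$CA_KEY" || { echo "CA key is not readable" >&2; exit 2; }

openssl rsa -noout -in "$CA_KEY" -passin "file:$CA_PASS_FILE" || \
{ echo "Wrong CA key password" >&2; exit 3; }
`
```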
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
- Check for valid CA before attempting DB upgrade
