backend/rhn-conf/rhn.conf | 3
backend/server/rhnSQL/__init__.py | 18 +++--
backend/server/rhnSQL/driver_cx_Oracle.py | 9 +-
backend/server/rhnSQL/driver_postgresql.py | 32 +++++-----
java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java | 16 +----
java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java | 2
search-server/spacewalk-search/src/java/com/redhat/satellite/search/db/DatabaseManager.java | 8 --
web/modules/rhn/RHN/DBI.pm | 6 -
8 files changed, 48 insertions(+), 46 deletions(-)
New commits:
commit 7a22df856e85d474132dfd667b1b5e24b6e66041
Author: Matej Kollar <mkollar(a)redhat.com>
Date: Thu Oct 31 09:42:49 2013 +0100
1020952 - Single db root cert + option name change
- Root ca certificate won't be stored multiple times,
path can be configured
- Option enabling SSL for db connections is now "db_ssl_enabled",
and it is a 1/0 option, as this better captures what it does.
Both changes tightly coupled and related to given bz
diff --git a/backend/rhn-conf/rhn.conf b/backend/rhn-conf/rhn.conf
index c02896d..c6c24b3 100644
--- a/backend/rhn-conf/rhn.conf
+++ b/backend/rhn-conf/rhn.conf
@@ -15,3 +15,6 @@ log_file = /var/log/rhn/rhn.log
enable_snapshots = 1
+## SSL for database (PostgreSQL) connection
+db_ssl_enabled = 0
+db_sslrootcert = /etc/rhn/postgresql-db-root-ca.cert
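Review bot: The new `db_sslrootcert` key is not documented as depending on `db_ssl_enabled`, so an administrator reading rhn.conf cannot tell whether the path is consulted when SSL is off (the backend only reads it when `db_ssl_enabled` is true). Suggest extending the comment above the two keys to: `## SSL for database (PostgreSQL) connection: db_sslrootcert is the CA certificate used to verify the server and is only read when db_ssl_enabled = 1`.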
diff --git a/backend/server/rhnSQL/__init__.py b/backend/server/rhnSQL/__init__.py
index f3f4dbf..c7d6c16 100644
--- a/backend/server/rhnSQL/__init__.py
+++ b/backend/server/rhnSQL/__init__.py
@@ -41,7 +41,7 @@ from sql_base import SQLError, SQLSchemaError, SQLConnectError, \
# EVER be exposed to the calling applications.
-def __init__DB(backend, host, port, username, password, database, sslmode):
+def __init__DB(backend, host, port, username, password, database, sslmode, sslrootcert):
"""
Establish and check the connection so we can wrap it and handle
exceptions.
@@ -52,14 +52,14 @@ def __init__DB(backend, host, port, username, password, database, sslmode):
my_db = __DB
except NameError: # __DB has not been set up
db_class = dbi.get_database_class(backend=backend)
- __DB = db_class(host, port, username, password, database, sslmode)
+ __DB = db_class(host, port, username, password, database, sslmode, sslrootcert)
__DB.connect()
return
else:
del my_db
if __DB.is_connected_to(backend, host, port, username, password,
- database, sslmode):
+ database, sslmode, sslrootcert):
__DB.check_connection()
return
@@ -67,13 +67,13 @@ def __init__DB(backend, host, port, username, password, database, sslmode):
__DB.close()
# now we have to get a different connection
__DB = dbi.get_database_class(backend=backend)(
- host, port, username, password, database, sslmode)
+ host, port, username, password, database, sslmode, sslrootcert)
__DB.connect()
return 0
def initDB(backend=None, host=None, port=None, username=None,
- password=None, database=None, sslmode=None):
+ password=None, database=None, sslmode=None, sslrootcert=None):
"""
Initialize the database.
@@ -91,7 +91,11 @@ def initDB(backend=None, host=None, port=None, username=None,
database = CFG.DB_NAME
username = CFG.DB_USER
password = CFG.DB_PASSWORD
- sslmode = CFG.DB_SSLMODE
+ sslmode = None
+ sslrootcert = None
+ if CFG.DB_SSL_ENABLED:
+ sslmode = 'verify-full'
+ sslrootcert = CFG.DB_SSLROOTCERT
if backend not in SUPPORTED_BACKENDS:
raise rhnException("Unsupported database backend", backend)
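Review bot: When `CFG.DB_SSL_ENABLED` is set but `CFG.DB_SSLROOTCERT` is empty, the new block passes `sslmode='verify-full'` with an empty `sslrootcert` on to the driver, and the misconfiguration only surfaces at connect time with a driver-level message. A check next to the backend check would fail fast with a configuration-level error: `if sslmode is not None and not sslrootcert: raise rhnException("db_ssl_enabled requires db_sslrootcert to be set")`. initDB continues outside this hunk.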
@@ -102,7 +106,7 @@ def initDB(backend=None, host=None, port=None, username=None,
# Hide the password
add_to_seclist(password)
try:
- __init__DB(backend, host, port, username, password, database, sslmode)
+ __init__DB(backend, host, port, username, password, database, sslmode, sslrootcert)
# except (rhnException, SQLError):
# raise # pass on, we know those ones
# except (KeyboardInterrupt, SystemExit):
diff --git a/backend/server/rhnSQL/driver_cx_Oracle.py b/backend/server/rhnSQL/driver_cx_Oracle.py
index 8bad31d..d4892f0 100644
--- a/backend/server/rhnSQL/driver_cx_Oracle.py
+++ b/backend/server/rhnSQL/driver_cx_Oracle.py
@@ -358,13 +358,15 @@ class Database(sql_base.Database):
OracleError = cx_Oracle.DatabaseError
def __init__(self, host=None, port=None, username=None,
- password=None, database=None, sslmode=None):
+ password=None, database=None, sslmode=None, sslrootcert=None):
# Oracle requires enough info to connect
if not (username and password and database):
raise AttributeError("A valid Oracle username, password, and SID are required.")
if sslmode is not None:
raise AttributeError("Option sslmode is not supported for Oracle database backend.")
+ if sslrootcert is not None:
+ raise AttributeError("Option sslrootcert is not supported for Oracle database backend.")
sql_base.Database.__init__(self)
@@ -419,10 +421,11 @@ class Database(sql_base.Database):
return dbh
def is_connected_to(self, backend, host, port, username, password,
- database, sslmode):
+ database, sslmode, sslrootcert):
# NOTE: host and port are unused for Oracle:
return (backend == ORACLE) and (self.username == username) and \
- (self.password == password) and (self.database == database)
+ (self.password == password) and (self.database == database) and \
+ (sslmode is None) and (sslrootcert is None)
# try to close it first nicely
def close(self):
diff --git a/backend/server/rhnSQL/driver_postgresql.py b/backend/server/rhnSQL/driver_postgresql.py
index 3a9eb8d..e38a890 100644
--- a/backend/server/rhnSQL/driver_postgresql.py
+++ b/backend/server/rhnSQL/driver_postgresql.py
@@ -137,12 +137,13 @@ class Database(sql_base.Database):
""" Class for PostgreSQL database operations. """
def __init__(self, host=None, port=None, username=None,
- password=None, database=None, sslmode=None):
+ password=None, database=None, sslmode=None, sslrootcert=None):
self.username = username
self.password = password
self.database = database
self.sslmode = sslmode
+ self.sslrootcert = sslrootcert
# Minimum requirements to connect to a PostgreSQL db:
if not (self.username and self.database):
@@ -163,25 +164,28 @@ class Database(sql_base.Database):
def connect(self, reconnect=1):
try:
- kwargs = {
- 'database': str(self.database),
- 'user': str(self.username),
- 'password': str(self.password)}
+ dsndata = {
+ 'dbname': self.database,
+ 'user': self.username,
+ 'password': self.password}
if self.host is not None:
- kwargs['host'] = self.host
- kwargs['port'] = self.port
- if self.sslmode is not None and self.sslmode == 'verify-full':
- kwargs['sslmode'] = str(self.sslmode)
+ dsndata['host'] = self.host
+ dsndata['port'] = self.port
+ if self.sslmode is not None and self.sslmode == 'verify-full' and self.sslrootcert is not None:
+ dsndata['sslmode'] = self.sslmode
+ dsndata['sslrootcert'] = self.sslrootcert
elif self.sslmode is not None:
- raise AttributeError("Only sslmode=verify-full is supported.")
+ raise AttributeError("Only sslmode=\"verify-full\" (or None) is supported.")
+ if self.sslmode is not None and self.sslrootcert is None:
+ raise AttributeError("Attribute sslrootcert needs to be set if sslmode is set.")
- self.dbh = psycopg2.connect(**kwargs)
+ self.dbh = psycopg2.connect(" ".join("%s=%s" % (k, re.escape(str(v))) for k, v in dsndata.iteritems()))
# convert all DECIMAL types to float (let Python to choose one)
DEC2INTFLOAT = psycopg2.extensions.new_type(psycopg2._psycopg.DECIMAL.values,
'DEC2INTFLOAT', decimal2intfloat)
psycopg2.extensions.register_type(DEC2INTFLOAT)
- except Exception, e:
+ except psycopg2.Error, e:
if reconnect > 0:
# Try one more time:
return self.connect(reconnect=reconnect - 1)
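Review bot: The `sslrootcert` check added after the `elif` (`if self.sslmode is not None and self.sslrootcert is None:`) is unreachable: with `sslmode='verify-full'` and no root cert, the first branch fails on `self.sslrootcert is not None`, so `elif self.sslmode is not None` raises the misleading "Only sslmode=verify-full" message before the dedicated check runs. Reordering the validation so the mode check and the root-cert check each raise before the DSN is assembled fixes that, as below. Separately, `re.escape` is regex escaping, not libpq DSN quoting; it happens to work for plain paths because libpq strips the backslashes, but a value containing whitespace, or an empty password (which yields `password= dbname=...` and is mis-parsed), still breaks, so values should be wrapped in single quotes with `\` and `'` backslash-escaped. If `re` is not already imported at the top of driver_postgresql.py, that import is also missing; connect() continues past this hunk.
```python
            # … unchanged: dsndata construction and host/port …
            if self.sslmode is not None and self.sslmode != 'verify-full':
                raise AttributeError("Only sslmode=\"verify-full\" (or None) is supported.")
            if self.sslmode is not None and self.sslrootcert is None:
                raise AttributeError("Attribute sslrootcert needs to be set if sslmode is set.")
            if self.sslmode is not None:
                dsndata['sslmode'] = self.sslmode
                dsndata['sslrootcert'] = self.sslrootcert

            # libpq connection-string quoting: single-quote the value and
            # backslash-escape backslashes and single quotes inside it.
            def _quote(value):
                return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"

            self.dbh = psycopg2.connect(" ".join("%s=%s" % (k, _quote(v)) for k, v in dsndata.iteritems()))
            # … unchanged: DEC2INTFLOAT type registration …
```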
@@ -192,7 +196,7 @@ class Database(sql_base.Database):
"Attempting Re-Connect to the database failed"), None, sys.exc_info()[2]
def is_connected_to(self, backend, host, port, username, password,
- database, sslmode):
+ database, sslmode, sslrootcert):
if host is None or host == '' or host == 'localhost':
host = None
port = None
@@ -201,7 +205,7 @@ class Database(sql_base.Database):
return (backend == POSTGRESQL) and (self.host == host) and \
(self.port == port) and (self.username == username) and \
(self.password == password) and (self.database == database) and \
- (self.sslmode == sslmode)
+ (self.sslmode == sslmode) and (self.sslrootcert == sslrootcert)
def check_connection(self):
try:
diff --git a/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java b/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java
index c847f32..46a1b34 100644
--- a/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java
+++ b/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java
@@ -145,7 +145,7 @@ public class ConfigDefaults {
public static final String DB_NAME = "db_name";
public static final String DB_HOST = "db_host";
public static final String DB_PORT = "db_port";
- public static final String DB_SSLMODE = "db_sslmode";
+ public static final String DB_SSL_ENABLED = "db_ssl_enabled";
public static final String DB_PROTO = "hibernate.connection.driver_proto";
public static final String DB_CLASS = "hibernate.connection.driver_class";
@@ -554,7 +554,7 @@ public class ConfigDefaults {
String dbHost = Config.get().getString(DB_HOST);
String dbPort = Config.get().getString(DB_PORT);
String dbProto = Config.get().getString(DB_PROTO);
- String dbSslmode = Config.get().getString(DB_SSLMODE);
+ boolean dbSslEnabled = Config.get().getBoolean(DB_SSL_ENABLED);
String connectionUrl;
@@ -565,9 +565,9 @@ public class ConfigDefaults {
}
connectionUrl += dbName;
- if (dbSslmode != null) {
+ if (dbSslEnabled) {
throw new ConfigException(
- "Option sslmode is not supported for Oracle database backend");
+ "SSL is not supported for Oracle database backend");
}
}
else if (isPostgresql()) {
@@ -581,16 +581,10 @@ public class ConfigDefaults {
}
connectionUrl += dbName;
- if (dbSslmode != null && dbSslmode.equals("verify-full")) {
+ if (dbSslEnabled) {
connectionUrl += "?ssl=true";
setSslTrustStore();
}
- else if (dbSslmode != null) {
- throw new ConfigException("Unsuported value for " +
- DB_SSLMODE +
- ". Only 'verify-full' is supported.");
- }
-
}
else {
throw new ConfigException(
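Review bot: With `db_ssl_enabled` the Java side appends only `?ssl=true` and calls `setSslTrustStore()`, whereas the Python backend in the same commit hardcodes `sslmode='verify-full'` (certificate chain plus hostname verification); whether the JDBC driver also verifies the hostname in this mode depends on the driver version and its default SSL factory, and nothing in the hunk pins it. Confirm that behaviour and document the intended guarantee above the `if (dbSslEnabled)` block, e.g. `// db_ssl_enabled: TLS with server certificate validated against the truststore set by setSslTrustStore(); verify hostname checking matches the backend's sslmode=verify-full`. The enclosing method starts outside this hunk.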
diff --git a/search-server/spacewalk-search/src/java/com/redhat/satellite/search/db/DatabaseManager.java b/search-server/spacewalk-search/src/java/com/redhat/satellite/search/db/DatabaseManager.java
index 7ecb7b1..3cfe695 100644
--- a/search-server/spacewalk-search/src/java/com/redhat/satellite/search/db/DatabaseManager.java
+++ b/search-server/spacewalk-search/src/java/com/redhat/satellite/search/db/DatabaseManager.java
@@ -86,8 +86,7 @@ public class DatabaseManager {
}
connectionUrl += "/" + overrides.getProperty("db_name");
- String sslmode = config.getString("db_sslmode");
- if (sslmode != null && sslmode.equals("verify-full")) {
+ if (config.getBoolean("db_ssl_enabled")) {
connectionUrl += "?ssl=true";
String trustStore = config.getString("java.ssl_truststore");
if (trustStore == null || ! new File(trustStore).isFile()) {
@@ -95,10 +94,7 @@ public class DatabaseManager {
trustStore + ". Path can be changed with java.ssl_truststore option.");
}
System.setProperty("javax.net.ssl.trustStore", trustStore);
- }
- else if (sslmode != null) {
- throw new ConfigException(
- "Unsuported value for db_sslmode. Only 'verify-full' is supported.");
+ overrides.setProperty("db_name", connectionUrl);
}
}
}
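Review bot: `overrides.setProperty("db_name", connectionUrl)` is now executed only inside the `db_ssl_enabled` branch, while `connectionUrl` is built unconditionally on the line preceding the first hunk, so the non-SSL path never writes the URL back into `overrides` within this hunk. If that write happens elsewhere in the method (the method starts outside the hunk) this is fine, but then the SSL-only call is asymmetric and deserves a comment; if it does not, the non-SSL connection URL is silently dropped. Suggest moving the `setProperty` call after the closing brace of the `if` so both paths store the URL, or adding `// URL with ?ssl=true replaces the plain db_name override set earlier` if the asymmetry is intended.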
diff --git a/web/modules/rhn/RHN/DBI.pm b/web/modules/rhn/RHN/DBI.pm
index d49873f..9de2330 100644
--- a/web/modules/rhn/RHN/DBI.pm
+++ b/web/modules/rhn/RHN/DBI.pm
@@ -54,11 +54,9 @@ sub _get_dbi_connect_parameters {
if (defined $port and $port ne '' and $port ne '5432') {
$DSN .= ";port=$port";
}
- my sslmode = PXT::Config->get("db_sslmode");
- if (defined $sslmode and $sslmode eq "verify-full") {
+ if (PXT::Config->get("db_ssl_enabled")) {
$DSN .= ";sslmode=verify-full";
- } elsif (defined $sslmode) {
- die "Unsuported value for db_sslmode. Only 'verify-full' is supported.\n";
+ $DSN .= ";sslrootcert=" . PXT::Config->get("db_sslrootcert");
}
}
}
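Review bot: When `db_ssl_enabled` is set but `db_sslrootcert` is missing, the new line appends `;sslrootcert=` with an empty value (and an "uninitialized value" warning under `use warnings`), whereas the Python backend in this commit refuses to connect in that case. Validate the path before using it: `my $sslrootcert = PXT::Config->get("db_sslrootcert");` / `die "db_ssl_enabled requires db_sslrootcert to be set\n" unless defined $sslrootcert and $sslrootcert ne '';` / `$DSN .= ";sslmode=verify-full;sslrootcert=$sslrootcert";`. The sub `_get_dbi_connect_parameters` starts outside this hunk.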
commit 1a966c26270047dd7da058a7dde476c979e67c36
Author: Matej Kollar <mkollar(a)redhat.com>
Date: Thu Oct 31 18:21:40 2013 +0100
Checkstyle fix, follow JSL for method modifiers
diff --git a/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java b/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java
index 312c8ed..4dc8f5c 100644
--- a/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java
+++ b/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java
@@ -1188,7 +1188,7 @@ public class PackageManager extends BaseManager {
* Create all repoentries for a channel's packages if needed
* @param cid the channel id
*/
- public synchronized static void createRepoEntrys(Long cid) {
+ public static synchronized void createRepoEntrys(Long cid) {
Map params = new HashMap();
params.put("cid", cid);
try {