Self-signed certificate support #2270
Conversation
|
@joseivanlopez thanks, changed popup looks really good. So now only rest of backend part for unattended support is missing. |
| <Popup.Actions> | ||
| <QuestionActions | ||
| actions={question.options} | ||
| defaultAction={question.defaultOption} |
There was a problem hiding this comment.
NP: Probably not in the scope of this PR, but reveleaded here.
I believe we have to look for a way for not having a "primary" action but just the focused one for prompts like this where Agama shouldn't use a call to action. Agama should just prevent users trusting in the self certificate by accident focusing the Reject by default, but not encouraging/inviting users to reject it by using a primary action look&feel.
imobachgs
left a comment
imobachgs
left a comment
There was a problem hiding this comment.
I have reviewed the Rust part.
|
|
||
| pub async fn set_registration_url(&self, url: &String) -> Result<(), ServiceError> { | ||
| self.client | ||
| .put_void("/software/registration/url", url) |
There was a problem hiding this comment.
It looks weird to me to have separate endpoints to set the registration code/email and the URL.
Perhaps in the future we might consider to add the URL to the registration params.
There was a problem hiding this comment.
yeap, but code+email is together registration...not sure if it should be also part of registration method param and expect that all following registration of addons is forced to be on identical url.
Co-authored-by: Imobach González Sosa <[email protected]>
imobachgs
left a comment
imobachgs
left a comment
There was a problem hiding this comment.
Apart from two minor comments, the Rust part is looking good.
| Ok(SSLFingerprint { | ||
| fingerprint: value, | ||
| algorithm: alg.try_into()?, | ||
| algorithm: super::model::SSLFingerprintAlgorithm::from_str(&alg)?, |
There was a problem hiding this comment.
I would prefer to import the SSLFingerprintAlgorithm as you did with SSLFingerprint and SecuritryProxy.
| let dbus_list: Vec<(&str, &str)> = list | ||
| .iter() | ||
| .map(|s| (s.algorithm.to_str(), s.fingerprint.as_str())) | ||
| .map(|s| (s.algorithm.clone().into(), s.fingerprint.as_str())) |
There was a problem hiding this comment.
You can save the explicit clone if you derive Copy. In an enum, it makes sense.
|
|
||
| def self.download(url, insecure: false) | ||
| # TODO | ||
| # result = Downloader.download(url, insecure: insecure) |
There was a problem hiding this comment.
Is something missing here?
There was a problem hiding this comment.
no, it is just for future download of certificate from URL if we decide to implement it. It is using Yast downloader, so I kind of expect that we will do it differently in agama.
Co-authored-by: Imobach González Sosa <[email protected]>
The Rust part of the project was introduced just as a command-line interface. However, it has turned into a full blown HTTP/API server (with a command-line) and we plan to move more code from Ruby to Rust. We are learning Rust as we go, so some old decisions might need to be revisited. I have started by trying to simplify the [ServiceError](https://github.com/agama-project/agama/blob/70e7d987c9478f1c0ed3d1bf0c851485b9b88d84/rust/agama-lib/src/error.rs#L29-L78) enum, which represents an error but includes variants for many different situation (even unrelated ones). We even have an "anyhow" variant! This first round includes: - Defining an error for each HTTP client. - Defining an error for each store. - Defining an error for the storage, which includes one variant for each store. - Remove some `ServiceError` variants. - Make use of `anyhow` in more places of the binary. Once we have put everything into a better place, we can decide to simplify the whole thing if needed. Let's go step by step. ## To do - [x] Test the changes - [ ] Convert errors with a single variant into structs (?) - [x] Adapt changes from #2270. - [x] Update the changes file ## Follow-up - There is another whole category errors that are related to D-Bus. Let's move them to their own error and finish the `ServiceError` clean-up. - The HTTP client constructors do not need to be async. - The D-Bus clients are the "special cases". Perhaps we should consider moving from DomainHTTPClient to DomainClient (and DomainClient to DomainDBusClient). > [!WARNING] > Do not merge before #2270. We need to fix some conflicts first.
## Problem We recently implemented support for specifying a certificate to be used during registration. See #2270. Conversion of the fingerprints in an AutoYaST profile to the new Agama configuration format is still missing. ## Solution Implement the conversion of AutoYaST `reg_server_cert_fingerprint` and `reg_server_cert_fingerprint_type` to the Agama format: ```json { "security": { "sslCertificates": [ { "fingerprint": "01:12:34:45:56:67:78:89:90", "algorithm": "SHA1" } ] } } ``` ## Testing Added new unit tests
Prepare to release Agama 15: * #2258 * #2270 * #2277 * #2279 * #2283 * #2284 * #2285 * #2286 * #2287 * #2288 * #2291 * #2292 * #2293 * #2295 * #2297 * #2299 * #2300 * #2301 * #2302 * #2303 * #2305 * #2306 * #2307 * #2308 * #2309 * #2313 * #2314 * #2315 * #2317 * #2318 * #2319 * #2320 * #2321 * #2322 * #2323 * #2324 * #2325 * #2328 * #2329 * #2330 * #2331 * #2335 * #2336 * #2337 * #2338 * #2339 * #2340 * #2342 * #2345 * #2346 * #2348 * #2349 * #2350 * #2351 * #2352 * #2353 * #2354 * #2355 * #2357 * #2358 * #2359 * #2360 * #2361 * #2362 * #2363 * #2364 * #2365 * #2366 * #2368 * #2369 * #2370 * #2371 * #2372 * #2374 * #2377 * #2378 * #2379 * #2380 * #2381 * #2382 * #2384 * #2385 * #2386 * #2388 * #2389 * #2390 * #2391 * #2392 * #2394 * #2397 * #2398 * #2401 * #2403
Problem
Using registration server that uses self-signed certificate is not possible.
Solution
In this initial pull request implement question for user if certificate should be imported or not.
Testing
json used to invoke popup:
{ "product": { "id": "SLES", "registrationCode": "test", "registrationUrl": "https://migration-rmt2.qe.nue2.suse.org" } }json to test unattended ( will return product not found on server instead of certificate product as I do not have any rmt with SLES16 support)
{ "product": { "id": "SLES", "registrationCode": "test", "registrationUrl": "https://migration-rmt2.qe.nue2.suse.org" }, "security": { "sslCertificates": [{ "fingerprint": "F6:7A:ED:BB:BC:94:CF:55:9D:B3:BA:74:7A:87:05:EF:67:4E:C2:DB", "algorithm": "SHA1" } ] } }Screenshots
Documentation
Remember to look at it from the user's perspective. Yes you have made the compiler happy.
But will the humans even know about your contribution? Sometimes they cannot miss it,
other times they need advertisement and explanation.
Look for relevant sections and adjust:
git ls-files '*.md'