foreman_maintain 1.7.9 → 1.7.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ef6daeffa7c5ac0f3f826b0cfadfd401989c2c0c07e55ff523cb517a558a167
-  data.tar.gz: 567bf5f018e6b059c65a3797469756d0fb86bd406831a075424782a8568c255f
+  metadata.gz: 74a80bff4334ff0e4d6a36e77200a71d94dd88f4083ac7f92d1cee35c5b77305
+  data.tar.gz: 26603e794c8c0ac12461c442511a15a2099630784df880fa5346f4a15b651707
 SHA512:
-  metadata.gz: f302f2c42d28400e31dcd05af5d6123bdaca0b714424057dd67de57a8350af10fedc92a53e66df3b7ab9cf633f5eacea1f0483c2cd4affb196a1312b3f904e51
-  data.tar.gz: 919a172809a07aeab718e332f59bcc93ec773510779134b5af6208b7904a9384b8851cb4d284883969fb115c255864c047c5890f2c99ea76931a748096e3d602
+  metadata.gz: 218380fc4a8508cc557a43a4953bf98bd4b60a746296d7dc55d8182d3fad97961b471411e04cd50b8ba5df30e175326469d98ee061c5875b4026ccd609430277
+  data.tar.gz: c3e00eef89608fd03c4a7337ccf318914e06688049f2143919c1682947b744d7d7a68965dcb0298c120406b919f905f8fc276556adcd7199653accde87520089

data/definitions/checks/check_sha1_certificate_authority.rb

@@ -16,14 +16,33 @@ class Checks::CheckSha1CertificateAuthority < ForemanMaintain::Check
 
     return unless server_ca
 
-    certificate = OpenSSL::X509::Certificate.new(File.read(server_ca))
+    begin
+      certificates = load_fullchain(server_ca)
+    rescue OpenSSL::X509::CertificateError
+      assert(false, "Error reading server CA certificate #{server_ca}.")
+    else
+      msg = <<~MSG
+        Server CA certificate #{server_ca} signed with sha1 which will break on upgrade.
+        Update the server CA certificate with one signed with sha256 or
+        stronger then proceed with the upgrade.
+      MSG
 
-    msg = <<~MSG
-      Server CA certificate signed with sha1 which will break on upgrade.
-      Update the server CA certificate with one signed with sha256 or
-      stronger then proceed with the upgrade.
-    MSG
+      assert(
+        certificates.all? { |cert| cert.signature_algorithm != 'sha1WithRSAEncryption' },
+        msg
+      )
+    end
+  end
 
-    assert(certificate.signature_algorithm != 'sha1WithRSAEncryption', msg)
+  def load_fullchain(bundle_pem)
+    if OpenSSL::X509::Certificate.respond_to?(:load_file)
+      OpenSSL::X509::Certificate.load_file(bundle_pem)
+    else
+      # Can be removed when only Ruby with load_file support is supported
+      File.binread(bundle_pem).
+        lines.
+        slice_after(/END CERTIFICATE/).
+        map { |pem| OpenSSL::X509::Certificate.new(pem.join) }
+    end
   end
 end

data/lib/foreman_maintain/version.rb

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.7.9'.freeze
+  VERSION = '1.7.10'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.7.9
+  version: 1.7.10
 platform: ruby
 authors:
 - Ivan Nečas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-06 00:00:00.000000000 Z
+date: 2024-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -411,7 +411,7 @@ homepage: https://github.com/theforeman/foreman_maintain
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -430,7 +430,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.27
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Foreman maintenance tool belt
 test_files: []