Bug 2190022

Summary: Stacktrace displayed when running rct against an inaccessible file
Product: Red Hat Enterprise Linux 9 Reporter: John Sefler <jsefler>
Component: subscription-managerAssignee: Pino Toscano <ptoscano>
Status: CLOSED ERRATA QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.3Keywords: AutoVerified, Regression, Triaged
Target Milestone: rc   
Target Release: 9.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: subscription-manager-1.29.35-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:51:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Sefler 2023-04-26 20:18:05 UTC 
Description of problem:
This is a regression for a fix for former RHEL7 Bug 1315901.
Attempts to use the rct tool as a non-root user is throwing a traceback when trying to open root's /etc/pki/consumer/cert.pem


Version-Release number of selected component (if applicable):
[root@kvm-02-guest13 ~]# rpm -q subscription-manager
subscription-manager-1.29.34-1.el9.x86_64


How reproducible:


Steps to Reproduce:
[root@kvm-02-guest13 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: stage_rhsmqe_testuser01
Password: 
The system has been registered with ID: b85449c0-de28-4e94-8ba1-4238077e9116
The registered system name is: kvm-02-guest13.lab.eng.rdu2.redhat.com
[root@kvm-02-guest13 ~]# 
[root@kvm-02-guest13 ~]# useradd non-root-user
[root@kvm-02-guest13 ~]# 
[root@kvm-02-guest13 ~]# su - non-root-user --command 'rct cat-cert /etc/pki/consumer/cert.pem'
Traceback (most recent call last):
  File "/usr/lib64/python3.9/site-packages/rhsm/certificate2.py", line 102, in create_from_file
    pem: str = open(path, "r").read()
PermissionError: [Errno 13] Permission denied: '/etc/pki/consumer/cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.9/site-packages/rct/cert_commands.py", line 38, in _create_cert
    return certificate.create_from_file(cert_file)
  File "/usr/lib64/python3.9/site-packages/rhsm/certificate.py", line 60, in create_from_file
    return _CertFactory().create_from_file(path)
  File "/usr/lib64/python3.9/site-packages/rhsm/certificate2.py", line 104, in create_from_file
    raise CertificateException("Error loading certificate: %s" % err)
rhsm.certificate.CertificateException: Error loading certificate: [Errno 13] Permission denied: '/etc/pki/consumer/cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/rct", line 33, in <module>
    sys.exit(load_entry_point('subscription-manager==1.29.34', 'console_scripts', 'rct')())
  File "/usr/lib64/python3.9/site-packages/subscription_manager/scripts/rct.py", line 29, in main
    return RctCLI().main()
  File "/usr/lib64/python3.9/site-packages/subscription_manager/cli.py", line 197, in main
    return cmd.main()
  File "/usr/lib64/python3.9/site-packages/rct/commands.py", line 35, in main
    return_code = self._do_command()
  File "/usr/lib64/python3.9/site-packages/rct/cert_commands.py", line 82, in _do_command
    cert = self._create_cert()
  File "/usr/lib64/python3.9/site-packages/rct/cert_commands.py", line 40, in _create_cert
    raise InvalidCLIOptionError(
subscription_manager.cli.InvalidCLIOptionError: Unable to read certificate file '/etc/pki/consumer/cert.pem': Error loading certificate: [Errno 13] Permission denied: '/etc/pki/consumer/cert.pem'


Actual results:
 above

Expected results:
 stdout should display the following with exitCode=0...
Unable to read certificate file '/etc/pki/consumer/cert.pem': Error loading certificate: [Errno 13] Permission denied: '/etc/pki/consumer/cert.pem' 

Additional info:
Comment 1 Pino Toscano 2023-04-27 03:39:01 UTC 
Thanks for the report; this is a regression in the handling of invalid command line options in tools different than 'subscription-manager'.
Sent a PR to hopefully fix it:
https://github.com/candlepin/subscription-manager/pull/3251

Note: as result of this, the return value of 'rhsm-debug' for invalid command line options will change from 0 to 1: while this can be seen as behaviour change, I'd argue that errors ought to not cause a clean exit.
Comment 7 errata-xmlrpc 2023-11-07 08:51:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6606