From: Gunnar Beutner Date: Wed, 23 Aug 2017 13:11:32 +0000 (+0200) Subject: Implement support for sending pki::RequestCertificate messages in the cluster X-Git-Tag: v2.8.0~87^2~37 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a4684d1bfd06da629718ffed8c1944b267c2df60;p=icinga2 Implement support for sending pki::RequestCertificate messages in the cluster refs #5450 --- diff --git a/lib/cli/pkiutility.cpp b/lib/cli/pkiutility.cpp index aeb385f9f..3dcae4cb2 100644 --- a/lib/cli/pkiutility.cpp +++ b/lib/cli/pkiutility.cpp @@ -258,10 +258,41 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const Dictionary::Ptr result = response->Get("result"); + if (result->Contains("ca")) { + try { + StringToCertificate(result->Get("ca")); + } catch (const std::exception& ex) { + Log(LogCritical, "cli") + << "Could not write CA file: " << DiagnosticInformation(ex, false); + return 1; + } + + Log(LogInformation, "cli") + << "Writing CA certificate to file '" << cafile << "'."; + + std::ofstream fpca; + fpca.open(cafile.CStr()); + fpca << result->Get("ca"); + fpca.close(); + + if (fpca.fail()) { + Log(LogCritical, "cli") + << "Could not open CA certificate file '" << cafile << "' for writing."; + return 1; + } + } + if (result->Contains("error")) { LogSeverity severity; - if (result->Get("status_code") == 1) + Value vstatus; + + if (!result->Get("status_code", &vstatus)) + vstatus = 1; + + int status = vstatus; + + if (status == 1) severity = LogCritical; else { severity = LogInformation; @@ -271,7 +302,7 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const Log(severity, "cli") << "!!! " << result->Get("error"); - if (result->Get("status_code") == 1) + if (status == 1) return 1; else { Log(severity, "cli", "!!!!!!"); @@ -287,13 +318,8 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const return 1; } - try { - StringToCertificate(result->Get("ca")); - } catch (const std::exception& ex) { - Log(LogCritical, "cli") - << "Could not write CA file: " << DiagnosticInformation(ex, false); - return 1; - } + Log(LogInformation, "cli") + << "Writing signed certificate to file '" << certfile << "'."; std::ofstream fpcert; fpcert.open(certfile.CStr()); @@ -306,23 +332,6 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const return 1; } - Log(LogInformation, "cli") - << "Writing signed certificate to file '" << certfile << "'."; - - std::ofstream fpca; - fpca.open(cafile.CStr()); - fpca << result->Get("ca"); - fpca.close(); - - if (fpca.fail()) { - Log(LogCritical, "cli") - << "Could not open CA certificate file '" << cafile << "' for writing."; - return 1; - } - - Log(LogInformation, "cli") - << "Writing CA certificate to file '" << cafile << "'."; - return 0; } diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp index fd348edd9..bd6630dce 100644 --- a/lib/remote/apilistener.cpp +++ b/lib/remote/apilistener.cpp @@ -478,6 +478,15 @@ void ApiListener::SyncClient(const JsonRpcConnection::Ptr& aclient, const Endpoi endpoint->SetSyncing(true); } + Zone::Ptr myZone = Zone::GetLocalZone(); + + if (myZone->GetParent() == eZone) { + Log(LogInformation, "ApiListener") + << "Requesting new certificate for this Icinga instance from endpoint '" << endpoint->GetName() << "'."; + + SendCertificateRequest(aclient); + } + /* Make sure that the config updates are synced * before the logs are replayed. */ @@ -530,6 +539,19 @@ void ApiListener::SyncClient(const JsonRpcConnection::Ptr& aclient, const Endpoi << "Finished syncing endpoint '" << endpoint->GetName() << "' in zone '" << eZone->GetName() << "'."; } +void ApiListener::SendCertificateRequest(const JsonRpcConnection::Ptr& aclient) +{ + Dictionary::Ptr message = new Dictionary(); + message->Set("jsonrpc", "2.0"); + message->Set("method", "pki::RequestCertificate"); + + Dictionary::Ptr params = new Dictionary(); + + message->Set("params", params); + + JsonRpc::SendMessage(aclient->GetStream(), message); +} + void ApiListener::ApiTimerHandler(void) { double now = Utility::GetTime(); diff --git a/lib/remote/apilistener.hpp b/lib/remote/apilistener.hpp index 8e12f0dca..c16ed46c5 100644 --- a/lib/remote/apilistener.hpp +++ b/lib/remote/apilistener.hpp @@ -158,6 +158,7 @@ private: static void ConfigGlobHandler(ConfigDirInformation& config, const String& path, const String& file); void SendConfigUpdate(const JsonRpcConnection::Ptr& aclient); + void SendCertificateRequest(const JsonRpcConnection::Ptr& aclient); /* configsync */ void UpdateConfigObject(const ConfigObject::Ptr& object, const MessageOrigin::Ptr& origin, diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp index 14470806e..a0df4fa0b 100644 --- a/lib/remote/jsonrpcconnection-pki.cpp +++ b/lib/remote/jsonrpcconnection-pki.cpp @@ -94,10 +94,11 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona if (!origin->FromClient->IsAuthenticated()) { String salt = listener->GetTicketSalt(); - if (salt.IsEmpty()) + String ticket = params->Get("ticket"); + + if (salt.IsEmpty() || ticket.IsEmpty()) goto delayed_request; - String ticket = params->Get("ticket"); String realTicket = PBKDF2_SHA1(origin->FromClient->GetIdentity(), salt, 50000); if (ticket != realTicket) {