From: Michael Friedrich
Date: Sun, 2 Nov 2014 18:38:35 +0000 (+0100)
Subject: Cli: Fix serial.txt permissions for 'node setup/wizard'
X-Git-Tag: v2.2.0~144
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f69527599f2348bc811cea3b59bf2dadbd4ad4ef;p=icinga2
Cli: Fix serial.txt permissions for 'node setup/wizard'
fixes #7546
---
diff --git a/lib/cli/nodesetupcommand.cpp b/lib/cli/nodesetupcommand.cpp
index 550caa9e4..cde3afd14 100644
--- a/lib/cli/nodesetupcommand.cpp
+++ b/lib/cli/nodesetupcommand.cpp
@@ -167,6 +167,7 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
 String ca_path = PkiUtility::GetLocalCaPath();
 String ca = ca_path + "/ca.crt";
 String ca_key = ca_path + "/ca.key";
+ String serial = ca_path + "/serial.txt";
 String target_ca = pki_path + "/ca.crt";
 Log(LogInformation, "cli")
@@ -188,6 +189,10 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
 Log(LogWarning, "cli")
 << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!";
 }
+ if (!Utility::SetFileOwnership(serial, user, group)) {
+ Log(LogWarning, "cli")
+ << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!";
+ }
 if (!Utility::SetFileOwnership(target_ca, user, group)) {
 Log(LogWarning, "cli")
 << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!";
@@ -363,7 +368,6 @@ int NodeSetupCommand::SetupNode(const boost::program_options::variables_map& vm,
 String cert = pki_path + "/" + cn + ".crt";
 String ca = pki_path + "/ca.crt";
-
 if (!Utility::MkDirP(pki_path, 0700)) {
 Log(LogCritical, "cli")
 << "Could not create local pki directory '" << pki_path << "'.";
diff --git a/lib/cli/nodewizardcommand.cpp b/lib/cli/nodewizardcommand.cpp
index 406b93cb0..48f3278a8 100644
--- a/lib/cli/nodewizardcommand.cpp
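Review bot: The new serial.txt stanza in SetupMaster only changes ownership; the file's mode is left as created, so if the CA bootstrap wrote it under root's umask it stays group/world-readable after the chown, and the same applies to the ca.key stanza this one mirrors. I would confirm that Utility::SetFileOwnership also tightens the mode (its implementation is not in this diff) or pair each call with an explicit chmod — 0600 for ca.key, 0640 for serial.txt — so the fix does not depend on the umask of whoever ran `pki new-ca`. A missing serial.txt and a failed chown both end in the same generic "Verify it yourself!" warning; including the reason (errno text, or "file does not exist") would make the warning actionable. SetupMaster continues outside this hunk.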
+++ b/lib/cli/nodewizardcommand.cpp
@@ -254,6 +254,7 @@ wizard_master_host:
 String ca_path = PkiUtility::GetLocalCaPath();
 String ca_key = ca_path + "/ca.key";
 String ca = ca_path + "/ca.crt";
+ String serial = ca_path + "/serial.txt";
 /* fix permissions: root -> icinga daemon user */
 if (!Utility::SetFileOwnership(ca_path, user, group)) {
@@ -268,6 +269,10 @@ wizard_master_host:
 Log(LogWarning, "cli")
 << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!";
 }
+ if (!Utility::SetFileOwnership(serial, user, group)) {
+ Log(LogWarning, "cli")
+ << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!";
+ }
 if (!Utility::SetFileOwnership(node_cert, user, group)) {
 Log(LogWarning, "cli")
 << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << node_cert << "'. Verify it yourself!";
@@ -351,7 +356,7 @@ wizard_ticket:
 String bind_port = answer;
 bind_port.Trim();
- std::cout << "Enabling the APIlistener feature.\n";
+ Log(LogInformation, "cli", "Enabling the Apilistener feature.");
 std::vector enable;
 enable.push_back("api");
@@ -396,7 +401,7 @@ wizard_ticket:
 }
 /* apilistener config */
- std::cout << "Generating local zones.conf.\n";
+ Log(LogInformation, "cli", "Generating local zones.conf.");
 NodeUtility::GenerateNodeIcingaConfig(endpoints, cn, local_zone);
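Review bot: The serial stanza added after the ca_key one is the fourth copy of the same chown-and-warn block across this file and nodesetupcommand.cpp (ca_key, serial, node_cert, target_ca), differing only in the path. A file-scope helper would keep the four warnings identical and turn a later hardening (for example also setting the file mode) into a one-line change; each call then becomes `FixOwnership(serial, user, group);`. The enclosing wizard block starts before this hunk, so I can't tell whether such a helper already exists in the file.
```cpp
/* file scope in nodewizardcommand.cpp; the same helper fits nodesetupcommand.cpp */
static void FixOwnership(const String& path, const String& user, const String& group)
{
	if (!Utility::SetFileOwnership(path, user, group)) {
		Log(LogWarning, "cli")
		    << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << path << "'. Verify it yourself!";
	}
}
// … unchanged: wizard body; each chown-and-warn stanza replaced by a FixOwnership(...) call …
```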
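Review bot: The replacement message in the bind_port hunk spells the feature "Apilistener", which matches neither the removed text ("APIlistener") nor the `/* apilistener config */` comment further down; I'd use the type's own spelling, `Log(LogInformation, "cli", "Enabling the ApiListener feature.");`. Moving these progress lines from std::cout to Log also changes where an interactive wizard user sees them (the Log sink is not visible here), so it's worth confirming they still reach the terminal at the default console log level.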
@@ -405,12 +410,17 @@ wizard_ticket:
 << "CN '" << cn << "' does not match the default FQDN '" << Utility::GetFQDN() << "'. Requires update for NodeName constant in constants.conf!";
 }
- std::cout << "Updating constants.conf\n";
+ Log(LogInformation, "cli", "Updating constants.conf.");
+
+ String constants_file = Application::GetSysconfDir() + "/icinga2/constants.conf";
- NodeUtility::CreateBackupFile(Application::GetSysconfDir() + "/icinga2/constants.conf");
+ NodeUtility::CreateBackupFile(constants_file);
 NodeUtility::UpdateConstant("NodeName", cn);
+ Log(LogInformation, "cli")
+ << "Edit the constants.conf file '" << constants_file << "' and set a secure 'TicketSalt' constant.";
+
 } else {
 /* master setup */
 std::cout << "Starting the Master setup routine...\n";
@@ -474,6 +484,7 @@ wizard_ticket:
 String ca_path = PkiUtility::GetLocalCaPath();
 String ca = ca_path + "/ca.crt";
 String ca_key = ca_path + "/ca.key";
+ String serial = ca_path + "/serial.txt";
 String target_ca = pki_path + "/ca.crt";
 Log(LogInformation, "cli")
@@ -495,6 +506,10 @@ wizard_ticket:
 Log(LogWarning, "cli")
 << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!";
 }
+ if (!Utility::SetFileOwnership(serial, user, group)) {
+ Log(LogWarning, "cli")
+ << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!";
+ }
 if (!Utility::SetFileOwnership(target_ca, user, group)) {
 Log(LogWarning, "cli")
 << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!";
diff --git a/lib/cli/pkiutility.cpp b/lib/cli/pkiutility.cpp
index 140a30619..842b55543 100644
--- a/lib/cli/pkiutility.cpp
+++ b/lib/cli/pkiutility.cpp
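Review bot: The new "set a secure 'TicketSalt' constant" hint is emitted in the node branch, directly before `} else { /* master setup */`; if the salt is only consumed where tickets are issued, i.e. on the master, the advice lands on the wrong side of the wizard and the master branch (outside this hunk) is the one that should carry it — please verify which setup actually reads TicketSalt. Leaving the choice of a "secure" value to the operator is also weaker than having the wizard generate a random salt itself (if the codebase has a random-string helper) and persist it right after the NodeName update with `NodeUtility::UpdateConstant("TicketSalt", salt);`, which guarantees the shipped default is never left in place. Either way the message should say what a weak or default salt costs, since "secure" alone gives the operator nothing to act on.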
@@ -24,6 +24,7 @@
 #include "base/tlsutility.hpp"
 #include "base/tlsstream.hpp"
 #include "base/tcpsocket.hpp"
+#include "base/json.hpp"
 #include "base/utility.hpp"
 #include "remote/jsonrpc.hpp"
 #include
@@ -239,14 +240,23 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const
 for (;;) {
 response = JsonRpc::ReadMessage(stream);
- if (response->Get("id") != msgid)
+ if (response && response->Contains("error")) {
+ Log(LogCritical, "cli", "Could not fetch valid response. Please check the master log (notice or debug).");
+#ifdef _DEBUG
+ /* we shouldn't expose master errors to the user in production environments */
+ Log(LogCritical, "cli", response->Get("error"));
+#endif /* _DEBUG */
+ return 1;
+ }
+
+ if (response && (response->Get("id") != msgid))
 continue;
 break;
 }
- if (!response->Contains("result")) {
- Log(LogCritical, "cli", "Request certificate did not return a valid result. Check the master log for details!");
+ if (!response) {
+ Log(LogCritical, "cli", "Could not fetch valid response. Please check the master log.");
 return 1;
 }
diff --git a/lib/remote/apiclient.cpp b/lib/remote/apiclient.cpp
index 13fe72efd..5429599c8 100644
--- a/lib/remote/apiclient.cpp
+++ b/lib/remote/apiclient.cpp
@@ -184,7 +184,14 @@ bool ApiClient::ProcessMessage(void)
 resultMessage->Set("result", afunc->Invoke(origin, message->Get("params")));
 } catch (const std::exception& ex) {
+ //TODO: Add a user readable error message for the remote caller
 resultMessage->Set("error", DiagnosticInformation(ex));
+ std::ostringstream info;
+ info << "Error while processing message for identity '" << m_Identity << "'";
+ Log(LogWarning, "ApiClient")
+ << info.str();
+ Log(LogDebug, "ApiClient")
+ << info.str() << "\n" << DiagnosticInformation(ex);
 }
 if (message->Contains("id")) {
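Review bot: The `#ifdef _DEBUG` gate in RequestCertificate only hides `response->Get("error")` on the client side, but that text has already crossed the wire from the master, so the gate protects nothing; if master internals should not reach callers, the fix belongs where the error field is filled in (apiclient.cpp), not here. `_DEBUG` is also the MSVC debug-CRT macro; if the CMake build uses a project define for debug builds instead, this block is never compiled on non-Windows targets — worth verifying. Separately, the new error check runs before the id comparison, so an error reply carrying a different `id` (if the stream can interleave replies) aborts this request; placing the `Contains("error")` test after `if (response && (response->Get("id") != msgid)) continue;` keeps the two consistent. RequestCertificate continues outside this hunk.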
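Review bot: `DiagnosticInformation(ex)` is still sent verbatim to the remote peer in the "error" field of resultMessage, and is now additionally logged at debug level; if it carries what its name suggests (exception type and message, possibly file/line or context), every connected client with a valid certificate learns internal details of this endpoint on any failed call. The TODO acknowledges this, and it is a two-line change to close it in the same commit: `resultMessage->Set("error", "Error while processing the request. See the log on the remote endpoint.");` and keep `DiagnosticInformation(ex)` only in the LogDebug line. The warning would be far more useful to an operator if it named the failing method, if that is available from `message` (only "params" and "id" are read here), alongside m_Identity. `std::ostringstream` requires `<sstream>`, which this hunk does not show being included — verify. ProcessMessage continues outside this hunk.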