
Source code changes of the file "lib/remote/jsonrpcconnection-pki.cpp" between
icinga2-2.11.5.tar.gz and icinga2-2.12.0.tar.gz

About: Icinga 2 is an enterprise grade monitoring system which keeps watch over networks and any conceivable network resource.

jsonrpcconnection-pki.cpp  (icinga2-2.11.5):jsonrpcconnection-pki.cpp  (icinga2-2.12.0)
skipping to change at line 56 skipping to change at line 56
result->Set("error", "No certificate or CSR received."); result->Set("error", "No certificate or CSR received.");
return result; return result;
} }
ApiListener::Ptr listener = ApiListener::GetInstance(); ApiListener::Ptr listener = ApiListener::GetInstance();
std::shared_ptr<X509> cacert = GetX509Certificate(listener->GetDefaultCaP ath()); std::shared_ptr<X509> cacert = GetX509Certificate(listener->GetDefaultCaP ath());
String cn = GetCertificateCN(cert); String cn = GetCertificateCN(cert);
bool signedByCA = VerifyCertificate(cacert, cert); bool signedByCA = false;
try {
signedByCA = VerifyCertificate(cacert, cert);
} catch (const std::exception&) { } /* Swallow the exception on purpose,
cacert will never be a non-CA certificate. */
Log(LogInformation, "JsonRpcConnection") Log(LogInformation, "JsonRpcConnection")
<< "Received certificate request for CN '" << cn << "'" << "Received certificate request for CN '" << cn << "'"
<< (signedByCA ? "" : " not") << " signed by our CA."; << (signedByCA ? "" : " not") << " signed by our CA.";
if (signedByCA) { if (signedByCA) {
time_t now; time_t now;
time(&now); time(&now);
/* auto-renew all certificates which were created before 2017 to force an update of the CA, /* auto-renew all certificates which were created before 2017 to force an update of the CA,
skipping to change at line 202 skipping to change at line 206
pubkey = std::shared_ptr<EVP_PKEY>(X509_get_pubkey(cert.get()), EVP_PKEY_ free); pubkey = std::shared_ptr<EVP_PKEY>(X509_get_pubkey(cert.get()), EVP_PKEY_ free);
subject = X509_get_subject_name(cert.get()); subject = X509_get_subject_name(cert.get());
newcert = CreateCertIcingaCA(pubkey.get(), subject); newcert = CreateCertIcingaCA(pubkey.get(), subject);
/* verify that the new cert matches the CA we're using for the ApiListene r; /* verify that the new cert matches the CA we're using for the ApiListene r;
* this ensures that the CA we have in /var/lib/icinga2/ca matches the on e * this ensures that the CA we have in /var/lib/icinga2/ca matches the on e
* we're using for cluster connections (there's no point in sending a cli ent * we're using for cluster connections (there's no point in sending a cli ent
* a certificate it wouldn't be able to use to connect to us anyway) */ * a certificate it wouldn't be able to use to connect to us anyway) */
if (!VerifyCertificate(cacert, newcert)) { try {
Log(LogWarning, "JsonRpcConnection") if (!VerifyCertificate(cacert, newcert)) {
<< "The CA in '" << listener->GetDefaultCaPath() << "' do Log(LogWarning, "JsonRpcConnection")
es not match the CA which Icinga uses " << "The CA in '" << listener->GetDefaultCaPath()
<< "for its own cluster connections. This is most likely << "' does not match the CA which Icinga uses "
a configuration problem."; << "for its own cluster connections. This is most
goto delayed_request; likely a configuration problem.";
} goto delayed_request;
}
} catch (const std::exception&) { } /* Swallow the exception on purpose,
cacert will never be a non-CA certificate. */
/* Send the signed certificate update. */ /* Send the signed certificate update. */
Log(LogInformation, "JsonRpcConnection") Log(LogInformation, "JsonRpcConnection")
<< "Sending certificate response for CN '" << cn << "' to endpoin t '" << "Sending certificate response for CN '" << cn << "' to endpoin t '"
<< client->GetIdentity() << "'" << (!ticket.IsEmpty() ? " (auto-s igning ticket)" : "" ) << "."; << client->GetIdentity() << "'" << (!ticket.IsEmpty() ? " (auto-s igning ticket)" : "" ) << ".";
result->Set("cert", CertificateToString(newcert)); result->Set("cert", CertificateToString(newcert));
result->Set("status_code", 0); result->Set("status_code", 0);
skipping to change at line 246 skipping to change at line 252
Utility::SaveJsonFile(requestPath, 0600, request); Utility::SaveJsonFile(requestPath, 0600, request);
JsonRpcConnection::SendCertificateRequest(nullptr, origin, requestPath); JsonRpcConnection::SendCertificateRequest(nullptr, origin, requestPath);
result->Set("status_code", 2); result->Set("status_code", 2);
result->Set("error", "Certificate request for CN '" + cn + "' is pending. Waiting for approval from the parent Icinga instance."); result->Set("error", "Certificate request for CN '" + cn + "' is pending. Waiting for approval from the parent Icinga instance.");
Log(LogInformation, "JsonRpcConnection") Log(LogInformation, "JsonRpcConnection")
<< "Certificate request for CN '" << cn << "' is pending. Waiting for approval."; << "Certificate request for CN '" << cn << "' is pending. Waiting for approval.";
if (origin) {
auto client (origin->FromClient);
if (client && !client->GetEndpoint()) {
client->Disconnect();
}
}
return result; return result;
} }
void JsonRpcConnection::SendCertificateRequest(const JsonRpcConnection::Ptr& acl ient, const MessageOrigin::Ptr& origin, const String& path) void JsonRpcConnection::SendCertificateRequest(const JsonRpcConnection::Ptr& acl ient, const MessageOrigin::Ptr& origin, const String& path)
{ {
Dictionary::Ptr message = new Dictionary(); Dictionary::Ptr message = new Dictionary();
message->Set("jsonrpc", "2.0"); message->Set("jsonrpc", "2.0");
message->Set("method", "pki::RequestCertificate"); message->Set("method", "pki::RequestCertificate");
ApiListener::Ptr listener = ApiListener::GetInstance(); ApiListener::Ptr listener = ApiListener::GetInstance();
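Review bot: The new try/catch around `VerifyCertificate(cacert, newcert)` in the second hunk swallows the exception and then falls through to the "Send the signed certificate update" block, so a verify call that throws instead of returning false ends with the new certificate being sent without the CA-match check having passed, whereas the first hunk's catch leaves `signedByCA` at false and fails closed. The comment justifies the swallow with "cacert will never be a non-CA certificate", but an empty `catch (const std::exception&)` also hides every other failure from that call, and nothing is logged. For consistency with the first hunk I would fail closed there: `} catch (const std::exception& ex) { Log(LogWarning, "JsonRpcConnection") << "Could not verify the new certificate against the CA: " << ex.what(); goto delayed_request; }`. In the third hunk `auto client (origin->FromClient);` appears to shadow the `client` already used earlier in this function (`client->GetIdentity()`), which is easy to misread; a distinct name such as `fromClient` would be clearer, assuming the outer `client` is the function parameter. The enclosing function starts and ends outside these hunks.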
 End of changes. 3 change blocks. 
9 lines changed or deleted 25 lines changed or added
