2015-06-24 15:09:22 +02:00
|
|
|
/******************************************************************************
|
|
|
|
* Icinga 2 *
|
2017-01-10 15:54:22 +01:00
|
|
|
* Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/) *
|
2015-06-24 15:09:22 +02:00
|
|
|
* *
|
|
|
|
* This program is free software; you can redistribute it and/or *
|
|
|
|
* modify it under the terms of the GNU General Public License *
|
|
|
|
* as published by the Free Software Foundation; either version 2 *
|
|
|
|
* of the License, or (at your option) any later version. *
|
|
|
|
* *
|
|
|
|
* This program is distributed in the hope that it will be useful, *
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
|
|
|
|
* GNU General Public License for more details. *
|
|
|
|
* *
|
|
|
|
* You should have received a copy of the GNU General Public License *
|
|
|
|
* along with this program; if not, write to the Free Software Foundation *
|
|
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
|
|
|
|
******************************************************************************/
|
|
|
|
|
|
|
|
#include "cli/apisetuputility.hpp"
|
|
|
|
#include "cli/nodeutility.hpp"
|
|
|
|
#include "cli/featureutility.hpp"
|
2017-09-05 14:21:30 +02:00
|
|
|
#include "remote/apilistener.hpp"
|
2017-09-05 14:44:56 +02:00
|
|
|
#include "remote/pkiutility.hpp"
|
2015-06-24 15:09:22 +02:00
|
|
|
#include "base/logger.hpp"
|
|
|
|
#include "base/console.hpp"
|
|
|
|
#include "base/application.hpp"
|
|
|
|
#include "base/tlsutility.hpp"
|
|
|
|
#include "base/scriptglobal.hpp"
|
|
|
|
#include "base/exception.hpp"
|
|
|
|
#include <boost/algorithm/string/join.hpp>
|
|
|
|
#include <boost/algorithm/string/replace.hpp>
|
|
|
|
#include <boost/algorithm/string/case_conv.hpp>
|
|
|
|
#include <iostream>
|
|
|
|
#include <string>
|
|
|
|
#include <fstream>
|
|
|
|
#include <vector>
|
|
|
|
|
|
|
|
using namespace icinga;
|
|
|
|
|
|
|
|
String ApiSetupUtility::GetConfdPath(void)
|
|
|
|
{
|
|
|
|
return Application::GetSysconfDir() + "/icinga2/conf.d";
|
|
|
|
}
|
|
|
|
|
2015-10-26 07:03:41 +01:00
|
|
|
bool ApiSetupUtility::SetupMaster(const String& cn, bool prompt_restart)
|
2015-06-24 15:09:22 +02:00
|
|
|
{
|
2015-10-22 15:56:27 +02:00
|
|
|
if (!SetupMasterCertificates(cn))
|
|
|
|
return false;
|
2015-07-08 15:32:11 +02:00
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
if (!SetupMasterApiUser())
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!SetupMasterEnableApi())
|
|
|
|
return false;
|
|
|
|
|
2015-10-26 07:03:41 +01:00
|
|
|
if (prompt_restart) {
|
|
|
|
std::cout << "Done.\n\n";
|
|
|
|
std::cout << "Now restart your Icinga 2 daemon to finish the installation!\n\n";
|
|
|
|
}
|
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
return true;
|
2015-07-08 15:32:11 +02:00
|
|
|
}
|
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
bool ApiSetupUtility::SetupMasterCertificates(const String& cn)
|
2015-07-08 15:32:11 +02:00
|
|
|
{
|
2015-10-26 07:03:41 +01:00
|
|
|
Log(LogInformation, "cli", "Generating new CA.");
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
if (PkiUtility::NewCa() > 0)
|
2015-06-24 15:09:22 +02:00
|
|
|
Log(LogWarning, "cli", "Found CA, skipping and using the existing one.");
|
|
|
|
|
2017-09-06 12:11:48 +02:00
|
|
|
String pki_path = ApiListener::GetCertsDir();
|
2015-08-24 15:11:49 +02:00
|
|
|
Utility::MkDirP(pki_path, 0700);
|
2015-06-24 15:09:22 +02:00
|
|
|
|
|
|
|
String user = ScriptGlobal::Get("RunAsUser");
|
|
|
|
String group = ScriptGlobal::Get("RunAsGroup");
|
|
|
|
|
|
|
|
if (!Utility::SetFileOwnership(pki_path, user, group)) {
|
|
|
|
Log(LogWarning, "cli")
|
2015-10-26 07:03:41 +01:00
|
|
|
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << pki_path << "'.";
|
2015-06-24 15:09:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
String key = pki_path + "/" + cn + ".key";
|
|
|
|
String csr = pki_path + "/" + cn + ".csr";
|
|
|
|
|
2015-11-08 14:19:06 +01:00
|
|
|
if (Utility::PathExists(key)) {
|
|
|
|
Log(LogInformation, "cli")
|
2016-02-09 15:53:40 +01:00
|
|
|
<< "Private key file '" << key << "' already exists, not generating new certificate.";
|
2015-11-08 14:19:06 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2015-06-24 15:09:22 +02:00
|
|
|
Log(LogInformation, "cli")
|
2015-10-26 07:03:41 +01:00
|
|
|
<< "Generating new CSR in '" << csr << "'.";
|
2015-06-24 15:09:22 +02:00
|
|
|
|
|
|
|
if (Utility::PathExists(key))
|
|
|
|
NodeUtility::CreateBackupFile(key, true);
|
|
|
|
if (Utility::PathExists(csr))
|
|
|
|
NodeUtility::CreateBackupFile(csr);
|
|
|
|
|
|
|
|
if (PkiUtility::NewCert(cn, key, csr, "") > 0) {
|
|
|
|
Log(LogCritical, "cli", "Failed to create certificate signing request.");
|
2015-10-22 15:56:27 +02:00
|
|
|
return false;
|
2015-06-24 15:09:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Sign the CSR with the CA key */
|
|
|
|
String cert = pki_path + "/" + cn + ".crt";
|
|
|
|
|
|
|
|
Log(LogInformation, "cli")
|
2015-10-26 07:03:41 +01:00
|
|
|
<< "Signing CSR with CA and writing certificate to '" << cert << "'.";
|
2015-06-24 15:09:22 +02:00
|
|
|
|
|
|
|
if (Utility::PathExists(cert))
|
|
|
|
NodeUtility::CreateBackupFile(cert);
|
|
|
|
|
|
|
|
if (PkiUtility::SignCsr(csr, cert) != 0) {
|
|
|
|
Log(LogCritical, "cli", "Could not sign CSR.");
|
2015-10-22 15:56:27 +02:00
|
|
|
return false;
|
2015-06-24 15:09:22 +02:00
|
|
|
}
|
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
/* Copy CA certificate to /etc/icinga2/pki */
|
2017-09-05 14:21:30 +02:00
|
|
|
String ca_path = ApiListener::GetCaDir();
|
2015-06-24 15:09:22 +02:00
|
|
|
String ca = ca_path + "/ca.crt";
|
|
|
|
String ca_key = ca_path + "/ca.key";
|
|
|
|
String target_ca = pki_path + "/ca.crt";
|
|
|
|
|
|
|
|
Log(LogInformation, "cli")
|
2015-10-26 07:03:41 +01:00
|
|
|
<< "Copying CA certificate to '" << target_ca << "'.";
|
2015-06-24 15:09:22 +02:00
|
|
|
|
|
|
|
if (Utility::PathExists(target_ca))
|
|
|
|
NodeUtility::CreateBackupFile(target_ca);
|
|
|
|
|
|
|
|
/* does not overwrite existing files! */
|
|
|
|
Utility::CopyFile(ca, target_ca);
|
|
|
|
|
|
|
|
/* fix permissions: root -> icinga daemon user */
|
|
|
|
std::vector<String> files;
|
|
|
|
files.push_back(ca_path);
|
|
|
|
files.push_back(ca);
|
|
|
|
files.push_back(ca_key);
|
|
|
|
files.push_back(target_ca);
|
|
|
|
files.push_back(key);
|
|
|
|
files.push_back(csr);
|
|
|
|
files.push_back(cert);
|
|
|
|
|
2016-08-25 06:19:44 +02:00
|
|
|
for (const String& file : files) {
|
2015-06-24 15:09:22 +02:00
|
|
|
if (!Utility::SetFileOwnership(file, user, group)) {
|
|
|
|
Log(LogWarning, "cli")
|
2015-10-26 07:03:41 +01:00
|
|
|
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << file << "'.";
|
2015-06-24 15:09:22 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
return true;
|
2015-07-08 15:32:11 +02:00
|
|
|
}
|
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
bool ApiSetupUtility::SetupMasterApiUser(void)
|
2015-07-08 15:32:11 +02:00
|
|
|
{
|
2015-10-22 15:56:27 +02:00
|
|
|
String api_username = "root"; // TODO make this available as cli parameter?
|
2015-06-24 15:09:22 +02:00
|
|
|
String api_password = RandomString(8);
|
2016-02-22 16:47:41 +01:00
|
|
|
String apiUsersPath = GetConfdPath() + "/api-users.conf";
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2016-02-22 16:47:41 +01:00
|
|
|
if (Utility::PathExists(apiUsersPath)) {
|
2015-11-08 14:19:06 +01:00
|
|
|
Log(LogInformation, "cli")
|
2016-02-22 16:47:41 +01:00
|
|
|
<< "API user config file '" << apiUsersPath << "' already exists, not creating config file.";
|
2015-11-08 14:19:06 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2015-06-24 15:09:22 +02:00
|
|
|
Log(LogInformation, "cli")
|
2016-02-22 16:47:41 +01:00
|
|
|
<< "Adding new ApiUser '" << api_username << "' in '" << apiUsersPath << "'.";
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2016-02-22 16:47:41 +01:00
|
|
|
NodeUtility::CreateBackupFile(apiUsersPath);
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2016-02-22 16:47:41 +01:00
|
|
|
std::fstream fp;
|
2016-02-24 13:55:25 +01:00
|
|
|
String tempFilename = Utility::CreateTempFile(apiUsersPath + ".XXXXXX", 0644, fp);
|
2015-06-24 15:09:22 +02:00
|
|
|
|
|
|
|
fp << "/**\n"
|
2015-06-25 17:46:08 +02:00
|
|
|
<< " * The APIUser objects are used for authentication against the API.\n"
|
2015-06-24 15:09:22 +02:00
|
|
|
<< " */\n"
|
|
|
|
<< "object ApiUser \"" << api_username << "\" {\n"
|
|
|
|
<< " password = \"" << api_password << "\"\n"
|
2015-10-26 07:03:41 +01:00
|
|
|
<< " // client_cn = \"\"\n"
|
2015-09-28 08:57:25 +02:00
|
|
|
<< "\n"
|
|
|
|
<< " permissions = [ \"*\" ]\n"
|
2015-06-24 15:09:22 +02:00
|
|
|
<< "}\n";
|
|
|
|
|
|
|
|
fp.close();
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
2016-02-22 16:47:41 +01:00
|
|
|
_unlink(apiUsersPath.CStr());
|
2015-06-24 15:09:22 +02:00
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
2016-02-22 16:47:41 +01:00
|
|
|
if (rename(tempFilename.CStr(), apiUsersPath.CStr()) < 0) {
|
2015-06-24 15:09:22 +02:00
|
|
|
BOOST_THROW_EXCEPTION(posix_error()
|
|
|
|
<< boost::errinfo_api_function("rename")
|
|
|
|
<< boost::errinfo_errno(errno)
|
2016-02-22 16:47:41 +01:00
|
|
|
<< boost::errinfo_file_name(tempFilename));
|
2015-06-24 15:09:22 +02:00
|
|
|
}
|
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
return true;
|
2015-07-08 15:32:11 +02:00
|
|
|
}
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
bool ApiSetupUtility::SetupMasterEnableApi(void)
|
2015-07-08 15:32:11 +02:00
|
|
|
{
|
2015-10-26 07:03:41 +01:00
|
|
|
Log(LogInformation, "cli", "Enabling the 'api' feature.");
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
std::vector<std::string> features;
|
|
|
|
features.push_back("api");
|
|
|
|
FeatureUtility::EnableFeatures(features);
|
2015-06-24 15:09:22 +02:00
|
|
|
|
2015-10-22 15:56:27 +02:00
|
|
|
return true;
|
2015-06-24 15:09:22 +02:00
|
|
|
}
|