tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-23 13:45:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

Node Wizard: Tell the user to put ca.crt if no connection to parent is selected

Browse Source 
This also fixes the choice tree for connection-less questions
and prevents empty tickets being stored on disk.

refs #5450
This commit is contained in:
Michael Friedrich 2017-09-07 14:29:04 +02:00 committed by Gunnar Beutner
parent 2fec16952d
commit 0a85977831
1 changed files with 65 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
lib/cli/nodewizardcommand.cpp
View File

@ -147,6 +147,7 @@ int NodeWizardCommand::ClientSetup(void) const
{ {
std::string answer; std::string answer;
String choice; String choice;
bool connectToParent = false;
std::cout << "Starting the Client/Satellite setup routine...\n\n"; std::cout << "Starting the Client/Satellite setup routine...\n\n";
@ -200,9 +201,15 @@ wizard_endpoint_loop_start:
String parentEndpointPort = "5665"; String parentEndpointPort = "5665";
if (choice.Contains("n")) { if (choice.Contains("n")) {
connectToParent = false;
Log(LogWarning, "cli", "Node to master/satellite connection setup skipped"); Log(LogWarning, "cli", "Node to master/satellite connection setup skipped");
std::cout << "Connection setup skipped. Please configure your parent node to connect to this node by setting the 'host' attribute for the node Endpoint object.\n"; std::cout << "Connection setup skipped. Please configure your parent node to\n"
<< "connect to this node by setting the 'host' attribute for the node Endpoint object.\n";
} else { } else {
connectToParent = true;
std::cout << ConsoleColorTag(Console_Bold) std::cout << ConsoleColorTag(Console_Bold)
<< "Please specify the master/satellite connection information:" << "Please specify the master/satellite connection information:"
<< ConsoleColorTag(Console_Normal) << "\n" << ConsoleColorTag(Console_Normal) << "\n"
@ -298,7 +305,8 @@ wizard_endpoint_loop_start:
boost::shared_ptr<X509> trustedParentCert; boost::shared_ptr<X509> trustedParentCert;
if (!parentHost.IsEmpty()) { /* Check whether we should connect to the parent node and present its trusted certificate. */
if (connectToParent) {
//save-cert and store the master certificate somewhere //save-cert and store the master certificate somewhere
Log(LogInformation, "cli") Log(LogInformation, "cli")
<< "Fetching public certificate from master (" << "Fetching public certificate from master ("
@ -326,24 +334,28 @@ wizard_endpoint_loop_start:
} }
wizard_ticket: wizard_ticket:
std::cout << ConsoleColorTag(Console_Bold) String nodeCA = certsDir + "/ca.crt";
<< "\nPlease specify the request ticket generated on your Icinga 2 master (optional)." String ticket;
<< ConsoleColorTag(Console_Normal) << "\n"
<< " (Hint: # icinga2 pki ticket --cn '" << cn << "'): ";
std::getline(std::cin, answer); /* Check whether we can connect to the parent node and fetch the client and CA certificate. */
if (connectToParent) {
std::cout << ConsoleColorTag(Console_Bold)
<< "\nPlease specify the request ticket generated on your Icinga 2 master (optional)."
<< ConsoleColorTag(Console_Normal) << "\n"
<< " (Hint: # icinga2 pki ticket --cn '" << cn << "'): ";
if (answer.empty()) { std::getline(std::cin, answer);
std::cout << ConsoleColorTag(Console_Bold) << "\n"
<< "No ticket was specified. Please approve the certificate signing request manually\n"
<< "on the master (see 'icinga2 ca list' and 'icinga2 ca sign --help' for details)."
<< ConsoleColorTag(Console_Normal) << "\n";
}
String ticket = answer; if (answer.empty()) {
ticket = ticket.Trim(); std::cout << ConsoleColorTag(Console_Bold) << "\n"
<< "No ticket was specified. Please approve the certificate signing request manually\n"
<< "on the master (see 'icinga2 ca list' and 'icinga2 ca sign --help' for details)."
<< ConsoleColorTag(Console_Normal) << "\n";
}
ticket = answer;
ticket = ticket.Trim();
if (!parentHost.IsEmpty()) {
if (ticket.IsEmpty()) { if (ticket.IsEmpty()) {
Log(LogInformation, "cli") Log(LogInformation, "cli")
<< "Requesting certificate without a ticket."; << "Requesting certificate without a ticket.";
@ -352,8 +364,6 @@ wizard_ticket:
<< "Requesting certificate with ticket '" << ticket << "'."; << "Requesting certificate with ticket '" << ticket << "'.";
} }
String nodeCA = certsDir + "/ca.crt";
if (Utility::PathExists(nodeCA)) if (Utility::PathExists(nodeCA))
NodeUtility::CreateBackupFile(nodeCA); NodeUtility::CreateBackupFile(nodeCA);
if (Utility::PathExists(nodeCert)) if (Utility::PathExists(nodeCert))
@ -375,6 +385,25 @@ wizard_ticket:
<< "' group '" << group << "' on file '" << "' group '" << group << "' on file '"
<< nodeCert << "'. Verify it yourself!"; << nodeCert << "'. Verify it yourself!";
} }
} else {
/* We cannot retrieve the parent certificate.
* Tell the user to manually copy the ca.crt file
* into LocalStateDir + "/lib/icinga2/certs"
*/
std::cout << ConsoleColorTag(Console_Bold)
<< "\nNo connection to the parent node was specified.\n\n"
<< "Please copy the public CA certificate from your master/satellite\n"
<< "into '" << nodeCA << "' before starting Icinga 2.\n"
<< ConsoleColorTag(Console_Normal);
if (Utility::PathExists(nodeCA)) {
std::cout << ConsoleColorTag(Console_Bold)
<< "\nFound public CA certificate in '" << nodeCA << "'.\n"
<< "Please verify that it is the same as on your master/satellite.\n"
<< ConsoleColorTag(Console_Normal);
}
} }
/* apilistener config */ /* apilistener config */
@ -490,30 +519,32 @@ wizard_ticket:
NodeUtility::UpdateConstant("NodeName", cn); NodeUtility::UpdateConstant("NodeName", cn);
NodeUtility::UpdateConstant("ZoneName", cn); NodeUtility::UpdateConstant("ZoneName", cn);
String ticketPath = ApiListener::GetCertsDir() + "/ticket"; if (!ticket.IsEmpty()) {
String ticketPath = ApiListener::GetCertsDir() + "/ticket";
String tempTicketPath = Utility::CreateTempFile(ticketPath + ".XXXXXX", 0600, fp); String tempTicketPath = Utility::CreateTempFile(ticketPath + ".XXXXXX", 0600, fp);
if (!Utility::SetFileOwnership(tempTicketPath, user, group)) { if (!Utility::SetFileOwnership(tempTicketPath, user, group)) {
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "Cannot set ownership for user '" << user
<< "' group '" << group << "' group '" << group
<< "' on file '" << tempTicketPath << "'. Verify it yourself!"; << "' on file '" << tempTicketPath << "'. Verify it yourself!";
} }
fp << ticket; fp << ticket;
fp.close(); fp.close();
#ifdef _WIN32 #ifdef _WIN32
_unlink(ticketPath.CStr()); _unlink(ticketPath.CStr());
#endif /* _WIN32 */ #endif /* _WIN32 */
if (rename(tempTicketPath.CStr(), ticketPath.CStr()) < 0) { if (rename(tempTicketPath.CStr(), ticketPath.CStr()) < 0) {
BOOST_THROW_EXCEPTION(posix_error() BOOST_THROW_EXCEPTION(posix_error()
<< boost::errinfo_api_function("rename") << boost::errinfo_api_function("rename")
<< boost::errinfo_errno(errno) << boost::errinfo_errno(errno)
<< boost::errinfo_file_name(tempTicketPath)); << boost::errinfo_file_name(tempTicketPath));
}
} }
return 0; return 0;