tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add ApiListener#tls_handshake_timeout option 

This allows to specify the previously hardcoded
timeout of 10s.

refs #6517
This commit is contained in:
Michael Friedrich 2018-09-13 18:05:31 +02:00
parent c8d4e785a1
commit 29701b4db5
8 changed files with 53 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/09-object-types.md
View File

@ -64,6 +64,7 @@ Configuration Attributes:
max\_anonymous\_clients | Number | **Optional.** Limit the number of anonymous client connections (not configured endpoints and signing requests). max\_anonymous\_clients | Number | **Optional.** Limit the number of anonymous client connections (not configured endpoints and signing requests).
cipher\_list | String | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL`. cipher\_list | String | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL`.
tls\_protocolmin | String | **Optional.** Minimum TLS protocol version. Must be one of `TLSv1`, `TLSv1.1` or `TLSv1.2`. Defaults to `TLSv1`. tls\_protocolmin | String | **Optional.** Minimum TLS protocol version. Must be one of `TLSv1`, `TLSv1.1` or `TLSv1.2`. Defaults to `TLSv1`.
tls\_handshake\_timeout | Number | **Optional.** TLS Handshake timeout. Defaults to `10s`.
access\_control\_allow\_origin | Array | **Optional.** Specifies an array of origin URLs that may access the API. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Origin) access\_control\_allow\_origin | Array | **Optional.** Specifies an array of origin URLs that may access the API. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Origin)
access\_control\_allow\_credentials | Boolean | **Deprecated.** Indicates whether or not the actual request can be made using credentials. Defaults to `true`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials) access\_control\_allow\_credentials | Boolean | **Deprecated.** Indicates whether or not the actual request can be made using credentials. Defaults to `true`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials)
access\_control\_allow\_headers | String | **Deprecated.** Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Defaults to `Authorization`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers) access\_control\_allow\_headers | String | **Deprecated.** Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Defaults to `Authorization`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers)

11
lib/base/configuration.cpp
View File

@ -49,6 +49,7 @@ String Configuration::RunAsGroup;
String Configuration::RunAsUser; String Configuration::RunAsUser;
String Configuration::SpoolDir; String Configuration::SpoolDir;
String Configuration::StatePath; String Configuration::StatePath;
double Configuration::TlsHandshakeTimeout{10};
String Configuration::VarsPath; String Configuration::VarsPath;
String Configuration::ZonesDir; String Configuration::ZonesDir;
@ -309,6 +310,16 @@ void Configuration::SetStatePath(const String& val, bool suppress_events, const
HandleUserWrite("StatePath", &Configuration::StatePath, val, m_ReadOnly); HandleUserWrite("StatePath", &Configuration::StatePath, val, m_ReadOnly);
} }
double Configuration::GetTlsHandshakeTimeout() const
{
return Configuration::TlsHandshakeTimeout;
}
void Configuration::SetTlsHandshakeTimeout(double val, bool suppress_events, const Value& cookie)
{
HandleUserWrite("TlsHandshakeTimeout", &Configuration::TlsHandshakeTimeout, val, m_ReadOnly);
}
String Configuration::GetVarsPath() const String Configuration::GetVarsPath() const
{ {
return Configuration::VarsPath; return Configuration::VarsPath;

4
lib/base/configuration.hpp
View File

@ -108,6 +108,9 @@ public:
String GetStatePath() const override; String GetStatePath() const override;
void SetStatePath(const String& value, bool suppress_events = false, const Value& cookie = Empty) override; void SetStatePath(const String& value, bool suppress_events = false, const Value& cookie = Empty) override;
double GetTlsHandshakeTimeout() const override;
void SetTlsHandshakeTimeout(double value, bool suppress_events = false, const Value& cookie = Empty) override;
String GetVarsPath() const override; String GetVarsPath() const override;
void SetVarsPath(const String& value, bool suppress_events = false, const Value& cookie = Empty) override; void SetVarsPath(const String& value, bool suppress_events = false, const Value& cookie = Empty) override;
@ -151,6 +154,7 @@ public:
static String RunAsUser; static String RunAsUser;
static String SpoolDir; static String SpoolDir;
static String StatePath; static String StatePath;
static double TlsHandshakeTimeout;
static String VarsPath; static String VarsPath;
static String ZonesDir; static String ZonesDir;

5
lib/base/configuration.ti
View File

@ -146,6 +146,11 @@ abstract class Configuration
set; set;
}; };
[config, no_storage, virtual] double TlsHandshakeTimeout {
get;
set;
};
[config, no_storage, virtual] String VarsPath { [config, no_storage, virtual] String VarsPath {
get; get;
set; set;

7
lib/base/tlsstream.cpp
View File

@ -21,6 +21,8 @@
#include "base/utility.hpp" #include "base/utility.hpp"
#include "base/exception.hpp" #include "base/exception.hpp"
#include "base/logger.hpp" #include "base/logger.hpp"
#include "base/configuration.hpp"
#include "base/convert.hpp"
#include <iostream> #include <iostream>
#ifndef _WIN32 #ifndef _WIN32
@ -315,14 +317,13 @@ void TlsStream::Handshake()
m_CurrentAction = TlsActionHandshake; m_CurrentAction = TlsActionHandshake;
ChangeEvents(POLLOUT); ChangeEvents(POLLOUT);
boost::system_time const timeout = boost::get_system_time() + boost::posix_time::seconds(TLS_TIMEOUT_SECONDS); boost::system_time const timeout = boost::get_system_time() + boost::posix_time::milliseconds(long(Configuration::TlsHandshakeTimeout * 1000));
while (!m_HandshakeOK && !m_ErrorOccurred && !m_Eof && timeout > boost::get_system_time()) while (!m_HandshakeOK && !m_ErrorOccurred && !m_Eof && timeout > boost::get_system_time())
m_CV.timed_wait(lock, timeout); m_CV.timed_wait(lock, timeout);
// We should _NOT_ (underline, bold, itallic and wordart) throw an exception for a timeout.
if (timeout < boost::get_system_time()) if (timeout < boost::get_system_time())
BOOST_THROW_EXCEPTION(std::runtime_error("Timeout during handshake.")); BOOST_THROW_EXCEPTION(std::runtime_error("Timeout was reached (" + Convert::ToString(Configuration::TlsHandshakeTimeout) + ") during TLS handshake."));
if (m_Eof) if (m_Eof)
BOOST_THROW_EXCEPTION(std::runtime_error("Socket was closed during TLS handshake.")); BOOST_THROW_EXCEPTION(std::runtime_error("Socket was closed during TLS handshake."));

18
lib/remote/apilistener.cpp
View File

@ -89,6 +89,16 @@ String ApiListener::GetDefaultCaPath()
return GetCertsDir() + "/ca.crt"; return GetCertsDir() + "/ca.crt";
} }
double ApiListener::GetTlsHandshakeTimeout() const
{
return Configuration::TlsHandshakeTimeout;
}
void ApiListener::SetTlsHandshakeTimeout(double value, bool suppress_events, const Value& cookie)
{
Configuration::TlsHandshakeTimeout = value;
}
void ApiListener::CopyCertificateFile(const String& oldCertPath, const String& newCertPath) void ApiListener::CopyCertificateFile(const String& oldCertPath, const String& newCertPath)
{ {
struct stat st1, st2; struct stat st1, st2;
@ -1453,6 +1463,14 @@ void ApiListener::ValidateTlsProtocolmin(const Lazy<String>& lvalue, const Valid
} }
} }
void ApiListener::ValidateTlsHandshakeTimeout(const Lazy<double>& lvalue, const ValidationUtils& utils)
{
ObjectImpl<ApiListener>::ValidateTlsHandshakeTimeout(lvalue, utils);
if (lvalue() <= 0)
BOOST_THROW_EXCEPTION(ValidationError(this, { "tls_handshake_timeout" }, "Value must be greater than 0."));
}
bool ApiListener::IsHACluster() bool ApiListener::IsHACluster()
{ {
Zone::Ptr zone = Zone::GetLocalZone(); Zone::Ptr zone = Zone::GetLocalZone();

4
lib/remote/apilistener.hpp
View File

@ -108,6 +108,9 @@ public:
static String GetDefaultKeyPath(); static String GetDefaultKeyPath();
static String GetDefaultCaPath(); static String GetDefaultCaPath();
double GetTlsHandshakeTimeout() const override;
void SetTlsHandshakeTimeout(double value, bool suppress_events, const Value& cookie) override;
protected: protected:
void OnConfigLoaded() override; void OnConfigLoaded() override;
void OnAllConfigLoaded() override; void OnAllConfigLoaded() override;
@ -115,6 +118,7 @@ protected:
void Stop(bool runtimeDeleted) override; void Stop(bool runtimeDeleted) override;
void ValidateTlsProtocolmin(const Lazy<String>& lvalue, const ValidationUtils& utils) override; void ValidateTlsProtocolmin(const Lazy<String>& lvalue, const ValidationUtils& utils) override;
void ValidateTlsHandshakeTimeout(const Lazy<double>& lvalue, const ValidationUtils& utils) override;
private: private:
std::shared_ptr<SSL_CTX> m_SSLContext; std::shared_ptr<SSL_CTX> m_SSLContext;

6
lib/remote/apilistener.ti
View File

@ -54,6 +54,12 @@ class ApiListener : ConfigObject
default {{{ return -1; }}} default {{{ return -1; }}}
}; };
[config] double tls_handshake_timeout {
get;
set;
default {{{ return Configuration::TlsHandshakeTimeout; }}}
};
[config] String ticket_salt; [config] String ticket_salt;
[config] Array::Ptr access_control_allow_origin; [config] Array::Ptr access_control_allow_origin;