tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Icinga DB: support TLS

This commit is contained in:
Alexander A. Klimov 2021-07-22 14:34:07 +02:00
parent 7f7637c9b8
commit 37e53eaa68
7 changed files with 161 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
doc/09-object-types.md
View File

@ -1410,6 +1410,14 @@ Configuration Attributes:
port | Number | **Optional.** Redis port for IcingaDB. Defaults to `6380`. port | Number | **Optional.** Redis port for IcingaDB. Defaults to `6380`.
path | String | **Optional.** Redix unix socket path. Can be used instead of `host` and `port` attributes. path | String | **Optional.** Redix unix socket path. Can be used instead of `host` and `port` attributes.
password | String | **Optional.** Redis auth password for IcingaDB. password | String | **Optional.** Redis auth password for IcingaDB.
enable\_tls | Boolean | **Optional.** Whether to use TLS.
cert\_path | String | **Optional.** Path to the certificate.
key\_path | String | **Optional.** Path to the private key.
ca\_path | String | **Optional.** Path to the CA certificate to use instead of the system's root CAs.
crl\_path | String | **Optional.** Path to the CRL file.
cipher\_list | String | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256`.
tls\_protocolmin | String | **Optional.** Minimum TLS protocol version. Defaults to `TLSv1.2`.
insecure\_noverify | Boolean | **Optional.** Whether not to verify the peer.
### IdoMySqlConnection <a id="objecttype-idomysqlconnection"></a> ### IdoMySqlConnection <a id="objecttype-idomysqlconnection"></a>

2
lib/base/tlsutility.cpp
View File

@ -144,7 +144,7 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context
<< "Error loading system's root CAs: " << ERR_peek_error() << ", \"" << errbuf << "\""; << "Error loading system's root CAs: " << ERR_peek_error() << ", \"" << errbuf << "\"";
BOOST_THROW_EXCEPTION(openssl_error() BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_set_default_verify_paths") << boost::errinfo_api_function("SSL_CTX_set_default_verify_paths")
<< errinfo_openssl_error(ERR_peek_error()); << errinfo_openssl_error(ERR_peek_error()));
} }
} else { } else {
if (!SSL_CTX_load_verify_locations(sslContext, cakey.CStr(), nullptr)) { if (!SSL_CTX_load_verify_locations(sslContext, cakey.CStr(), nullptr)) {

31
lib/icingadb/icingadb.cpp
View File

@ -33,6 +33,18 @@ IcingaDB::IcingaDB()
m_PrefixConfigCheckSum = "icinga:checksum:"; m_PrefixConfigCheckSum = "icinga:checksum:";
} }
void IcingaDB::Validate(int types, const ValidationUtils& utils)
{
ObjectImpl<IcingaDB>::Validate(types, utils);
if (!(types & FAConfig))
return;
if (GetEnableTls() && GetCertPath().IsEmpty() != GetKeyPath().IsEmpty()) {
BOOST_THROW_EXCEPTION(ValidationError(this, std::vector<String>(), "Validation failed: Either both a client certificate (cert_path) and its private key (key_path) or none of them must be given."));
}
}
/** /**
* Starts the component. * Starts the component.
*/ */
@ -52,7 +64,9 @@ void IcingaDB::Start(bool runtimeCreated)
m_WorkQueue.SetExceptionCallback([this](boost::exception_ptr exp) { ExceptionHandler(std::move(exp)); }); m_WorkQueue.SetExceptionCallback([this](boost::exception_ptr exp) { ExceptionHandler(std::move(exp)); });
m_Rcon = new RedisConnection(GetHost(), GetPort(), GetPath(), GetPassword(), GetDbIndex()); m_Rcon = new RedisConnection(GetHost(), GetPort(), GetPath(), GetPassword(), GetDbIndex(),
GetEnableTls(), GetInsecureNoverify(), GetCertPath(), GetKeyPath(), GetCaPath(), GetCrlPath(),
GetTlsProtocolmin(), GetCipherList(), GetDebugInfo());
m_Rcon->SetConnectedCallback([this](boost::asio::yield_context& yc) { m_Rcon->SetConnectedCallback([this](boost::asio::yield_context& yc) {
m_WorkQueue.Enqueue([this]() { OnConnectedHandler(); }); m_WorkQueue.Enqueue([this]() { OnConnectedHandler(); });
}); });
@ -63,7 +77,9 @@ void IcingaDB::Start(bool runtimeCreated)
if (!ctype) if (!ctype)
continue; continue;
RedisConnection::Ptr rCon (new RedisConnection(GetHost(), GetPort(), GetPath(), GetPassword(), GetDbIndex(), m_Rcon)); RedisConnection::Ptr rCon (new RedisConnection(GetHost(), GetPort(), GetPath(), GetPassword(), GetDbIndex(),
GetEnableTls(), GetInsecureNoverify(), GetCertPath(), GetKeyPath(), GetCaPath(), GetCrlPath(),
GetTlsProtocolmin(), GetCipherList(), GetDebugInfo(), m_Rcon));
rCon->Start(); rCon->Start();
m_Rcons[ctype] = std::move(rCon); m_Rcons[ctype] = std::move(rCon);
} }
@ -140,6 +156,17 @@ void IcingaDB::Stop(bool runtimeRemoved)
ObjectImpl<IcingaDB>::Stop(runtimeRemoved); ObjectImpl<IcingaDB>::Stop(runtimeRemoved);
} }
void IcingaDB::ValidateTlsProtocolmin(const Lazy<String>& lvalue, const ValidationUtils& utils)
{
ObjectImpl<IcingaDB>::ValidateTlsProtocolmin(lvalue, utils);
try {
ResolveTlsProtocolVersion(lvalue());
} catch (const std::exception& ex) {
BOOST_THROW_EXCEPTION(ValidationError(this, { "tls_protocolmin" }, ex.what()));
}
}
void IcingaDB::AssertOnWorkQueue() void IcingaDB::AssertOnWorkQueue()
{ {
ASSERT(m_WorkQueue.IsWorkerThread()); ASSERT(m_WorkQueue.IsWorkerThread());

4
lib/icingadb/icingadb.hpp
View File

@ -35,9 +35,13 @@ public:
static void ConfigStaticInitialize(); static void ConfigStaticInitialize();
void Validate(int types, const ValidationUtils& utils) override;
virtual void Start(bool runtimeCreated) override; virtual void Start(bool runtimeCreated) override;
virtual void Stop(bool runtimeRemoved) override; virtual void Stop(bool runtimeRemoved) override;
protected:
void ValidateTlsProtocolmin(const Lazy<String>& lvalue, const ValidationUtils& utils) override;
private: private:
class DumpedGlobals class DumpedGlobals
{ {

20
lib/icingadb/icingadb.ti
View File

@ -1,6 +1,7 @@
/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */ /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
#include "base/configobject.hpp" #include "base/configobject.hpp"
#include "base/tlsutility.hpp"
library icingadb; library icingadb;
@ -20,6 +21,25 @@ class IcingaDB : ConfigObject
[config] String path; [config] String path;
[config, no_user_view, no_user_modify] String password; [config, no_user_view, no_user_modify] String password;
[config] int db_index; [config] int db_index;
[config] bool enable_tls {
default {{{ return false; }}}
};
[config] bool insecure_noverify {
default {{{ return false; }}}
};
[config] String cert_path;
[config] String key_path;
[config] String ca_path;
[config] String crl_path;
[config] String cipher_list {
default {{{ return DEFAULT_TLS_CIPHERS; }}}
};
[config] String tls_protocolmin {
default {{{ return DEFAULT_TLS_PROTOCOLMIN; }}}
};
}; };
} }

92
lib/icingadb/redisconnection.cpp
View File

@ -4,11 +4,13 @@
#include "base/array.hpp" #include "base/array.hpp"
#include "base/convert.hpp" #include "base/convert.hpp"
#include "base/defer.hpp" #include "base/defer.hpp"
#include "base/exception.hpp"
#include "base/io-engine.hpp" #include "base/io-engine.hpp"
#include "base/logger.hpp" #include "base/logger.hpp"
#include "base/objectlock.hpp" #include "base/objectlock.hpp"
#include "base/string.hpp" #include "base/string.hpp"
#include "base/tcpsocket.hpp" #include "base/tcpsocket.hpp"
#include "base/tlsutility.hpp"
#include "base/utility.hpp" #include "base/utility.hpp"
#include <boost/asio.hpp> #include <boost/asio.hpp>
#include <boost/coroutine/exceptions.hpp> #include <boost/coroutine/exceptions.hpp>
@ -19,23 +21,39 @@
#include <future> #include <future>
#include <iterator> #include <iterator>
#include <memory> #include <memory>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
#include <utility> #include <utility>
using namespace icinga; using namespace icinga;
namespace asio = boost::asio; namespace asio = boost::asio;
RedisConnection::RedisConnection(const String& host, const int port, const String& path, RedisConnection::RedisConnection(const String& host, int port, const String& path, const String& password, int db,
const String& password, const int db, const RedisConnection::Ptr& parent) : bool useTls, bool insecure, const String& certPath, const String& keyPath, const String& caPath, const String& crlPath,
RedisConnection(IoEngine::Get().GetIoContext(), host, port, path, password, db, parent) const String& tlsProtocolmin, const String& cipherList, DebugInfo di, const RedisConnection::Ptr& parent)
: RedisConnection(IoEngine::Get().GetIoContext(), host, port, path, password, db,
useTls, insecure, certPath, keyPath, caPath, crlPath, tlsProtocolmin, cipherList, std::move(di), parent)
{ {
} }
RedisConnection::RedisConnection(boost::asio::io_context& io, String host, int port, String path, RedisConnection::RedisConnection(boost::asio::io_context& io, String host, int port, String path, String password,
String password, int db, const RedisConnection::Ptr& parent) int db, bool useTls, bool insecure, String certPath, String keyPath, String caPath, String crlPath,
: m_Host(std::move(host)), m_Port(port), m_Path(std::move(path)), m_Password(std::move(password)), m_DbIndex(db), String tlsProtocolmin, String cipherList, DebugInfo di, const RedisConnection::Ptr& parent)
m_Connecting(false), m_Connected(false), m_Started(false), m_Strand(io), : m_Host(std::move(host)), m_Port(port), m_Path(std::move(path)), m_Password(std::move(password)),
m_QueuedWrites(io), m_QueuedReads(io), m_LogStatsTimer(io), m_Parent(parent) m_DbIndex(db), m_CertPath(std::move(certPath)), m_KeyPath(std::move(keyPath)), m_Insecure(insecure),
m_CaPath(std::move(caPath)), m_CrlPath(std::move(crlPath)), m_TlsProtocolmin(std::move(tlsProtocolmin)),
m_CipherList(std::move(cipherList)), m_DebugInfo(std::move(di)), m_Connecting(false), m_Connected(false),
m_Started(false), m_Strand(io), m_QueuedWrites(io), m_QueuedReads(io), m_LogStatsTimer(io), m_Parent(parent)
{ {
if (useTls && m_Path.IsEmpty()) {
UpdateTLSContext();
}
}
void RedisConnection::UpdateTLSContext()
{
m_TLSContext = SetupSslContext(m_CertPath, m_KeyPath, m_CaPath,
m_CrlPath, m_CipherList, m_TlsProtocolmin, m_DebugInfo);
} }
void RedisConnection::Start() void RedisConnection::Start()
@ -245,12 +263,48 @@ void RedisConnection::Connect(asio::yield_context& yc)
for (;;) { for (;;) {
try { try {
if (m_Path.IsEmpty()) { if (m_Path.IsEmpty()) {
Log(m_Parent ? LogNotice : LogInformation, "IcingaDB") if (m_TLSContext) {
<< "Trying to connect to Redis server (async) on host '" << m_Host << ":" << m_Port << "'"; Log(m_Parent ? LogNotice : LogInformation, "IcingaDB")
<< "Trying to connect to Redis server (async, TLS) on host '" << m_Host << ":" << m_Port << "'";
auto conn (Shared<TcpConn>::Make(m_Strand.context())); auto conn (Shared<AsioTlsStream>::Make(m_Strand.context(), *m_TLSContext, m_Host));
icinga::Connect(conn->next_layer(), m_Host, Convert::ToString(m_Port), yc); auto& tlsConn (conn->next_layer());
m_TcpConn = std::move(conn);
if (!m_Insecure) {
auto native (tlsConn.native_handle());
X509_VERIFY_PARAM_set1_host(SSL_get0_param(native), m_Host.CStr(), 0);
SSL_set_verify(native, SSL_VERIFY_PEER, NULL);
}
icinga::Connect(conn->lowest_layer(), m_Host, Convert::ToString(m_Port), yc);
tlsConn.async_handshake(tlsConn.client, yc);
if (!m_Insecure) {
std::shared_ptr<X509> cert (tlsConn.GetPeerCertificate());
if (!cert) {
BOOST_THROW_EXCEPTION(std::runtime_error(
"Redis didn't present any TLS certificate."
));
}
if (!tlsConn.IsVerifyOK()) {
BOOST_THROW_EXCEPTION(std::runtime_error(
"TLS certificate validation failed: " + std::string(tlsConn.GetVerifyError())
));
}
}
m_TlsConn = std::move(conn);
} else {
Log(m_Parent ? LogNotice : LogInformation, "IcingaDB")
<< "Trying to connect to Redis server (async) on host '" << m_Host << ":" << m_Port << "'";
auto conn (Shared<TcpConn>::Make(m_Strand.context()));
icinga::Connect(conn->next_layer(), m_Host, Convert::ToString(m_Port), yc);
m_TcpConn = std::move(conn);
}
} else { } else {
Log(LogInformation, "IcingaDB") Log(LogInformation, "IcingaDB")
<< "Trying to connect to Redis server (async) on unix socket path '" << m_Path << "'"; << "Trying to connect to Redis server (async) on unix socket path '" << m_Path << "'";
@ -560,7 +614,11 @@ void RedisConnection::WriteItem(boost::asio::yield_context& yc, RedisConnection:
RedisConnection::Reply RedisConnection::ReadOne(boost::asio::yield_context& yc) RedisConnection::Reply RedisConnection::ReadOne(boost::asio::yield_context& yc)
{ {
if (m_Path.IsEmpty()) { if (m_Path.IsEmpty()) {
return ReadOne(m_TcpConn, yc); if (m_TLSContext) {
return ReadOne(m_TlsConn, yc);
} else {
return ReadOne(m_TcpConn, yc);
}
} else { } else {
return ReadOne(m_UnixConn, yc); return ReadOne(m_UnixConn, yc);
} }
@ -574,7 +632,11 @@ RedisConnection::Reply RedisConnection::ReadOne(boost::asio::yield_context& yc)
void RedisConnection::WriteOne(RedisConnection::Query& query, asio::yield_context& yc) void RedisConnection::WriteOne(RedisConnection::Query& query, asio::yield_context& yc)
{ {
if (m_Path.IsEmpty()) { if (m_Path.IsEmpty()) {
WriteOne(m_TcpConn, query, yc); if (m_TLSContext) {
WriteOne(m_TlsConn, query, yc);
} else {
WriteOne(m_TcpConn, query, yc);
}
} else { } else {
WriteOne(m_UnixConn, query, yc); WriteOne(m_UnixConn, query, yc);
} }

26
lib/icingadb/redisconnection.hpp
View File

@ -10,6 +10,7 @@
#include "base/ringbuffer.hpp" #include "base/ringbuffer.hpp"
#include "base/shared.hpp" #include "base/shared.hpp"
#include "base/string.hpp" #include "base/string.hpp"
#include "base/tlsstream.hpp"
#include "base/value.hpp" #include "base/value.hpp"
#include <boost/asio/buffer.hpp> #include <boost/asio/buffer.hpp>
#include <boost/asio/buffered_stream.hpp> #include <boost/asio/buffered_stream.hpp>
@ -20,6 +21,7 @@
#include <boost/asio/local/stream_protocol.hpp> #include <boost/asio/local/stream_protocol.hpp>
#include <boost/asio/read.hpp> #include <boost/asio/read.hpp>
#include <boost/asio/read_until.hpp> #include <boost/asio/read_until.hpp>
#include <boost/asio/ssl/context.hpp>
#include <boost/asio/streambuf.hpp> #include <boost/asio/streambuf.hpp>
#include <boost/asio/write.hpp> #include <boost/asio/write.hpp>
#include <boost/lexical_cast.hpp> #include <boost/lexical_cast.hpp>
@ -69,8 +71,11 @@ namespace icinga
SyncConnection = 255 SyncConnection = 255
}; };
RedisConnection(const String& host, const int port, const String& path, RedisConnection(const String& host, int port, const String& path, const String& password, int db,
const String& password = "", const int db = 0, const Ptr& parent = nullptr); bool useTls, bool insecure, const String& certPath, const String& keyPath, const String& caPath, const String& crlPath,
const String& tlsProtocolmin, const String& cipherList, DebugInfo di, const Ptr& parent = nullptr);
void UpdateTLSContext();
void Start(); void Start();
@ -134,6 +139,8 @@ namespace icinga
typedef boost::asio::buffered_stream<Tcp::socket> TcpConn; typedef boost::asio::buffered_stream<Tcp::socket> TcpConn;
typedef boost::asio::buffered_stream<Unix::socket> UnixConn; typedef boost::asio::buffered_stream<Unix::socket> UnixConn;
Shared<boost::asio::ssl::context>::Ptr m_TLSContext;
template<class AsyncReadStream> template<class AsyncReadStream>
static Value ReadRESP(AsyncReadStream& stream, boost::asio::yield_context& yc); static Value ReadRESP(AsyncReadStream& stream, boost::asio::yield_context& yc);
@ -143,8 +150,9 @@ namespace icinga
template<class AsyncWriteStream> template<class AsyncWriteStream>
static void WriteRESP(AsyncWriteStream& stream, const Query& query, boost::asio::yield_context& yc); static void WriteRESP(AsyncWriteStream& stream, const Query& query, boost::asio::yield_context& yc);
RedisConnection(boost::asio::io_context& io, String host, int port, String path, RedisConnection(boost::asio::io_context& io, String host, int port, String path, String password,
String password, int db, const Ptr& parent); int db, bool useTls, bool insecure, String certPath, String keyPath, String caPath, String crlPath,
String tlsProtocolmin, String cipherList, DebugInfo di, const Ptr& parent);
void Connect(boost::asio::yield_context& yc); void Connect(boost::asio::yield_context& yc);
void ReadLoop(boost::asio::yield_context& yc); void ReadLoop(boost::asio::yield_context& yc);
@ -169,9 +177,19 @@ namespace icinga
String m_Password; String m_Password;
int m_DbIndex; int m_DbIndex;
String m_CertPath;
String m_KeyPath;
bool m_Insecure;
String m_CaPath;
String m_CrlPath;
String m_TlsProtocolmin;
String m_CipherList;
DebugInfo m_DebugInfo;
boost::asio::io_context::strand m_Strand; boost::asio::io_context::strand m_Strand;
Shared<TcpConn>::Ptr m_TcpConn; Shared<TcpConn>::Ptr m_TcpConn;
Shared<UnixConn>::Ptr m_UnixConn; Shared<UnixConn>::Ptr m_UnixConn;
Shared<AsioTlsStream>::Ptr m_TlsConn;
Atomic<bool> m_Connecting, m_Connected, m_Started; Atomic<bool> m_Connecting, m_Connected, m_Started;
struct { struct {