Update output format for the new CLI commands

refs #5450
2025-07-29 00:24:23 +02:00 · 2017-09-05 14:16:26 +02:00 · 2017-09-05 14:16:26 +02:00 · 6a533796e5
commit 6a533796e5
parent 774936bfe8
5 changed files with 123 additions and 28 deletions
--- a/lib/cli/calistcommand.cpp
+++ b/lib/cli/calistcommand.cpp
@ -21,8 +21,10 @@
 #include "base/logger.hpp"
 #include "base/application.hpp"
 #include "base/tlsutility.hpp"
+#include "base/json.hpp"

 using namespace icinga;
+namespace po = boost::program_options;

 REGISTER_CLICOMMAND("ca/list", CAListCommand);

@ -36,34 +38,57 @@ String CAListCommand::GetShortDescription(void) const
 	return "lists all certificate signing requests";
 }

-void CAListCommand::PrintRequest(const String& requestFile)
+void CAListCommand::InitParameters(boost::program_options::options_description& visibleDesc,
+    boost::program_options::options_description& hiddenDesc) const
+{
+	visibleDesc.add_options()
+		("json", "encode output as JSON")
+	;
+}
+static void CollectRequestHandler(const Dictionary::Ptr& requests, const String& requestFile)
 {
 	Dictionary::Ptr request = Utility::LoadJsonFile(requestFile);

 	if (!request)
 		return;

+	Dictionary::Ptr result = new Dictionary();
+
 	String fingerprint = Utility::BaseName(requestFile);
 	fingerprint = fingerprint.SubStr(0, fingerprint.GetLength() - 5);

-	std::cout << "***\n";
-	std::cout << "Fingerprint: " << fingerprint << "\n";
-
 	String certRequestText = request->Get("cert_request");
+	result->Set("cert_request", certRequestText);
+
+	Value vcertResponseText;
+
+	if (request->Get("cert_response", &vcertResponseText)) {
+		String certResponseText = vcertResponseText;
+		result->Set("cert_response", certResponseText);
+	}

 	boost::shared_ptr<X509> certRequest = StringToCertificate(certRequestText);

-	String cn = GetCertificateCN(certRequest);
+	time_t now;
+	time(&now);
+	ASN1_TIME *tm = ASN1_TIME_adj(NULL, now, 0, 0);

-	String certResponseText = request->Get("cert_response");
+	int day, sec;
+	ASN1_TIME_diff(&day, &sec, tm, X509_get_notBefore(certRequest.get()));

-	if (!certResponseText.IsEmpty()) {
-		boost::shared_ptr<X509> certResponse = StringToCertificate(certResponseText);
-	}
+	result->Set("timestamp",  static_cast<double>(now) + day * 24 * 60 * 60 + sec);

-	std::cout << "CN: " << cn << "\n";
-	std::cout << "Certificate (request): " << certRequestText << "\n";
-	std::cout << "Certificate (response): " << certResponseText << "\n";
+	BIO *out = BIO_new(BIO_s_mem());
+	X509_NAME_print_ex(out, X509_get_subject_name(certRequest.get()), 0, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
+
+	char *data;
+	long length;
+	length = BIO_get_mem_data(out, &data);
+
+	result->Set("subject", String(data, data + length));
+	BIO_free(out);
+
+	requests->Set(fingerprint, result);
 }

 /**
@ -73,7 +98,34 @@ void CAListCommand::PrintRequest(const String& requestFile)
 */
 int CAListCommand::Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const
 {
-	Utility::Glob(Application::GetLocalStateDir() + "/lib/icinga2/pki-requests/*.json", &CAListCommand::PrintRequest, GlobFile);
+	Dictionary::Ptr requests = new Dictionary();
+
+	String requestDir = Application::GetLocalStateDir() + "/lib/icinga2/pki-requests";
+
+	if (Utility::PathExists(requestDir))
+		Utility::Glob(requestDir + "/*.json", boost::bind(&CollectRequestHandler, requests, _1), GlobFile);
+
+	if (vm.count("json"))
+		std::cout << JsonEncode(requests);
+	else {
+		ObjectLock olock(requests);
+
+		std::cout << "Fingerprint                                                      | Timestamp           | Signed | Subject\n";
+		std::cout << "-----------------------------------------------------------------|---------------------|--------|--------\n";
+
+		for (auto& kv : requests) {
+			Dictionary::Ptr request = kv.second;
+
+			std::cout << kv.first
+			    << " | "
+			    << Utility::FormatDateTime("%Y/%m/%d %H:%M:%S", request->Get("timestamp"))
+			    << " | "
+			    << (request->Contains("cert_response") ? "*" : " ") << "     "
+			    << " | "
+			    << request->Get("subject")
+			    << "\n";
+		}
+	}

 	return 0;
 }
--- a/lib/cli/calistcommand.hpp
+++ b/lib/cli/calistcommand.hpp
@ -37,6 +37,8 @@ public:

 	virtual String GetDescription(void) const override;
 	virtual String GetShortDescription(void) const override;
+	virtual void InitParameters(boost::program_options::options_description& visibleDesc,
+	    boost::program_options::options_description& hiddenDesc) const override;
 	virtual int Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const override;

 private:
--- a/lib/cli/casigncommand.cpp
+++ b/lib/cli/casigncommand.cpp
@ -55,6 +55,12 @@ int CASignCommand::Run(const boost::program_options::variables_map& vm, const st
 {
 	String requestFile = Application::GetLocalStateDir() + "/lib/icinga2/pki-requests/" + ap[0] + ".json";

+	if (!Utility::PathExists(requestFile)) {
+		Log(LogCritical, "cli")
+		    << "No request exists for fingerprint '" << ap[0] << "'.";
+		return 1;
+	}
+
 	Dictionary::Ptr request = Utility::LoadJsonFile(requestFile);

 	if (!request)
@ -64,11 +70,35 @@ int CASignCommand::Run(const boost::program_options::variables_map& vm, const st

 	boost::shared_ptr<X509> certRequest = StringToCertificate(certRequestText);

+	if (!certRequest) {
+		Log(LogCritical, "cli", "Certificate request is invalid. Could not parse X.509 certificate for the 'cert_request' attribute.");
+		return 1;
+	}
+
 	boost::shared_ptr<X509> certResponse = CreateCertIcingaCA(certRequest);

+	BIO *out = BIO_new(BIO_s_mem());
+	X509_NAME_print_ex(out, X509_get_subject_name(certRequest.get()), 0, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
+
+	char *data;
+	long length;
+	length = BIO_get_mem_data(out, &data);
+
+	String subject = String(data, data + length);
+	BIO_free(out);
+
+	if (!certResponse) {
+		Log(LogCritical, "cli")
+		    << "Could not sign certificate for '" << subject << "'.";
+		return 1;
+	}
+
 	request->Set("cert_response", CertificateToString(certResponse));

 	Utility::SaveJsonFile(requestFile, 0600, request);

+	Log(LogInformation, "cli")
+	    << "Signed certificate for '" << subject << "'.";
+
 	return 0;
 }
--- a/lib/cli/pkiutility.cpp
+++ b/lib/cli/pkiutility.cpp
@ -367,6 +367,9 @@ String PkiUtility::GetCertificateInformation(const boost::shared_ptr<X509>& cert

 	std::stringstream info;
 	info << String(data, data + length);
+
+	BIO_free(out);
+
 	for (unsigned int i = 0; i < diglen; i++) {
 		info << std::setfill('0') << std::setw(2) << std::uppercase
 		    << std::hex << static_cast<int>(md[i]) << ' ';
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@ -54,6 +54,28 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 	else
 		cert = StringToCertificate(certText);

+	ApiListener::Ptr listener = ApiListener::GetInstance();
+	boost::shared_ptr<X509> cacert = GetX509Certificate(listener->GetCaPath());
+
+	bool signedByCA = VerifyCertificate(cacert, cert);
+
+	if (signedByCA) {
+		time_t now;
+		time(&now);
+
+		/* auto-renew all certificates which were created before 2017 to force an update of the CA,
+		 * because Icinga versions older than 2.4 sometimes create certificates with an invalid
+		 * serial number. */
+		time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
+		time_t renewalStart = now + 30 * 24 * 60 * 60;
+
+		if (X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1) {
+			result->Set("status_code", 1);
+			result->Set("error", "The certificate cannot be renewed yet.");
+			return result;
+		}
+	}
+
 	unsigned int n;
 	unsigned char digest[EVP_MAX_MD_SIZE];

@ -72,9 +94,6 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 	String requestDir = Application::GetLocalStateDir() + "/lib/icinga2/pki-requests";
 	String requestPath = requestDir + "/" + certFingerprint + ".json";

-	ApiListener::Ptr listener = ApiListener::GetInstance();
-
-	boost::shared_ptr<X509> cacert = GetX509Certificate(listener->GetCaPath());
 	result->Set("ca", CertificateToString(cacert));

 	if (Utility::PathExists(requestPath)) {
@ -104,7 +123,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 	if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
 		goto delayed_request;

-	if (!VerifyCertificate(cacert, cert)) {
+	if (!signedByCA) {
 		String salt = listener->GetTicketSalt();

 		String ticket = params->Get("ticket");
@ -119,19 +138,8 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 			result->Set("error", "Invalid ticket.");
 			return result;
 		}
-	} else {
-		time_t renewalStart;
-		time(&renewalStart);
-		renewalStart += 30 * 24 * 60 * 60;
-
-		if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart)) {
-			result->Set("status_code", 1);
-			result->Set("error", "The certificate cannot be renewed yet.");
-			return result;
-		}
 	}

-
 	pubkey = boost::shared_ptr<EVP_PKEY>(X509_get_pubkey(cert.get()), EVP_PKEY_free);
 	subject = X509_get_subject_name(cert.get());