tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-24 22:24:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Cli: Fix serial.txt permissions for 'node setup/wizard'

Browse Source 
fixes #7546
This commit is contained in:
Michael Friedrich 2014-11-02 19:38:35 +01:00
parent 30718813c9
commit f69527599f
4 changed files with 44 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/cli/nodesetupcommand.cpp
View File

@ -167,6 +167,7 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
String ca_path = PkiUtility::GetLocalCaPath(); String ca_path = PkiUtility::GetLocalCaPath();
String ca = ca_path + "/ca.crt"; String ca = ca_path + "/ca.crt";
String ca_key = ca_path + "/ca.key"; String ca_key = ca_path + "/ca.key";
String serial = ca_path + "/serial.txt";
String target_ca = pki_path + "/ca.crt"; String target_ca = pki_path + "/ca.crt";
Log(LogInformation, "cli") Log(LogInformation, "cli")
@ -188,6 +189,10 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!";
} }
if (!Utility::SetFileOwnership(serial, user, group)) {
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!";
}
if (!Utility::SetFileOwnership(target_ca, user, group)) { if (!Utility::SetFileOwnership(target_ca, user, group)) {
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!";
@ -363,7 +368,6 @@ int NodeSetupCommand::SetupNode(const boost::program_options::variables_map& vm,
String cert = pki_path + "/" + cn + ".crt"; String cert = pki_path + "/" + cn + ".crt";
String ca = pki_path + "/ca.crt"; String ca = pki_path + "/ca.crt";
if (!Utility::MkDirP(pki_path, 0700)) { if (!Utility::MkDirP(pki_path, 0700)) {
Log(LogCritical, "cli") Log(LogCritical, "cli")
<< "Could not create local pki directory '" << pki_path << "'."; << "Could not create local pki directory '" << pki_path << "'.";

23
lib/cli/nodewizardcommand.cpp
View File

@ -254,6 +254,7 @@ wizard_master_host:
String ca_path = PkiUtility::GetLocalCaPath(); String ca_path = PkiUtility::GetLocalCaPath();
String ca_key = ca_path + "/ca.key"; String ca_key = ca_path + "/ca.key";
String ca = ca_path + "/ca.crt"; String ca = ca_path + "/ca.crt";
String serial = ca_path + "/serial.txt";
/* fix permissions: root -> icinga daemon user */ /* fix permissions: root -> icinga daemon user */
if (!Utility::SetFileOwnership(ca_path, user, group)) { if (!Utility::SetFileOwnership(ca_path, user, group)) {
@ -268,6 +269,10 @@ wizard_master_host:
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!";
} }
if (!Utility::SetFileOwnership(serial, user, group)) {
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!";
}
if (!Utility::SetFileOwnership(node_cert, user, group)) { if (!Utility::SetFileOwnership(node_cert, user, group)) {
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << node_cert << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << node_cert << "'. Verify it yourself!";
@ -351,7 +356,7 @@ wizard_ticket:
String bind_port = answer; String bind_port = answer;
bind_port.Trim(); bind_port.Trim();
std::cout << "Enabling the APIlistener feature.\n"; Log(LogInformation, "cli", "Enabling the Apilistener feature.");
std::vector<std::string> enable; std::vector<std::string> enable;
enable.push_back("api"); enable.push_back("api");
@ -396,7 +401,7 @@ wizard_ticket:
} }
/* apilistener config */ /* apilistener config */
std::cout << "Generating local zones.conf.\n"; Log(LogInformation, "cli", "Generating local zones.conf.");
NodeUtility::GenerateNodeIcingaConfig(endpoints, cn, local_zone); NodeUtility::GenerateNodeIcingaConfig(endpoints, cn, local_zone);
@ -405,12 +410,17 @@ wizard_ticket:
<< "CN '" << cn << "' does not match the default FQDN '" << Utility::GetFQDN() << "'. Requires update for NodeName constant in constants.conf!"; << "CN '" << cn << "' does not match the default FQDN '" << Utility::GetFQDN() << "'. Requires update for NodeName constant in constants.conf!";
} }
std::cout << "Updating constants.conf\n"; Log(LogInformation, "cli", "Updating constants.conf.");
NodeUtility::CreateBackupFile(Application::GetSysconfDir() + "/icinga2/constants.conf"); String constants_file = Application::GetSysconfDir() + "/icinga2/constants.conf";
NodeUtility::CreateBackupFile(constants_file);
NodeUtility::UpdateConstant("NodeName", cn); NodeUtility::UpdateConstant("NodeName", cn);
Log(LogInformation, "cli")
<< "Edit the constants.conf file '" << constants_file << "' and set a secure 'TicketSalt' constant.";
} else { } else {
/* master setup */ /* master setup */
std::cout << "Starting the Master setup routine...\n"; std::cout << "Starting the Master setup routine...\n";
@ -474,6 +484,7 @@ wizard_ticket:
String ca_path = PkiUtility::GetLocalCaPath(); String ca_path = PkiUtility::GetLocalCaPath();
String ca = ca_path + "/ca.crt"; String ca = ca_path + "/ca.crt";
String ca_key = ca_path + "/ca.key"; String ca_key = ca_path + "/ca.key";
String serial = ca_path + "/serial.txt";
String target_ca = pki_path + "/ca.crt"; String target_ca = pki_path + "/ca.crt";
Log(LogInformation, "cli") Log(LogInformation, "cli")
@ -495,6 +506,10 @@ wizard_ticket:
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << ca_key << "'. Verify it yourself!";
} }
if (!Utility::SetFileOwnership(serial, user, group)) {
Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << serial << "'. Verify it yourself!";
}
if (!Utility::SetFileOwnership(target_ca, user, group)) { if (!Utility::SetFileOwnership(target_ca, user, group)) {
Log(LogWarning, "cli") Log(LogWarning, "cli")
<< "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!"; << "Cannot set ownership for user '" << user << "' group '" << group << "' on file '" << target_ca << "'. Verify it yourself!";

16
lib/cli/pkiutility.cpp
View File

@ -24,6 +24,7 @@
#include "base/tlsutility.hpp" #include "base/tlsutility.hpp"
#include "base/tlsstream.hpp" #include "base/tlsstream.hpp"
#include "base/tcpsocket.hpp" #include "base/tcpsocket.hpp"
#include "base/json.hpp"
#include "base/utility.hpp" #include "base/utility.hpp"
#include "remote/jsonrpc.hpp" #include "remote/jsonrpc.hpp"
#include <fstream> #include <fstream>
@ -239,14 +240,23 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const
for (;;) { for (;;) {
response = JsonRpc::ReadMessage(stream); response = JsonRpc::ReadMessage(stream);
if (response->Get("id") != msgid) if (response && response->Contains("error")) {
Log(LogCritical, "cli", "Could not fetch valid response. Please check the master log (notice or debug).");
#ifdef _DEBUG
/* we shouldn't expose master errors to the user in production environments */
Log(LogCritical, "cli", response->Get("error"));
#endif /* _DEBUG */
return 1;
}
if (response && (response->Get("id") != msgid))
continue; continue;
break; break;
} }
if (!response->Contains("result")) { if (!response) {
Log(LogCritical, "cli", "Request certificate did not return a valid result. Check the master log for details!"); Log(LogCritical, "cli", "Could not fetch valid response. Please check the master log.");
return 1; return 1;
} }

7
lib/remote/apiclient.cpp
View File

@ -184,7 +184,14 @@ bool ApiClient::ProcessMessage(void)
resultMessage->Set("result", afunc->Invoke(origin, message->Get("params"))); resultMessage->Set("result", afunc->Invoke(origin, message->Get("params")));
} catch (const std::exception& ex) { } catch (const std::exception& ex) {
//TODO: Add a user readable error message for the remote caller
resultMessage->Set("error", DiagnosticInformation(ex)); resultMessage->Set("error", DiagnosticInformation(ex));
std::ostringstream info;
info << "Error while processing message for identity '" << m_Identity << "'";
Log(LogWarning, "ApiClient")
<< info.str();
Log(LogDebug, "ApiClient")
<< info.str() << "\n" << DiagnosticInformation(ex);
} }
if (message->Contains("id")) { if (message->Contains("id")) {