Commit Graph

862 Commits

Author SHA1 Message Date
Michael Friedrich b32d818d1b CLI: Allow to list removed CSRs with 'ca list' 2019-06-07 10:33:55 +02:00
Andrew Jaffie 429f1ed317 Ignore repeated requests from client after using ca remove command 2019-06-07 10:33:55 +02:00
Michael Friedrich 6a8823f879 Avoid concurrent cluster config sync transactions
fixes #6660
2019-06-05 15:23:28 +02:00
Michael Friedrich ef72cd4442
Merge pull request #7220 from Icinga/bugfix/asio-error-handling
Improve error handling with network connections (Boost ASIO)
2019-06-05 14:43:31 +02:00
Michael Friedrich 18211ddd23
Merge pull request #7209 from Icinga/bugfix/immediately-close-sockets
Close server connections and shutdown coroutines immediately on disconnect
2019-06-05 14:40:24 +02:00
Alexander A. Klimov ad28380884 Close server connections and shutdown coroutines immediately on disconnect 2019-06-05 10:42:03 +02:00
Michael Friedrich fd9887c5af API: Harden default cipher list
According to https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
2019-06-05 09:55:43 +02:00
Michael Friedrich 3798089642 Improve error handling with network connections (Boost ASIO)
refs #7041
2019-06-05 09:42:51 +02:00
Michael Friedrich 146b337d4d
Merge pull request #7211 from Icinga/feature/asio-tls-version
Require TLS 1.2 for Cluster & REST API
2019-06-03 16:19:22 +02:00
Michael Friedrich d82c067555 Require TLS 1.2 for Cluster & REST API
refs #7041
2019-05-29 17:08:36 +02:00
Michael Friedrich 438da67209
Merge pull request #7210 from Icinga/bugfix/boost-asio-deprecated
Quality: Replace deprecated get_io_service() with get_executor().context() for Boost ASIO
2019-05-29 15:40:19 +02:00
Michael Friedrich 59b95ed1f0 Quality: Replace deprecated get_io_service() with get_executor().context() for Boost ASIO
refs #7041
2019-05-29 14:36:10 +02:00
Michael Friedrich 120aba3919 Quality: Removed unused HttpChunkedEncoding class 2019-05-28 13:46:19 +02:00
Michael Friedrich e606d14705 Quality: Clean JsonRPC class and add function docs 2019-05-24 15:50:43 +02:00
Michael Friedrich f933aafd29 Quality: Purge old HTTP code in lib/remote 2019-05-24 15:50:43 +02:00
Michael Friedrich af42e2dfc0
Merge pull request #7178 from Icinga/bugfix/api-package-repair
API: Automatically repair broken _api package
2019-05-10 14:40:48 +02:00
Michael Friedrich 6c9c65323e Workaround for boost::filesystem and Visual Studio on Windows 2019-05-10 13:38:12 +02:00
Michael Friedrich 6cce9c0fdd API: Automatically repair broken packages
This partially reverts #7150 and avoids exceptions
inside the flow. Each time an empty active stage
is detected, Icinga tries to repair it from the
the given directory tree.

Also, the code now takes into account that it should
create the package storage on startup, whether within
the API object, or if disabled, inside the application.

Caching the active stages for packages in memory
only is in effect with the API feature being enabled.
This is useful for other deployed config packages,
not only the internal one.

fixes #7173
refs #7150
refs #7119
fixes #6959
2019-05-10 12:48:34 +02:00
Elias Ohm 4c86c370bb fixup errbuf length in the other files and avoid using the static buffer in one place (for thread safety and code consistency reasons) 2019-05-09 09:30:12 +02:00
Michael Friedrich 03324b2fb6 Config packages: Catch active stage exceptions in rare cases
Typically this already is detected on startup.
2019-05-08 16:43:27 +02:00
Michael Friedrich 704aabcb63 Avoid dead-lock with config packages and active stages 2019-05-08 16:06:46 +02:00
Elias Ohm c10ff9dd72 try without initialization of frame Locals which are not used for permissions filter and as far as I can see also not for query filters 2019-05-02 09:03:30 +02:00
Elias Ohm 53febdea81 use current frame scope for permission filter function calls 2019-05-02 07:35:19 +02:00
Michael Friedrich 502c43fb12 Active packages: Don't try to fix broken config packages which are not cached yet 2019-04-30 12:19:35 +02:00
Michael Friedrich 2bca7a5bb5 Repair broken API config packages at runtime
This means a new timer which checks every 5m whether the
active-stage can be read, and if not, it overwrites the
file on disk with the details from memory.
2019-04-26 14:53:36 +02:00
Michael Friedrich f92c134b0a Cluster: Don't try to sync objects from broken _api package 2019-04-26 14:43:38 +02:00
Michael Friedrich c821e73364 Cache the API package stage name with a active-stage fallback
This prevents reading the file everytime the stageName is required
for when creating a runtime object via REST API.
2019-04-26 13:40:27 +02:00
Michael Friedrich 37de1a919b
Merge pull request #7088 from Icinga/feature/asio-event-queue
Implement new event queue for ASIO consumers
2019-04-25 16:54:43 +02:00
Michael Friedrich a7873da89d Eventqueue: Remove unused code 2019-04-25 16:21:07 +02:00
Alexander A. Klimov e86e3cc234 EventsFilter#Push(): ensure not to modify the global namespace 2019-04-25 15:56:38 +02:00
Alexander A. Klimov c209cf830b /v1/events: don't over-consume CPU-bound threads 2019-04-25 15:56:38 +02:00
Alexander A. Klimov 5e8b4280bc New event queue: handle empty filter 2019-04-25 15:56:38 +02:00
Alexander A. Klimov 94db282fd1 /v1/events: remove anti-deadlock hack 2019-04-25 15:56:38 +02:00
Alexander A. Klimov 81713d0509 /v1/events: use new event queue 2019-04-25 15:56:38 +02:00
Alexander A. Klimov 7688994601 Implement new event queue for ASIO consumers 2019-04-25 15:56:38 +02:00
Michael Friedrich 0438c866f8
Merge pull request #7102 from Icinga/feature/boost-fs-7101
Replace self-written filesystem ops with boost.filesystem
2019-04-25 15:53:55 +02:00
Alexander A. Klimov 5afef1015d Replace unlink() with boost::filesystem::remove()
refs #7101
2019-04-25 09:53:02 +02:00
Alexander A. Klimov 5a17722c1f Replace _unlink() + rename() with boost::filesystem::rename()
refs #7101
2019-04-25 09:53:02 +02:00
Alexander A. Klimov ba842403ce Fix circular #include
refs #6985
2019-04-25 08:25:28 +02:00
Michael Friedrich 1ac693bf13
Merge pull request #7137 from Icinga/bugfix/disconnect-log-more-spam
JsonRpcConnection: reduce log spam on disconnect
2019-04-23 14:50:18 +02:00
Michael Friedrich 0f804d126b
Merge pull request #7133 from Icinga/feature/boost-asio-pki
Use new I/O engine in PkiUtility::FetchCert() and PkiUtility::RequestCertificate()
2019-04-23 14:27:48 +02:00
Alexander A. Klimov a6cd3e65cb JsonRpcConnection: reduce log spam on disconnect 2019-04-23 14:09:07 +02:00
Michael Friedrich 20d51d21dc
Merge pull request #7127 from Icinga/bugfix/replay-log
ApiListener#RotateLogFile(): don't overwrite previous log
2019-04-23 12:08:12 +02:00
Michael Friedrich 5fb191bbeb
Merge pull request #7126 from Icinga/bugfix/replay-logs-6932
ApiListener#ApiTimerHandler(): delete all replayed logs
2019-04-23 12:07:02 +02:00
Alexander A. Klimov 407e77883c ApiListener#ReplayLog(): read current log file too instead of rotating 2019-04-18 17:22:36 +02:00
Alexander A. Klimov 997d84bfa0 ApiListener#RotateLogFile(): don't overwrite previous log 2019-04-18 17:22:33 +02:00
Alexander A. Klimov 9b489cf9b9 ApiListener#ApiTimerHandler(): delete all replayed logs
refs #6932
2019-04-18 17:00:40 +02:00
Alexander A. Klimov f44e847717 Rotate replay log on shutdown, not on startup 2019-04-17 14:18:20 +02:00
Michael Friedrich 64568f5966
Merge pull request #7121 from Icinga/bugfix/concurrent-checks
Fix that MaxConcurrentChecks constant is overridden from 'checker' feature
2019-04-17 13:14:32 +02:00
Michael Friedrich ab97d606db
Merge pull request #7122 from Icinga/bugfix/evaluatefilter-change-globals
FilterUtility::EvaluateFilter(): ensure not to modify the global namespace
2019-04-16 17:40:20 +02:00
Alexander A. Klimov bdadb53940 FilterUtility::EvaluateFilter(): ensure not to modify the global namespace 2019-04-16 15:53:44 +02:00
Michael Friedrich b906714254 Fix that MaxConcurrentChecks constant is overridden from 'checker' feature
Note: This drops the deprecated concurrent_checks setting from the checker feature
entirely and refactors the underlaying code handling.

Also affects ReloadTimeout which is new for 2.11.

fixes #7111
2019-04-16 15:04:57 +02:00
Elias Ohm 1e7cd4afc8 * use dedicated permissions namespace for scriptframe in filterutility to allow proper parallel execution
* fixes issue https://github.com/Icinga/icinga2/issues/6785 where permission checks get wrong result because permissions checks are done within a shared namespaces without using only unique keys
  * mitigates issue https://github.com/Icinga/icinga2/issues/6874 where segmentation faults occur because of concurrent access to non threadsafe parts of namespace (a fix for thread safety of namespaces which would be an alternative approach to get rid of these segfaults is out of scope of this fix as 6785 needs to be fixed anyway and this is the straight-forwards) way to fix that
* do the same for eventqueue (not certain whether events can be processed in parallel but I expect it is the case)
2019-04-12 08:10:57 +02:00
Michael Friedrich 973b03dcb2
Merge pull request #7109 from Icinga/feature/enhance-cluster-message-send-code-docs
Improve code docs for cluster message routing conditions
2019-04-11 11:20:46 +02:00
Michael Friedrich b24a3be083 Improve code docs for cluster message routing conditions
refs #6781
2019-04-10 14:17:36 +02:00
Alexander A. Klimov de04bb13a8 JsonRpcConnection: reduce log spam on disconnect 2019-04-09 13:53:41 +02:00
Michael Friedrich f177d8786d HttpServerConnection: Log the user agent field for new requests too
refs #7041
2019-04-05 15:08:09 +02:00
Michael Friedrich b1042c3689
Merge pull request #7076 from Icinga/bugfix/eventqueue-leak
/v1/events: terminate on disconnect
2019-04-05 10:31:30 +02:00
Alexander A. Klimov 2e4e2e1a79 /v1/events: don't deadlock other coroutines 2019-04-05 09:22:42 +02:00
Michael Friedrich 5c3a9b77d7 Always update object authority, even w/o API feature
Regression from #7062

Thanks @nilmerg :)
2019-04-03 13:48:24 +02:00
Alexander A. Klimov 2e5af2922b /v1/events: terminate on disconnect 2019-04-03 09:59:45 +02:00
Alexander A. Klimov 4c5ee0dbbf EventQueue#WaitForEvent(): re-add timeout 2019-04-03 09:53:45 +02:00
Alexander A. Klimov 28d46052b0 HttpServerConnection#StartStreaming(): auto-detect disconnection 2019-04-03 09:50:52 +02:00
Alexander A. Klimov c284cf0b68 HttpServerConnection: encapsulate streaming start indicator 2019-04-02 17:37:29 +02:00
Alexander A. Klimov 09a2e04f4b EventQueue#WaitForEvent(): don't lock I/O thread while locking mutex 2019-04-02 14:38:06 +02:00
Alexander A. Klimov 00d859234e Use new I/O engine in PkiUtility::FetchCert() and PkiUtility::RequestCertificate() 2019-04-01 17:18:00 +02:00
Alexander A. Klimov 6e7932f157 Add non-async overloads for JsonRpc::ReadMessage() and JsonRpc::SendMessage() 2019-04-01 17:11:10 +02:00
Alexander A. Klimov f2d9d91e83 Introduce UnbufferedAsioTlsStream#GetPeerCertificate() 2019-04-01 17:11:09 +02:00
Michael Friedrich 5c2aaf6380 Improve error logging on connection failure (cluster) 2019-04-01 16:13:37 +02:00
Alexander A. Klimov 64b2ac4b30 ApiListener: drop unused thread pool 2019-04-01 15:06:17 +02:00
Alexander A. Klimov 3a6caa2800 Respect Accept:application/json where possible 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 24c9542b5b HttpServerConnection: fix side effect of HTTP parser's default body limit 2019-04-01 13:31:16 +02:00
Alexander A. Klimov d428bdf384 Add missing includes 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 5b2c1f023d Rename preventGc to keepAlive 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 5208448b76 Restore the previous performance of replaying logs 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 79e95d2355 Introduce JsonRpcConnection#SendMessageInternal() 2019-04-01 13:31:16 +02:00
Alexander A. Klimov e6d78bf361 Move some TCP/TLS logic out of ApiListener
... for re-using it
2019-04-01 13:31:16 +02:00
Alexander A. Klimov 8b3efe5759 Introduce AsioConditionVariable 2019-04-01 13:31:16 +02:00
Alexander A. Klimov e129c561d5 HttpServerConnection: don't disconnect during sending response 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 326bf66255 ApiListener: use setsockopt(), not tcp::acceptor#set_option() 2019-04-01 13:31:16 +02:00
Alexander A. Klimov b5fddaf3ce ApiListener: log why bind(2) failed 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 19625e62ef ApiListener: fix self-made security hole 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 87b0c452db HttpServerConnection: re-add automatic disconnect 2019-04-01 13:31:16 +02:00
Alexander A. Klimov f029fd4884 Re-add HttpServerConnection#Disconnect() 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 16913cb977 JsonRpcConnection: add missing CpuBoundWork 2019-04-01 13:31:16 +02:00
Alexander A. Klimov a451327b81 JsonRpcConnection: re-add num_json_rpc_work_queue_item_rate 2019-04-01 13:31:16 +02:00
Alexander A. Klimov a54bd9d5c4 JsonRpcConnection: re-add automatic disconnect 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 7aae8bd265 JsonRpcConnection: re-add heartbeats 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 84b411501b Re-add JsonRpcConnection#Disconnect() 2019-04-01 13:31:16 +02:00
Alexander A. Klimov 2d16b02520 ApiListener#NewClientHandlerInternal(): shut down TLS stream 2019-04-01 13:30:42 +02:00
Alexander A. Klimov c46157d552 ApiListener: fix self-made security hole 2019-04-01 11:40:14 +02:00
Alexander A. Klimov f9fff54da2 ApiListener: don't require a valid certificate for the TLS handshake to complete 2019-04-01 11:40:14 +02:00
Alexander A. Klimov 6c86c127f1 Port JsonRpcConnection to Boost ASIO 2019-04-01 11:40:14 +02:00
Alexander A. Klimov c76947e8b9 JsonRpc::ReadMessage(): add Boost ASIO overload 2019-04-01 11:40:14 +02:00
Alexander A. Klimov 48b5824e37 ApiListener: send icinga::Hello message 2019-04-01 11:40:14 +02:00
Alexander A. Klimov 49ac7777e0 JsonRpc::SendMessage(): add Boost ASIO overload 2019-04-01 11:40:14 +02:00
Alexander A. Klimov 832365195d ApiListener: connect(2) via Boost ASIO 2019-04-01 11:40:14 +02:00
Alexander A. Klimov e9a64abd09 ApiListener#ListenerCoroutineProc(): catch more edge cases 2019-04-01 11:40:14 +02:00
Alexander A. Klimov a6813ec786 ApiListener: restore previous bind(2) behavior 2019-04-01 11:40:14 +02:00
Alexander A. Klimov 493a97f4f3 EnsureAcceptHeader(): fix wrong condition 2019-04-01 11:40:14 +02:00