99c2d69dc8
Handle boost::beast::http::basic_fields#operator[]() signature change (v1.81)
...
Use always working std::string(x), not broken x.to_string().
(x is a return value.)
2023-01-05 11:18:20 +01:00
ca328627cd
Merge pull request #9537 from Icinga/replace-some-raw-pointer-with-intrusive-ptr
...
FilterUtility: Replace some nested raw pointers by `unique_ptr<>*`
2022-12-06 13:07:24 +01:00
83021f8231
CONTEXT: use << everywhere to unify usages
2022-11-30 11:06:51 +01:00
145ee890df
Just get paths from existing objects for modification and deletion
...
instead of computing from scratch if they're in the _api package.
For now this changes literally nothing as paths of existing objects still follow
the scheme of paths of new objects which didn't change. Now Icinga only doesn't expect
existing objects at particular paths. However, with the latter in v2.14+ (agent,
satellite) we can just change the path scheme of new objects in v2.16+ (master)
as we wish. The child nodes will just follow the new scheme of paths of new objects.
2022-11-28 16:39:16 +01:00
c1f73fbc1d
FilterUtility: Replace some nested raw pointers by our `unique_ptr<X>*`
2022-11-28 14:50:54 +01:00
363f4d3fde
Merge pull request #9408 from Icinga/bugfix/match-api-permissions-against-join-relations
...
ObjectQueryHandler: Check user permissions on joined relations
2022-10-11 13:42:27 +02:00
72e6894bbb
Evaluate permission filters also on all joined relations
2022-10-10 12:33:33 +02:00
607f7ab5ca
ObjectQueryHandler: Check user permissions on joined relations
2022-10-10 12:33:33 +02:00
1bb2d65a8d
FilterUtility: Outsource permission matching from CheckPermission() to a separate method
2022-10-10 12:33:33 +02:00
28c29c1fbc
Don't allow to change object parent,host/service_name at runtime
2022-09-09 18:26:28 +02:00
178aaaeca9
Merge pull request #9332 from Icinga/bugfix/compare-cluster-tickets-in-constant-time
...
Compare cluster tickets in constant time
2022-04-11 15:32:32 +02:00
b24a2fa2a5
Merge pull request #9179 from Icinga/Al2Klimov-patch-3
...
Let new cluster certificates expire after 397 days, not 15 years
2022-04-11 15:29:05 +02:00
0e880048ee
Merge pull request #7961 from Icinga/bugfix/startup-log
...
Place startup.log and status in /var/lib/icinga2/api, not /var/lib/icinga2/api/zones-stage
2022-04-11 14:41:07 +02:00
b15763bd86
Compare cluster tickets in constant time
...
Just to be sure.
2022-04-11 11:17:05 +02:00
08a23f4035
Write also /var/lib/icinga2/api/zones-stage-startup-last-failed.log
...
in addition to /var/lib/icinga2/api/zones-stage-startup.log
to prevent the next success to overwrite the last failure.
2022-04-11 11:14:42 +02:00
c9e4c016e0
Protect ApiListener#m_SSLContext with a mutex
2022-04-11 11:02:45 +02:00
e490883577
Renew certificates also periodically
2022-04-11 11:02:39 +02:00
ce6d1b8961
Place startup.log and status in /var/lib/icinga2/api, not /var/lib/icinga2/api/zones-stage
...
not to loose them.
2022-04-07 11:24:24 +02:00
3753f86c80
ApiListener#Start(): auto-renew own cert if CA owner
...
otherwise that particular cert would expire.
2022-04-04 12:13:31 +02:00
6d470a3ca5
Introduce ApiListener#RenewCert()
2022-04-04 12:12:31 +02:00
6193a911bf
ConfigStagesHandler: Don't allow concurrent package updates anymore
...
To prevent Icinga2 from being restarted while
one or more requests are still in progress and end up
as corrupted stages without status file and startup logs.
2022-03-30 09:42:22 +02:00
362adcab1a
ConfigPackageUtility: Don't reset ongoing package updates on config validation success and process is going to be reloaded
2022-03-30 09:42:22 +02:00
9be2eb8e5e
Introduce IsCertUptodate()
2022-03-29 16:47:23 +02:00
5f2e021390
Request certificate renewal also master2->master1
...
not only sat->master to prevent master2's certificate from expiring.
2022-03-29 16:47:23 +02:00
a0607aceff
Fix compiler warnings don't move local variables
2022-02-22 17:51:43 +01:00
361807f7a9
Adjust incosistent pki log messages ( #8965 )
2021-11-22 16:06:55 +01:00
3bf180a341
Fix typo
...
refs #8766
2021-10-08 10:27:35 +02:00
3aa2289c59
Merge pull request #8946 from Icinga/bugfix/old-packages
...
ConfigPackageUtility::ValidatePackageName(): always tolerate already existing packages
2021-08-02 20:27:27 +02:00
57df803e35
ConfigPackageUtility::ValidatePackageName(): always tolerate already existing packages
...
... not to require migrating invalid ones.
2021-08-02 15:40:14 +02:00
c1df4b70f5
ConfigPackageUtility::PackageExists(): accept invalid package names, too
2021-08-02 15:40:14 +02:00
c666f81361
De-couple package and stage name validation
2021-08-02 15:40:14 +02:00
504fdda76c
Introduce DEFAULT_CONNECT_TIMEOUT
2021-07-27 21:57:02 +02:00
7f7637c9b8
Introduce DEFAULT_TLS_CIPHERS and DEFAULT_TLS_PROTOCOLMIN
2021-07-22 11:12:33 +02:00
80a1128ec7
Introduce SetupSslContext()
2021-07-22 11:12:33 +02:00
9f43c143d7
Merge pull request from GHSA-98wp-jc6q-x5q5
...
API: hide ApiListener#ticket_salt
2021-07-15 11:13:35 +02:00
07d768f166
API: hide ApiListener#ticket_salt
2021-07-02 16:29:53 +02:00
692f5aa615
Merge pull request #8718 from Icinga/feature/tls-1.3
...
Support TLS 1.3
2021-06-29 17:52:55 +02:00
0e7a05ad7a
Support TLS 1.3
2021-06-29 11:08:47 +02:00
8af66ce44c
Merge pull request #8710 from Icinga/feature/windows-event-log
...
Add support for Windows Event Log and write early log messages to it
2021-06-24 09:19:50 +02:00
1fae2f3974
Merge pull request #8769 from Icinga/bugfix/new-connection-timeout
...
Add timeout for full Icinga connection handshake
2021-06-24 09:18:37 +02:00
2cd9c1d902
Merge pull request #8835 from Icinga/bugfix/api-filename-truncation
...
Fix/restrict truncation of filenames for API-created objects
2021-06-23 12:06:31 +02:00
56060bc8d5
ApiListener: Deprecate tls_handshake_timeout in favor of connect_timeout
2021-06-23 11:21:42 +02:00
84d778580f
Add timeout for all new connections
...
This commit adds a timeout for both establishing new outgoing and incoming
connections. This timeout applies to everything until the connection is in a
state where either JsonRpcConnection or HttpServerConnection takes over.
2021-06-23 11:21:42 +02:00
36ce7d961f
Rename silent parameter of ConfigItem::ActivateItems()
...
As silent now no longer only controls the generation of log messages, a better
name is required. This changes its name, inverts its value to reflect the new
name and adds a documentation comment.
2021-06-21 16:07:36 +02:00
118df982f1
GetObjectConfigPath: only truncate and hash comment and downtime filenames
...
This partially reverts 68a0079c26
2021-06-17 16:21:01 +02:00
e079762c8e
GetObjectPath: ensure use of escaped name in all cases and use TruncateUsingHash()
...
68a0079c26
2021-06-17 16:21:01 +02:00
c40b18ef61
ConfigPackageUtility::ValidateName: replace broken regex
...
The old validation regex matched if the name consists only of invalid
character, not that it does not contain them, i.e. something like "foo/bar" was
considered valid.
This commit replaces the regex with a check that all characters in the name are
allowed characters.
2021-06-15 12:16:54 +02:00
f346a9eea4
Merge pull request #8652 from Icinga/bugfix/l_appversionint-0-8628
...
l_AppVersionInt: respect versions like r2.12.0, not just v2.12.0
2021-06-07 16:07:04 +02:00
ee705bb110
Merge pull request #8547 from Icinga/bugfix/unable-to-toggle-notifications-from-icingaweb2-8533
...
Fix runtime config updates not working for objects without zone
2021-03-26 17:18:22 +01:00
ef8619f76b
Merge pull request #8601 from Icinga/feature/replace-std-boost-bind-with-lambdas-7006
...
Feature: Replace std/boost::bind() with lambdas
2021-03-18 17:56:13 +01:00
43ba2da39c
Replace std/boost::bind() function with lambda expression
2021-03-10 16:29:40 +01:00
f60758dc7c
JsonRpcConnection: always log errors
2021-03-04 16:23:07 +01:00
1c5f69683f
l_AppVersionInt: respect versions like r2.12.0, not just v2.12.0
...
refs #8628
2021-02-25 15:31:07 +01:00
c3388e9af6
Use std::mutex, not boost::mutex
2021-02-03 09:54:57 +01:00
986bedd9a0
Merge pull request #8594 from Icinga/feature/remove-upq-from-activate-items
...
Remove upq from ConfigItem::ActivateItems
2021-01-15 12:09:57 +01:00
4063e39d5f
Merge pull request #8515 from Icinga/feature/update-ssl-context-after-accepting-new-connection-8501
...
API: Update the ssl context after each accepting incoming connection
2021-01-15 11:21:36 +01:00
d27f533e5f
ApiListener: Update the ssl cont after each accepting incoming connection
2021-01-14 18:40:20 +01:00
5efe3e662c
Merge pull request #8025 from Icinga/bugfix/downtime-for-host-service-with-long-name-8022
...
ConfigObjectUtility::GetObjectConfigPath(): hash names of not already existing objects
2021-01-14 10:42:04 +01:00
db30704d14
Merge pull request #8532 from Icinga/bugfix/do-not-override-error-codes-that-are-not-200
...
HTTP: Do not override status codes that are not 200
2021-01-14 09:34:04 +01:00
066db5ef60
HTTP: Don't override status codes that are not OK
2021-01-13 18:56:56 +01:00
0c6abc817b
Remove upq from ConfigItem::ActivateItems
...
Since commit d9010c7b9f
2021-01-13 15:19:55 +01:00
68a0079c26
ConfigObjectUtility::GetObjectConfigPath(): hash names of not already existing objects
...
... to avoid too long file names.
refs #8022
2021-01-12 18:03:22 +01:00
a6af5406f7
Merge pull request #8083 from Icinga/feature/Implement-new-API-events-7974
...
Implement new API event streams response
2021-01-12 12:26:05 +01:00
756abbb2ff
ApiEvents: Implement new API event streams response
2021-01-11 14:59:48 +01:00
635a8c5d4c
Merge pull request #8088 from Icinga/bugfix/log-two-nodes-run-on-different-versions-8075
...
Display logmessage if two nodes run on different versions
2021-01-11 12:30:30 +01:00
339b37a985
Use content_length method for setting the Content-Length header
...
Boost.Beast changed the signature of the previously used generic `set`
method so that it no longer accepts integer types, however there is
alreay a more specific method for setting the Content-Length header, so
use this one instead.
2020-12-22 16:27:38 +01:00
4051bc9c8f
ConfigObjectUtility#CreateObject(): check config objects for duplicates
...
... not to delete already existing objects during a trial of re-creation.
refs #7726
2020-12-16 16:45:22 +01:00
8eb4f2e062
ApiListener: Display log message if two nodes run on different versions
2020-12-16 16:09:28 +01:00
f7e368564f
Merge pull request from GHSA-pcmr-2p2f-r7j6
...
Verify certificates against CRL before renewing them (2.13)
2020-12-15 12:30:19 +01:00
2bad55efc7
Fix runtime config updates not working for objects without zone
...
refs #8533
2020-12-10 16:08:55 +01:00
e86bd24348
Verify certificates against CRL before renewing them
...
When a CRL is specified in the ApiListener configuration, Icinga 2 only
used it when connections were established so far, but not when a
certificate is requested. This allows a node to automatically renew a
revoked certificate if it meets the other conditions for auto-renewal
(issued before 2017 or expires in less than 30 days).
2020-12-09 12:10:59 +01:00
bbfd1ecfc8
Use ERR_error_string_n() instead of ERR_error_string()
...
Explicitly pass the actual length of the buffer to avoid overflows.
2020-12-08 13:08:18 +01:00
bee4ac7f7c
Merge pull request #8040 from Icinga/feature/v1-actions-execute-command-8034
...
Add API endpoint: /v1/actions/execute-command
2020-12-02 10:53:24 +01:00
3f4b09f01c
Merge pull request #8488 from Icinga/feature/improve-config-sync-locking
...
Improve config sync locking
2020-11-27 17:55:15 +01:00
81ed8d5629
Merge pull request #8321 from Icinga/bugfix/cant-create-api-user-w-password-8164
...
Allow to create API User w/ password
2020-11-25 15:40:07 +01:00
1343fd538d
Start ApiListener#SyncClient() in the thread pool
...
... not hosting the coroutines not to block them.
Otherwise a large replay log would block messages sending
until the peer disconnects us.
2020-11-24 17:25:43 +01:00
3dcc6c32f3
Merge pull request #8479 from Icinga/bugfix/close-anonymous-connections
...
Close anonymous connections after 10 seconds
2020-11-24 16:44:09 +01:00
2a2924855f
Merge pull request #7922 from Icinga/feature/http-status-codes-in-icinga-mainlog-7053
...
Include HTTP status codes in log
2020-11-24 16:35:58 +01:00
da407660f2
Merge pull request #8500 from Icinga/bugfix/config-sync-only-remove-files-if-timestamp-changed
...
Config sync: Only remove files, if timestamp changed
2020-11-24 16:34:12 +01:00
c154d4d50e
Merge pull request #8466 from Icinga/feature/one-connection
...
ApiListener#NewClientHandlerInternal(): reject connections from already connected endpoints
2020-11-24 16:33:15 +01:00
83b4d8e69d
Config sync: Only remove files, if timestamp changed
2020-11-24 10:44:38 +01:00
39bc1590f6
Merge pull request #8440 from Icinga/bugfix/message-routing-for-global-zones
...
Fix cluster message routing for global zones
2020-11-24 10:41:17 +01:00
e84a4a290d
Merge pull request #8450 from Icinga/bugfix/do-not-accept-api-updates-for-unknown-zone
...
API: Don't accept object updates for unknown global zone
2020-11-24 10:40:20 +01:00
70c9d49ebc
ApiListener: merge new config validation and actication functions
...
Merge AsyncTryActivateZonesStage and TryActivateZonesStageCallback and
name the result TryActivateZonesStage. The old split was a leftover from
the one being a callback function with no actual meaningful separation.
2020-11-17 09:37:13 +01:00
2d1980c10d
Merge pull request #8476 from Icinga/docs/api-action-api-function
...
Clarify difference between API actions and functions in their docstrings
2020-11-17 08:17:05 +01:00
e4610e7dbd
Use std::mutex instead of Spinlock
2020-11-16 17:38:03 +01:00
74b65f1642
API filesync: wait for validation process to exit
...
This avoid having to pass a lock implictly using the captured variables
of a lambda.
2020-11-16 17:10:57 +01:00
d1edcb909c
Close anonymous connections after 10 seconds
...
Anonymous connections are normally only used for requesting a
certificate and are closed after this request is received. However, the
request is only sent if the child has successfully verified the
certificate of its parent so that it is an authenticated connection from
its perspective. In case this verification fails, both ends view it as
an anonymous connection and never actually use it but attempt a
reconnect after 10 seconds leaking the connection. Therefore close it
after a timeout.
2020-11-12 18:01:11 +01:00
8ca765d730
Merge pull request #8455 from Icinga/bugfix/replay-object-deletion
...
Log config object deletions to replay log
2020-11-12 15:08:55 +01:00
01a278bb5e
Clarify difference between API actions and functions in their docstrings
2020-11-12 14:23:41 +01:00
5f6042d92f
Fix 'emoving' typo
2020-11-09 16:35:16 +01:00
cb476172ec
Fix cluster message routing for global zones
...
RelayMessageOne used to relay the message only to one other endpoint for
other zones, which is fine, as long as the target zone is a child/parent
zone but breaks if the target zone is a global one. In this case, the
message has to be forwarded within the local zone as well as to one node
in each child zone.
2020-11-09 15:43:43 +01:00
be53b0af9e
Log config object deletions to replay log
...
The initial config object sync for each new connection (in
`ApiListener::SendRuntimeConfigObjects()`) only considers currently
existing objects and has no way to pass the information that objects
were deleted in the meantime.
This commit logs config object deletions to the replay log if required
so that there is a chance that it will be propagated to nodes that were
offline when the deletion happened.
Note that this can only be considered a workaround as the replay log
might be pruned or could even be completely disabled. Also, there still
seems to be a race-condition between the config sync and replay log of
multiple new connections at the same time.
2020-11-09 14:09:44 +01:00
29e5d7def7
Include HTTP status codes in log
...
refs #7053
2020-11-09 10:20:13 +01:00
8ba5f72533
API: Don't accept object updates for unknown zone
2020-11-06 17:27:10 +01:00
1450e1bb7f
Merge pull request #8108 from Icinga/bugfix/api-incorrect-response-header-6747
...
API: Send Content-Type as api response header too
2020-11-03 18:50:31 +01:00
939f4591a4
Merge pull request #8087 from Icinga/bugfix/log-cout-permission-error-8086
...
Display Logmessage if an permission error occurs
2020-11-03 17:23:06 +01:00
488e6bfb67
HTTP Request: Log an exception message if an error occurs
2020-11-02 15:01:48 +01:00
1e281b060a
Merge pull request #7952 from Icinga/fix/SO_REUSEPORT-optional
...
apilistener: Make SO_REUSEPORT optional
2020-10-29 15:56:56 +01:00
bb851b0558
Merge branch 'master' into feature/v1-actions-execute-command-8034
2020-10-28 18:37:08 +01:00
Alexander A. Klimov
Yonas Habteab
Julian Brost
Julian Brost
Noah Hilverling
Yonas Habteab
Noah Hilverling