tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-08-22 18:18:16 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,612 Commits 275 Branches 124 Tags
Commit Graph

1948 Commits

Author SHA1 Message Date
Julian Brost
2febc5e18a Security: fix TLS certificate validation bypass 
The previous validation in set_verify_callback() could be bypassed, tricking
Icinga 2 into treating invalid certificates as valid. To fix this, the
validation checks were moved into the IsVerifyOK() function.

This is tracked as CVE-2024-49369, more details will be published at a later time.
 2024-10-22 10:41:00 +02:00
Alexander Aleksandrovič Klimov
3ddbbebc63
Merge pull request #9946 from Icinga/2141backport 
Disable TLS renegotiation, bump Windows deps and fix Icinga DB crashes
 2023-12-20 12:40:41 +01:00
Alexander A. Klimov
ec77b6f1e3 Disable TLS renegotiation 
The API doesn't need it and a customer's security scanner
is afraid of a potential DoS attack vector.
 2023-12-20 10:14:00 +01:00
Alexander Aleksandrovič Klimov
bbb45894dd
Merge pull request #9944 from Icinga/targeted-api-filter-214 
FilterUtility::GetFilterTargets(): don't run filter for specific object(s) for all objects
 2023-12-19 17:40:59 +01:00
Alexander A. Klimov
5c10bad86f Introduce Dictionary#GetRef() 2023-12-19 15:19:20 +01:00
Alexander A. Klimov
6b000fbce6 CertificateToString(): allow raw pointer input 2023-12-18 17:04:59 +01:00
Alexander A. Klimov
0cb037c698 CreateCertIcingaCA(EVP_PKEY*, X509_NAME*): enable optional CA creation 2023-12-18 17:04:59 +01:00
Alexander A. Klimov
0f4723e567 Introduce IsCaUptodate() by splitting IsCertUptodate() 2023-12-18 17:04:59 +01:00
Alexander A. Klimov
8f8a6ee2a0 Application::m_LastReloadFailed: if double isn't always lock free, use uint32_t 
which will overflow in 2106, not 2038.
This fixes a compile failure on 32-bit Raspbian.
 2023-07-10 10:51:02 +02:00
Julian Brost
fe13b96226
Merge pull request #9809 from Icinga/reevaluate-and-update-default-tls-cipher-list-9808 
Copy and paste global default TLS cipher set from ssl-config.mozilla.org
 2023-07-03 19:13:10 +02:00
Alexander A. Klimov
617dda61fb Re-order global default TLS cipher list to prefer AES256 over AES128 2023-07-03 15:36:11 +02:00
Julian Brost
a2e05f89e8 Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers 
Non-ECC DHE ciphers in the `cipher_list` attribute of `ApiListener` (the
default value includes these) had no effect as no DH parameters were available
and therefore the server wouldn't offer these ciphers. OpenSSL provides
built-in DH parameters starting from version 1.1.0, however, these have to be
enables explicitly using the `SSL_CTX_set_dh_auto()` function. This commit does
so and thereby makes it possible to establish a connection to an Icinga 2
server using a DHE cipher.
 2023-06-29 12:06:26 +02:00
Alexander A. Klimov
2e053b0e06 Copy and paste global default TLS cipher set from ssl-config.mozilla.org 
which got more secure by now, but still overlaps with v2.13.x' set.
 2023-06-28 14:49:08 +02:00
Julian Brost
b0899d9ab4
Merge pull request #8429 from Icinga/bugfix/last-reload-attempt-failed-8428 
Share "Last reload attempt failed" time across Icinga process tree on *nix
 2023-05-30 11:42:21 +02:00
Julian Brost
2470e930eb
Merge pull request #9643 from Icinga/hardware_concurrency 
Always use Configuration#Concurrency, not `std:🧵:hardware_concurrency()`
 2023-05-23 19:23:14 +02:00
Alexander A. Klimov
3fae41ef22 Restart thread pool after freezing Configuration 
The user (-D) or we could have changed Configuration.Concurrency,
so correct the thread pool's thread amount.
 2023-05-23 14:41:35 +02:00
Alexander A. Klimov
32eb1680f7 Configuration.Concurrency: default to 1 until Configuration freeze 
not to start many threads before the user could override their amount (-D).
 2023-05-11 16:59:47 +02:00
Alexander A. Klimov
8fb5d53118 Track Configuration.Concurrency modifications 2023-05-11 15:41:35 +02:00
Alexander A. Klimov
5c330e9d4f Share "Last reload attempt failed" time across Icinga process tree on *nix 
... as only the umbrella process knows that time,
but the icinga check running in the main process also needs to know it.

refs #8428
 2023-05-08 14:42:21 +02:00
Julian Brost
af9d67b262
Merge pull request #9726 from Icinga/43624b 
Remove -and notify- expired downtimes immediately, not every 60s II
 2023-05-02 11:25:03 +02:00
Alexander A. Klimov
ba7102cae3 Explicitly stop started timers and wait for them 
before permitting their parent objects' destruction.
For the cases where the handlers have raw pointers to these objects.
 2023-04-14 14:52:04 +02:00
Alexander A. Klimov
a66ace7245 Introduce SharedMemory 2023-04-04 13:40:27 +02:00
Alexander A. Klimov
c41e5fd05d Support multiple redundant Timer#Start() calls 
so that only the first one changes l_AliveTimers (as in Timer#Stop()).
 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
298f3b1973 Timer: actually support non-periodic timers 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
3933502739 Timer#Start(): don't unnecessarily unlock/lock l_TimerMutex 
via new Timer#InternalRescheduleUnlocked()
 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
13b9cfda41 Timer::TimerThreadProc(): don't unnecessarily unlock and lock l_TimerMutex 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
1badbab002 Timer::TimerThreadProc(): keep a Timer alive while it's running 
to prevent the case: Timer callback destroys parent object -> destroys
Timer -> ~Timer() -> Stop(true) -> waits for the Timer callback to finish
-> deadlock.
 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
9b00c1c4dd Timer: drop unnecessary base class 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
24681b30f6 Make Timer::Ptr a std::shared_ptr 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
9ee4d08722 Make Timer#Timer() private to enforce Timer::Create() usage 2023-04-04 10:35:22 +02:00
Alexander A. Klimov
21b68455ce Use Timer::Create() instead of new Timer() 
git ls-files -z |xargs -0 perl -pi -e 's/\bnew Timer\b/Timer::Create/g'

ex. in Timer::Create() itself.
 2023-04-04 10:35:20 +02:00
Alexander A. Klimov
bb1f574b69 Introduce factory method Timer::Create() 2023-04-04 10:35:10 +02:00
Alexander A. Klimov
335688909b Document why Timer::TimerThreadProc() can use Timer members during Timer#~Timer() call 2023-03-29 18:04:19 +02:00
Julian Brost
66b039df9c
Merge pull request #9497 from Icinga/9249 
Application::Exit(): don't exit(), but _exit(), even in debug build mode
 2023-03-10 16:04:54 +01:00
Alexander Aleksandrovič Klimov
55930c8042
ProcessSpawnImpl(): remove redundant _exit(128); 
Now this if doesn’t _exit(128) by itself, but "return" to the outer if which immediately _exit(128)s.
 2023-03-02 12:45:15 +01:00
Julian Brost
cf517050bc
Merge pull request #9711 from Icinga/connect-cancel 
Connect(): don't try next DNS record if operation is canceled
 2023-03-01 15:49:53 +01:00
Alexander A. Klimov
79f1e0666a Connect(): don't try next DNS record if operation is canceled 
Instead return immediately to meet the caller's expectations.
 2023-02-28 10:57:54 +01:00
Julian Brost
bda8be343b
Merge pull request #9662 from Icinga/Repair#9627 
Repair DSL Namespace values being constant broken in #9627
 2023-02-20 16:35:36 +01:00
Julian Brost
d9767cff3f
Merge pull request #9675 from Icinga/third-party/nlohmann_json 
Update third-party/nlohmann_json to v3.9.1
 2023-02-20 15:31:32 +01:00
Julian Brost
3023009804
Merge pull request #9653 from Icinga/9631 
Setup all signal handlers with SA_RESTART flag
 2023-02-14 17:55:09 +01:00
Alexander A. Klimov
34d0b942b9 Update third-party/nlohmann_json to v3.9.1 
the latest version w/o Apache 2.0 licensed code which conflicts with GPL 2.
 2023-02-14 16:19:44 +01:00
Julian Brost
e074e892ce
Merge pull request #9658 from Icinga/unfreeze 
Dictionary#*(): remove bool overrideFrozen if unused
 2023-02-10 19:42:00 +01:00
Alexander A. Klimov
f3f2c943c7 ScriptGlobal::Set(): don't explicitly give Namespace#Set() its default values 2023-02-10 15:55:10 +01:00
Alexander A. Klimov
e61b380808 Call Namespace#Set(), not #SetFieldByName() 
Namespace#SetFieldByName() calls #Set() anyway.
 2023-02-10 15:53:30 +01:00
Alexander A. Klimov
683095a165 Make globals.Internal values non-const by default 
That namespace is internal anyway.

Previous commit, icinga2 console:
Error: Constants must not be removed.

This commit fixes it.
 2023-02-10 15:47:25 +01:00
Alexander A. Klimov
02df94a46a Repair DSL Namespace values being constant broken in #9627 
master before #9627 (a0286e9c6):

<1> => namespace n { x = 42; x = 42 }
                             ^^^^^^
Constant must not be modified.
<2> =>

HEAD of #9627 (24b57f0d3):

<1> => namespace n { x = 42; x = 42 }
null
<2> =>
 2023-02-10 15:43:01 +01:00
Julian Brost
0dd35bb960
Merge pull request #9657 from Icinga/shared_mutex-Dictionary 
Use a shared_mutex for read `Dictionary` operations
 2023-02-10 15:15:52 +01:00
Alexander A. Klimov
e9846f1827 ScriptGlobal::Set(): remove unused bool overrideFrozen 2023-02-10 11:33:46 +01:00
Alexander A. Klimov
cd78da13d3 Dictionary#Clear(): remove unused bool overrideFrozen 2023-02-10 11:33:46 +01:00
Alexander A. Klimov
270c6392d4 Dictionary#Remove(): remove unused bool overrideFrozen 2023-02-10 11:33:46 +01:00