authorSimon Rettberg2015-10-29 15:56:03 +0100
committerSimon Rettberg2015-10-29 15:56:03 +0100
commit0c1d9fbfb40620857a1e80b6b021623acbf15327 (patch)
tree05ff431b52ee037d6061a98c8d563b802647a181
parent[ldadp-launcher] Move logs to /var/log/ldadp (diff)
[CreateLdapConfig] Only regen local certs if CN changed; handle ca-bundle based server verification
-rw-r--r--src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java56
1 files changed, 54 insertions, 2 deletions
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
index 8ec5c19..99db07c 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
@@ -5,12 +5,14 @@ import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
+import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.io.FileUtils;
import org.openslx.satserver.util.Archive;
import org.openslx.satserver.util.Constants;
import org.openslx.satserver.util.Exec;
+import org.openslx.satserver.util.Exec.ExecCallback;
import org.openslx.satserver.util.Template;
import org.openslx.satserver.util.Util;
import org.openslx.taskmanager.api.AbstractTask;
@@ -19,6 +21,8 @@ import com.google.gson.annotations.Expose;
public class CreateLdapConfig extends AbstractTask
{
+ public static final String DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
+
@Expose
private int moduleid = 0;
@Expose
@@ -40,7 +44,9 @@ public class CreateLdapConfig extends AbstractTask
@Expose
private String home = null;
@Expose
- private String fingerprint = "";
+ private String fingerprint;
+ @Expose
+ private String certificate;
@Expose
private boolean plainldap = false;
@@ -61,6 +67,10 @@ public class CreateLdapConfig extends AbstractTask
this.binddn = "";
if ( this.bindpw == null )
this.bindpw = "";
+ if ( this.certificate == null )
+ this.certificate = "";
+ if ( this.fingerprint == null )
+ this.fingerprint = "";
return true;
}
@@ -70,14 +80,39 @@ public class CreateLdapConfig extends AbstractTask
TarArchiveOutputStream outArchive = null;
File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" );
File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" );
+ File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" );
String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/";
String cacertPath = "/etc/ldap-proxy.pem";
+ String caPath = "";
+ final String subject = "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip;
try {
+ // If cert already exists, check if the subject (most importantly the CN) matches the desired one
+ if ( certFile.exists() ) {
+ final AtomicBoolean subjectStillGood = new AtomicBoolean( false );
+ Exec.sync( 4, new ExecCallback() {
+ @Override
+ public void processStdOut( String line )
+ {
+ if ( line.trim().endsWith( subject ) ) {
+ subjectStillGood.set( true );
+ }
+ }
+
+ @Override
+ public void processStdErr( String line )
+ {
+ }
+ }, "openssl", "x509", "-noout", "-in", certFile.getAbsolutePath(), "-subject" );
+ if ( !subjectStillGood.get() ) {
+ certFile.delete();
+ keyFile.delete();
+ }
+ }
// Generate keys if not existent
if ( !keyFile.exists() || !certFile.exists() ) {
int ret = Exec.sync( 20, "openssl", "req",
"-x509", "-new", "-newkey", "rsa:4096", "-keyout", keyFile.getAbsolutePath(), "-out", certFile.getAbsolutePath(),
- "-days", "5000", "-nodes", "-subj", "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip );
+ "-days", "5000", "-nodes", "-subj", subject );
if ( ret == -1 ) {
status.error = "openssl process didn't finish in time.";
} else if ( ret == -2 ) {
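Review bot: The return value of the new `Exec.sync( 4, ... "openssl", "x509", ... "-subject" )` probe is discarded, so a timeout or a failed openssl invocation (the same -1/-2 codes the generation step below already distinguishes) leaves `subjectStillGood` false and is treated exactly like a changed CN: the existing key pair is deleted and regenerated on what may be a transient error, and any client that pinned the old certificate will then fail to connect. The two `delete()` calls are also unchecked; if the certificate cannot be removed, `certFile.exists()` stays true, the regeneration branch is skipped, and the task goes on to write a config pointing at a certificate whose CN no longer matches `proxyip`. Capture the probe's result and treat a non-zero code as an error, and fail the task when an outdated file cannot be removed (note `keyFile` may legitimately not exist, so only its failed deletion of an existing file is an error). The match itself depends on openssl printing the legacy one-line `subject= /C=...` form; passing `-nameopt` or normalising both sides would make that less fragile, but I have only the invocation here to go on. The enclosing method starts before and continues after this hunk.
```java
int probe = Exec.sync( 4, new ExecCallback() {
	// … unchanged: processStdOut / processStdErr …
}, "openssl", "x509", "-noout", "-in", certFile.getAbsolutePath(), "-subject" );
if ( probe != 0 ) {
	status.error = "Could not read subject of existing certificate " + certFile.getAbsolutePath();
	return false;
}
if ( !subjectStillGood.get() ) {
	// Only regenerate once the stale pair is really gone; otherwise the
	// exists() check below would silently keep the mismatching certificate
	if ( !certFile.delete() || ( keyFile.exists() && !keyFile.delete() ) ) {
		status.error = "Could not remove outdated certificate/key for module " + this.moduleid;
		return false;
	}
}
```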
@@ -88,6 +123,21 @@ public class CreateLdapConfig extends AbstractTask
if ( ret != 0 )
return false;
}
+ // Handle ca-bundle; write to file if custom one is passed
+ if ( this.certificate.equals( "default" ) ) {
+ caPath = DEFAULT_CA_BUNDLE;
+ this.fingerprint = "";
+ } else if ( !this.certificate.isEmpty() ) {
+ // Write out
+ try {
+ FileUtils.writeStringToFile( caFile, this.certificate );
+ } catch ( Exception e ) {
+ status.error = "Could not write trusted certificate(s) to file " + caFile.getAbsolutePath();
+ return false;
+ }
+ caPath = caFile.getAbsolutePath();
+ this.fingerprint = "";
+ }
// ldadp config
String ldadpConf = String.format(
"[%s]\n"
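Review bot: The caller-supplied `this.certificate` is written to `caFile` without any check that it is a PEM certificate chain, and the single-argument `FileUtils.writeStringToFile( caFile, this.certificate )` overload uses the platform default charset, so a bad or mis-encoded value only surfaces later as an ldadp failure, with `fingerprint` already blanked. Since the task already shells out to openssl, running `openssl x509 -noout -in <caFile>` after the write would at least reject a value that is not PEM before the config is generated; at minimum pass `StandardCharsets.UTF_8` (already imported) as the third argument, assuming the bundled commons-io version has that overload. Separately, once `this.fingerprint = "";` is set in both branches, server identity rests entirely on the bundle; if ldadp does not also match the server name against the presented certificate (not visible here), any certificate issued by a CA in the bundle would be accepted, which with `DEFAULT_CA_BUNDLE` means any public CA. A comment at `caPath = DEFAULT_CA_BUNDLE;` stating which checks ldadp is expected to perform with `cabundle=` set, e.g. `// NOTE: pinning is dropped here; ldadp must verify the chain AND the server name — confirm`, would document that assumption. The enclosing method continues past this hunk.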
@@ -97,6 +147,7 @@ public class CreateLdapConfig extends AbstractTask
+ "home=%s\n"
+ "port=%s\n"
+ "fingerprint=%s\n"
+ + "cabundle=%s\n"
+ "plainldap=%s\n"
+ "[local]\n"
+ "port=%s\n"
@@ -110,6 +161,7 @@ public class CreateLdapConfig extends AbstractTask
this.home,
this.adport,
this.fingerprint,
+ caPath,
Boolean.toString( this.plainldap ),
this.proxyport,
certFile,