summaryrefslogtreecommitdiffstats
path: root/src/main/java/org/openslx
diff options
context:
space:
mode:
authorSimon Rettberg2015-10-29 15:56:03 +0100
committerSimon Rettberg2015-10-29 15:56:03 +0100
commit0c1d9fbfb40620857a1e80b6b021623acbf15327 (patch)
tree05ff431b52ee037d6061a98c8d563b802647a181 /src/main/java/org/openslx
parent[ldadp-launcher] Move logs to /var/log/ldadp (diff)
downloadtmlite-bwlp-0c1d9fbfb40620857a1e80b6b021623acbf15327.tar.gz
tmlite-bwlp-0c1d9fbfb40620857a1e80b6b021623acbf15327.tar.xz
tmlite-bwlp-0c1d9fbfb40620857a1e80b6b021623acbf15327.zip
[CreateLdapConfig] Only regen local certs if CN changed; handle ca-bundle based server verification
Diffstat (limited to 'src/main/java/org/openslx')
-rw-r--r--src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java56
1 files changed, 54 insertions, 2 deletions
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
index 8ec5c19..99db07c 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
@@ -5,12 +5,14 @@ import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
+import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.io.FileUtils;
import org.openslx.satserver.util.Archive;
import org.openslx.satserver.util.Constants;
import org.openslx.satserver.util.Exec;
+import org.openslx.satserver.util.Exec.ExecCallback;
import org.openslx.satserver.util.Template;
import org.openslx.satserver.util.Util;
import org.openslx.taskmanager.api.AbstractTask;
@@ -19,6 +21,8 @@ import com.google.gson.annotations.Expose;
public class CreateLdapConfig extends AbstractTask
{
+ public static final String DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
+
@Expose
private int moduleid = 0;
@Expose
@@ -40,7 +44,9 @@ public class CreateLdapConfig extends AbstractTask
@Expose
private String home = null;
@Expose
- private String fingerprint = "";
+ private String fingerprint;
+ @Expose
+ private String certificate;
@Expose
private boolean plainldap = false;
@@ -61,6 +67,10 @@ public class CreateLdapConfig extends AbstractTask
this.binddn = "";
if ( this.bindpw == null )
this.bindpw = "";
+ if ( this.certificate == null )
+ this.certificate = "";
+ if ( this.fingerprint == null )
+ this.fingerprint = "";
return true;
}
@@ -70,14 +80,39 @@ public class CreateLdapConfig extends AbstractTask
TarArchiveOutputStream outArchive = null;
File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" );
File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" );
+ File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" );
String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/";
String cacertPath = "/etc/ldap-proxy.pem";
+ String caPath = "";
+ final String subject = "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip;
try {
+ // If cert already exists, check if the subject (most importantly the CN) matches the desired one
+ if ( certFile.exists() ) {
+ final AtomicBoolean subjectStillGood = new AtomicBoolean( false );
+ Exec.sync( 4, new ExecCallback() {
+ @Override
+ public void processStdOut( String line )
+ {
+ if ( line.trim().endsWith( subject ) ) {
+ subjectStillGood.set( true );
+ }
+ }
+
+ @Override
+ public void processStdErr( String line )
+ {
+ }
+ }, "openssl", "x509", "-noout", "-in", certFile.getAbsolutePath(), "-subject" );
+ if ( !subjectStillGood.get() ) {
+ certFile.delete();
+ keyFile.delete();
+ }
+ }
// Generate keys if not existent
if ( !keyFile.exists() || !certFile.exists() ) {
int ret = Exec.sync( 20, "openssl", "req",
"-x509", "-new", "-newkey", "rsa:4096", "-keyout", keyFile.getAbsolutePath(), "-out", certFile.getAbsolutePath(),
- "-days", "5000", "-nodes", "-subj", "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip );
+ "-days", "5000", "-nodes", "-subj", subject );
if ( ret == -1 ) {
status.error = "openssl process didn't finish in time.";
} else if ( ret == -2 ) {
@@ -88,6 +123,21 @@ public class CreateLdapConfig extends AbstractTask
if ( ret != 0 )
return false;
}
+ // Handle ca-bundle; write to file if custom one is passed
+ if ( this.certificate.equals( "default" ) ) {
+ caPath = DEFAULT_CA_BUNDLE;
+ this.fingerprint = "";
+ } else if ( !this.certificate.isEmpty() ) {
+ // Write out
+ try {
+ FileUtils.writeStringToFile( caFile, this.certificate );
+ } catch ( Exception e ) {
+ status.error = "Could not write trusted certificate(s) to file " + caFile.getAbsolutePath();
+ return false;
+ }
+ caPath = caFile.getAbsolutePath();
+ this.fingerprint = "";
+ }
// ldadp config
String ldadpConf = String.format(
"[%s]\n"
@@ -97,6 +147,7 @@ public class CreateLdapConfig extends AbstractTask
+ "home=%s\n"
+ "port=%s\n"
+ "fingerprint=%s\n"
+ + "cabundle=%s\n"
+ "plainldap=%s\n"
+ "[local]\n"
+ "port=%s\n"
@@ -110,6 +161,7 @@ public class CreateLdapConfig extends AbstractTask
this.home,
this.adport,
this.fingerprint,
+ caPath,
Boolean.toString( this.plainldap ),
this.proxyport,
certFile,