author | Simon Rettberg | 2015-10-29 15:56:03 +0100 |
---|---|---|
committer | Simon Rettberg | 2015-10-29 15:56:03 +0100 |
commit | 0c1d9fbfb40620857a1e80b6b021623acbf15327 (patch) | |
tree | 05ff431b52ee037d6061a98c8d563b802647a181 /src/main/java/org/openslx | |
parent | [ldadp-launcher] Move logs to /var/log/ldadp (diff) | |
[CreateLdapConfig] Only regen local certs if CN changed; handle ca-bundle based server verification
Diffstat (limited to 'src/main/java/org/openslx')
-rw-r--r-- | src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java | 56 |
1 files changed, 54 insertions, 2 deletions
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
index 8ec5c19..99db07c 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateLdapConfig.java
@@ -5,12 +5,14 @@ import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
 import org.apache.commons.io.FileUtils;
 import org.openslx.satserver.util.Archive;
 import org.openslx.satserver.util.Constants;
 import org.openslx.satserver.util.Exec;
+import org.openslx.satserver.util.Exec.ExecCallback;
 import org.openslx.satserver.util.Template;
 import org.openslx.satserver.util.Util;
 import org.openslx.taskmanager.api.AbstractTask;
@@ -19,6 +21,8 @@ import com.google.gson.annotations.Expose;
 
 public class CreateLdapConfig extends AbstractTask
 {
+	public static final String DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
+
 	@Expose
 	private int moduleid = 0;
 	@Expose
@@ -40,7 +44,9 @@ public class CreateLdapConfig extends AbstractTask
 	@Expose
 	private String home = null;
 	@Expose
-	private String fingerprint = "";
+	private String fingerprint;
+	@Expose
+	private String certificate;
 	@Expose
 	private boolean plainldap = false;
 
@@ -61,6 +67,10 @@ public class CreateLdapConfig extends AbstractTask
 			this.binddn = "";
 		if ( this.bindpw == null )
 			this.bindpw = "";
+		if ( this.certificate == null )
+			this.certificate = "";
+		if ( this.fingerprint == null )
+			this.fingerprint = "";
 		return true;
 	}
 
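Review bot: The new `certificate` field (hunk @@ -40,7) carries a three-way contract that is only discoverable from the branch later in the task: empty means no CA bundle, the literal `"default"` selects the system bundle, and any other value is written out verbatim as a PEM file — and in the latter two cases `fingerprint` is reset to empty, so the bundle replaces fingerprint pinning. None of this is stated at the declaration, where a reader of the @Expose'd fields will look first. Suggest `// "" = no CA bundle, "default" = DEFAULT_CA_BUNDLE, otherwise PEM text written to <moduleid>.ca-bundle.pem; a non-empty value clears fingerprint` above `private String certificate;`. Likewise `DEFAULT_CA_BUNDLE` in hunk @@ -19,6 deserves a one-line Javadoc noting that it is a distribution-specific system bundle path that may not exist on every host.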
@@ -70,14 +80,39 @@ public class CreateLdapConfig extends AbstractTask
 		TarArchiveOutputStream outArchive = null;
 		File keyFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".key.pem" );
 		File certFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".crt.pem" );
+		File caFile = new File( "/opt/ldadp/configs/" + this.moduleid + ".ca-bundle.pem" );
 		String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/";
 		String cacertPath = "/etc/ldap-proxy.pem";
+		String caPath = "";
+		final String subject = "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip;
 		try {
+			// If cert already exists, check if the subject (most importantly the CN) matches the desired one
+			if ( certFile.exists() ) {
+				final AtomicBoolean subjectStillGood = new AtomicBoolean( false );
+				Exec.sync( 4, new ExecCallback() {
+					@Override
+					public void processStdOut( String line )
+					{
+						if ( line.trim().endsWith( subject ) ) {
+							subjectStillGood.set( true );
+						}
+					}
+
+					@Override
+					public void processStdErr( String line )
+					{
+					}
+				}, "openssl", "x509", "-noout", "-in", certFile.getAbsolutePath(), "-subject" );
+				if ( !subjectStillGood.get() ) {
+					certFile.delete();
+					keyFile.delete();
+				}
+			}
 			// Generate keys if not existent
 			if ( !keyFile.exists() || !certFile.exists() ) {
 				int ret = Exec.sync( 20, "openssl", "req", "-x509", "-new", "-newkey", "rsa:4096", "-keyout", keyFile.getAbsolutePath(), "-out", certFile.getAbsolutePath(),
-						"-days", "5000", "-nodes", "-subj", "/C=DE/ST=Nowhere/L=Springfield/O=Dis/CN=" + this.proxyip );
+						"-days", "5000", "-nodes", "-subj", subject );
 				if ( ret == -1 ) {
 					status.error = "openssl process didn't finish in time.";
 				} else if ( ret == -2 ) {
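Review bot: The return value of `Exec.sync( 4, ... )` in the subject check is discarded, so a timeout (-1) or a failed launch (-2, per the meanings the same hunk assigns to the key-generation call) leaves `subjectStillGood` false and the existing key and certificate are deleted and regenerated — an unintended key rotation that anything pinning the old certificate's fingerprint would presumably notice. Keep the result and only delete when openssl actually answered: `int check = Exec.sync( 4, new ExecCallback() {` … `if ( check == 0 && !subjectStillGood.get() ) {`. The match also depends on the exact `-subject` print format, which differs between openssl versions; pinning it with `-nameopt compat`, or comparing just the CN, would make `endsWith( subject )` robust instead of silently regenerating on every run. The `certFile.delete()` / `keyFile.delete()` results are ignored too, so a failed delete falls through to `!keyFile.exists() || !certFile.exists()` and keeps the stale pair without any error. The enclosing method starts before this hunk and continues past it.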
@@ -88,6 +123,21 @@ public class CreateLdapConfig extends AbstractTask
 			if ( ret != 0 )
 				return false;
 		}
+		// Handle ca-bundle; write to file if custom one is passed
+		if ( this.certificate.equals( "default" ) ) {
+			caPath = DEFAULT_CA_BUNDLE;
+			this.fingerprint = "";
+		} else if ( !this.certificate.isEmpty() ) {
+			// Write out
+			try {
+				FileUtils.writeStringToFile( caFile, this.certificate );
+			} catch ( Exception e ) {
+				status.error = "Could not write trusted certificate(s) to file " + caFile.getAbsolutePath();
+				return false;
+			}
+			caPath = caFile.getAbsolutePath();
+			this.fingerprint = "";
+		}
 		// ldadp config
 		String ldadpConf = String.format( "[%s]\n"
@@ -97,6 +147,7 @@ public class CreateLdapConfig extends AbstractTask
 				+ "home=%s\n"
 				+ "port=%s\n"
 				+ "fingerprint=%s\n"
+				+ "cabundle=%s\n"
 				+ "plainldap=%s\n"
 				+ "[local]\n"
 				+ "port=%s\n"
@@ -110,6 +161,7 @@ public class CreateLdapConfig extends AbstractTask
 				this.home,
 				this.adport,
 				this.fingerprint,
+				caPath,
 				Boolean.toString( this.plainldap ),
 				this.proxyport,
 				certFile,
|
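Review bot: `FileUtils.writeStringToFile( caFile, this.certificate )` in hunk @@ -88,6 uses the platform default charset, and the surrounding `catch ( Exception e )` drops the cause, so a failed write reports only the path. The file already imports `StandardCharsets` and `IOException`, so use them (the three-argument overload exists in commons-io 2.3+): `FileUtils.writeStringToFile( caFile, this.certificate, StandardCharsets.UTF_8 );` and `} catch ( IOException e ) {` with `status.error = "Could not write trusted certificate(s) to file " + caFile.getAbsolutePath() + ": " + e.getMessage();`. The value of `certificate` is written out verbatim with no check that it is a PEM bundle, so a malformed or empty-but-whitespace value is only noticed later by whatever consumes `cabundle=` — presumably ldadp — rather than here where the task can still return a useful `status.error`; a `-----BEGIN CERTIFICATE-----` presence check before writing would catch the common cases. The enclosing method starts before this hunk and continues past the last hunk on this line.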