[checkmk-commits] 5793 FIX Agent Encryption: No longer trying to decrypt all incoming tcp data when a "Encryption" rule with an arbitrary value was set

Module: check_mk Branch: master Commit: 95ce2db4b3da82bddeca9de71f8d5db73b5d9ba3 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=95ce2db4b3da82… Author: Andreas Boesl &lt;ab(a)mathias-kettner.de&gt; Date: Fri Mar 16 14:17:18 2018 +0100 5793 FIX Agent Encryption: No longer trying to decrypt all incoming tcp data when a "Encryption" rule with an arbitrary value was set The agent output decryption function was incorrectly called for hosts with a specifically "Encryption" rule set. In most scenarios the decryption failed, because the plain text was obviously not decrypted correctly. The fallback of the decryption error was to use the plain text instead for further processing - this was conincidentally the right bevhaviour. However, sometimes the decryption succeeded, which lead to garbled agent output and missing agent sections. Change-Id: Iac0f7df0f5e01f0485b8916e828aac3232b29df8 --- .werks/5793 | 18 ++++++++++++++++++ cmk_base/config.py | 2 +- cmk_base/data_sources/tcp.py | 13 ++++++++----- 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/.werks/5793 b/.werks/5793 new file mode 100644 index 0000000..80da5ef --- /dev/null +++ b/.werks/5793 @@ -0,0 +1,18 @@ +Title: Agent Encryption: No longer trying to decrypt all incoming tcp data when a "Encryption" rule with an arbitrary value was set +Level: 1 +Component: checks +Compatible: compat +Edition: cre +Version: 1.5.0i4 +Date: 1521206167 +Class: fix + +The agent output decryption function was incorrectly called for hosts with a specifically "Encryption" rule set. +In most scenarios the decryption failed, because the plain text was obviously not decrypted correctly. +The fallback of the decryption error was to use the plain text instead for further processing - this was conincidentally the right bevhaviour. + + +However, sometimes the decryption succeeded, which lead to garbled agent output and missing agent sections. + + + diff --git a/cmk_base/config.py b/cmk_base/config.py index 45b7754..85c8d24 100644 --- a/cmk_base/config.py +++ b/cmk_base/config.py @@ -745,7 +745,7 @@ def agent_encryption_of(hostname): if settings: return settings[0] else: - return {'use_regular': 'disabled', + return {'use_regular': 'disable', 'use_realtime': 'enforce'} diff --git a/cmk_base/data_sources/tcp.py b/cmk_base/data_sources/tcp.py index 085fcc2..6b2070e 100644 --- a/cmk_base/data_sources/tcp.py +++ b/cmk_base/data_sources/tcp.py @@ -135,16 +135,19 @@ class TCPDataSource(CheckMKAgentDataSource): elif len(output) < 16: raise MKAgentError("Too short output from agent: %r" % output) - if encryption_settings["use_regular"] == "enforce" and \ - output.startswith("<<<check_mk>>>"): + + output_is_plaintext = output.startswith("<<<") + if encryption_settings["use_regular"] == "enforce" and output_is_plaintext: raise MKAgentError("Agent output is plaintext but encryption is enforced by configuration") - if encryption_settings["use_regular"] != "disabled": + if not output_is_plaintext and encryption_settings["use_regular"] in ["enforce", "allow"]: try: - # currently ignoring version and timestamp - #protocol_version = int(output[0:2]) + # simply check if the protocol is an actual number + protocol_version = int(output[0:2]) output = self._decrypt_package(output[2:], encryption_settings["passphrase"]) + except ValueError: + raise MKAgentError("Unsupported protocol version: %s" % output[:2]) except Exception, e: if encryption_settings["use_regular"] == "enforce": raise MKAgentError("Failed to decrypt agent output: %s" % e)