[checkmk-commits] Moved trusted CA management code to cmk git

14 Jun 2017

Module: check_mk
Branch: master
Commit: 36cef0036e7d65d89ad17c098ceb25826de2a4d6
URL:   
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=36cef0036e7d65…

Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt;
Date:   Wed Jun 14 17:07:37 2017 +0200

Moved trusted CA management code to cmk git

Change-Id: I248e144454ae1f52234410b098e8df6208bd9814

---

 web/htdocs/watolib.py                      | 62 ++++++++++++++++++++++++++++++
 web/plugins/wato/check_mk_configuration.py | 36 +++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index 599e1e2..c5e9cd3 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -395,6 +395,68 @@ class ConfigDomainEventConsole(ConfigDomain):
             call_hook_mkeventd_activate_changes()
 
 
+
+class ConfigDomainCACertificates(ConfigDomain):
+    needs_sync       = True
+    needs_activation = True
+    ident            = "ca-certificates"
+
+    trusted_cas_file = "%s/var/ssl/ca-certificates.crt" % cmk.paths.omd_root
+
+    # This is a list of directories that may contain .pem files of trusted CAs.
+    # The contents of all .pem files will be contantenated together and written
+    # to "trusted_cas_file". This is done by the function
update_trusted_cas().
+    # On a system only a single directory, the first existing one is processed.
+    system_wide_trusted_ca_search_paths = [
+        "/etc/ssl/certs", # Ubuntu/Debian/SLES
+        "/etc/pki/tls/certs", # CentOS/RedHat
+    ]
+
+    def config_dir(self):
+        return multisite_dir
+
+
+    def config_file(self, site_specific=False):
+        return os.path.join(self.config_dir(), "ca-certificates.mk")
+
+
+    def activate(self):
+        try:
+            self._update_trusted_cas()
+        except Exception, e:
+            log_exception()
+            return ["Failed to create trusted CA file '%s': %s" %
+                        (self.trusted_cas_file, traceback.format_exc())]
+
+
+    def _update_trusted_cas(self):
+        trusted_cas = []
+
+        if config.trusted_certificate_authorities["use_system_wide_cas"]:
+            trusted_cas += self._get_system_wide_trusted_ca_certificates()
+
+        trusted_cas += config.trusted_certificate_authorities["trusted_cas"]
+
+        store.save_file(self.trusted_cas_file, "\n".join(trusted_cas))
+
+
+    def _get_system_wide_trusted_ca_certificates(self):
+        trusted_cas = []
+        for cert_path in self.system_wide_trusted_ca_search_paths:
+            if not os.path.isdir(cert_path):
+                continue
+
+            for entry in os.listdir(cert_path):
+                ext = os.path.splitext(entry)[-1]
+                if ext != ".pem":
+                    continue
+
+                trusted_cas.append(file(os.path.join(cert_path, entry)).read())
+
+            break
+
+        return trusted_cas
+
 #.
 #   .--Hosts & Folders-----------------------------------------------------.
 #   | _   _           _          ___     _____     _     _                 |
diff --git a/web/plugins/wato/check_mk_configuration.py
b/web/plugins/wato/check_mk_configuration.py
index 9637b20..1cb61fb 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -903,6 +903,42 @@ register_configvar(group,
 )
 
 
+register_configvar(_("Site Management"),
+    "trusted_certificate_authorities",
+    Dictionary(
+        title = _("Trusted certificate authorities for SSL"),
+        help = _("Whenever a server component of Check_MK opens a SSL connection it
uses the "
+                 "certificate authorities configured here for verifying the SSL
certificate of "
+                 "the destination server. This is used for example when performing
WATO "
+                 "replication to slave sites or when special agents are
communicating via HTTPS. "
+                 "The CA certificates configured here will be written to the CA
bundle %s.") %
+                    site_neutral_path(ConfigDomainCACertificates.trusted_cas_file),
+        elements = [
+            ("use_system_wide_cas", Checkbox(
+                title = _("Use system wide CAs"),
+                help = _("All supported linux distributions provide a mechanism of
managing "
+                         "trusted CAs. Depending on your linux distributions the
paths where "
+                         "these CAs are stored and the commands to manage the CAs
differ. "
+                         "Please checko out the documentation of your linux
distribution "
+                         "in case you want to customize trusted CAs system wide. You
can "
+                         "choose here to trust the system wide CAs here. Check_MK
will search "
+                         "these directories for system wide CAs: %s") %
+                            ",
".join(ConfigDomainCACertificates.system_wide_trusted_ca_search_paths),
+                label = _("Trust system wide configured CAs"),
+                default_value = True,
+            )),
+            ("trusted_cas", ListOfCAs(
+                title = _("Check_MK specific"),
+                allow_empty = True,
+                default_value = [],
+            )),
+        ],
+        optional_keys = False,
+    ),
+    domain = ConfigDomainCACertificates,
+    need_restart = True,
+)
+
 #.
 #   .--WATO----------------------------------------------------------------.
 #   |                     __        ___  _____ ___                         |


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[checkmk-commits] Moved trusted CA management code to cmk git