Module: check_mk
Branch: master
Commit: 36cef0036e7d65d89ad17c098ceb25826de2a4d6
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=36cef0036e7d65…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jun 14 17:07:37 2017 +0200
Moved trusted CA management code to cmk git
Change-Id: I248e144454ae1f52234410b098e8df6208bd9814
---
web/htdocs/watolib.py | 62 ++++++++++++++++++++++++++++++
web/plugins/wato/check_mk_configuration.py | 36 +++++++++++++++++
2 files changed, 98 insertions(+)
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index 599e1e2..c5e9cd3 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -395,6 +395,68 @@ class ConfigDomainEventConsole(ConfigDomain):
call_hook_mkeventd_activate_changes()
+
+class ConfigDomainCACertificates(ConfigDomain):
+ needs_sync = True
+ needs_activation = True
+ ident = "ca-certificates"
+
+ trusted_cas_file = "%s/var/ssl/ca-certificates.crt" % cmk.paths.omd_root
+
+ # This is a list of directories that may contain .pem files of trusted CAs.
+ # The contents of all .pem files will be contantenated together and written
+ # to "trusted_cas_file". This is done by the function
update_trusted_cas().
+ # On a system only a single directory, the first existing one is processed.
+ system_wide_trusted_ca_search_paths = [
+ "/etc/ssl/certs", # Ubuntu/Debian/SLES
+ "/etc/pki/tls/certs", # CentOS/RedHat
+ ]
+
+ def config_dir(self):
+ return multisite_dir
+
+
+ def config_file(self, site_specific=False):
+ return os.path.join(self.config_dir(), "ca-certificates.mk")
+
+
+ def activate(self):
+ try:
+ self._update_trusted_cas()
+ except Exception, e:
+ log_exception()
+ return ["Failed to create trusted CA file '%s': %s" %
+ (self.trusted_cas_file, traceback.format_exc())]
+
+
+ def _update_trusted_cas(self):
+ trusted_cas = []
+
+ if config.trusted_certificate_authorities["use_system_wide_cas"]:
+ trusted_cas += self._get_system_wide_trusted_ca_certificates()
+
+ trusted_cas += config.trusted_certificate_authorities["trusted_cas"]
+
+ store.save_file(self.trusted_cas_file, "\n".join(trusted_cas))
+
+
+ def _get_system_wide_trusted_ca_certificates(self):
+ trusted_cas = []
+ for cert_path in self.system_wide_trusted_ca_search_paths:
+ if not os.path.isdir(cert_path):
+ continue
+
+ for entry in os.listdir(cert_path):
+ ext = os.path.splitext(entry)[-1]
+ if ext != ".pem":
+ continue
+
+ trusted_cas.append(file(os.path.join(cert_path, entry)).read())
+
+ break
+
+ return trusted_cas
+
#.
# .--Hosts & Folders-----------------------------------------------------.
# | _ _ _ ___ _____ _ _ |
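Review bot: `_get_system_wide_trusted_ca_certificates` appends every file ending in `.pem` from the first existing search directory to the trust bundle without checking that it actually holds a certificate. A stray server certificate or a combined certificate-plus-key file in that directory would therefore be written into `trusted_cas_file`. The read uses `file(...).read()` and never closes the handle, and a single unreadable entry (for example a dangling symlink) raises, so `activate` reports a failure and the bundle is not rewritten at all. I would read each file in a `with` block, log and skip entries that cannot be read, and keep only content that contains a PEM certificate block and no private-key marker. Leading whitespace is lost in this rendering of the hunk, so the indentation below is inferred.

```python
    def _get_system_wide_trusted_ca_certificates(self):
        # … unchanged: trusted_cas = [], loop over search paths, isdir check …
            for entry in os.listdir(cert_path):
                # … unchanged: skip entries whose extension is not .pem …

                try:
                    with open(os.path.join(cert_path, entry)) as f:
                        content = f.read()
                except IOError:
                    # One broken entry must not block the whole bundle
                    log_exception()
                    continue

                # Only certificate material belongs in a trust bundle
                if "-----BEGIN CERTIFICATE-----" not in content:
                    continue
                if "PRIVATE KEY-----" in content:
                    continue

                trusted_cas.append(content)

            break
```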
diff --git a/web/plugins/wato/check_mk_configuration.py
b/web/plugins/wato/check_mk_configuration.py
index 9637b20..1cb61fb 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -903,6 +903,42 @@ register_configvar(group,
)
+register_configvar(_("Site Management"),
+ "trusted_certificate_authorities",
+ Dictionary(
+ title = _("Trusted certificate authorities for SSL"),
+ help = _("Whenever a server component of Check_MK opens a SSL connection it
uses the "
+ "certificate authorities configured here for verifying the SSL
certificate of "
+ "the destination server. This is used for example when performing
WATO "
+ "replication to slave sites or when special agents are
communicating via HTTPS. "
+ "The CA certificates configured here will be written to the CA
bundle %s.") %
+ site_neutral_path(ConfigDomainCACertificates.trusted_cas_file),
+ elements = [
+ ("use_system_wide_cas", Checkbox(
+ title = _("Use system wide CAs"),
+ help = _("All supported linux distributions provide a mechanism of
managing "
+ "trusted CAs. Depending on your linux distributions the
paths where "
+ "these CAs are stored and the commands to manage the CAs
differ. "
+ "Please checko out the documentation of your linux
distribution "
+ "in case you want to customize trusted CAs system wide. You
can "
+ "choose here to trust the system wide CAs here. Check_MK
will search "
+ "these directories for system wide CAs: %s") %
+ ",
".join(ConfigDomainCACertificates.system_wide_trusted_ca_search_paths),
+ label = _("Trust system wide configured CAs"),
+ default_value = True,
+ )),
+ ("trusted_cas", ListOfCAs(
+ title = _("Check_MK specific"),
+ allow_empty = True,
+ default_value = [],
+ )),
+ ],
+ optional_keys = False,
+ ),
+ domain = ConfigDomainCACertificates,
+ need_restart = True,
+)
+
#.
# .--WATO----------------------------------------------------------------.
# | __ ___ _____ ___ |
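Review bot: The `use_system_wide_cas` help text says Check_MK "will search these directories for system wide CAs", but the class added in watolib.py stops at the first directory that exists (its comment says so, and the loop ends with `break`). An administrator reading the help could assume that CAs from every listed path are trusted. I would word it as `"Check_MK will use the first of these directories that exists: %s"`. The same help string also has the typo `checko out` and repeats "here" in "You can choose here to trust the system wide CAs here", which is worth fixing before translators pick the string up.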