Module: check_mk
Branch: master
Commit: bbc9edaa700488d34882b4e4432e65bb0a9b5adf
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=bbc9edaa700488…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Jan 4 22:44:49 2019 +0100
Addition to 7017: Made liveproxy TLS aware
CMK-1535
Change-Id: I61758cb60feeec419457b0af755afbf9f0b67731
---
cmk/gui/watolib/sites.py | 20 +++++++------
livestatus/api/python/livestatus.py | 58 ++++++++++++++++++++-----------------
2 files changed, 43 insertions(+), 35 deletions(-)
diff --git a/cmk/gui/watolib/sites.py b/cmk/gui/watolib/sites.py
index 664f19f..340d5f7 100644
--- a/cmk/gui/watolib/sites.py
+++ b/cmk/gui/watolib/sites.py
@@ -530,17 +530,19 @@ class CEESiteManagement(SiteManagement):
conf = {}
for siteid, siteconf in sites.items():
- family_spec, address_spec = siteconf["socket"]
- if family_spec == "proxy":
- conf[siteid] = {
- "socket": address_spec["socket"],
- }
+ socket_type, params = siteconf["socket"]
+ if socket_type != "proxy":
+ continue
- if "tcp" in address_spec:
- conf[siteid]["tcp"] = address_spec["tcp"]
+ conf[siteid] = {
+ "socket": params["socket"],
+ }
+
+ if "tcp" in params:
+ conf[siteid]["tcp"] = params["tcp"]
- if address_spec["params"]:
- conf[siteid].update(address_spec["params"])
+ if params["params"]:
+ conf[siteid].update(params["params"])
store.save_to_mk_file(path, "sites", conf)
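Review bot: The renamed second element of `siteconf["socket"]` is called `params`, so the later lookups read `params["params"]`, which hides the fact that `params` is the whole proxy spec and `params["params"]` is its nested option dict; a name such as `socket_type, proxy_spec = siteconf["socket"]` (with `proxy_spec["socket"]`, `proxy_spec["tcp"]`, `proxy_spec["params"]` below) would make the two levels distinguishable. Access is also inconsistent within the same branch: `"tcp"` is membership-guarded while `"params"` is indexed directly and would raise `KeyError` if absent, which may be intended if the key is always written, but a comment saying so would help. The enclosing loop body starts at the hunk's first line and the rest of the method ends outside the hunk.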
diff --git a/livestatus/api/python/livestatus.py b/livestatus/api/python/livestatus.py
index 871fec5..1448388 100644
--- a/livestatus/api/python/livestatus.py
+++ b/livestatus/api/python/livestatus.py
@@ -100,6 +100,36 @@ def lqencode(s):
return s.replace('\n', '')
+def site_local_ca_path():
+ """Path to the site local CA bundle"""
+ omd_root = os.getenv("OMD_ROOT")
+ if not omd_root:
+ raise MKLivestatusConfigError("OMD_ROOT is not set. You are not running in
OMD context.")
+
+ return os.path.join(omd_root, "etc/ssl/ca.pem")
+
+
+def create_client_socket(family, tls, verify, ca_file_path):
+ """Create a client socket object for the livestatus
connection"""
+ sock = socket.socket(family, socket.SOCK_STREAM)
+
+ if not tls:
+ return sock
+
+ context = ssl.create_default_context()
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE
+ context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+
+ ca_file_path = ca_file_path if ca_file_path is not None else site_local_ca_path()
+ try:
+ context.load_verify_locations(ca_file_path)
+ except Exception as e:
+ raise MKLivestatusConfigError("Failed to load CA file '%s': %s"
% (ca_file_path, e))
+
+ return context.wrap_socket(sock)
+
+
#.
# .--Helpers-------------------------------------------------------------.
# | _ _ _ |
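Review bot: `create_client_socket` creates the plain socket on its first line but raises `MKLivestatusConfigError` several lines later when the CA bundle cannot be loaded, so the descriptor is leaked on that path; either move `sock = socket.socket(family, socket.SOCK_STREAM)` below the CA loading or close `sock` in the except branch before re-raising. The CA file is also loaded, and `site_local_ca_path()` is consulted, even when `verify` is false and the context is `CERT_NONE`, so an unset `OMD_ROOT` or an unreadable bundle blocks an unverified connection that would otherwise succeed; wrapping the load in `if verify:` would match what the parameter promises. Since `check_hostname = False` is combined with `CERT_REQUIRED`, the peer is validated against the site CA but not bound to the address being connected to; a one-line comment stating that this is intentional (and why) would keep the next reader from treating it as an oversight. Finally, `except Exception` could be narrowed to `except (OSError, ssl.SSLError) as e:`, which covers a missing file and a malformed PEM without masking unrelated errors.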
@@ -277,17 +307,9 @@ class SingleSiteConnection(Helpers):
# type: () -> str
"""CA file bundle to use for certificate
verification"""
if self._tls_ca_file_path is None:
- return self._site_local_ca_path()
+ return site_local_ca_path()
return self._tls_ca_file_path
- def _site_local_ca_path(self):
- omd_root = os.getenv("OMD_ROOT")
- if not omd_root:
- raise MKLivestatusConfigError(
- "OMD_ROOT is not set. You are not running in OMD context.")
-
- return os.path.join(omd_root, "etc/ssl/ca.pem")
-
def successfully_persisted(self):
# type: () -> bool
return self.successful_persistence
@@ -374,23 +396,7 @@ class SingleSiteConnection(Helpers):
It ensures that either a TLS secured socket or a plain text socket
is being created."""
- sock = socket.socket(family, socket.SOCK_STREAM)
-
- if not self.tls:
- return sock
-
- context = ssl.create_default_context()
- context.check_hostname = False
- context.verify_mode = ssl.CERT_REQUIRED if self.tls_verify else ssl.CERT_NONE
- context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
-
- try:
- context.load_verify_locations(cafile=self.tls_ca_file_path)
- except Exception as e:
- raise MKLivestatusConfigError(
- "Failed to load CA file '%s': %s" %
(self.tls_ca_file_path, e))
-
- return context.wrap_socket(sock)
+ return create_client_socket(family, self.tls, self.tls_verify,
self._tls_ca_file_path)
def disconnect(self):
self.socket = None
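Review bot: The new call passes the raw attribute `self._tls_ca_file_path`, which may be `None`, instead of the `tls_ca_file_path` property whose fallback to `site_local_ca_path()` the same commit keeps, so the fallback now lives in two places and can drift; `return create_client_socket(family, self.tls, self.tls_verify, self.tls_ca_file_path)` would keep a single source of truth and let the helper drop its own `None` handling. The enclosing method starts outside the hunk, and its docstring on the context lines still describes the behaviour now implemented by `create_client_socket`, so a short pointer such as `"""Delegates to create_client_socket(); see there for the TLS details."""` would keep it accurate.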