icinga-cert-service 0.18.4 → 0.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c3dc1c0ef720fdba4d9853fd323f36ade465f6682a227bfdfc9e4614982386c
-  data.tar.gz: 9aa415a38d990a51bb0656f9bee4d6599427b089f367948bf8b84fb4fd6b748e
+  metadata.gz: 859374a9a0babbeac29da3e0bbaaf8728d1577f62da0084f96e9137bcab41937
+  data.tar.gz: 91077b678f06f00b26748ecbf32ae26dd9325fc72d37a9acfa2d4a445255f9cc
 SHA512:
-  metadata.gz: 39231fd95943f5bcfa1b8d5ebb0d2fa6a06eb3a6cce1b274281dfc9d89f9bdef4e1ff5fff061ddaa9bd19cd5d3a086423008bfa04fca082388feab5801a15c69
-  data.tar.gz: 2b0bcb1eb4e7fd4083c24ae4eb6066c96e9eddbf3898806c5e6cf6bf010c6e76ee8e98b9b1abfb3988593e5a4451089acfa36325a3093a20c37d4e9455ae8d7e
+  metadata.gz: ba2d51aeb1f6f670e17d369910f145ea5c9b6546352bacfba4f91810e6cac836f3fcb3b10e9c0b80a653f8910298d195cc21099ab4dd3d17041f75088d6fd083
+  data.tar.gz: 472ecdd2c342c81d9d803210f16c946737d95f97cbf90de84354280203e9de6985c02197234b50802f68d5f1fa9ab2d0fb4590cbfc2b7bda024b61b7ff80543d

data/bin/icinga2-cert-service.rb

@@ -20,7 +20,9 @@ require_relative '../lib/logging'
 # -----------------------------------------------------------------------------
 
 module Sinatra
+
   class CertServiceRest < Base
+
     register Sinatra::BasicAuth
 
     include Logging
@@ -36,7 +38,14 @@ module Sinatra
 
     config_file           = ENV.fetch('CONFIG_FILE'         , '/etc/icinga2-cert-service.yaml')
 
+    #unless( File.exist?(config_file) )
+    #  logger.debug( format('INFO: The configuration file \'%s\' is missing. I use the default parameter.', config_file ) )
+    #else
+    #  logger.debug( format('INFO: Use the configuration file \'%s\'', config_file ) )
+    #end
+
     configure do
+
       set :environment, :production
 
       # default configuration
@@ -169,6 +178,41 @@ module Sinatra
       end
     end
 
+    # create an PKI ticket
+    #
+    protect 'API' do
+      get '/v2/ticket/:host' do
+        result = ics.pki_ticket( host: params[:host], request: request.env )
+
+#         logger.debug(result)
+
+        result_status, result_message = result.values
+
+        status result_status
+        result_message + "\n"
+      end
+    end
+
+    # enable endpoint
+    #
+    protect 'API' do
+      get '/v2/enable_endpoint/:host' do
+        result = ics.enable_endpoint( host: params[:host], request: request.env )
+
+#         logger.debug(result)
+
+        result_status = result.dig(:status).to_i
+
+        status result_status
+
+        JSON.pretty_generate(result) + "\n"
+
+#        result_status, result_message = result.values
+#
+#        status result_status
+#        result_message + "\n"
+      end
+    end
 
     # download an certificate
     #
@@ -176,7 +220,7 @@ module Sinatra
       get '/v2/cert/:host' do
         result = ics.check_certificate( host: params[:host], request: request.env )
 
-        logger.debug(result)
+#         logger.debug(result)
 
         result_status = result.dig(:status).to_i
 
@@ -238,7 +282,7 @@ module Sinatra
 
         result = ics.download(file_name: params[:file_name], request: request.env)
 
-        logger.debug(result)
+#         logger.debug(result)
 
         result_status = result.dig(:status).to_i
 

data/bin/installer.sh

@@ -1,4 +1,6 @@
-#!/bin/sh
+#!/bin/bash
+
+set -e
 
 DESTINATION_DIR="/usr/local/icinga2-cert-service"
 SOURCE_DIR="/tmp/ruby-icinga-cert-service"
@@ -11,23 +13,53 @@ echo "install icinga2-cert-service .."
 
 cd ${SOURCE_DIR}
 
+echo "[i] update gems"
 bundle update --quiet
-gem uninstall --quiet io-console bundler
 
 for i in lib bin templates assets
 do
-  cp -a ${SOURCE_DIR}/${i} ${DESTINATION_DIR}/
+  cp -av ${SOURCE_DIR}/${i} ${DESTINATION_DIR}/
 done
 
-if [[ -e /sbin/openrc-run ]]
+if [[ -e /.dockerenv ]]
 then
-  cat << EOF >> /etc/conf.d/icinga2-cert-service
+  echo "[i] docker environment ..."
+
+  gem uninstall --quiet io-console bundler 2> /dev/null
+
+else
+
+  if [[ ! -e /.dockerenv ]] && [[ ! -e /etc/icinga2-cert-service.yaml ]]
+  then
+    echo "[i] install config"
+    cp -v config_example.yaml /etc/icinga2-cert-service.yaml
+  fi
+
+
+  if [[ $(command -v openrc-run | wc -l) -eq 1 ]]
+  then
+    echo "[i] install openrc init and configuration files"
+
+    cp ${SOURCE_DIR}/init-script/openrc/icinga2-cert-service /etc/init.d/
+
+    cat << EOF > /etc/conf.d/icinga2-cert-service
 
 # Icinga2 cert service
 CERT_SERVICE_BIN="/usr/local/icinga2-cert-service/bin/icinga2-cert-service.rb"
 
 EOF
-  cp ${SOURCE_DIR}/init-script/openrc/icinga2-cert-service /etc/init.d/
+  fi
+
+  if [[ $(command -v systemctl | wc -l) -eq 1 ]]
+  then
+    echo "[i] install system unit file"
+
+    cp ${SOURCE_DIR}/init-script/systemd/icinga-cert-service.service /etc/systemd/system/
+
+    systemctl daemon-reload
+    systemctl enable icinga-cert-service
+    systemctl start icinga-cert-service
+  fi
 fi
 
 export CERT_SERVICE=${DESTINATION_DIR}

data/lib/cert-service.rb

@@ -76,13 +76,13 @@ module IcingaCertService
       @tmp_directory       = '/tmp/icinga-pki'
 
       version       = IcingaCertService::VERSION
-      date          = '2018-08-20'
+      date          = '2019-05-12'
       detect_version
 
       logger.info('-----------------------------------------------------------------')
       logger.info('  certificate service for Icinga2')
       logger.info(format('    Version %s (%s)', version, date))
-      logger.info('    Copyright 2017-2018 Bodo Schulz')
+      logger.info('    Copyright 2017-2020 Bodo Schulz')
       logger.info(format('    Icinga2 base version %s', @icinga_version))
       logger.info('-----------------------------------------------------------------')
       logger.info('')
@@ -126,7 +126,8 @@ module IcingaCertService
           @icinga_version = parts['v'].to_s.strip if(parts)
         end
 
-      rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
+      rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::EADDRNOTAVAIL => e
+        logger.debug( "#{e}" )
         sleep( sleep_between_retries )
         retry
       rescue RestClient::ExceptionWithResponse => e
@@ -305,6 +306,22 @@ module IcingaCertService
       { status: 200, message: 'service restarted' }
     end
 
+    def read_ticket_salt
+
+      file_name    = '/etc/icinga2/constants.conf'
+
+      return { status: 500, message: format( 'icinga2 not successful configured! file %s missing', file_name ) } unless( File.exist?(file_name) )
+
+      file     = File.open(file_name, 'r')
+      contents = file.read
+
+      salt = contents.scan(/const TicketSalt(.*)=(.*)"(?<salt>.+\S)"/)
+      # salt = salt.flatten.first
+
+      salt.flatten.first
+    end
+
+
     # returns the hostname of itself
     #
     def icinga2_server_name

data/lib/cert-service/certificate_handler.rb

@@ -26,10 +26,12 @@ module IcingaCertService
     #
     def create_certificate( params )
 
-      host         = params.dig(:host)
-      api_user     = params.dig(:request, 'HTTP_X_API_USER')
-      api_password = params.dig(:request, 'HTTP_X_API_PASSWORD')
-      remote_addr  = params.dig(:request, 'REMOTE_ADDR')
+      host            = params.dig(:host)
+      api_user        = params.dig(:request, 'HTTP_X_API_USER')
+      api_password    = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      api_hostname    = params.dig(:request, 'HTTP_X_API_HOSTNAME')
+      api_ticketsalt  = params.dig(:request, 'HTTP_X_API_TICKETSALT')
+      remote_addr     = params.dig(:request, 'REMOTE_ADDR')
 
       return { status: 500, message: 'no hostname' } if( host.nil? )
       return { status: 500, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
@@ -41,64 +43,78 @@ module IcingaCertService
 
       logger.info(format('got certificate request from %s', remote_addr))
 
-      if( @icinga_master.nil? )
-        begin
-          server_name = icinga2_server_name
-        rescue => e
-          logger.error(e)
-          server_name = @icinga_master
-        else
-          server_ip    = icinga2_server_ip
-        end
-      else
-        server_name = @icinga_master
-        begin
-          server_ip    = icinga2_server_ip(server_name)
-        rescue => e
-          logger.error(server_name)
-          logger.error(e)
-
-          server_ip = '127.0.0.1'
-        end
-      end
+      server_ip, server_name = icinga_server_name
+
+#      if( @icinga_master.nil? )
+#        begin
+#          server_name = icinga2_server_name
+#        rescue => e
+#          logger.error(e)
+#          server_name = @icinga_master
+#        else
+#          server_ip    = icinga2_server_ip
+#        end
+#      else
+#        server_name = @icinga_master
+#        begin
+#          server_ip    = icinga2_server_ip(server_name)
+#        rescue => e
+#          logger.error(server_name)
+#          logger.error(e)
+#
+#          server_ip = '127.0.0.1'
+#        end
+#      end
+
+      status, message = ensure_master_certificate_exists( server_name, host ).values
+
+      return { status: status, message: message } unless( status == 200 )
 
       pki_base_directory = '/etc/icinga2/pki'
       pki_base_directory = '/var/lib/icinga2/certs' if( @icinga_version != '2.7' )
 
-      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } if( pki_base_directory.nil? )
-
       pki_master_key = format('%s/%s.key', pki_base_directory, server_name)
       pki_master_csr = format('%s/%s.csr', pki_base_directory, server_name)
       pki_master_crt = format('%s/%s.crt', pki_base_directory, server_name)
       pki_master_ca  = format('%s/ca.crt', pki_base_directory)
 
-      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } unless( File.exist?(pki_base_directory) )
-
-      zone_base_directory = '/etc/icinga2/zone.d'
-
-      FileUtils.mkpath( format('%s/global-templates', zone_base_directory) )
-      FileUtils.mkpath( format('%s/%s', zone_base_directory, host) )
-
+      #pki_base_directory = '/etc/icinga2/pki'
+      #pki_base_directory = '/var/lib/icinga2/certs' if( @icinga_version != '2.7' )
       #
-      unless File.exist?(format('%s/global-templates/services.conf', zone_base_directory) )
-
-        if( File.exist?('/etc/icinga2/conf.d/services.conf') )
-          FileUtils.mv('/etc/icinga2/conf.d/services.conf', format('%s/global-templates/services.conf', zone_base_directory))
-        else
-          logger.error('missing services.conf under /etc/icinga2/conf.d')
-        end
-      end
-
-      logger.debug(format('search PKI files for the Master \'%s\'', server_name))
-
-      if( !File.exist?(pki_master_key) || !File.exist?(pki_master_csr) || !File.exist?(pki_master_crt) )
-        logger.error('missing file')
-        logger.debug(pki_master_key)
-        logger.debug(pki_master_csr)
-        logger.debug(pki_master_crt)
-
-        return { status: 500, message: format('missing PKI for Icinga2 Master \'%s\'', server_name) }
-      end
+      #return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } if( pki_base_directory.nil? )
+      #
+      #pki_master_key = format('%s/%s.key', pki_base_directory, server_name)
+      #pki_master_csr = format('%s/%s.csr', pki_base_directory, server_name)
+      #pki_master_crt = format('%s/%s.crt', pki_base_directory, server_name)
+      #pki_master_ca  = format('%s/ca.crt', pki_base_directory)
+      #
+      #return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } unless( File.exist?(pki_base_directory) )
+      #
+      #zone_base_directory = '/etc/icinga2/zone.d'
+      #
+      #FileUtils.mkpath( format('%s/global-templates', zone_base_directory) )
+      #FileUtils.mkpath( format('%s/%s', zone_base_directory, host) )
+      #
+      ##
+      #unless File.exist?(format('%s/global-templates/services.conf', zone_base_directory) )
+      #
+      #  if( File.exist?('/etc/icinga2/conf.d/services.conf') )
+      #    FileUtils.mv('/etc/icinga2/conf.d/services.conf', format('%s/global-templates/services.conf', zone_base_directory))
+      #  else
+      #    logger.error('missing services.conf under /etc/icinga2/conf.d')
+      #  end
+      #end
+      #
+      #logger.debug(format('search PKI files for the Master \'%s\'', server_name))
+      #
+      #if( !File.exist?(pki_master_key) || !File.exist?(pki_master_csr) || !File.exist?(pki_master_crt) )
+      #  logger.error('missing file')
+      #  logger.debug(pki_master_key)
+      #  logger.debug(pki_master_csr)
+      #  logger.debug(pki_master_crt)
+      #
+      #  return { status: 500, message: format('missing PKI for Icinga2 Master \'%s\'', server_name) }
+      #end
 
       tmp_host_directory = format('%s/%s', @tmp_directory, host)
       # uid         = File.stat('/etc/icinga2/conf.d').uid
@@ -115,7 +131,7 @@ module IcingaCertService
       pki_satellite_key = format('%s/%s.key', tmp_host_directory, host)
       pki_satellite_csr = format('%s/%s.csr', tmp_host_directory, host)
       pki_satellite_crt = format('%s/%s.crt', tmp_host_directory, host)
-      pki_ticket       = '%PKI_TICKET%'
+      pki_ticket        = '%PKI_TICKET%'
 
       commands = []
 
@@ -221,6 +237,133 @@ module IcingaCertService
     end
 
 
+    def pki_ticket( params )
+
+      host            = params.dig(:host)
+      api_user        = params.dig(:request, 'HTTP_X_API_USER')
+      api_password    = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      api_hostname    = params.dig(:request, 'HTTP_X_API_HOSTNAME')
+      api_ticketsalt  = params.dig(:request, 'HTTP_X_API_TICKETSALT')
+      remote_addr     = params.dig(:request, 'REMOTE_ADDR')
+      real_ip         = params.dig(:request, 'HTTP_X_REAL_IP')
+      forwarded_for   = params.dig(:request, 'HTTP_X_FORWARDED_FOR')
+
+      logger.error('no hostname') if( host.nil? )
+      logger.error('missing API Credentials - API_USER') if( api_user.nil? )
+      logger.error('missing API Credentials - API_PASSWORD') if( api_password.nil? )
+
+      return { status: 401, message: 'no hostname' } if( host.nil? )
+      return { status: 401, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
+      return { status: 401, message: 'missing API Credentials - API_PASSWORD' } if( api_password.nil? )
+
+      password     = read_api_credentials( api_user: api_user )
+      salt_passend = ( read_ticket_salt == api_ticketsalt )
+
+      logger.error('wrong API Credentials') if( password.nil? || api_password != password )
+      logger.error('wrong Icinga2 Version (the master required => 2.8)') if( @icinga_version == '2.7' )
+
+      return { status: 401, message: 'wrong API Credentials' } if( password.nil? || api_password != password )
+
+      auth_params = { remote_addr: remote_addr, real_ip: real_ip, forwarded_for: forwarded_for, host: host, salt_passend: salt_passend }
+
+#       logger.debug( "    - auth_params      : #{auth_params}" )
+#       logger.debug( "    - api ticketsalt   : #{api_ticketsalt}" )
+#       logger.debug( "    - ticketsalt passed: #{salt_passend}" )
+
+      authorized, remote_short, host_short = is_remote_clients_authorized( auth_params ).values
+
+      if( authorized == false )
+        logger.error(format('This client (%s/%s) cannot get an pki ticket for %s', remote_addr, real_ip, host ) ) unless( host_short == remote_short )
+
+        return { status: 409, message: format('This client cannot get an pki ticket for %s', host ) } unless( host_short == remote_short )
+      end
+
+      logger.info(format('got ticket request from %s (%s)', host, real_ip))
+
+      server_ip, server_name = icinga_server_name
+
+      status, message = ensure_master_certificate_exists( server_name, host ).values
+
+      return { status: status, message: message } unless( status == 200 )
+
+      command = format('icinga2 pki ticket --cn %s', host)
+
+      result       = exec_command(cmd: command)
+
+      logger.debug( "#{result} (#{result.class})")
+
+      exec_code, exec_message = result.values
+
+      logger.debug( format( '    - [%s]  %s', exec_code, exec_message.strip ) )
+
+      if( exec_code != true )
+        logger.error(exec_message)
+        logger.error(format('  command \'%s\'', command))
+        logger.error(format('  returned with exit-code \'%s\'', exec_code))
+
+        return { status: 500, message: format('Internal Error: \'%s\' - \'cmd %s\'', exec_message, command) }
+      end
+
+      { status: 200, message: exec_message.strip }
+    end
+
+
+    def enable_endpoint( params )
+
+      host           = params.dig(:host)
+      api_user       = params.dig(:request, 'HTTP_X_API_USER')
+      api_password   = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      api_hostname   = params.dig(:request, 'HTTP_X_API_HOSTNAME')
+      api_ticketsalt = params.dig(:request, 'HTTP_X_API_TICKETSALT')
+      remote_addr    = params.dig(:request, 'REMOTE_ADDR')
+      real_ip        = params.dig(:request, 'HTTP_X_REAL_IP')
+      forwarded_for  = params.dig(:request, 'HTTP_X_FORWARDED_FOR')
+
+      logger.error('no hostname') if( host.nil? )
+      logger.error('missing API Credentials - API_USER') if( api_user.nil? )
+      logger.error('missing API Credentials - API_PASSWORD') if( api_password.nil? )
+
+      return { status: 401, message: 'no hostname' } if( host.nil? )
+      return { status: 401, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
+      return { status: 401, message: 'missing API Credentials - API_PASSWORD' } if( api_password.nil? )
+
+      password     = read_api_credentials( api_user: api_user )
+      salt_passend = ( read_ticket_salt == api_ticketsalt )
+
+      logger.error('wrong API Credentials') if( password.nil? || api_password != password )
+      logger.error('wrong Icinga2 Version (the master required => 2.8)') if( @icinga_version == '2.7' )
+
+      return { status: 401, message: 'wrong API Credentials' } if( password.nil? || api_password != password )
+
+      auth_params = { remote_addr: remote_addr, real_ip: real_ip, forwarded_for: forwarded_for, host: host, salt_passend: salt_passend }
+
+      authorized, remote_short, host_short = is_remote_clients_authorized( auth_params ).values
+
+      if( authorized == false )
+        logger.error(format('This client (%s/%s) cannot enable an endpoint for %s', remote_addr, real_ip, host ) ) unless( host_short == remote_short )
+
+        return { status: 409, message: format('This client cannot enable an endpoint for %s', host ) } unless( host_short == remote_short )
+      end
+
+      # add params to create the endpoint not in zones.d
+      #
+      params[:satellite] = false
+
+      # add API User for this Endpoint
+      #
+      # add_api_user(params)
+
+      # add Endpoint (and API User)
+      # and create a backup of the generated files
+      #
+      result = add_endpoint(host: host, satellite: false)
+
+      logger.debug( result )
+
+      result
+    end
+
+
     # check the certificate Data
     #
     # @param [Hash, #read] params
@@ -241,11 +384,13 @@ module IcingaCertService
     #
     def check_certificate( params )
 
-      host         = params.dig(:host)
-      checksum     = params.dig(:request, 'HTTP_X_CHECKSUM')
-      api_user     = params.dig(:request, 'HTTP_X_API_USER')
-      api_password = params.dig(:request, 'HTTP_X_API_PASSWORD')
-      remote_addr  = params.dig(:request, 'REMOTE_ADDR')
+      host            = params.dig(:host)
+      checksum        = params.dig(:request, 'HTTP_X_CHECKSUM')
+      api_user        = params.dig(:request, 'HTTP_X_API_USER')
+      api_password    = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      api_hostname    = params.dig(:request, 'HTTP_X_API_HOSTNAME')
+      api_ticketsalt  = params.dig(:request, 'HTTP_X_API_TICKETSALT')
+      remote_addr     = params.dig(:request, 'REMOTE_ADDR')
 
       return { status: 500, message: 'no valid data to get the certificate' } if( host.nil? || checksum.nil? )
 
@@ -335,12 +480,14 @@ module IcingaCertService
     #
     def sign_certificate( params )
 
-      host          = params.dig(:host)
-      api_user      = params.dig(:request, 'HTTP_X_API_USER')
-      api_password  = params.dig(:request, 'HTTP_X_API_PASSWORD')
-      remote_addr   = params.dig(:request, 'REMOTE_ADDR')
-      real_ip       = params.dig(:request, 'HTTP_X_REAL_IP')
-      forwarded_for = params.dig(:request, 'HTTP_X_FORWARDED_FOR')
+      host            = params.dig(:host)
+      api_user        = params.dig(:request, 'HTTP_X_API_USER')
+      api_password    = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      api_hostname    = params.dig(:request, 'HTTP_X_API_HOSTNAME')
+      api_ticketsalt  = params.dig(:request, 'HTTP_X_API_TICKETSALT')
+      remote_addr     = params.dig(:request, 'REMOTE_ADDR')
+      real_ip         = params.dig(:request, 'HTTP_X_REAL_IP')
+      forwarded_for   = params.dig(:request, 'HTTP_X_FORWARDED_FOR')
 
       # logger.debug(params)
 
@@ -352,7 +499,8 @@ module IcingaCertService
       return { status: 401, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
       return { status: 401, message: 'missing API Credentials - API_PASSWORD' } if( api_password.nil? )
 
-      password = read_api_credentials( api_user: api_user )
+      password     = read_api_credentials( api_user: api_user )
+      salt_passend = ( read_ticket_salt == api_ticketsalt )
 
       logger.error('wrong API Credentials') if( password.nil? || api_password != password )
       logger.error('wrong Icinga2 Version (the master required => 2.8)') if( @icinga_version == '2.7' )
@@ -360,40 +508,51 @@ module IcingaCertService
       return { status: 401, message: 'wrong API Credentials' } if( password.nil? || api_password != password )
       return { status: 401, message: 'wrong Icinga2 Version (the master required => 2.8)' } if( @icinga_version == '2.7' )
 
-      unless(remote_addr.nil? && real_ip.nil?)
-        logger.info('we running behind a proxy')
+      auth_params = { remote_addr: remote_addr, real_ip: real_ip, forwarded_for: forwarded_for, host: host, salt_passend: salt_passend }
 
-        logger.debug("remote addr   #{remote_addr}")
-        logger.debug("real ip       #{real_ip}")
-        logger.debug("forwarded for #{forwarded_for}")
+      authorized, remote_short, host_short = is_remote_clients_authorized( auth_params ).values
 
-        remote_addr = forwarded_for
-      end
-
-      unless( remote_addr.nil? )
-        host_short   = host.split('.')
-        host_short   = if( host_short.count > 0 )
-          host_short.first
-        else
-          host
-        end
-
-        remote_fqdn    = Resolv.getnames(remote_addr).sort.last
-        remote_short   = remote_fqdn.split('.')
-        remote_short   = if( remote_short.count > 0 )
-          remote_short.first
-        else
-          remote_fqdn
-        end
+      if( authorized == false )
 
-        logger.debug( "host_short   #{host_short}" )
-        logger.debug( "remote_short #{remote_short}" )
-
-        logger.error(format('This client (%s) cannot sign the certificate for %s', remote_fqdn, host ) ) unless( host_short == remote_short )
+        logger.error(format('This client (%s) cannot sign the certificate for %s', remote_addr, host ) ) unless( host_short == remote_short )
 
         return { status: 409, message: format('This client cannot sign the certificate for %s', host ) } unless( host_short == remote_short )
       end
 
+#      unless(remote_addr.nil? && real_ip.nil?)
+#        logger.info('we running behind a proxy')
+#
+#        logger.debug("remote addr   #{remote_addr}")
+#        logger.debug("real ip       #{real_ip}")
+#        logger.debug("forwarded for #{forwarded_for}")
+#
+#        remote_addr = forwarded_for
+#      end
+#
+#      unless( remote_addr.nil? )
+#        host_short   = host.split('.')
+#        host_short   = if( host_short.count > 0 )
+#          host_short.first
+#        else
+#          host
+#        end
+#
+#        remote_fqdn    = Resolv.getnames(remote_addr).sort.last
+#        remote_short   = remote_fqdn.split('.')
+#        remote_short   = if( remote_short.count > 0 )
+#          remote_short.first
+#        else
+#          remote_fqdn
+#        end
+#
+#        logger.debug( "host_short   #{host_short}" )
+#        logger.debug( "remote_short #{remote_short}" )
+#
+#        logger.error(format('This client (%s) cannot sign the certificate for %s', remote_fqdn, host ) ) unless( host_short == remote_short )
+#
+#        return { status: 409, message: format('This client cannot sign the certificate for %s', host ) } unless( host_short == remote_short )
+#      end
+
       logger.info( format('sign certificate for %s', host) )
 
       # /etc/icinga2 # icinga2 ca list | grep icinga2-satellite-1.matrix.lan | sort -k2
@@ -462,5 +621,139 @@ module IcingaCertService
 
       { status: 204 }
     end
+
+
+    private
+    def ensure_master_certificate_exists( server_name, host )
+
+
+      pki_base_directory = '/etc/icinga2/pki'
+      pki_base_directory = '/var/lib/icinga2/certs' if( @icinga_version != '2.7' )
+
+      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } if( pki_base_directory.nil? )
+
+      pki_master_key = format('%s/%s.key', pki_base_directory, server_name)
+      pki_master_csr = format('%s/%s.csr', pki_base_directory, server_name)
+      pki_master_crt = format('%s/%s.crt', pki_base_directory, server_name)
+      #pki_master_ca  = format('%s/ca.crt', pki_base_directory)
+
+      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } unless( File.exist?(pki_base_directory) )
+
+      zone_base_directory = '/etc/icinga2/zone.d'
+
+      FileUtils.mkpath( format('%s/global-templates', zone_base_directory) )
+      FileUtils.mkpath( format('%s/%s', zone_base_directory, host) )
+
+      #
+      unless File.exist?(format('%s/global-templates/services.conf', zone_base_directory) )
+
+        if( File.exist?('/etc/icinga2/conf.d/services.conf') )
+          FileUtils.mv('/etc/icinga2/conf.d/services.conf', format('%s/global-templates/services.conf', zone_base_directory))
+        else
+          logger.error('missing services.conf under /etc/icinga2/conf.d')
+        end
+      end
+
+      logger.debug(format('search PKI files for the Master \'%s\'', server_name))
+
+      if( !File.exist?(pki_master_key) || !File.exist?(pki_master_csr) || !File.exist?(pki_master_crt) )
+        logger.error('missing file')
+        logger.error(format('  - %s', pki_master_key)) if( !File.exist?(pki_master_key))
+        logger.error(format('  - %s', pki_master_csr)) if( !File.exist?(pki_master_csr))
+        logger.error(format('  - %s', pki_master_crt)) if( !File.exist?(pki_master_crt))
+
+        return { status: 500, message: format('missing PKI for Icinga2 Master \'%s\'', server_name) }
+      end
+
+      return { status: 200 }
+
+    end
+
+
+    def icinga_server_name
+
+      if( @icinga_master.nil? )
+        begin
+          server_name = icinga2_server_name
+        rescue => e
+          logger.error(e)
+          server_name = @icinga_master
+        else
+          server_ip    = icinga2_server_ip
+        end
+      else
+        server_name = @icinga_master
+        begin
+          server_ip    = icinga2_server_ip(server_name)
+        rescue => e
+          logger.error(server_name)
+          logger.error(e)
+
+          server_ip = '127.0.0.1'
+        end
+      end
+
+      [server_ip, server_name]
+
+    end
+
+
+    def is_remote_clients_authorized( params )
+
+      remote_addr   = params.dig(:remote_addr)
+      remote_fqdn   = nil
+      remote_short  = nil
+      real_ip       = params.dig(:real_ip)
+      forwarded_for = params.dig(:forwarded_for)
+      host          = params.dig(:host)
+      salt_passend  = params.dig(:salt_passend)
+
+      logger.debug("params   #{params}")
+
+      result        = true
+
+      unless(remote_addr.nil? && real_ip.nil?)
+        logger.debug('we running behind a proxy')
+
+        logger.debug("  remote addr   #{remote_addr}")
+        logger.debug("  real ip       #{real_ip}")
+        logger.debug("  forwarded for #{forwarded_for}")
+
+        remote_addr = forwarded_for
+      end
+
+      host_short   = host.split('.')
+      host_short   = if( host_short.count > 0 )
+        host_short.first
+      else
+        host
+      end
+
+      logger.debug( "  host_fqdn     #{host}" )
+      logger.debug( "  host_short    #{host_short}" )
+
+      if( salt_passend == false )
+
+        unless( remote_addr.nil? )
+          remote_fqdn    = Resolv.getnames(remote_addr)
+          remote_fqdn    = remote_fqdn.sort.last
+          remote_short   = remote_fqdn.split('.')
+          remote_short   = if( remote_short.count > 0 )
+            remote_short.first
+          else
+            remote_fqdn
+          end
+
+          logger.debug( "  remote_fqdn   #{remote_fqdn}" )
+          logger.debug( "  remote_short  #{remote_short}" )
+
+          result = false
+        end
+      end
+
+      { result: result, remote_short: remote_short, host_short: host_short }
+
+    end
+
   end
 end

data/lib/cert-service/endpoint_handler.rb

@@ -21,8 +21,11 @@ module IcingaCertService
     #
     def add_endpoint(params)
 
-      host      = validate( params, required: true, var: 'host', type: String )
-      satellite = validate( params, required: false, var: 'satellite', type: Boolean ) || false
+      logger.debug("add_endpoint(#{params})")
+
+      host       = validate( params, required: true , var: 'host'     , type: String )
+      satellite  = validate( params, required: false, var: 'satellite', type: Boolean ) || false
+      file_name  = '/etc/icinga2/zones.conf'
 
       return { status: 500, message: 'no hostname to create an endpoint' } if host.nil?
 
@@ -36,10 +39,8 @@ module IcingaCertService
 
       # logger.debug( ret )
 
-      if( satellite )
-        file_name      = '/etc/icinga2/zones.conf'
-      else
-        zone_directory = format('/etc/icinga2/zones.d/%s', host)
+      unless( satellite )
+        zone_directory = format('/etc/icinga2/satellites.d/%s', host)
         file_name      = format('%s/%s.conf', zone_directory, host)
 
         begin
@@ -51,6 +52,8 @@ module IcingaCertService
 
       if( File.exist?(file_name) )
 
+        logger.debug( format('the zone file (%s) for the endpoint %s exists', file_name, host) )
+
         file     = File.open(file_name, 'r')
         contents = file.read
 
@@ -67,6 +70,8 @@ module IcingaCertService
 
         scan_endpoint = result.scan(/object Endpoint(.*)"(?<endpoint>.+\S)"/).flatten
 
+        #logger.debug( "#{scan_endpoint} (#{scan_endpoint.class})" )
+
         return { status: 200, message: format('the configuration for the endpoint %s already exists', host) } if( scan_endpoint.include?(host) == true )
       end
 

data/lib/cert-service/version.rb

@@ -1,5 +1,5 @@
 
 module IcingaCertService
   # static version string
-  VERSION = '0.18.4'.freeze
+  VERSION = '0.20.0'.freeze
 end

data/lib/logging.rb

@@ -27,10 +27,11 @@ module Logging
     def configure_logger_for( classname )
 
       log_level = ENV.fetch('LOG_LEVEL', 'DEBUG' )
-      level = log_level.dup
+
+      level = log_level.upcase.dup
 
       # DEBUG < INFO < WARN < ERROR < FATAL < UNKNOWN
-      log_level = case level.upcase
+      log_level = case level
         when 'DEBUG'
           Logger::DEBUG   # Low-level information for developers.
         when 'INFO'

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: icinga-cert-service
 version: !ruby/object:Gem::Version
-  version: 0.18.4
+  version: 0.20.0
 platform: ruby
 authors:
 - Bodo Schulz
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-22 00:00:00.000000000 Z
+date: 2020-03-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: etc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: openssl
   requirement: !ruby/object:Gem::Requirement
@@ -203,7 +217,6 @@ files:
 - README.md
 - bin/icinga2-cert-service.rb
 - bin/installer.sh
-- bin/test.rb
 - lib/cert-service.rb
 - lib/cert-service/backup.rb
 - lib/cert-service/certificate_handler.rb
@@ -239,7 +252,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.10
 signing_key: 
 specification_version: 4
 summary: Icinga Certificate Service

data/bin/test.rb

@@ -1,28 +0,0 @@
-#!/usr/bin/env ruby
-#
-# 05.10.2016 - Bodo Schulz
-#
-#
-# v2.1.0
-
-# -----------------------------------------------------------------------------
-
-require 'ruby_dig' if RUBY_VERSION < '2.3'
-
-require 'sinatra/base'
-require 'sinatra/basic_auth'
-require 'json'
-require 'yaml'
-
-require_relative '../lib/cert-service'
-require_relative '../lib/logging'
-
-# -----------------------------------------------------------------------------
-
-config = {
-  icinga_master: 'localhost'
-}
-
-ics = IcingaCertService::Client.new(config)
-
-# -----------------------------------------------------------------------------