tls-cert: removed needless certificate checks from director and storage
- checking certificates at startup is a remnant of former times
  when there was only tls cert
franku committed Nov 20, 2018
1 parent 9e5090d commit 79f0696
Showing 2 changed files with 2 additions and 166 deletions.
101 changes: 2 additions & 99 deletions core/src/dird/dird.cc
Expand Up @@ -742,42 +742,13 @@ static bool CheckResources()
goto bail_out;
}

/*
* tls_require implies tls_enable
*/
if (me->IsTlsConfigured() || me->IsTlsConfigured()) {
if (me->IsTlsConfigured() ) {
if (!have_tls) {
Jmsg(NULL, M_FATAL, 0, _("TLS required but not compiled into BAREOS.\n"));
OK = false;
goto bail_out;
}
}

need_tls = me->IsTlsConfigured() || me->authenticate_;

if ((me->tls_cert_.certfile_ == nullptr || me->tls_cert_.certfile_->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"), me->name(),configfile.c_str());
OK = false;
goto bail_out;
}

if ((me->tls_cert_.keyfile_ == nullptr || me->tls_cert_.keyfile_->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),me->name(), configfile.c_str());
OK = false;
goto bail_out;
}

if (((me->tls_cert_.ca_certfile_ == nullptr || me->tls_cert_.ca_certfile_->empty()) &&
(me->tls_cert_.ca_certdir_ == nullptr || me->tls_cert_.ca_certdir_->empty())) &&
need_tls && me->tls_cert_.verify_peer_) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
" Certificate Dir\" are defined for Director \"%s\" in %s."
" At least one CA certificate store is required"
" when using \"TLS Verify Peer\".\n"),
me->name(), configfile.c_str());
OK = false;
goto bail_out;
}
}

if (!job) {
Expand Down Expand Up @@ -812,54 +783,17 @@ static bool CheckResources()
}
}

/*
* Loop over Consoles
*/
ConsoleResource *cons;
foreach_res(cons, R_CONSOLE) {
/*
* tls_require implies tls_enable
*/
if (cons->IsTlsConfigured()) {
if (!have_tls) {
Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured in BAREOS.\n"));
OK = false;
goto bail_out;
}
}

need_tls = cons->IsTlsConfigured() || cons->authenticate_;

if ((cons->tls_cert_.certfile_ == nullptr || cons->tls_cert_.certfile_->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Console \"%s\" in %s.\n"),
cons->name(), configfile.c_str());
OK = false;
goto bail_out;
}

if ((cons->tls_cert_.keyfile_ == nullptr || cons->tls_cert_.keyfile_->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Console \"%s\" in %s.\n"),
cons->name(), configfile.c_str());
OK = false;
goto bail_out;
}

if ((cons->tls_cert_.ca_certfile_ == nullptr || cons->tls_cert_.ca_certfile_->empty()) &&
(cons->tls_cert_.ca_certdir_ == nullptr || cons->tls_cert_.ca_certdir_->empty()) && need_tls &&
cons->tls_cert_.verify_peer_) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\" or \"TLS CA"
" Certificate Dir\" are defined for Console \"%s\" in %s."
" At least one CA certificate store is required"
" when using \"TLS Verify Peer\".\n"),
cons->name(), configfile.c_str());
OK = false;
goto bail_out;
}
}

/*
* Loop over Clients
*/
me->subscriptions_used = 0;
ClientResource *client;
foreach_res(client, R_CLIENT) {
Expand All @@ -870,56 +804,25 @@ static bool CheckResources()
*/
me->subscriptions_used++;

/*
* tls_require implies tls_enable
*/
if (client->IsTlsConfigured()) {
if (!have_tls) {
Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured.\n"));
OK = false;
goto bail_out;
}
}
need_tls = client->IsTlsConfigured() || client->authenticate_;
if ((client->tls_cert_.ca_certfile_ == nullptr || client->tls_cert_.ca_certfile_->empty()) &&
(client->tls_cert_.ca_certdir_ == nullptr || client->tls_cert_.ca_certdir_->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for File daemon \"%s\" in %s.\n"),
client->name(), configfile.c_str());
OK = false;
goto bail_out;
}
}

/*
* Loop over Storages
*/
StorageResource *store, *nstore;
foreach_res(store, R_STORAGE) {
/*
* tls_require implies tls_enable
*/
if (store->IsTlsConfigured()) {
if (have_tls) {
// store->tls.enable = true;
} else {
if (!have_tls) {
Jmsg(NULL, M_FATAL, 0, _("TLS required but not configured.\n"));
OK = false;
goto bail_out;
}
}

need_tls = store->IsTlsConfigured() || store->authenticate_;

if ((store->tls_cert_.ca_certfile_ == nullptr || store->tls_cert_.ca_certfile_->empty()) &&
(store->tls_cert_.ca_certdir_ == nullptr || store->tls_cert_.ca_certdir_->empty()) && need_tls) {
Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
" or \"TLS CA Certificate Dir\" are defined for Storage \"%s\" in %s.\n"),
store->name(), configfile.c_str());
OK = false;
goto bail_out;
}

/*
* If we collect statistics on this SD make sure any other entry pointing to the same SD does
* not
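Review bot: The startup check that "TLS Verify Peer" needs at least one CA certificate store is dropped for the Director, Console and Storage resources in this section with no replacement visible here, so a resource that sets verify_peer without a CA store is no longer rejected in CheckResources() and will presumably only fail when a connection is attempted, if at all. If that validation now happens when the TLS context is built, a comment on the surviving `if (me->IsTlsConfigured()) {` block such as `/* certificate/CA consistency is validated when the TLS context is built, not here */` would keep the intent discoverable; otherwise the CA-store check looks worth keeping for resources that still use certificate TLS. The new line `if (me->IsTlsConfigured() ) {` has a stray space before the closing parenthesis. The Console loop in the second hunk also appears to be left with an empty body, in which case `ConsoleResource *cons;` and the `foreach_res(cons, R_CONSOLE)` loop could be removed as well. CheckResources() begins and ends outside the hunks shown.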
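--- a/core/src/stored/stored.cc
+++ b/core/src/stored/stored.cc
@@ -395,73 +395,6 @@ static int CheckResources()
 }
 }
 
-tls_needed = store->IsTlsConfigured() || store->authenticate_;
-
-if ((store->tls_cert_.certfile_ == nullptr || store->tls_cert_.certfile_->empty()) && tls_needed) {
-Jmsg(NULL,
-M_FATAL,
-0,
-_("\"TLS Certificate\" file not defined for Storage \"%s\" in %s.\n"),
-store->name(),
-configfile.c_str());
-OK = false;
-}
-
-if ((store->tls_cert_.keyfile_ == nullptr || store->tls_cert_.keyfile_->empty()) && tls_needed) {
-Jmsg(NULL,
-M_FATAL,
-0,
-_("\"TLS Key\" file not defined for Storage \"%s\" in %s.\n"),
-store->name(),
-configfile.c_str());
-OK = false;
-}
-
-if (((store->tls_cert_.ca_certfile_ == nullptr || store->tls_cert_.ca_certfile_->empty()) &&
-(store->tls_cert_.ca_certdir_ == nullptr || store->tls_cert_.ca_certdir_->empty())) &&
-tls_needed && store->tls_cert_.verify_peer_) {
-Jmsg(NULL,
-M_FATAL,
-0,
-_("Neither \"TLS CA Certificate\""
-" or \"TLS CA Certificate Dir\" are defined for Storage \"%s\" in %s."
-" At least one CA certificate store is required"
-" when using \"TLS Verify Peer\".\n"),
-store->name(),
-configfile.c_str());
-OK = false;
-}
-
-DirectorResource *director;
-foreach_res(director, R_DIRECTOR) {
-
-tls_needed = director->IsTlsConfigured() || director->authenticate_;
-
-if ((director->tls_cert_.certfile_ == nullptr || director->tls_cert_.certfile_->empty()) &&
-tls_needed) {
-Jmsg(NULL, M_FATAL, 0, _("\"TLS Certificate\" file not defined for Director \"%s\" in %s.\n"),
-director->name(), configfile.c_str());
-OK = false;
-}
-
-if ((director->tls_cert_.keyfile_ == nullptr || director->tls_cert_.keyfile_->empty()) && tls_needed) {
-Jmsg(NULL, M_FATAL, 0, _("\"TLS Key\" file not defined for Director \"%s\" in %s.\n"),
-director->name(), configfile.c_str());
-OK = false;
-}
-
-if (((director->tls_cert_.ca_certfile_ == nullptr || director->tls_cert_.ca_certfile_->empty()) &&
-(director->tls_cert_.ca_certdir_ == nullptr || director->tls_cert_.ca_certdir_->empty())) &&
-tls_needed && director->tls_cert_.verify_peer_) {
-Jmsg(NULL, M_FATAL, 0, _("Neither \"TLS CA Certificate\""
-" or \"TLS CA Certificate Dir\" are defined for Director \"%s\" in %s."
-" At least one CA certificate store is required"
-" when using \"TLS Verify Peer\".\n"),
-director->name(), configfile.c_str());
-OK = false;
-}
-}
-
 DeviceResource *device;
 foreach_res(device, R_DEVICE) {
 if (device->drive_crypto_enabled && BitIsSet(CAP_LABEL, device->cap_bits)) {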
