

MB-44361: Temporarily generate cert file in old format...
... for services that haven't implemented ca file support yet

Change-Id: I509f9f788d9da0111ec74e86dae662b9d2bc564a
Reviewed-on: http://review.couchbase.org/c/ns_server/+/158845
Well-Formed: Build Bot <build@couchbase.com>
Tested-by: Build Bot <build@couchbase.com>
Tested-by: Timofey Barmin <timofey.barmin@couchbase.com>
Reviewed-by: Artem Stemkovski <artem@couchbase.com>
timofey-barmin committed Aug 20, 2021
1 parent b619678 commit c6040da
Showing 3 changed files with 23 additions and 2 deletions.
2 changes: 1 addition & 1 deletion src/memcached_config_mgr.erl
Expand Up @@ -437,7 +437,7 @@ prometheus_cfg([], _Params) ->

generate_interfaces(MCDParams) ->
SSL = {[{key, list_to_binary(ns_ssl_services_setup:pkey_file_path())},
{cert, list_to_binary(ns_ssl_services_setup:chain_file_path())}]},
{cert, list_to_binary(ns_ssl_services_setup:legacy_cert_path())}]},
GetPort = fun (Port) ->
{Port, Value} = lists:keyfind(Port, 1, MCDParams),
Value
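Review bot: The replacement of `chain_file_path()` with `legacy_cert_path()` in the `{cert, ...}` tuple of generate_interfaces carries no marker that it is a stopgap, whereas the hunks in src/ns_ssl_services_setup.erl that produce that file are annotated with `%% Can be removed when all the services and memcached switch to new cert format`. This call site is the one that must be reverted once memcached reads CA certs from the separate ca file, so a comment above the tuple such as `%% Temporary (MB-44361): combined cert+CA file; switch back to chain_file_path() once memcached supports the ca file` would keep the two places in sync. The same applies to the `CertArg` line in build_https_args in src/ns_ports_setup.erl. generate_interfaces continues outside the hunk.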
2 changes: 1 addition & 1 deletion src/ns_ports_setup.erl
Expand Up @@ -245,7 +245,7 @@ build_https_args(PortName, PortArg, PortPrefix, CertArg, KeyArg, Config) ->
[];
Port ->
[PortArg ++ "=" ++ PortPrefix ++ integer_to_list(Port),
CertArg ++ "=" ++ ns_ssl_services_setup:chain_file_path(),
CertArg ++ "=" ++ ns_ssl_services_setup:legacy_cert_path(),
KeyArg ++ "=" ++ ns_ssl_services_setup:pkey_file_path()]
end.

21 changes: 21 additions & 0 deletions src/ns_ssl_services_setup.erl
Expand Up @@ -23,6 +23,7 @@
pkey_file_path/0,
chain_file_path/0,
ca_file_path/0,
legacy_cert_path/0,
sync/0,
ssl_minimum_protocol/1,
ssl_minimum_protocol/2,
Expand Down Expand Up @@ -368,6 +369,8 @@ ca_file_path_erl22() ->
filename:join(path_config:component_path(data, "config"), "ca_erl22.pem").
cert_file_path_erl22() ->
filename:join(path_config:component_path(data, "config"), "cert_erl22.pem").
legacy_cert_path() ->
filename:join(path_config:component_path(data, "config"), "legacy_cert.pem").

sync() ->
ns_config:sync_announcements(),
Expand Down Expand Up @@ -566,6 +569,9 @@ maybe_store_ca_certs() ->
?log_info("CA file updated: ~b cert(s) written", [N]),
%% Can be removed when upgraded to erl >= 23
update_certs_erl22(),
%% Can be removed when all the services and memcached switch to new
%% cert format (where ca certs are kept separately)
update_legacy_cert_file(),
misc:create_marker(marker_path());
false ->
ok
Expand Down Expand Up @@ -651,6 +657,9 @@ save_node_certs_phase2() ->
%% Can be removed when upgraded to erl >= 23
update_certs_erl22(),
ns_config:set({node, node(), node_cert}, Props),
%% Can be removed when all the services and memcached switch to new
%% cert format (where ca certs are kept separately)
update_legacy_cert_file(),
ok = ssl:clear_pem_cache(),
misc:create_marker(marker_path()),
ok = file:delete(TmpFile);
Expand Down Expand Up @@ -678,6 +687,18 @@ update_certs_erl22() ->
Erl22CAs = lists:join(io_lib:nl(), Erl22Chain ++ CAs),
misc:atomic_write_file(ca_file_path_erl22(), Erl22CAs).

update_legacy_cert_file() ->
Chain = case file:read_file(chain_file_path()) of
{ok, C} -> [C];
{error, enoent} -> []
end,
CA = case ns_config:search({node, node(), node_cert}) of
{value, Props} -> [proplists:get_value(ca, Props)];
false -> []
end,
LegacyCert = lists:join(io_lib:nl(), Chain ++ CA),
misc:atomic_write_file(legacy_cert_path(), LegacyCert).

-spec get_user_name_from_client_cert(term()) -> string() | undefined | failed.
get_user_name_from_client_cert(Val) ->
ClientAuth = ns_ssl_services_setup:client_cert_auth(),
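Review bot: In update_legacy_cert_file, `proplists:get_value(ca, Props)` has no default, so a node_cert entry without a `ca` key produces `[undefined]`, which `lists:join/2` folds into an iolist containing an atom and the write presumably fails with a badarg deep inside `misc:atomic_write_file/2` rather than with a reason naming the missing key. If the key is optional, `case proplists:get_value(ca, Props) of undefined -> []; CA0 -> [CA0] end` keeps the file well-formed; if it is guaranteed present, `{ca, CA0} = lists:keyfind(ca, 1, Props)` documents that invariant and fails early and explicitly. Separately, the `file:read_file(chain_file_path())` case handles only `{ok, _}` and `{error, enoent}`, so a permission or I/O error surfaces as a bare case_clause; if that is intended let-it-crash behaviour a one-line comment saying so would help, since both callers (maybe_store_ca_certs and save_node_certs_phase2) invoke this after the real cert files have already been updated. Note also that the legacy file is assembled from the single `ca` stored in node_cert rather than from the CA file that maybe_store_ca_certs has just written with N certs, so it is worth confirming that this is the intended content of the old-format file.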
