picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Support journal-upload HTTPS without key and certificate

This commit is contained in:
Ciprian Hacman 2020-04-06 15:44:15 +03:00
parent ac24e418d9
commit 3dadb54f5f
2 changed files with 55 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
man/systemd-journal-upload.service.xml
View File

@ -165,7 +165,9 @@
<term><option>--key=</option></term>
<listitem><para>
Takes a path to a SSL key file in PEM format.
Takes a path to a SSL key file in PEM format, or <option>-</option>.
If <option>-</option> is set, then client certificate authentication checking
will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
</para></listitem>
</varlistentry>
@ -174,7 +176,9 @@
<term><option>--cert=</option></term>
<listitem><para>
Takes a path to a SSL certificate file in PEM format.
Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
If <option>-</option> is set, then client certificate authentication checking
will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
</para></listitem>
</varlistentry>
@ -183,9 +187,8 @@
<term><option>--trust=</option></term>
<listitem><para>
Takes a path to a SSL CA certificate file in PEM format,
or <option>all</option>. If <option>all</option> is set,
then certificate checking will be disabled.
Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
</para></listitem>
</varlistentry>

53
src/journal-remote/journal-upload.c
View File

@ -23,6 +23,7 @@
#include "main-func.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "pretty-print.h"
#include "process-util.h"
#include "rlimit-util.h"
@ -240,14 +241,14 @@ int start_upload(Uploader *u,
"systemd-journal-upload " GIT_VERSION,
LOG_WARNING, );
if (arg_key || startswith(u->url, "https://")) {
if (!streq_ptr(arg_key, "-") && (arg_key || startswith(u->url, "https://"))) {
easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE,
LOG_ERR, return -EXFULL);
easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE,
LOG_ERR, return -EXFULL);
}
if (streq_ptr(arg_trust, "all"))
if (STRPTR_IN_SET(arg_trust, "-", "all"))
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
LOG_ERR, return -EUCLEAN);
else if (arg_trust || startswith(u->url, "https://"))
@ -515,12 +516,52 @@ static int perform_upload(Uploader *u) {
return update_cursor_state(u);
}
static int config_parse_path_or_ignore(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_free_ char *n = NULL;
bool fatal = ltype;
char **s = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue))
goto finalize;
n = strdup(rvalue);
if (!n)
return log_oom();
if (streq(n, "-"))
goto finalize;
r = path_simplify_and_warn(n, PATH_CHECK_ABSOLUTE | (fatal ? PATH_CHECK_FATAL : 0), unit, filename, line, lvalue);
if (r < 0)
return fatal ? -ENOEXEC : 0;
finalize:
return free_and_replace(*s, n);
}
static int parse_config(void) {
const ConfigTableItem items[] = {
{ "Upload", "URL", config_parse_string, 0, &arg_url },
{ "Upload", "ServerKeyFile", config_parse_path, 0, &arg_key },
{ "Upload", "ServerCertificateFile", config_parse_path, 0, &arg_cert },
{ "Upload", "TrustedCertificateFile", config_parse_path, 0, &arg_trust },
{ "Upload", "URL", config_parse_string, 0, &arg_url },
{ "Upload", "ServerKeyFile", config_parse_path_or_ignore, 0, &arg_key },
{ "Upload", "ServerCertificateFile", config_parse_path_or_ignore, 0, &arg_cert },
{ "Upload", "TrustedCertificateFile", config_parse_path_or_ignore, 0, &arg_trust },
{}};
return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",