Support journal-upload HTTPS without key and certificate
This commit is contained in:
parent
ac24e418d9
commit
3dadb54f5f
|
@ -165,7 +165,9 @@
|
||||||
<term><option>--key=</option></term>
|
<term><option>--key=</option></term>
|
||||||
|
|
||||||
<listitem><para>
|
<listitem><para>
|
||||||
Takes a path to a SSL key file in PEM format.
|
Takes a path to a SSL key file in PEM format, or <option>-</option>.
|
||||||
|
If <option>-</option> is set, then client certificate authentication checking
|
||||||
|
will be disabled.
|
||||||
Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
|
Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -174,7 +176,9 @@
|
||||||
<term><option>--cert=</option></term>
|
<term><option>--cert=</option></term>
|
||||||
|
|
||||||
<listitem><para>
|
<listitem><para>
|
||||||
Takes a path to a SSL certificate file in PEM format.
|
Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
|
||||||
|
If <option>-</option> is set, then client certificate authentication checking
|
||||||
|
will be disabled.
|
||||||
Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
|
Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -183,9 +187,8 @@
|
||||||
<term><option>--trust=</option></term>
|
<term><option>--trust=</option></term>
|
||||||
|
|
||||||
<listitem><para>
|
<listitem><para>
|
||||||
Takes a path to a SSL CA certificate file in PEM format,
|
Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
|
||||||
or <option>all</option>. If <option>all</option> is set,
|
If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
|
||||||
then certificate checking will be disabled.
|
|
||||||
Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
|
Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
|
@ -23,6 +23,7 @@
|
||||||
#include "main-func.h"
|
#include "main-func.h"
|
||||||
#include "mkdir.h"
|
#include "mkdir.h"
|
||||||
#include "parse-util.h"
|
#include "parse-util.h"
|
||||||
|
#include "path-util.h"
|
||||||
#include "pretty-print.h"
|
#include "pretty-print.h"
|
||||||
#include "process-util.h"
|
#include "process-util.h"
|
||||||
#include "rlimit-util.h"
|
#include "rlimit-util.h"
|
||||||
|
@ -240,14 +241,14 @@ int start_upload(Uploader *u,
|
||||||
"systemd-journal-upload " GIT_VERSION,
|
"systemd-journal-upload " GIT_VERSION,
|
||||||
LOG_WARNING, );
|
LOG_WARNING, );
|
||||||
|
|
||||||
if (arg_key || startswith(u->url, "https://")) {
|
if (!streq_ptr(arg_key, "-") && (arg_key || startswith(u->url, "https://"))) {
|
||||||
easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE,
|
easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE,
|
||||||
LOG_ERR, return -EXFULL);
|
LOG_ERR, return -EXFULL);
|
||||||
easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE,
|
easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE,
|
||||||
LOG_ERR, return -EXFULL);
|
LOG_ERR, return -EXFULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (streq_ptr(arg_trust, "all"))
|
if (STRPTR_IN_SET(arg_trust, "-", "all"))
|
||||||
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
|
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
|
||||||
LOG_ERR, return -EUCLEAN);
|
LOG_ERR, return -EUCLEAN);
|
||||||
else if (arg_trust || startswith(u->url, "https://"))
|
else if (arg_trust || startswith(u->url, "https://"))
|
||||||
|
@ -515,12 +516,52 @@ static int perform_upload(Uploader *u) {
|
||||||
return update_cursor_state(u);
|
return update_cursor_state(u);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int config_parse_path_or_ignore(
|
||||||
|
const char *unit,
|
||||||
|
const char *filename,
|
||||||
|
unsigned line,
|
||||||
|
const char *section,
|
||||||
|
unsigned section_line,
|
||||||
|
const char *lvalue,
|
||||||
|
int ltype,
|
||||||
|
const char *rvalue,
|
||||||
|
void *data,
|
||||||
|
void *userdata) {
|
||||||
|
|
||||||
|
_cleanup_free_ char *n = NULL;
|
||||||
|
bool fatal = ltype;
|
||||||
|
char **s = data;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(filename);
|
||||||
|
assert(lvalue);
|
||||||
|
assert(rvalue);
|
||||||
|
assert(data);
|
||||||
|
|
||||||
|
if (isempty(rvalue))
|
||||||
|
goto finalize;
|
||||||
|
|
||||||
|
n = strdup(rvalue);
|
||||||
|
if (!n)
|
||||||
|
return log_oom();
|
||||||
|
|
||||||
|
if (streq(n, "-"))
|
||||||
|
goto finalize;
|
||||||
|
|
||||||
|
r = path_simplify_and_warn(n, PATH_CHECK_ABSOLUTE | (fatal ? PATH_CHECK_FATAL : 0), unit, filename, line, lvalue);
|
||||||
|
if (r < 0)
|
||||||
|
return fatal ? -ENOEXEC : 0;
|
||||||
|
|
||||||
|
finalize:
|
||||||
|
return free_and_replace(*s, n);
|
||||||
|
}
|
||||||
|
|
||||||
static int parse_config(void) {
|
static int parse_config(void) {
|
||||||
const ConfigTableItem items[] = {
|
const ConfigTableItem items[] = {
|
||||||
{ "Upload", "URL", config_parse_string, 0, &arg_url },
|
{ "Upload", "URL", config_parse_string, 0, &arg_url },
|
||||||
{ "Upload", "ServerKeyFile", config_parse_path, 0, &arg_key },
|
{ "Upload", "ServerKeyFile", config_parse_path_or_ignore, 0, &arg_key },
|
||||||
{ "Upload", "ServerCertificateFile", config_parse_path, 0, &arg_cert },
|
{ "Upload", "ServerCertificateFile", config_parse_path_or_ignore, 0, &arg_cert },
|
||||||
{ "Upload", "TrustedCertificateFile", config_parse_path, 0, &arg_trust },
|
{ "Upload", "TrustedCertificateFile", config_parse_path_or_ignore, 0, &arg_trust },
|
||||||
{}};
|
{}};
|
||||||
|
|
||||||
return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",
|
return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",
|
||||||
|
|
Loading…
Reference in a new issue