dewrich closed pull request #2334: TO postinstall -- modify GenerateCert.pm to not overwrite cdn.conf URL: https://github.com/apache/incubator-trafficcontrol/pull/2334
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/traffic_ops/install/lib/GenerateCert.pm b/traffic_ops/install/lib/GenerateCert.pm index 69cd73689..1b9ebaedf 100644 --- a/traffic_ops/install/lib/GenerateCert.pm +++ b/traffic_ops/install/lib/GenerateCert.pm @@ -40,57 +40,40 @@ my $msg = << 'EOF'; EOF -sub writeCdn_conf { - my $cdn_conf = shift; - - - # load as perl hash to find string to be replaced - my $cdnh = do $cdn_conf; - - # get existing port, if any - my $listen = $cdnh->{hypnotoad}{listen}[0]; - my ($port) = $listen =~ /:(\d+)/; - if (!defined($port)) { - $port = 60443; - } - # listen param to be inserted - my $listen_str = "https://[::]:${port}?cert=${cert}&key=${key}&ca=${ca}&verify=0x00&ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED"; - - if ( exists $cdnh->{hypnotoad} ) { - $cdnh->{hypnotoad}{listen} = [$listen_str]; - } - else { - # add the whole hypnotoad config without affecting anything else in the config - $cdnh->{hypnotoad} = { - listen => [$listen_str], - user => 'trafops', - group => 'trafops', - pid_file => '/var/run/traffic_ops.pid', - workers => 48, - }; - } +# Check the cdn.conf for the cert and key file references -- abort if they don't match what's defined here +# This normally wouldn't happen unless the user modified the cdn.conf to reference different file names, and in that +# case, they're probably generating certs outside of this anyway: this check is just here for safety.. +sub checkCdnConf { + my $cdn_conf = shift; + my $conf; + # load cdn.conf + { + local $/; # slurp mode + open my $fh, '<', $cdn_conf or die "Cannot load $cdn_conf\n"; + $conf = decode_json(scalar <$fh>); + } + + my $listen = $conf->{hypnotoad}{listen}[0]; + my $msg; + + if (!defined $listen) { + my $msg = <<"EOF"; + The "listen" portion of $cdn_conf is missing from $cdn_conf. + Please ensure it contains the same structure as the one originally installed. +EOF + } + + if ($listen !~ m@cert=$cert@ || $listen !~ m@key=$key@) { + $msg = << "EOF"; + The "listen" portion of $cdn_conf is: + $listen + and does not reference the same "cert=" and "key=" values as are created here. + Please modify $cdn_conf to add the following as parameters: + ?cert=$cert&key=$key +EOF + } - # write whole config to temp file in pwd (keeps in same filesystem) - my $tmpfile = File::Temp->new( DIR => '.' ); - writeJson( $tmpfile, $cdnh ); - close $tmpfile; - - # make backup of current file - my $backup_num = 0; - my $backup_name; - do { - $backup_num++; - $backup_name = "$cdn_conf.backup$backup_num"; - } while ( -e $backup_name ); - rename( $cdn_conf, $backup_name ) or die("rename(): $!"); - - # rename temp file to cdn.conf and set ownership/permissions same as backup - my @stats = stat($backup_name); - my ( $uid, $gid, $perm ) = @stats[ 4, 5, 2 ]; - move( $tmpfile, $cdn_conf ) or die("move(): $!"); - - chown $uid, $gid, $cdn_conf; - chmod $perm, $cdn_conf; + return $msg; } # execOpenssl takes a description of the command being done, and an array of arguments to OpenSSL, @@ -197,7 +180,6 @@ sub createCert { $result = InstallUtils::execCommand( "/bin/chmod", "664", "$csr" ); $result = InstallUtils::execCommand( "/bin/chown", "trafops:trafops", "$csr" ); - writeCdn_conf($cdn_conf); my $msg = << 'EOF'; @@ -211,6 +193,11 @@ sub createCert { EOF InstallUtils::logger( $msg, "info" ); + my $error = checkCdnConf($cdn_conf); + if ($error) { + errorOut( $error, "error "); + exit 1; + } return 0; } ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services