Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix:[CO-457] delete orphaned cert-key pair from domain SSL dir #126

Merged
merged 3 commits into from
Nov 25, 2022
+93 −6
Merged

fix:[CO-457] delete orphaned cert-key pair from domain SSL dir #126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1fae9b3
fix:[CO-457] delete orphaned certificate key
keshavbhatt Nov 23, 2022
923d6d5
chore: remove temp null checks
keshavbhatt Nov 24, 2022
c94bca8
chore: show in logs if obsolete cert key file is not deletable
keshavbhatt Nov 24, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 52 additions & 6 deletions store/src/java/com/zimbra/cs/util/proxyconfgen/ProxyConfGen.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
import org.apache.commons.cli.ParseException;

public class ProxyConfGen {

static final String ZIMBRA_USER = "zextras";
static final String ZIMBRA_UPSTREAM_NAME = "zimbra";
static final String ZIMBRA_UPSTREAM_WEBCLIENT_NAME = "zimbra_webclient";
Expand Down Expand Up @@ -177,9 +178,10 @@ private static CommandLine parseArgs(String[] args) {
* @author Davide Baldo
*/
private static List<ServerAttrItem> loadServerAttrs() throws ServiceException {
if (!(mProv instanceof LdapProv))
if (!(mProv instanceof LdapProv)) {
throw ServiceException.INVALID_REQUEST(
"The method can work only when LDAP is available", null);
}

final List<ServerAttrItem> serverAttrItems = new ArrayList<>();
for (Server server : mProv.getAllServers()) {
Expand All @@ -206,9 +208,10 @@ private static List<DomainAttrItem> loadDomainReverseProxyAttrs() throws Service
if (!mGenConfPerVhn) {
return Collections.emptyList();
}
if (!(mProv instanceof LdapProv))
if (!(mProv instanceof LdapProv)) {
throw ServiceException.INVALID_REQUEST(
"The method can work only when LDAP is available", null);
}

final Set<String> attrsNeeded = new HashSet<>();
attrsNeeded.add(ZAttrProvisioning.A_zimbraVirtualHostname);
Expand Down Expand Up @@ -375,7 +378,9 @@ public static void updateDomainCertificate(

/* Guess how to find a server object -- taken from ProvUtil::guessServerBy */
public static Key.ServerBy guessServerBy(String value) {
if (Provisioning.isUUID(value)) return Key.ServerBy.id;
if (Provisioning.isUUID(value)) {
return Key.ServerBy.id;
}
return Key.ServerBy.name;
}

Expand Down Expand Up @@ -657,7 +662,9 @@ private static void expandTemplateByExplodeServer(
ArrayList<String> cache = new ArrayList<>(50);
String line;
while ((line = temp.readLine()) != null) {
if (!line.startsWith("#")) cache.add(line); // cache only non-comment lines
if (!line.startsWith("#")) {
cache.add(line); // cache only non-comment lines
}
}

for (ServerAttrItem server : filteredServers) {
Expand Down Expand Up @@ -810,7 +817,9 @@ private static List<String> expandTemplateAndCache(BufferedReader temp, Buffered
String line;
ArrayList<String> cache = new ArrayList<>(50);
while ((line = temp.readLine()) != null) {
if (!line.startsWith("#")) cache.add(line); // cache only non-comment lines
if (!line.startsWith("#")) {
cache.add(line); // cache only non-comment lines
}
line = StringUtil.fillTemplate(line, mVars);
conf.write(line);
conf.newLine();
Expand Down Expand Up @@ -854,8 +863,9 @@ public static void displayVariables() throws ProxyConfException {
SortedSet<String> sk = new TreeSet<>(mVars.keySet());
for (String k : sk) {
ProxyConfVar proxyConfVar = mConfVars.get(k);
if (proxyConfVar instanceof TimeInSecVarWrapper)
if (proxyConfVar instanceof TimeInSecVarWrapper) {
proxyConfVar = ((TimeInSecVarWrapper) proxyConfVar).mVar;
}
proxyConfVar.write(System.out);
}
}
Expand Down Expand Up @@ -2221,6 +2231,9 @@ public static int createConf(String[] args) throws ServiceException, ProxyConfEx

String clientCA = loadAllClientCertCA();
writeClientCAtoFile(clientCA);

// cleanup DOMAIN_SSL_DIR
deleteObsoleteCertificateKeyPair(mDomainReverseProxyAttrs, mDryRun);
} catch (ProxyConfException | ServiceException pe) {
handleException(pe);
exitCode = 1;
Expand Down Expand Up @@ -2401,6 +2414,39 @@ public static int createConf(String[] args) throws ServiceException, ProxyConfEx
return (exitCode);
}

/**
* Cleanup of Obsolete certificate-key file pair from {@link ProxyConfGen#DOMAIN_SSL_DIR}
*
* @param mDomainReverseProxyAttrs List<{@link DomainAttrItem}> domain attribute items collected
* from domains
* @param dryRun if it's a dry run
* @author Keshav Bhatt
* @since 22.12.0
*/
private static void deleteObsoleteCertificateKeyPair(
final List<DomainAttrItem> mDomainReverseProxyAttrs, final boolean dryRun) {
List<String> filesInDirectory = Utils.getFilesPathInDirectory(DOMAIN_SSL_DIR);
for (DomainAttrItem entry : mDomainReverseProxyAttrs) {
filesInDirectory.removeIf(filePath -> (filePath.contains(entry.domainName)));
Polpetta marked this conversation as resolved.
Show resolved Hide resolved
}
if (dryRun) {
filesInDirectory.forEach(
fileName ->
LOG.info(
"Will delete obsoleted domain %s file %s",
(fileName.endsWith(SSL_KEY_EXT) ? "key" : "cert"), fileName));
} else {
filesInDirectory.forEach(
filePath -> {
try {
Utils.deleteFileIfExists(filePath);
keshavbhatt marked this conversation as resolved.
Show resolved Hide resolved
} catch (ProxyConfException e) {
LOG.info(e.getMessage());
}
});
}
}

/**
* Downloads all the certificates present in mDomainReverseProxyAttrs
*
Expand Down
41 changes: 41 additions & 0 deletions store/src/java/com/zimbra/cs/util/proxyconfgen/Utils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,16 @@
import com.zimbra.common.account.ZAttrProvisioning;
import com.zimbra.cs.account.Server;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.TreeSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public final class Utils {

Expand Down Expand Up @@ -49,4 +54,40 @@ public static void createFolder(String folderPath) throws ProxyConfException {
throw new ProxyConfException("Unable to create folder in " + folderPath);
}
}

/**
* Delete a file specified by the given path
*
* @param filePath path of file to delete
* @author Keshav Bhatt
* @since 22.12.0
*/
public static void deleteFileIfExists(final String filePath) throws ProxyConfException {
File file = new File(filePath);
if (file.exists()) {
try {
Files.delete(file.toPath());
} catch (final IOException ie) {
throw new ProxyConfException("Unable to delete file " + filePath);
}
}
}

/**
* Get file paths from the given directory path Note: This will only return path of regular
* 'files' in the given directory path limiting the scan to depth -> 1
*
* @param directoryPath path to get directory
* @return String List of file paths
* @author Keshav Bhatt
* @since 22.12.0
*/
public static List<String> getFilesPathInDirectory(final String directoryPath) {
try (Stream<Path> paths = Files.walk(Paths.get(directoryPath), 1)) {
return paths.filter(Files::isRegularFile).map(Path::toString).collect(Collectors.toList());
} catch (IOException ignored) {
// ignore
}
return List.of();
}
}