Diffstat (limited to 'cert-updater/main.cpp')
-rw-r--r--cert-updater/main.cpp45
1 files changed, 39 insertions, 6 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index 8c96f2e..78ad0dc 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2013 by Timothy Pearson *
+ * Copyright (C) 2013 - 2015 by Timothy Pearson *
* kb9vqf@pearsoncomputing.net *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -48,7 +48,12 @@
static const char description[] =
I18N_NOOP("TDE utility for updating realm certificates");
-static const char version[] = "v0.0.1";
+static const char version[] = "v0.0.2";
+
+static TDECmdLineOptions options[] = {
+ { "immediate", I18N_NOOP("Force immediate update"), 0 },
+ TDECmdLineLastOption
+};
bool received_sighup = false;
@@ -78,8 +83,8 @@ int get_certificate_from_server(TQString certificateName, TQString certificateFi
credentials->username = "";
credentials->password = "";
credentials->realm = realmcfg.name.upper();
- credentials->use_tls = false;
- LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldap://%1").arg(realmcfg.admin_server).ascii(), credentials);
+ credentials->use_tls = true;
+ LDAPManager* ldap_mgr = new LDAPManager(realmcfg.name.upper(), TQString("ldaps://%1").arg(realmcfg.admin_server).ascii(), credentials);
// Add the domain-wide computer local admin group to local sudoers
ldap_mgr->writeSudoersConfFile(&errorstring);
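Review bot: The switch to `ldaps://` with `use_tls = true` at the `LDAPManager* ldap_mgr = new LDAPManager(...)` line only buys something if LDAPManager verifies the server certificate against a trust store, and nothing in this hunk shows how that is configured. get_certificate_from_server is the routine that fetches the realm's own CA certificate, so on a host that has no local copy yet the first connection presumably cannot be checked against that CA; which store is consulted in that case is worth confirming in the LDAPManager code. A comment at the construction would record the dependency: `// ldaps: relies on LDAPManager verifying the server certificate -- confirm which trust store applies before the realm CA cert has been downloaded`. get_certificate_from_server starts and ends outside the hunk.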
@@ -125,15 +130,18 @@ int main(int argc, char *argv[])
// Initialize TDE application libraries
TDEAboutData aboutData( "tdeldapcertupdater", I18N_NOOP("Realm Certificate Updater"),
version, description, TDEAboutData::License_GPL,
- "(c) 2013, Timothy Pearson");
+ "(c) 2013 - 2015, Timothy Pearson");
aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
TDECmdLineArgs::init( argc, argv, &aboutData );
+ TDECmdLineArgs::addCmdLineOptions(options);
TDEApplication::disableAutoDcopRegistration();
TDEApplication app(false, false);
TDEStartupInfo::appStarted();
+ bool immediate = TDECmdLineArgs::parsedArgs()->isSet("immediate");
+
//======================================================================================================================================================
//
// Updater code follows
@@ -155,6 +163,7 @@ int main(int argc, char *argv[])
for (it = realms.begin(); it != realms.end(); ++it) {
LDAPRealmConfig realmcfg = it.data();
TQString certificateFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crt";
+ TQString crlFileName = KERBEROS_PKI_PUBLICDIR + realmcfg.admin_server + ".ldap.crl";
TQDateTime certExpiry;
TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
@@ -164,7 +173,7 @@ int main(int argc, char *argv[])
if (certExpiry >= now) {
printf("[INFO] Certificate %s expires %s\n", certificateFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
}
- if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
if (get_certificate_from_server("publicRootCertificate", certificateFileName, realmcfg) != 0) {
allDownloadsOK = false;
}
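Review bot: The rewritten condition `if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon)))` still carries the redundant `(certExpiry >= now) &&` clause; since `soon` is `now.addDays(7)`, the whole disjunction reduces to `if (immediate || certExpiry < soon) {` for valid date values. The same shape is copied into the new CRL block in the hunk at -180,7 (`if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon)))`), so both could be simplified together. main continues outside the hunk.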
@@ -180,7 +189,30 @@ int main(int argc, char *argv[])
allDownloadsOK = false;
}
}
+
+ if (TQFile::exists(crlFileName)) {
+ certExpiry = LDAPManager::getCertificateExpiration(crlFileName);
+ if (certExpiry >= now) {
+ printf("[INFO] CRL %s expires %s\n", crlFileName.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if (immediate || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ allDownloadsOK = false;
+ }
+ }
+ if (certExpiry < earliestCertExpiry) {
+ earliestCertExpiry = certExpiry;
+ }
+ }
+ else {
+ mkdir(TDE_CERTIFICATE_DIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ mkdir(KERBEROS_PKI_PUBLICDIR, S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ if (get_certificate_from_server("publicRootCertificateRevocationList", crlFileName, realmcfg) != 0) {
+ allDownloadsOK = false;
+ }
+ }
}
+ immediate = false;
earliestCertExpiry = earliestCertExpiry.addDays(-7); // Keep in sync with now.addDays above (use negative of value given above)
int secondsToExpiry = now.secsTo(earliestCertExpiry);
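Review bot: The new CRL branch reads its expiry with `LDAPManager::getCertificateExpiration(crlFileName)`, a routine whose name suggests it parses an X.509 certificate; whether it also understands a CRL's nextUpdate field cannot be seen here, and if it returns an invalid TQDateTime for a CRL, `certExpiry < now` and `certExpiry < earliestCertExpiry` would both read as true, forcing a re-download on every pass and feeding an invalid value into earliestCertExpiry. Worth confirming against the LDAPManager implementation and documenting at the call: `// NOTE: expects getCertificateExpiration to return the CRL's nextUpdate -- verify`. The block is otherwise a copy of the certificate block above it (expiry print, download-if-needed, earliest-expiry tracking, mkdir fallback), so a helper taking the attribute name and file name would let both share one implementation. Note also that the fallback branch at `mkdir(TDE_CERTIFICATE_DIR, ...)` does not read the freshly downloaded CRL's expiry, so its date only enters earliestCertExpiry on the next loop iteration. main continues outside the hunk.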
@@ -204,6 +236,7 @@ int main(int argc, char *argv[])
}
unlink(TDE_LDAP_CERT_UPDATER_PID_FILE);
+ delete systemconfig;
//======================================================================================================================================================