summaryrefslogtreecommitdiffstats
path: root/modules/md/mod_md_status.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:30 +0000
commit6beeb1b708550be0d4a53b272283e17e5e35fe17 (patch)
tree1ce8673d4aaa948e5554000101f46536a1e4cc29 /modules/md/mod_md_status.c
parentInitial commit. (diff)
downloadapache2-upstream.tar.xz
apache2-upstream.zip
Adding upstream version 2.4.57.upstream/2.4.57upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/md/mod_md_status.c')
-rw-r--r--modules/md/mod_md_status.c987
1 files changed, 987 insertions, 0 deletions
diff --git a/modules/md/mod_md_status.c b/modules/md/mod_md_status.c
new file mode 100644
index 0000000..2286051
--- /dev/null
+++ b/modules/md/mod_md_status.c
@@ -0,0 +1,987 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <assert.h>
+#include <apr_optional.h>
+#include <apr_time.h>
+#include <apr_date.h>
+#include <apr_strings.h>
+
+#include <httpd.h>
+#include <http_core.h>
+#include <http_protocol.h>
+#include <http_request.h>
+#include <http_log.h>
+
+#include "mod_status.h"
+
+#include "md.h"
+#include "md_curl.h"
+#include "md_crypt.h"
+#include "md_http.h"
+#include "md_ocsp.h"
+#include "md_json.h"
+#include "md_status.h"
+#include "md_store.h"
+#include "md_store_fs.h"
+#include "md_log.h"
+#include "md_reg.h"
+#include "md_util.h"
+#include "md_version.h"
+#include "md_acme.h"
+#include "md_acme_authz.h"
+
+#include "mod_md.h"
+#include "mod_md_private.h"
+#include "mod_md_config.h"
+#include "mod_md_drive.h"
+#include "mod_md_status.h"
+
+/**************************************************************************************************/
+/* Certificate status */
+
+#define APACHE_PREFIX "/.httpd/"
+#define MD_STATUS_RESOURCE APACHE_PREFIX"certificate-status"
+#define HTML_STATUS(X) (!((X)->flags & AP_STATUS_SHORT))
+
+int md_http_cert_status(request_rec *r)
+{
+ int i;
+ md_json_t *resp, *mdj, *cj;
+ const md_srv_conf_t *sc;
+ const md_t *md;
+ md_pkey_spec_t *spec;
+ const char *keyname;
+ apr_bucket_brigade *bb;
+ apr_status_t rv;
+
+ if (!r->parsed_uri.path || strcmp(MD_STATUS_RESOURCE, r->parsed_uri.path))
+ return DECLINED;
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "requesting status for: %s", r->hostname);
+
+ /* We are looking for information about a staged certificate */
+ sc = ap_get_module_config(r->server->module_config, &md_module);
+ if (!sc || !sc->mc || !sc->mc->reg || !sc->mc->certificate_status_enabled) return DECLINED;
+ md = md_get_by_domain(sc->mc->mds, r->hostname);
+ if (!md) return DECLINED;
+
+ if (r->method_number != M_GET) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "md(%s): status supports only GET", md->name);
+ return HTTP_NOT_IMPLEMENTED;
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "requesting status for MD: %s", md->name);
+
+ rv = md_status_get_md_json(&mdj, md, sc->mc->reg, sc->mc->ocsp, r->pool);
+ if (APR_SUCCESS != rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10204)
+ "loading md status for %s", md->name);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "status for MD: %s is %s", md->name, md_json_writep(mdj, r->pool, MD_JSON_FMT_INDENT));
+
+ resp = md_json_create(r->pool);
+
+ if (md_json_has_key(mdj, MD_KEY_CERT, MD_KEY_VALID, NULL)) {
+ md_json_setj(md_json_getj(mdj, MD_KEY_CERT, MD_KEY_VALID, NULL), resp, MD_KEY_VALID, NULL);
+ }
+
+ for (i = 0; i < md_cert_count(md); ++i) {
+ spec = md_pkeys_spec_get(md->pks, i);
+ keyname = md_pkey_spec_name(spec);
+ cj = md_json_create(r->pool);
+
+ if (md_json_has_key(mdj, MD_KEY_CERT, keyname, MD_KEY_VALID, NULL)) {
+ md_json_setj(md_json_getj(mdj, MD_KEY_CERT, keyname, MD_KEY_VALID, NULL),
+ cj, MD_KEY_VALID, NULL);
+ }
+
+ if (md_json_has_key(mdj, MD_KEY_CERT, keyname, MD_KEY_SERIAL, NULL)) {
+ md_json_sets(md_json_gets(mdj, MD_KEY_CERT, keyname, MD_KEY_SERIAL, NULL),
+ cj, MD_KEY_SERIAL, NULL);
+ }
+ if (md_json_has_key(mdj, MD_KEY_CERT, keyname, MD_KEY_SHA256_FINGERPRINT, NULL)) {
+ md_json_sets(md_json_gets(mdj, MD_KEY_CERT, keyname, MD_KEY_SHA256_FINGERPRINT, NULL),
+ cj, MD_KEY_SHA256_FINGERPRINT, NULL);
+ }
+ md_json_setj(cj, resp, keyname, NULL );
+ }
+
+ if (md_json_has_key(mdj, MD_KEY_RENEWAL, NULL)) {
+ /* copy over the information we want to make public about this:
+ * - when not finished, add an empty object to indicate something is going on
+ * - when a certificate is staged, add the information from that */
+ cj = md_json_getj(mdj, MD_KEY_RENEWAL, MD_KEY_CERT, NULL);
+ cj = cj? cj : md_json_create(r->pool);
+ md_json_setj(cj, resp, MD_KEY_RENEWAL, MD_KEY_CERT, NULL);
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "md[%s]: sending status", md->name);
+ apr_table_set(r->headers_out, "Content-Type", "application/json");
+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+ md_json_writeb(resp, MD_JSON_FMT_INDENT, bb);
+ ap_pass_brigade(r->output_filters, bb);
+ apr_brigade_cleanup(bb);
+
+ return DONE;
+}
+
+/**************************************************************************************************/
+/* Status hook */
+
+typedef struct {
+ apr_pool_t *p;
+ const md_mod_conf_t *mc;
+ apr_bucket_brigade *bb;
+ int flags;
+ const char *prefix;
+ const char *separator;
+} status_ctx;
+
+typedef struct status_info status_info;
+
+static void add_json_val(status_ctx *ctx, md_json_t *j);
+
+typedef void add_status_fn(status_ctx *ctx, md_json_t *mdj, const status_info *info);
+
+struct status_info {
+ const char *label;
+ const char *key;
+ add_status_fn *fn;
+};
+
+static void si_val_status(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ const char *s = "unknown";
+ apr_time_t until;
+ (void)info;
+ switch (md_json_getl(mdj, info->key, NULL)) {
+ case MD_S_INCOMPLETE:
+ s = md_json_gets(mdj, MD_KEY_STATE_DESCR, NULL);
+ s = s? apr_psprintf(ctx->p, "incomplete: %s", s) : "incomplete";
+ break;
+ case MD_S_EXPIRED_DEPRECATED:
+ case MD_S_COMPLETE:
+ until = md_json_get_time(mdj, MD_KEY_CERT, MD_KEY_VALID, MD_KEY_UNTIL, NULL);
+ s = (!until || until > apr_time_now())? "good" : "expired";
+ break;
+ case MD_S_ERROR: s = "error"; break;
+ case MD_S_MISSING_INFORMATION: s = "missing information"; break;
+ default: break;
+ }
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, s);
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%s: %s\n",
+ ctx->prefix, info->label, s);
+ }
+}
+
+static void si_val_url(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ const char *url, *s;
+
+ s = url = md_json_gets(mdj, info->key, NULL);
+ if (!url) return;
+ s = md_get_ca_name_from_url(ctx->p, url);
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "<a href='%s'>%s</a>",
+ ap_escape_html2(ctx->p, url, 1),
+ ap_escape_html2(ctx->p, s, 1));
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%sName: %s\n",
+ ctx->prefix, info->label, s);
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%sURL: %s\n",
+ ctx->prefix, info->label, url);
+ }
+}
+
+static void print_date(status_ctx *ctx, apr_time_t timestamp, const char *title)
+{
+ apr_bucket_brigade *bb = ctx->bb;
+ if (timestamp > 0) {
+ char ts[128];
+ char ts2[128];
+ apr_time_exp_t texp;
+ apr_size_t len;
+
+ apr_time_exp_gmt(&texp, timestamp);
+ apr_strftime(ts, &len, sizeof(ts2)-1, "%Y-%m-%d", &texp);
+ ts[len] = '\0';
+ if (!title) {
+ apr_strftime(ts2, &len, sizeof(ts)-1, "%Y-%m-%dT%H:%M:%SZ", &texp);
+ ts2[len] = '\0';
+ title = ts2;
+ }
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_printf(bb, NULL, NULL,
+ "<span title='%s' style='white-space: nowrap;'>%s</span>",
+ ap_escape_html2(bb->p, title, 1), ts);
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%s%s: %s\n",
+ ctx->prefix, title, ts);
+ }
+ }
+}
+
+static void print_time(status_ctx *ctx, const char *label, apr_time_t t)
+{
+ apr_bucket_brigade *bb = ctx->bb;
+ apr_time_t now;
+ const char *pre, *post, *sep;
+ char ts[APR_RFC822_DATE_LEN];
+ char ts2[128];
+ apr_time_exp_t texp;
+ apr_size_t len;
+ apr_interval_time_t delta;
+
+ if (t == 0) {
+ /* timestamp is 0, we use that for "not set" */
+ return;
+ }
+ apr_time_exp_gmt(&texp, t);
+ now = apr_time_now();
+ pre = post = "";
+ sep = (label && strlen(label))? " " : "";
+ delta = 0;
+ if (HTML_STATUS(ctx)) {
+ apr_rfc822_date(ts, t);
+ if (t > now) {
+ delta = t - now;
+ pre = "in ";
+ }
+ else {
+ delta = now - t;
+ post = " ago";
+ }
+ if (delta >= (4 * apr_time_from_sec(MD_SECS_PER_DAY))) {
+ apr_strftime(ts2, &len, sizeof(ts2)-1, "%Y-%m-%d", &texp);
+ ts2[len] = '\0';
+ apr_brigade_printf(bb, NULL, NULL, "%s%s<span title='%s' "
+ "style='white-space: nowrap;'>%s</span>",
+ label, sep, ts, ts2);
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%s%s<span title='%s'>%s%s%s</span>",
+ label, sep, ts, pre, md_duration_roughly(bb->p, delta), post);
+ }
+ }
+ else {
+ delta = t - now;
+ apr_brigade_printf(bb, NULL, NULL, "%s%s: %" APR_TIME_T_FMT "\n",
+ ctx->prefix, label, apr_time_sec(delta));
+ }
+}
+
+static void si_val_valid_time(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ const char *sfrom, *suntil, *sep, *title;
+ apr_time_t from, until;
+
+ sep = NULL;
+ sfrom = md_json_gets(mdj, info->key, MD_KEY_FROM, NULL);
+ from = sfrom? apr_date_parse_rfc(sfrom) : 0;
+ suntil = md_json_gets(mdj, info->key, MD_KEY_UNTIL, NULL);
+ until = suntil?apr_date_parse_rfc(suntil) : 0;
+
+ if (HTML_STATUS(ctx)) {
+ if (from > apr_time_now()) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "from ");
+ print_date(ctx, from, sfrom);
+ sep = " ";
+ }
+ if (until) {
+ if (sep) apr_brigade_puts(ctx->bb, NULL, NULL, sep);
+ apr_brigade_puts(ctx->bb, NULL, NULL, "until ");
+ title = sfrom? apr_psprintf(ctx->p, "%s - %s", sfrom, suntil) : suntil;
+ print_date(ctx, until, title);
+ }
+ }
+ else {
+ if (from > apr_time_now()) {
+ print_date(ctx, from,
+ apr_pstrcat(ctx->p, info->label, "From", NULL));
+ }
+ if (until) {
+ print_date(ctx, from,
+ apr_pstrcat(ctx->p, info->label, "Until", NULL));
+ }
+ }
+}
+
+static void si_add_header(status_ctx *ctx, const status_info *info)
+{
+ if (HTML_STATUS(ctx)) {
+ const char *html = ap_escape_html2(ctx->p, info->label, 1);
+ apr_brigade_printf(ctx->bb, NULL, NULL, "<th class=\"%s\">%s</th>", html, html);
+ }
+}
+
+static void si_val_cert_valid_time(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ md_json_t *jcert;
+ status_info sub = *info;
+
+ sub.key = MD_KEY_VALID;
+ jcert = md_json_getj(mdj, info->key, NULL);
+ if (jcert) si_val_valid_time(ctx, jcert, &sub);
+}
+
+static void val_url_print(status_ctx *ctx, const status_info *info,
+ const char*url, const char *proto, int i)
+{
+ const char *s;
+
+ if (proto && !strcmp(proto, "tailscale")) {
+ s = "tailscale";
+ }
+ else if (url) {
+ s = md_get_ca_name_from_url(ctx->p, url);
+ }
+ else {
+ return;
+ }
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s<a href='%s'>%s</a>",
+ i? " " : "",
+ ap_escape_html2(ctx->p, url, 1),
+ ap_escape_html2(ctx->p, s, 1));
+ }
+ else if (i == 0) {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%sName: %s\n",
+ ctx->prefix, info->label, s);
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%sURL: %s\n",
+ ctx->prefix, info->label, url);
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%sName%d: %s\n",
+ ctx->prefix, info->label, i, s);
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s%sURL%d: %s\n",
+ ctx->prefix, info->label, i, url);
+ }
+}
+
+static void si_val_ca_urls(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ md_json_t *jcert;
+ const char *proto, *url;
+ apr_array_header_t *urls;
+ int i;
+
+ jcert = md_json_getj(mdj, info->key, NULL);
+ if (!jcert) {
+ return;
+ }
+
+ proto = md_json_gets(jcert, MD_KEY_PROTO, NULL);
+ url = md_json_gets(jcert, MD_KEY_URL, NULL);
+ if (url) {
+ /* print the effective CA url used, if set */
+ val_url_print(ctx, info, url, proto, 0);
+ }
+ else {
+ /* print the available CA urls configured */
+ urls = apr_array_make(ctx->p, 3, sizeof(const char*));
+ md_json_getsa(urls, jcert, MD_KEY_URLS, NULL);
+ for (i = 0; i < urls->nelts; ++i) {
+ url = APR_ARRAY_IDX(urls, i, const char*);
+ val_url_print(ctx, info, url, proto, i);
+ }
+ }
+}
+
+static int count_certs(void *baton, const char *key, md_json_t *json)
+{
+ int *pcount = baton;
+
+ (void)json;
+ if (strcmp(key, MD_KEY_VALID)) {
+ *pcount += 1;
+ }
+ return 1;
+}
+
+static void print_job_summary(status_ctx *ctx, md_json_t *mdj, const char *key,
+ const char *separator)
+{
+ apr_bucket_brigade *bb = ctx->bb;
+ char buffer[HUGE_STRING_LEN];
+ apr_status_t rv;
+ int finished, errors, cert_count;
+ apr_time_t t;
+ const char *s, *line;
+
+ if (!md_json_has_key(mdj, key, NULL)) {
+ return;
+ }
+
+ finished = md_json_getb(mdj, key, MD_KEY_FINISHED, NULL);
+ errors = (int)md_json_getl(mdj, key, MD_KEY_ERRORS, NULL);
+ rv = (apr_status_t)md_json_getl(mdj, key, MD_KEY_LAST, MD_KEY_STATUS, NULL);
+
+ line = separator? separator : "";
+
+ if (rv != APR_SUCCESS) {
+ char *errstr = apr_strerror(rv, buffer, sizeof(buffer));
+ s = md_json_gets(mdj, key, MD_KEY_LAST, MD_KEY_PROBLEM, NULL);
+ if (HTML_STATUS(ctx)) {
+ line = apr_psprintf(bb->p, "%s Error[%s]: %s", line,
+ errstr, s? s : "");
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%sLastStatus: %s\n", ctx->prefix, errstr);
+ apr_brigade_printf(bb, NULL, NULL, "%sLastProblem: %s\n", ctx->prefix, s);
+ }
+ }
+
+ if (!HTML_STATUS(ctx)) {
+ apr_brigade_printf(bb, NULL, NULL, "%sFinished: %s\n", ctx->prefix,
+ finished ? "yes" : "no");
+ }
+ if (finished) {
+ cert_count = 0;
+ md_json_iterkey(count_certs, &cert_count, mdj, key, MD_KEY_CERT, NULL);
+ if (HTML_STATUS(ctx)) {
+ if (cert_count > 0) {
+ line =apr_psprintf(bb->p, "%s finished, %d new certificate%s staged.",
+ line, cert_count, cert_count > 1? "s" : "");
+ }
+ else {
+ line = apr_psprintf(bb->p, "%s finished successfully.", line);
+ }
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%sNewStaged: %d\n", ctx->prefix, cert_count);
+ }
+ }
+ else {
+ s = md_json_gets(mdj, key, MD_KEY_LAST, MD_KEY_DETAIL, NULL);
+ if (s) {
+ if (HTML_STATUS(ctx)) {
+ line = apr_psprintf(bb->p, "%s %s", line, s);
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%sLastDetail: %s\n", ctx->prefix, s);
+ }
+ }
+ }
+
+ errors = (int)md_json_getl(mdj, MD_KEY_ERRORS, NULL);
+ if (errors > 0) {
+ if (HTML_STATUS(ctx)) {
+ line = apr_psprintf(bb->p, "%s (%d retr%s) ", line,
+ errors, (errors > 1)? "y" : "ies");
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%sRetries: %d\n", ctx->prefix, errors);
+ }
+ }
+
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(bb, NULL, NULL, line);
+ }
+
+ t = md_json_get_time(mdj, key, MD_KEY_NEXT_RUN, NULL);
+ if (t > apr_time_now() && !finished) {
+ print_time(ctx,
+ HTML_STATUS(ctx) ? "\nNext run" : "NextRun",
+ t);
+ }
+ else if (line[0] != '\0') {
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(bb, NULL, NULL, "\nOngoing...");
+ }
+ else {
+ apr_brigade_printf(bb, NULL, NULL, "%s: Ongoing\n", ctx->prefix);
+ }
+ }
+}
+
+static void si_val_activity(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ apr_time_t t;
+ const char *prefix = ctx->prefix;
+
+ (void)info;
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, info->label, NULL);
+ }
+
+ if (md_json_has_key(mdj, MD_KEY_RENEWAL, NULL)) {
+ print_job_summary(ctx, mdj, MD_KEY_RENEWAL, NULL);
+ return;
+ }
+
+ t = md_json_get_time(mdj, MD_KEY_RENEW_AT, NULL);
+ if (t > apr_time_now()) {
+ print_time(ctx, "Renew", t);
+ }
+ else if (t) {
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "Pending");
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s: %s", ctx->prefix, "Pending");
+ }
+ }
+ else if (MD_RENEW_MANUAL == md_json_getl(mdj, MD_KEY_RENEW_MODE, NULL)) {
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "Manual renew");
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s: %s", ctx->prefix, "Manual renew");
+ }
+ }
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = prefix;
+ }
+}
+
+static int cert_check_iter(void *baton, const char *key, md_json_t *json)
+{
+ status_ctx *ctx = baton;
+ const char *fingerprint;
+
+ fingerprint = md_json_gets(json, MD_KEY_SHA256_FINGERPRINT, NULL);
+ if (fingerprint) {
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_printf(ctx->bb, NULL, NULL,
+ "<a href=\"%s%s\">%s[%s]</a><br>",
+ ctx->mc->cert_check_url, fingerprint,
+ ctx->mc->cert_check_name, key);
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL,
+ "%sType: %s\n",
+ ctx->prefix,
+ key);
+ apr_brigade_printf(ctx->bb, NULL, NULL,
+ "%sName: %s\n",
+ ctx->prefix,
+ ctx->mc->cert_check_name);
+ apr_brigade_printf(ctx->bb, NULL, NULL,
+ "%sURL: %s%s\n",
+ ctx->prefix,
+ ctx->mc->cert_check_url, fingerprint);
+ apr_brigade_printf(ctx->bb, NULL, NULL,
+ "%sFingerprint: %s\n",
+ ctx->prefix,
+ fingerprint);
+ }
+ }
+ return 1;
+}
+
+static void si_val_remote_check(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ (void)info;
+ if (ctx->mc->cert_check_name && ctx->mc->cert_check_url) {
+ const char *prefix = ctx->prefix;
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, info->label, NULL);
+ }
+ md_json_iterkey(cert_check_iter, ctx, mdj, MD_KEY_CERT, NULL);
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = prefix;
+ }
+ }
+}
+
+static void si_val_stapling(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ (void)info;
+ if (!md_json_getb(mdj, MD_KEY_STAPLING, NULL)) return;
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "on");
+ }
+ else {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "%s: on", ctx->prefix);
+ }
+}
+
+static int json_iter_val(void *data, size_t index, md_json_t *json)
+{
+ status_ctx *ctx = data;
+ const char *prefix = ctx->prefix;
+ if (HTML_STATUS(ctx)) {
+ if (index) apr_brigade_puts(ctx->bb, NULL, NULL, ctx->separator);
+ }
+ else {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, apr_psprintf(ctx->p, "[%" APR_SIZE_T_FMT "]", index), NULL);
+ }
+ add_json_val(ctx, json);
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = prefix;
+ }
+ return 1;
+}
+
+static void add_json_val(status_ctx *ctx, md_json_t *j)
+{
+ if (!j) return;
+ if (md_json_is(MD_JSON_TYPE_ARRAY, j, NULL)) {
+ md_json_itera(json_iter_val, ctx, j, NULL);
+ return;
+ }
+ if (!HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, ctx->prefix);
+ apr_brigade_puts(ctx->bb, NULL, NULL, ": ");
+ }
+ if (md_json_is(MD_JSON_TYPE_INT, j, NULL)) {
+ md_json_writeb(j, MD_JSON_FMT_COMPACT, ctx->bb);
+ }
+ else if (md_json_is(MD_JSON_TYPE_STRING, j, NULL)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, md_json_gets(j, NULL));
+ }
+ else if (md_json_is(MD_JSON_TYPE_OBJECT, j, NULL)) {
+ md_json_writeb(j, MD_JSON_FMT_COMPACT, ctx->bb);
+ }
+ else if (md_json_is(MD_JSON_TYPE_BOOL, j, NULL)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, md_json_getb(j, NULL)? "on" : "off");
+ }
+ if (!HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "\n");
+ }
+}
+
+static void si_val_names(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ const char *prefix = ctx->prefix;
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "<div style=\"max-width:400px;\">");
+ }
+ else {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, info->label, NULL);
+ }
+ add_json_val(ctx, md_json_getj(mdj, info->key, NULL));
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "</div>");
+ }
+ else {
+ ctx->prefix = prefix;
+ }
+}
+
+static void add_status_cell(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ if (info->fn) {
+ info->fn(ctx, mdj, info);
+ }
+ else {
+ const char *prefix = ctx->prefix;
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, info->label, NULL);
+ }
+ add_json_val(ctx, md_json_getj(mdj, info->key, NULL));
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = prefix;
+ }
+ }
+}
+
+static const status_info status_infos[] = {
+ { "Domain", MD_KEY_NAME, NULL },
+ { "Names", MD_KEY_DOMAINS, si_val_names },
+ { "Status", MD_KEY_STATE, si_val_status },
+ { "Valid", MD_KEY_CERT, si_val_cert_valid_time },
+ { "CA", MD_KEY_CA, si_val_ca_urls },
+ { "Stapling", MD_KEY_STAPLING, si_val_stapling },
+ { "CheckAt", MD_KEY_SHA256_FINGERPRINT, si_val_remote_check },
+ { "Activity", MD_KEY_NOTIFIED, si_val_activity },
+};
+
+static int add_md_row(void *baton, apr_size_t index, md_json_t *mdj)
+{
+ status_ctx *ctx = baton;
+ const char *prefix = ctx->prefix;
+ int i;
+
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "<tr class=\"%s\">", (index % 2)? "odd" : "even");
+ for (i = 0; i < (int)(sizeof(status_infos)/sizeof(status_infos[0])); ++i) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "<td>");
+ add_status_cell(ctx, mdj, &status_infos[i]);
+ apr_brigade_puts(ctx->bb, NULL, NULL, "</td>");
+ }
+ apr_brigade_puts(ctx->bb, NULL, NULL, "</tr>");
+ } else {
+ for (i = 0; i < (int)(sizeof(status_infos)/sizeof(status_infos[0])); ++i) {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, apr_psprintf(ctx->p, "[%" APR_SIZE_T_FMT "]", index), NULL);
+ add_status_cell(ctx, mdj, &status_infos[i]);
+ ctx->prefix = prefix;
+ }
+ }
+ return 1;
+}
+
+static int md_name_cmp(const void *v1, const void *v2)
+{
+ return strcmp((*(const md_t**)v1)->name, (*(const md_t**)v2)->name);
+}
+
+int md_domains_status_hook(request_rec *r, int flags)
+{
+ const md_srv_conf_t *sc;
+ const md_mod_conf_t *mc;
+ int i;
+ status_ctx ctx;
+ apr_array_header_t *mds;
+ md_json_t *jstatus, *jstock;
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "server-status for managed domains, start");
+ sc = ap_get_module_config(r->server->module_config, &md_module);
+ if (!sc) return DECLINED;
+ mc = sc->mc;
+ if (!mc || !mc->server_status_enabled) return DECLINED;
+
+ ctx.p = r->pool;
+ ctx.mc = mc;
+ ctx.bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+ ctx.flags = flags;
+ ctx.prefix = "ManagedCertificates";
+ ctx.separator = " ";
+
+ mds = apr_array_copy(r->pool, mc->mds);
+ qsort(mds->elts, (size_t)mds->nelts, sizeof(md_t *), md_name_cmp);
+
+ if (!HTML_STATUS(&ctx)) {
+ int total = 0, complete = 0, renewing = 0, errored = 0, ready = 0;
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "no-html managed domain status summary");
+ if (mc->mds->nelts > 0) {
+ md_status_take_stock(&jstock, mds, mc->reg, r->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "got JSON managed domain status summary");
+ total = (int)md_json_getl(jstock, MD_KEY_TOTAL, NULL);
+ complete = (int)md_json_getl(jstock, MD_KEY_COMPLETE, NULL);
+ renewing = (int)md_json_getl(jstock, MD_KEY_RENEWING, NULL);
+ errored = (int)md_json_getl(jstock, MD_KEY_ERRORED, NULL);
+ ready = (int)md_json_getl(jstock, MD_KEY_READY, NULL);
+ }
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sTotal: %d\n", ctx.prefix, total);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sOK: %d\n", ctx.prefix, complete);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sRenew: %d\n", ctx.prefix, renewing);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sErrored: %d\n", ctx.prefix, errored);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sReady: %d\n", ctx.prefix, ready);
+ }
+ if (mc->mds->nelts > 0) {
+ md_status_get_json(&jstatus, mds, mc->reg, mc->ocsp, r->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "got JSON managed domain status");
+ if (HTML_STATUS(&ctx)) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "html managed domain status table");
+ apr_brigade_puts(ctx.bb, NULL, NULL,
+ "<hr>\n<h3>Managed Certificates</h3>\n<table class='md_status'><thead><tr>\n");
+ for (i = 0; i < (int)(sizeof(status_infos)/sizeof(status_infos[0])); ++i) {
+ si_add_header(&ctx, &status_infos[i]);
+ }
+ apr_brigade_puts(ctx.bb, NULL, NULL, "</tr>\n</thead><tbody>");
+ }
+ else {
+ ctx.prefix = "ManagedDomain";
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "iterating JSON managed domain status");
+ md_json_itera(add_md_row, &ctx, jstatus, MD_KEY_MDS, NULL);
+ if (HTML_STATUS(&ctx)) {
+ apr_brigade_puts(ctx.bb, NULL, NULL, "</td></tr>\n</tbody>\n</table>\n");
+ }
+ }
+
+ ap_pass_brigade(r->output_filters, ctx.bb);
+ apr_brigade_cleanup(ctx.bb);
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "server-status for managed domains, end");
+
+ return OK;
+}
+
+static void si_val_ocsp_activity(status_ctx *ctx, md_json_t *mdj, const status_info *info)
+{
+ apr_time_t t;
+ const char *prefix = ctx->prefix;
+
+ (void)info;
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, info->label, NULL);
+ }
+ t = md_json_get_time(mdj, MD_KEY_RENEW_AT, NULL);
+ print_time(ctx, "Refresh", t);
+ print_job_summary(ctx, mdj, MD_KEY_RENEWAL, ": ");
+ if (!HTML_STATUS(ctx)) {
+ ctx->prefix = prefix;
+ }
+}
+
+static const status_info ocsp_status_infos[] = {
+ { "Domain", MD_KEY_DOMAIN, NULL },
+ { "CertificateID", MD_KEY_ID, NULL },
+ { "OCSPStatus", MD_KEY_STATUS, NULL },
+ { "StaplingValid", MD_KEY_VALID, si_val_valid_time },
+ { "Responder", MD_KEY_URL, si_val_url },
+ { "Activity", MD_KEY_NOTIFIED, si_val_ocsp_activity },
+};
+
+static int add_ocsp_row(void *baton, apr_size_t index, md_json_t *mdj)
+{
+ status_ctx *ctx = baton;
+ const char *prefix = ctx->prefix;
+ int i;
+
+ if (HTML_STATUS(ctx)) {
+ apr_brigade_printf(ctx->bb, NULL, NULL, "<tr class=\"%s\">", (index % 2)? "odd" : "even");
+ for (i = 0; i < (int)(sizeof(ocsp_status_infos)/sizeof(ocsp_status_infos[0])); ++i) {
+ apr_brigade_puts(ctx->bb, NULL, NULL, "<td>");
+ add_status_cell(ctx, mdj, &ocsp_status_infos[i]);
+ apr_brigade_puts(ctx->bb, NULL, NULL, "</td>");
+ }
+ apr_brigade_puts(ctx->bb, NULL, NULL, "</tr>");
+ } else {
+ for (i = 0; i < (int)(sizeof(ocsp_status_infos)/sizeof(ocsp_status_infos[0])); ++i) {
+ ctx->prefix = apr_pstrcat(ctx->p, prefix, apr_psprintf(ctx->p, "[%" APR_SIZE_T_FMT "]", index), NULL);
+ add_status_cell(ctx, mdj, &ocsp_status_infos[i]);
+ ctx->prefix = prefix;
+ }
+ }
+ return 1;
+}
+
+int md_ocsp_status_hook(request_rec *r, int flags)
+{
+ const md_srv_conf_t *sc;
+ const md_mod_conf_t *mc;
+ int i;
+ status_ctx ctx;
+ md_json_t *jstatus, *jstock;
+
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "server-status for ocsp stapling, start");
+ sc = ap_get_module_config(r->server->module_config, &md_module);
+ if (!sc) return DECLINED;
+ mc = sc->mc;
+ if (!mc || !mc->server_status_enabled) return DECLINED;
+
+ ctx.p = r->pool;
+ ctx.mc = mc;
+ ctx.bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+ ctx.flags = flags;
+ ctx.prefix = "ManagedStaplings";
+ ctx.separator = " ";
+
+ if (!HTML_STATUS(&ctx)) {
+ int total = 0, good = 0, revoked = 0, unknown = 0;
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "no-html ocsp stapling status summary");
+ if (md_ocsp_count(mc->ocsp) > 0) {
+ md_ocsp_get_summary(&jstock, mc->ocsp, r->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "got JSON ocsp stapling status summary");
+ total = (int)md_json_getl(jstock, MD_KEY_TOTAL, NULL);
+ good = (int)md_json_getl(jstock, MD_KEY_GOOD, NULL);
+ revoked = (int)md_json_getl(jstock, MD_KEY_REVOKED, NULL);
+ unknown = (int)md_json_getl(jstock, MD_KEY_UNKNOWN, NULL);
+ }
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sTotal: %d\n", ctx.prefix, total);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sOK: %d\n", ctx.prefix, good);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sRenew: %d\n", ctx.prefix, revoked);
+ apr_brigade_printf(ctx.bb, NULL, NULL, "%sErrored: %d\n", ctx.prefix, unknown);
+ }
+ if (md_ocsp_count(mc->ocsp) > 0) {
+ md_ocsp_get_status_all(&jstatus, mc->ocsp, r->pool);
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "got JSON ocsp stapling status");
+ if (HTML_STATUS(&ctx)) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "html ocsp stapling status table");
+ apr_brigade_puts(ctx.bb, NULL, NULL,
+ "<hr>\n<h3>Managed Staplings</h3>\n<table class='md_ocsp_status'><thead><tr>\n");
+ for (i = 0; i < (int)(sizeof(ocsp_status_infos)/sizeof(ocsp_status_infos[0])); ++i) {
+ si_add_header(&ctx, &ocsp_status_infos[i]);
+ }
+ apr_brigade_puts(ctx.bb, NULL, NULL, "</tr>\n</thead><tbody>");
+ }
+ else {
+ ctx.prefix = "ManagedStapling";
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "iterating JSON ocsp stapling status");
+ md_json_itera(add_ocsp_row, &ctx, jstatus, MD_KEY_OCSPS, NULL);
+ if (HTML_STATUS(&ctx)) {
+ apr_brigade_puts(ctx.bb, NULL, NULL, "</td></tr>\n</tbody>\n</table>\n");
+ }
+ }
+
+ ap_pass_brigade(r->output_filters, ctx.bb);
+ apr_brigade_cleanup(ctx.bb);
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "server-status for ocsp stapling, end");
+
+ return OK;
+}
+
+/**************************************************************************************************/
+/* Status handlers */
+
+int md_status_handler(request_rec *r)
+{
+ const md_srv_conf_t *sc;
+ const md_mod_conf_t *mc;
+ apr_array_header_t *mds;
+ md_json_t *jstatus;
+ apr_bucket_brigade *bb;
+ const md_t *md;
+ const char *name;
+
+ if (strcmp(r->handler, "md-status")) {
+ return DECLINED;
+ }
+
+ sc = ap_get_module_config(r->server->module_config, &md_module);
+ if (!sc) return DECLINED;
+ mc = sc->mc;
+ if (!mc) return DECLINED;
+
+ if (r->method_number != M_GET) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "md-status supports only GET");
+ return HTTP_NOT_IMPLEMENTED;
+ }
+
+ jstatus = NULL;
+ md = NULL;
+ if (r->path_info && r->path_info[0] == '/' && r->path_info[1] != '\0') {
+ name = strrchr(r->path_info, '/') + 1;
+ md = md_get_by_name(mc->mds, name);
+ if (!md) md = md_get_by_domain(mc->mds, name);
+ }
+
+ if (md) {
+ md_status_get_md_json(&jstatus, md, mc->reg, mc->ocsp, r->pool);
+ }
+ else {
+ mds = apr_array_copy(r->pool, mc->mds);
+ qsort(mds->elts, (size_t)mds->nelts, sizeof(md_t *), md_name_cmp);
+ md_status_get_json(&jstatus, mds, mc->reg, mc->ocsp, r->pool);
+ }
+
+ if (jstatus) {
+ apr_table_set(r->headers_out, "Content-Type", "application/json");
+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+ md_json_writeb(jstatus, MD_JSON_FMT_INDENT, bb);
+ ap_pass_brigade(r->output_filters, bb);
+ apr_brigade_cleanup(bb);
+
+ return DONE;
+ }
+ return DECLINED;
+}
+