Merging upstream version 1.16.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2019-08-04 08:57:13 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2019-08-04 08:57:13 +0000
commit: cbf70980c060bde02906a8e9de2064459bacc93c (patch)
tree: 5b9ade02e0ed32a4b33f5e8647092d0c02ea586d /libnetdata/socket/socket.c
parent: Releasing debian version 1.16.0-1. (diff)
download: netdata-cbf70980c060bde02906a8e9de2064459bacc93c.tar.xz
netdata-cbf70980c060bde02906a8e9de2064459bacc93c.zip
1 files changed, 40 insertions, 26 deletions
diff --git a/libnetdata/socket/socket.c b/libnetdata/socket/socket.c
index 282710081..22abb47f4 100644
--- a/libnetdata/socket/socket.c
+++ b/libnetdata/socket/socket.c
@@ -301,39 +301,47 @@ void listen_sockets_close(LISTEN_SOCKETS *sockets) {
     sockets->failed = 0;
 }
 
-WEB_CLIENT_ACL socket_ssl_acl(char *ssl) {
+/*
+ *  SSL ACL
+ *
+ *  Search the SSL acl and apply it case it is set.
+ *
+ *  @param acl is the acl given by the user.
+ */
+WEB_CLIENT_ACL socket_ssl_acl(char *acl) {
+    char *ssl = strchr(acl,'^');
+    if(ssl) {
+        //Due the format of the SSL command it is always the last command,
+        //we finish it here to avoid problems with the ACLs
+        *ssl = '\0';
 #ifdef ENABLE_HTTPS
-    if (!strcmp(ssl,"optional")) {
-        netdata_use_ssl_on_http = NETDATA_SSL_OPTIONAL;
-        return WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING;
-    }
-    else if (!strcmp(ssl,"force")) {
-        netdata_use_ssl_on_stream = NETDATA_SSL_FORCE;
-        return WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING;
-    }
+        ssl++;
+        if (!strncmp("SSL=",ssl,4)) {
+            ssl += 4;
+            if (!strcmp(ssl,"optional")) {
+                return WEB_CLIENT_ACL_SSL_OPTIONAL;
+            }
+            else if (!strcmp(ssl,"force")) {
+                return WEB_CLIENT_ACL_SSL_FORCE;
+            }
+        }
 #endif
+    }
 
     return WEB_CLIENT_ACL_NONE;
 }
 
 WEB_CLIENT_ACL read_acl(char *st) {
-    char *ssl = strchr(st,'^');
-    if (ssl) {
-        ssl++;
-        if (!strncmp("SSL=",ssl,4)) {
-            ssl += 4;
-        }
-        socket_ssl_acl(ssl);
-    }
+    WEB_CLIENT_ACL ret = socket_ssl_acl(st);
 
-    if (!strcmp(st,"dashboard")) return WEB_CLIENT_ACL_DASHBOARD;
-    if (!strcmp(st,"registry")) return WEB_CLIENT_ACL_REGISTRY;
-    if (!strcmp(st,"badges")) return WEB_CLIENT_ACL_BADGE;
-    if (!strcmp(st,"management")) return WEB_CLIENT_ACL_MGMT;
-    if (!strcmp(st,"streaming")) return WEB_CLIENT_ACL_STREAMING;
-    if (!strcmp(st,"netdata.conf")) return WEB_CLIENT_ACL_NETDATACONF;
+    if (!strcmp(st,"dashboard")) ret |= WEB_CLIENT_ACL_DASHBOARD;
+    if (!strcmp(st,"registry")) ret |= WEB_CLIENT_ACL_REGISTRY;
+    if (!strcmp(st,"badges")) ret |= WEB_CLIENT_ACL_BADGE;
+    if (!strcmp(st,"management")) ret |= WEB_CLIENT_ACL_MGMT;
+    if (!strcmp(st,"streaming")) ret |= WEB_CLIENT_ACL_STREAMING;
+    if (!strcmp(st,"netdata.conf")) ret |= WEB_CLIENT_ACL_NETDATACONF;
 
-    return socket_ssl_acl(st);
+    return ret;
 }
 
 static inline int bind_to_this(LISTEN_SOCKETS *sockets, const char *definition, uint16_t default_port, int listen_backlog) {
@@ -375,7 +383,7 @@ static inline int bind_to_this(LISTEN_SOCKETS *sockets, const char *definition,
             error("LISTENER: Cannot create unix socket '%s'", path);
             sockets->failed++;
         } else {
-            acl_flags = WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING;
+            acl_flags = WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING | WEB_CLIENT_ACL_SSL_DEFAULT;
             listen_sockets_add(sockets, fd, AF_UNIX, socktype, protocol_str, path, 0, acl_flags);
             added++;
         }
@@ -425,7 +433,13 @@ static inline int bind_to_this(LISTEN_SOCKETS *sockets, const char *definition,
         }
         acl_flags |= read_acl(portconfig);
     } else {
-        acl_flags = WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING;
+        acl_flags = WEB_CLIENT_ACL_DASHBOARD | WEB_CLIENT_ACL_REGISTRY | WEB_CLIENT_ACL_BADGE | WEB_CLIENT_ACL_MGMT | WEB_CLIENT_ACL_NETDATACONF | WEB_CLIENT_ACL_STREAMING | WEB_CLIENT_ACL_SSL_DEFAULT;
+    }
+
+    //Case the user does not set the option SSL in the "bind to", but he has
+    //the certificates, I must redirect, so I am assuming here the default option
+    if(!(acl_flags & WEB_CLIENT_ACL_SSL_OPTIONAL) && !(acl_flags & WEB_CLIENT_ACL_SSL_FORCE)) {
+        acl_flags |= WEB_CLIENT_ACL_SSL_DEFAULT;
     }
 
     uint32_t scope_id = 0;
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2019-08-04 08:57:13 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2019-08-04 08:57:13 +0000
commit	cbf70980c060bde02906a8e9de2064459bacc93c (patch)
tree	5b9ade02e0ed32a4b33f5e8647092d0c02ea586d /libnetdata/socket/socket.c
parent	Releasing debian version 1.16.0-1. (diff)
download	netdata-cbf70980c060bde02906a8e9de2064459bacc93c.tar.xz netdata-cbf70980c060bde02906a8e9de2064459bacc93c.zip