/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. #include <assert.h>#include <apr_optional.h>#include <apr_time.h>#include <apr_date.h>#include <apr_strings.h>#include <httpd.h>#include <http_core.h>#include <http_protocol.h>#include <http_request.h>#include <http_log.h>#include "mod_status.h" #include "md.h" #include "md_curl.h" #include "md_crypt.h" #include "md_http.h" #include "md_ocsp.h" #include "md_json.h" #include "md_status.h" #include "md_store.h" #include "md_store_fs.h" #include "md_log.h" #include "md_reg.h" #include "md_util.h" #include "md_version.h" #include "md_acme.h" #include "md_acme_authz.h" #include "mod_md.h" #include "mod_md_private.h" #include "mod_md_config.h" #include "mod_md_drive.h" #include "mod_md_status.h" /**************************************************************************************************/ /* Certificate status */ #define APACHE_PREFIX "/.httpd/" #define MD_STATUS_RESOURCE APACHE_PREFIX"certificate-status" #define HTML_STATUS(X) (!((X)->flags & AP_STATUS_SHORT))int md_http_cert_status(request_rec *r)int i;const md_srv_conf_t *sc;const md_t *md;const char *keyname;if (!r->parsed_uri.path || strcmp(MD_STATUS_RESOURCE, r->parsed_uri.path))return DECLINED;"requesting status for: %s" , r->hostname);/* We are looking for information about a staged certificate */ if (!sc || !sc->mc || !sc->mc->reg || !sc->mc->certificate_status_enabled) return DECLINED;if (!md) return DECLINED;if (r->method_number != M_GET) {"md(%s): status supports only GET" , md->name);return HTTP_NOT_IMPLEMENTED;"requesting status for MD: %s" , md->name);if (APR_SUCCESS != rv) {"loading md status for %s" , md->name);return HTTP_INTERNAL_SERVER_ERROR;"status for MD: %s is %s" , md->name, md_json_writep(mdj, r->pool, MD_JSON_FMT_INDENT));if (md_json_has_key(mdj, MD_KEY_CERT, MD_KEY_VALID, NULL)) {ULL);for (i = 0; i < md_cert_count(md); ++i) {if (md_json_has_key(mdj, MD_KEY_CERT, keyname, MD_KEY_VALID, NULL)) {if (md_json_has_key(mdj, MD_KEY_CERT, keyname, MD_KEY_SERIAL, NULL)) {if (md_json_has_key(mdj, MD_KEY_CERT, keyname, MD_KEY_SHA256_FINGERPRINT, NULL)) {),if (md_json_has_key(mdj, MD_KEY_RENEWAL, NULL)) {/* copy over the information we want to make public about this: * - when not finished, add an empty object to indicate something is going on "md[%s]: sending status" , md->name);"Content-Type" , "application/json" );return DONE;/**************************************************************************************************/ /* Status hook */ typedef struct {const md_mod_conf_t *mc;int flags;const char *prefix;const char *separator;typedef struct status_info status_info;static void add_json_val(status_ctx *ctx, md_json_t *j);typedef void add_status_fn(status_ctx *ctx, md_json_t *mdj, const status_info *info);struct status_info {const char *label;const char *key;static void si_val_status(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *s = "unknown" ;void )info;switch (md_json_getl(mdj, info->key, NULL)) {case MD_S_INCOMPLETE:"incomplete: %s" , s) : "incomplete" ;break ;case MD_S_EXPIRED_DEPRECATED:case MD_S_COMPLETE:"good" : "expired" ;break ;case MD_S_ERROR: s = "error" ; break ;case MD_S_MISSING_INFORMATION: s = "missing information" ; break ;default : break ;if (HTML_STATUS(ctx)) {else {"%s%s: %s\n" ,static void si_val_url(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *url, *s;if (!url) return ;if (HTML_STATUS(ctx)) {"%s " ,else {"%s%sName: %s\n" ,"%s%sURL: %s\n" ,static void print_date(status_ctx *ctx, apr_time_t timestamp, const char *title)if (timestamp > 0) {char ts[128];char ts2[128];sizeof (ts2)-1, "%Y-%m-%d" , &texp);'\0' ;if (!title) {sizeof (ts)-1, "%Y-%m-%dT%H:%M:%SZ" , &texp);'\0' ;if (HTML_STATUS(ctx)) {"%s " ,else {"%s%s: %s\n" ,static void print_time(status_ctx *ctx, const char *label, apr_time_t t)const char *pre, *post, *sep;char ts[APR_RFC822_DATE_LEN];char ts2[128];if (t == 0) {/* timestamp is 0, we use that for "not set" */ return ;"" ;" " : "" ;if (HTML_STATUS(ctx)) {if (t > now) {"in " ;else {" ago" ;if (delta >= (4 * apr_time_from_sec(MD_SECS_PER_DAY))) {sizeof (ts2)-1, "%Y-%m-%d" , &texp);'\0' ;"%s%s"style='white-space: nowrap;'>%s "else {"%s%s%s%s%s " ,else {"%s%s: %" APR_TIME_T_FMT "\n" ,static void si_val_valid_time(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *sfrom, *suntil, *sep, *title;if (HTML_STATUS(ctx)) {if (from > apr_time_now()) {"from " );" " ;if (until) {if (sep) apr_brigade_puts(ctx->bb, NULL, NULL, sep);"until " );"%s - %s" , sfrom, suntil) : suntil;else {if (from > apr_time_now()) {"From" , NULL));if (until) {"Until" , NULL));static void si_add_header(status_ctx *ctx, const status_info *info)if (HTML_STATUS(ctx)) {const char *html = ap_escape_html2(ctx->p, info->label, 1);" %s\">%s " , html, html);
}
}
static void si_val_cert_valid_time(status_ctx *ctx, md_json_t *mdj,
const status_info *i
nfo)if (jcert) si_val_valid_time(ctx, jcert, &sub);static void val_url_print(status_ctx *ctx, const status_info *info,const char *url, const char *proto, int i)const char *s;if (proto && !strcmp(proto, "tailscale" )) {"tailscale" ;else if (url) {else {return ;if (HTML_STATUS(ctx)) {"%s%s " ," " : "" ,else if (i == 0) {"%s%sName: %s\n" ,"%s%sURL: %s\n" ,else {"%s%sName%d: %s\n" ,"%s%sURL%d: %s\n" ,static void si_val_ca_urls(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *proto, *url;int i;if (!jcert) {return ;if (url) {/* print the effective CA url used, if set */ else {/* print the available CA urls configured */ sizeof (const char *));for (i = 0; i < urls->nelts; ++i) {const char *);static int count_certs(void *baton, const char *key, md_json_t *json)int *pcount = baton;void )json;if (strcmp(key, MD_KEY_VALID)) {return 1;static void print_job_summary(status_ctx *ctx, md_json_t *mdj, const char *key,const char *separator)char buffer[HUGE_STRING_LEN];int finished, errors, cert_count;const char *s, *line;if (!md_json_has_key(mdj, key, NULL)) {return ;int )md_json_getl(mdj, key, MD_KEY_ERRORS, NULL);"" ;if (rv != APR_SUCCESS) {char *errstr = apr_strerror(rv, buffer, sizeof (buffer));if (HTML_STATUS(ctx)) {"%s Error[%s]: %s" , line,"" );else {"%sLastStatus: %s\n" , ctx->prefix, errstr);"%sLastProblem: %s\n" , ctx->prefix, s);if (!HTML_STATUS(ctx)) {"%sFinished: %s\n" , ctx->prefix,"yes" : "no" );if (finished) {if (HTML_STATUS(ctx)) {if (cert_count > 0) {"%s finished, %d new certificate%s staged." ,"s" : "" );else {"%s finished successfully." , line);else {"%sNewStaged: %d\n" , ctx->prefix, cert_count);else {if (s) {if (HTML_STATUS(ctx)) {"%s %s" , line, s);else {"%sLastDetail: %s\n" , ctx->prefix, s);int )md_json_getl(mdj, MD_KEY_ERRORS, NULL);if (errors > 0) {if (HTML_STATUS(ctx)) {"%s (%d retr%s) " , line,"y" : "ies" );else {"%sRetries: %d\n" , ctx->prefix, errors);if (HTML_STATUS(ctx)) {if (t > apr_time_now() && !finished) {"\nNext run" : "NextRun" ,else if (line[0] != '\0' ) {if (HTML_STATUS(ctx)) {"\nOngoing..." );else {"%s: Ongoing\n" , ctx->prefix);static void si_val_activity(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *prefix = ctx->prefix;void )info;if (!HTML_STATUS(ctx)) {if (md_json_has_key(mdj, MD_KEY_RENEWAL, NULL)) {return ;if (t > apr_time_now()) {"Renew" , t);else if (t) {if (HTML_STATUS(ctx)) {"Pending" );else {"%s: %s" , ctx->prefix, "Pending\n" );else if (MD_RENEW_MANUAL == md_json_getl(mdj, MD_KEY_RENEW_MODE, NULL)) {if (HTML_STATUS(ctx)) {"Manual renew" );else {"%s: %s" , ctx->prefix, "Manual renew\n" );if (!HTML_STATUS(ctx)) {static int cert_check_iter(void *baton, const char *key, md_json_t *json)const char *fingerprint;if (fingerprint) {if (HTML_STATUS(ctx)) {"%s%s\">%s[%s] ,else {"%sType: %s\n" ,"%sName: %s\n" ,"%sURL: %s%s\n" ,"%sFingerprint: %s\n" ,return 1;static void si_val_remote_check(status_ctx *ctx, md_json_t *mdj, const status_info *info)void )info;if (ctx->mc->cert_check_name && ctx->mc->cert_check_url) {const char *prefix = ctx->prefix;if (!HTML_STATUS(ctx)) {if (!HTML_STATUS(ctx)) {static void si_val_stapling(status_ctx *ctx, md_json_t *mdj, const status_info *info)void )info;if (!md_json_getb(mdj, MD_KEY_STAPLING, NULL)) return ;if (HTML_STATUS(ctx)) {"on" );else {"%sStapling: on\n" , ctx->prefix);static int json_iter_val(void *data, size_t index, md_json_t *json)const char *prefix = ctx->prefix;if (HTML_STATUS(ctx)) {if (index) apr_brigade_puts(ctx->bb, NULL, NULL, ctx->separator);else {"[%" APR_SIZE_T_FMT "]" , index), NULL);if (!HTML_STATUS(ctx)) {return 1;static void add_json_val(status_ctx *ctx, md_json_t *j)if (!j) return ;if (md_json_is(MD_JSON_TYPE_ARRAY, j, NULL)) {return ;if (!HTML_STATUS(ctx)) {": " );if (md_json_is(MD_JSON_TYPE_INT, j, NULL)) {else if (md_json_is(MD_JSON_TYPE_STRING, j, NULL)) {else if (md_json_is(MD_JSON_TYPE_OBJECT, j, NULL)) {else if (md_json_is(MD_JSON_TYPE_BOOL, j, NULL)) {"on" : "off" );if (!HTML_STATUS(ctx)) {"\n" );static void si_val_names(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *prefix = ctx->prefix;if (HTML_STATUS(ctx)) {"max-width:400px;\">" );else {if (HTML_STATUS(ctx)) {"
" );else {static void add_status_cell(status_ctx *ctx, md_json_t *mdj, const status_info *info)if (info->fn) {else {const char *prefix = ctx->prefix;if (!HTML_STATUS(ctx)) {if (!HTML_STATUS(ctx)) {static const status_info status_infos[] = {"Domain" , MD_KEY_NAME, NULL },"Names" , MD_KEY_DOMAINS, si_val_names },"Status" , MD_KEY_STATE, si_val_status },"Valid" , MD_KEY_CERT, si_val_cert_valid_time },"CA" , MD_KEY_CA, si_val_ca_urls },"Stapling" , MD_KEY_STAPLING, si_val_stapling },"CheckAt" , MD_KEY_SHA256_FINGERPRINT, si_val_remote_check },"Activity" , MD_KEY_NOTIFIED, si_val_activity },static int add_md_row(void *baton, apr_size_t index, md_json_t *mdj)const char *prefix = ctx->prefix;int i;if (HTML_STATUS(ctx)) {"%s\">" , (index % 2)? "odd" : "even" );for (i = 0; i < (int )(sizeof (status_infos)/sizeof (status_infos[0])); ++i) {" ");" ");" " );else {for (i = 0; i < (int )(sizeof (status_infos)/sizeof (status_infos[0])); ++i) {"[%" APR_SIZE_T_FMT "]" , index), NULL);return 1;static int md_name_cmp(const void *v1, const void *v2)return strcmp((*(const md_t**)v1)->name, (*(const md_t**)v2)->name);int md_domains_status_hook(request_rec *r, int flags)const md_srv_conf_t *sc;const md_mod_conf_t *mc;int i;"server-status for managed domains, start" );if (!sc) return DECLINED;if (!mc || !mc->server_status_enabled) return DECLINED;"ManagedCertificates" ;" " ;sizeof (md_t *), md_name_cmp);if (!HTML_STATUS(&ctx)) {int total = 0, complete = 0, renewing = 0, errored = 0, ready = 0;"no-html managed domain status summary" );if (mc->mds->nelts > 0) {"got JSON managed domain status summary" );int )md_json_getl(jstock, MD_KEY_TOTAL, NULL);int )md_json_getl(jstock, MD_KEY_COMPLETE, NULL);int )md_json_getl(jstock, MD_KEY_RENEWING, NULL);int )md_json_getl(jstock, MD_KEY_ERRORED, NULL);int )md_json_getl(jstock, MD_KEY_READY, NULL);"%sTotal: %d\n" , ctx.prefix, total);"%sOK: %d\n" , ctx.prefix, complete);"%sRenew: %d\n" , ctx.prefix, renewing);"%sErrored: %d\n" , ctx.prefix, errored);"%sReady: %d\n" , ctx.prefix, ready);if (mc->mds->nelts > 0) {"got JSON managed domain status" );if (HTML_STATUS(&ctx)) {"html managed domain status table" );"Managed Certificates \n\n");for (i = 0; i < (int )(sizeof (status_infos)/sizeof (status_infos[0])); ++i) {" \n");else {"ManagedDomain" ;"iterating JSON managed domain status" );if (HTML_STATUS(&ctx)) {"\n \n
\n" );"server-status for managed domains, end" );return OK;static void si_val_ocsp_activity(status_ctx *ctx, md_json_t *mdj, const status_info *info)const char *prefix = ctx->prefix;void )info;if (!HTML_STATUS(ctx)) {"Refresh" , t);": " );if (!HTML_STATUS(ctx)) {static const status_info ocsp_status_infos[] = {"Domain" , MD_KEY_DOMAIN, NULL },"CertificateID" , MD_KEY_ID, NULL },"OCSPStatus" , MD_KEY_STATUS, NULL },"StaplingValid" , MD_KEY_VALID, si_val_valid_time },"Responder" , MD_KEY_URL, si_val_url },"Activity" , MD_KEY_NOTIFIED, si_val_ocsp_activity },static int add_ocsp_row(void *baton, apr_size_t index, md_json_t *mdj)const char *prefix = ctx->prefix;int i;if (HTML_STATUS(ctx)) {"%s\">" , (index % 2)? "odd" : "even" );for (i = 0; i < (int )(sizeof (ocsp_status_infos)/sizeof (ocsp_status_infos[0])); ++i) {" ");" ");" " );else {for (i = 0; i < (int )(sizeof (ocsp_status_infos)/sizeof (ocsp_status_infos[0])); ++i) {"[%" APR_SIZE_T_FMT "]" , index), NULL);return 1;int md_ocsp_status_hook(request_rec *r, int flags)const md_srv_conf_t *sc;const md_mod_conf_t *mc;int i;"server-status for ocsp stapling, start" );if (!sc) return DECLINED;if (!mc || !mc->server_status_enabled) return DECLINED;"ManagedStaplings" ;" " ;if (!HTML_STATUS(&ctx)) {int total = 0, good = 0, revoked = 0, unknown = 0;"no-html ocsp stapling status summary" );if (md_ocsp_count(mc->ocsp) > 0) {"got JSON ocsp stapling status summary" );int )md_json_getl(jstock, MD_KEY_TOTAL, NULL);int )md_json_getl(jstock, MD_KEY_GOOD, NULL);int )md_json_getl(jstock, MD_KEY_REVOKED, NULL);int )md_json_getl(jstock, MD_KEY_UNKNOWN, NULL);"%sTotal: %d\n" , ctx.prefix, total);"%sOK: %d\n" , ctx.prefix, good);"%sRenew: %d\n" , ctx.prefix, revoked);"%sErrored: %d\n" , ctx.prefix, unknown);if (md_ocsp_count(mc->ocsp) > 0) {"got JSON ocsp stapling status" );if (HTML_STATUS(&ctx)) {"html ocsp stapling status table" );"Managed Staplings \n\n");for (i = 0; i < (int )(sizeof (ocsp_status_infos)/sizeof (ocsp_status_infos[0])); ++i) {" \n");else {"ManagedStapling" ;"iterating JSON ocsp stapling status" );if (HTML_STATUS(&ctx)) {"\n \n
\n" );"server-status for ocsp stapling, end" );return OK;/**************************************************************************************************/ /* Status handlers */ int md_status_handler(request_rec *r)const md_srv_conf_t *sc;const md_mod_conf_t *mc;const md_t *md;const char *name;if (strcmp(r->handler, "md-status" )) {return DECLINED;if (!sc) return DECLINED;if (!mc) return DECLINED;if (r->method_number != M_GET) {"md-status supports only GET" );return HTTP_NOT_IMPLEMENTED;if (r->path_info && r->path_info[0] == '/' && r->path_info[1] != '\0' ) {'/' ) + 1;if (!md) md = md_get_by_domain(mc->mds, name);if (md) {else {sizeof (md_t *), md_name_cmp);if (jstatus) {"Content-Type" , "application/json" );return DONE;return DECLINED;quality 97%
¤ Dauer der Verarbeitung: 0.24 Sekunden
(vorverarbeitet)
¤ *© Formatika GbR, Deutschland
