Google Git
Sign in
apache / httpd / 45da8a29531b6ca83b640c6a13ac30599e1e61f7 / . / modules / md / mod_md_status.c
blob: 9ceadb6007ee4ef3d744e434e2b248369d14e954 [file] [log] [blame]
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <apr_optional.h>
#include <apr_time.h>
#include <apr_date.h>
#include <apr_strings.h>
#include <httpd.h>
#include <http_core.h>
#include <http_protocol.h>
#include <http_request.h>
#include <http_log.h>
#include "mod_status.h"
#include "md.h"
#include "md_curl.h"
#include "md_crypt.h"
#include "md_http.h"
#include "md_json.h"
#include "md_status.h"
#include "md_store.h"
#include "md_store_fs.h"
#include "md_log.h"
#include "md_reg.h"
#include "md_util.h"
#include "md_version.h"
#include "md_acme.h"
#include "md_acme_authz.h"
#include "mod_md.h"
#include "mod_md_private.h"
#include "mod_md_config.h"
#include "mod_md_drive.h"
#include "mod_md_status.h"
/**************************************************************************************************/
/* Certificate status */
#define APACHE_PREFIX "/.httpd/"
#define MD_STATUS_RESOURCE APACHE_PREFIX"certificate-status"
int md_http_cert_status(request_rec *r)
{
md_json_t *resp, *j, *mdj, *certj;
const md_srv_conf_t *sc;
const md_t *md;
apr_bucket_brigade *bb;
apr_status_t rv;
if (!r->parsed_uri.path || strcmp(MD_STATUS_RESOURCE, r->parsed_uri.path))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"requesting status for: %s", r->hostname);
/* We are looking for information about a staged certificate */
sc = ap_get_module_config(r->server->module_config, &md_module);
if (!sc || !sc->mc || !sc->mc->reg || !sc->mc->certificate_status_enabled) return DECLINED;
md = md_get_by_domain(sc->mc->mds, r->hostname);
if (!md) return DECLINED;
if (r->method_number != M_GET) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"md(%s): status supports only GET", md->name);
return HTTP_NOT_IMPLEMENTED;
}
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"requesting status for MD: %s", md->name);
if (APR_SUCCESS != (rv = md_status_get_md_json(&mdj, md, sc->mc->reg, r->pool))) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10175)
"loading md status for %s", md->name);
return HTTP_INTERNAL_SERVER_ERROR;
}
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"status for MD: %s is %s", md->name, md_json_writep(mdj, r->pool, MD_JSON_FMT_INDENT));
resp = md_json_create(r->pool);
if (md_json_has_key(mdj, MD_KEY_CERT, MD_KEY_VALID_UNTIL, NULL)) {
md_json_sets(md_json_gets(mdj, MD_KEY_CERT, MD_KEY_VALID_UNTIL, NULL),
resp, MD_KEY_VALID_UNTIL, NULL);
}
if (md_json_has_key(mdj, MD_KEY_CERT, MD_KEY_VALID_FROM, NULL)) {
md_json_sets(md_json_gets(mdj, MD_KEY_CERT, MD_KEY_VALID_FROM, NULL),
resp, MD_KEY_VALID_FROM, NULL);
}
if (md_json_has_key(mdj, MD_KEY_CERT, MD_KEY_SERIAL, NULL)) {
md_json_sets(md_json_gets(mdj, MD_KEY_CERT, MD_KEY_SERIAL, NULL),
resp, MD_KEY_SERIAL, NULL);
}
if (md_json_has_key(mdj, MD_KEY_CERT, MD_KEY_SHA256_FINGERPRINT, NULL)) {
md_json_sets(md_json_gets(mdj, MD_KEY_CERT, MD_KEY_SHA256_FINGERPRINT, NULL),
resp, MD_KEY_SHA256_FINGERPRINT, NULL);
}
if (md_json_has_key(mdj, MD_KEY_RENEWAL, NULL)) {
/* copy over the information we want to make public about this:
* - when not finished, add an empty object to indicate something is going on
* - when a certificate is staged, add the information from that */
certj = md_json_getj(mdj, MD_KEY_RENEWAL, MD_KEY_CERT, NULL);
j = certj? certj : md_json_create(r->pool);;
md_json_setj(j, resp, MD_KEY_RENEWAL, NULL);
}
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "md[%s]: sending status", md->name);
apr_table_set(r->headers_out, "Content-Type", "application/json");
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
md_json_writeb(resp, MD_JSON_FMT_INDENT, bb);
ap_pass_brigade(r->output_filters, bb);
apr_brigade_cleanup(bb);
return DONE;
}
/**************************************************************************************************/
/* Status hook */
typedef struct {
apr_pool_t *p;
const md_mod_conf_t *mc;
apr_bucket_brigade *bb;
const char *separator;
} status_ctx;
typedef struct status_info status_info;
static void add_json_val(status_ctx *ctx, md_json_t *j);
typedef void add_status_fn(status_ctx *ctx, md_json_t *mdj, const status_info *info);
struct status_info {
const char *label;
const char *key;
add_status_fn *fn;
};
static void si_val_status(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
const char *s = "unknown";
(void)info;
switch (md_json_getl(mdj, MD_KEY_STATE, NULL)) {
case MD_S_INCOMPLETE: s = "incomplete"; break;
case MD_S_EXPIRED_DEPRECATED:
case MD_S_COMPLETE: s = "ok"; break;
case MD_S_ERROR: s = "error"; break;
case MD_S_MISSING_INFORMATION: s = "missing information"; break;
default: break;
}
apr_brigade_puts(ctx->bb, NULL, NULL, s);
}
static void si_val_renew_mode(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
const char *s;
switch (md_json_getl(mdj, info->key, NULL)) {
case MD_RENEW_MANUAL: s = "manual"; break;
case MD_RENEW_ALWAYS: s = "always"; break;
default: s = "auto"; break;
}
apr_brigade_puts(ctx->bb, NULL, NULL, s);
}
static void si_val_date(status_ctx *ctx, apr_time_t timestamp)
{
if (timestamp > 0) {
char ts[128];
char ts2[128];
apr_time_exp_t texp;
apr_size_t len;
apr_time_exp_gmt(&texp, timestamp);
apr_strftime(ts, &len, sizeof(ts)-1, "%Y-%m-%dT%H:%M:%SZ", &texp);
ts[len] = '\0';
apr_strftime(ts2, &len, sizeof(ts2)-1, "%Y-%m-%d", &texp);
ts2[len] = '\0';
apr_brigade_printf(ctx->bb, NULL, NULL,
"<span title='%s' style='white-space: nowrap;'>%s</span>",
ts, ts2);
}
else {
apr_brigade_puts(ctx->bb, NULL, NULL, "-");
}
}
static void si_val_time(status_ctx *ctx, apr_time_t timestamp)
{
if (timestamp > 0) {
char ts[128];
char ts2[128];
apr_time_exp_t texp;
apr_size_t len;
apr_time_exp_gmt(&texp, timestamp);
apr_strftime(ts, &len, sizeof(ts)-1, "%Y-%m-%dT%H:%M:%SZ", &texp);
ts[len] = '\0';
apr_strftime(ts2, &len, sizeof(ts2)-1, "%H:%M:%SZ", &texp);
ts2[len] = '\0';
apr_brigade_printf(ctx->bb, NULL, NULL,
"<span title='%s' style='white-space: nowrap;'>%s</span>",
ts, ts2);
}
else {
apr_brigade_puts(ctx->bb, NULL, NULL, "-");
}
}
static void si_val_expires(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
const char *s;
apr_time_t t;
(void)info;
s = md_json_dups(ctx->p, mdj, MD_KEY_CERT, MD_KEY_VALID_UNTIL, NULL);
if (s) {
t = apr_date_parse_rfc(s);
si_val_date(ctx, t);
}
}
static void si_val_valid_from(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
const char *s;
apr_time_t t;
(void)info;
s = md_json_dups(ctx->p, mdj, MD_KEY_CERT, MD_KEY_VALID_FROM, NULL);
if (s) {
t = apr_date_parse_rfc(s);
si_val_date(ctx, t);
}
}
static void si_val_props(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
const char *s, *url;
md_pkey_type_t ptype;
int i = 0;
(void)info;
if (md_json_getb(mdj, MD_KEY_MUST_STAPLE, NULL)) {
++i;
apr_brigade_puts(ctx->bb, NULL, NULL, "must-staple");
}
s = md_json_gets(mdj, MD_KEY_RENEW_WINDOW, NULL);
if (s) {
if (i++) apr_brigade_puts(ctx->bb, NULL, NULL, " \n");
apr_brigade_printf(ctx->bb, NULL, NULL, "renew-at[%s]", s);
}
url = s = md_json_gets(mdj, MD_KEY_CA, MD_KEY_URL, NULL);
if (s) {
if (i++) apr_brigade_puts(ctx->bb, NULL, NULL, " \n");
if (!strcmp(LE_ACMEv2_PROD, s)) s = "letsencrypt(v2)";
else if (!strcmp(LE_ACMEv1_PROD, s)) s = "letsencrypt(v1)";
else if (!strcmp(LE_ACMEv2_STAGING, s)) s = "letsencrypt(Testv2)";
else if (!strcmp(LE_ACMEv1_STAGING, s)) s = "letsencrypt(Testv1)";
apr_brigade_printf(ctx->bb, NULL, NULL, "ca=[<a href=\"%s\">%s</a>]", url, s);
}
if (md_json_has_key(mdj, MD_KEY_CONTACTS, NULL)) {
if (i++) apr_brigade_puts(ctx->bb, NULL, NULL, " \n");
apr_brigade_puts(ctx->bb, NULL, NULL, "contacts=[");
add_json_val(ctx, md_json_getj(mdj, MD_KEY_CONTACTS, NULL));
apr_brigade_puts(ctx->bb, NULL, NULL, "]");
}
ptype = md_json_has_key(mdj, MD_KEY_PKEY, MD_KEY_TYPE, NULL)?
(unsigned)md_json_getl(mdj, MD_KEY_PKEY, MD_KEY_TYPE, NULL) : MD_PKEY_TYPE_DEFAULT;
switch (ptype) {
case MD_PKEY_TYPE_RSA:
if (i++) apr_brigade_puts(ctx->bb, NULL, NULL, " \n");
apr_brigade_printf(ctx->bb, NULL, NULL, "key[RSA(%u)]",
(unsigned)md_json_getl(mdj, MD_KEY_PKEY, MD_PKEY_RSA_BITS_MIN, NULL));
default:
break;
}
}
static void si_val_renewal(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
char buffer[HUGE_STRING_LEN];
apr_status_t rv;
int finished, errors;
apr_time_t t;
const char *s;
(void)info;
if (!md_json_has_key(mdj, MD_KEY_RENEWAL, NULL)) {
return;
}
finished = (int)md_json_getl(mdj, MD_KEY_RENEWAL, MD_KEY_FINISHED, NULL);
errors = (int)md_json_getl(mdj, MD_KEY_RENEWAL, MD_KEY_ERRORS, NULL);
rv = (apr_status_t)md_json_getl(mdj, MD_KEY_RENEWAL, MD_KEY_LAST, MD_KEY_STATUS, NULL);
if (rv != APR_SUCCESS) {
s = md_json_gets(mdj, MD_KEY_RENEWAL, MD_KEY_LAST, MD_KEY_PROBLEM, NULL);
apr_brigade_printf(ctx->bb, NULL, NULL, "Error[%s]: %s",
apr_strerror(rv, buffer, sizeof(buffer)), s? s : "");
}
if (finished) {
apr_brigade_puts(ctx->bb, NULL, NULL, "Finished");
if (md_json_has_key(mdj, MD_KEY_RENEWAL, MD_KEY_VALID_FROM, NULL)) {
s = md_json_gets(mdj, MD_KEY_RENEWAL, MD_KEY_VALID_FROM, NULL);
t = apr_date_parse_rfc(s);
apr_brigade_puts(ctx->bb, NULL, NULL, (apr_time_now() >= t)?
", valid since: " : ", activate at: ");
si_val_time(ctx, t);
}
apr_brigade_puts(ctx->bb, NULL, NULL, ".");
}
s = md_json_gets(mdj, MD_KEY_RENEWAL, MD_KEY_LAST, MD_KEY_DETAIL, NULL);
if (s) apr_brigade_puts(ctx->bb, NULL, NULL, s);
errors = (int)md_json_getl(mdj, MD_KEY_ERRORS, NULL);
if (errors > 0) {
apr_brigade_printf(ctx->bb, NULL, NULL, ", Had %d errors.", errors);
}
s = md_json_gets(mdj, MD_KEY_RENEWAL, MD_KEY_NEXT_RUN, NULL);
if (s) {
t = apr_date_parse_rfc(s);
apr_brigade_puts(ctx->bb, NULL, NULL, "Next attempt: ");
si_val_time(ctx, t);
apr_brigade_puts(ctx->bb, NULL, NULL, ".");
}
}
static void si_val_remote_check(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
const char *fingerprint;
(void)info;
fingerprint = md_json_gets(mdj, MD_KEY_CERT, MD_KEY_SHA256_FINGERPRINT, NULL);
if (fingerprint) {
apr_brigade_printf(ctx->bb, NULL, NULL,
"<a href=\"https://censys.io/certificates/%s\">censys.io</a> ",
fingerprint);
apr_brigade_printf(ctx->bb, NULL, NULL,
"<a href=\"https://crt.sh?q=%s\">crt.sh</a> ", fingerprint);
}
}
const status_info status_infos[] = {
{ "Name", MD_KEY_NAME, NULL },
{ "Domains", MD_KEY_DOMAINS, NULL },
{ "Status", MD_KEY_STATUS, si_val_status },
{ "Valid", MD_KEY_VALID_FROM, si_val_valid_from },
{ "Expires", MD_KEY_VALID_UNTIL, si_val_expires },
{ "Renew", MD_KEY_RENEW_MODE, si_val_renew_mode },
{ "Check@", MD_KEY_SHA256_FINGERPRINT, si_val_remote_check },
{ "Configuration", MD_KEY_MUST_STAPLE, si_val_props },
{ "Renewal", MD_KEY_NOTIFIED, si_val_renewal },
};
static int json_iter_val(void *data, size_t index, md_json_t *json)
{
status_ctx *ctx = data;
if (index) apr_brigade_puts(ctx->bb, NULL, NULL, ctx->separator);
add_json_val(ctx, json);
return 1;
}
static void add_json_val(status_ctx *ctx, md_json_t *j)
{
if (!j) return;
else if (md_json_is(MD_JSON_TYPE_ARRAY, j, NULL)) {
md_json_itera(json_iter_val, ctx, j, NULL);
}
else if (md_json_is(MD_JSON_TYPE_INT, j, NULL)) {
md_json_writeb(j, MD_JSON_FMT_COMPACT, ctx->bb);
}
else if (md_json_is(MD_JSON_TYPE_STRING, j, NULL)) {
apr_brigade_puts(ctx->bb, NULL, NULL, md_json_gets(j, NULL));
}
else if (md_json_is(MD_JSON_TYPE_OBJECT, j, NULL)) {
md_json_writeb(j, MD_JSON_FMT_COMPACT, ctx->bb);
}
}
static void add_status_cell(status_ctx *ctx, md_json_t *mdj, const status_info *info)
{
if (info->fn) {
info->fn(ctx, mdj, info);
}
else {
add_json_val(ctx, md_json_getj(mdj, info->key, NULL));
}
}
static int add_md_row(void *baton, apr_size_t index, md_json_t *mdj)
{
status_ctx *ctx = baton;
int i;
apr_brigade_printf(ctx->bb, NULL, NULL, "<tr class=\"%s\">", (index % 2)? "odd" : "even");
for (i = 0; i < (int)(sizeof(status_infos)/sizeof(status_infos[0])); ++i) {
apr_brigade_puts(ctx->bb, NULL, NULL, "<td>");
add_status_cell(ctx, mdj, &status_infos[i]);
apr_brigade_puts(ctx->bb, NULL, NULL, "</td>");
}
apr_brigade_puts(ctx->bb, NULL, NULL, "</tr>");
return 1;
}
static int md_name_cmp(const void *v1, const void *v2)
{
return strcmp((*(const md_t**)v1)->name, (*(const md_t**)v2)->name);
}
int md_status_hook(request_rec *r, int flags)
{
const md_srv_conf_t *sc;
const md_mod_conf_t *mc;
int i, html;
status_ctx ctx;
apr_array_header_t *mds;
md_json_t *jstatus, *jstock;
sc = ap_get_module_config(r->server->module_config, &md_module);
if (!sc) return DECLINED;
mc = sc->mc;
if (!mc || !mc->server_status_enabled) return DECLINED;
html = !(flags & AP_STATUS_SHORT);
ctx.p = r->pool;
ctx.mc = mc;
ctx.bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
ctx.separator = " ";
mds = apr_array_copy(r->pool, mc->mds);
qsort(mds->elts, (size_t)mds->nelts, sizeof(md_t *), md_name_cmp);
if (!html) {
apr_brigade_puts(ctx.bb, NULL, NULL, "ManagedDomains: ");
if (mc->mds->nelts > 0) {
md_status_take_stock(&jstock, mds, mc->reg, r->pool);
apr_brigade_printf(ctx.bb, NULL, NULL, "total=%d, ok=%d renew=%d errored=%d ready=%d",
(int)md_json_getl(jstock, MD_KEY_TOTAL, NULL),
(int)md_json_getl(jstock, MD_KEY_COMPLETE, NULL),
(int)md_json_getl(jstock, MD_KEY_RENEWING, NULL),
(int)md_json_getl(jstock, MD_KEY_ERRORED, NULL),
(int)md_json_getl(jstock, MD_KEY_READY, NULL));
}
else {
apr_brigade_puts(ctx.bb, NULL, NULL, "[]");
}
apr_brigade_puts(ctx.bb, NULL, NULL, "\n");
}
else if (mc->mds->nelts > 0) {
md_status_get_json(&jstatus, mds, mc->reg, r->pool);
apr_brigade_puts(ctx.bb, NULL, NULL,
"<hr>\n<h2>Managed Domains</h2>\n<table class='md_status'><thead><tr>\n");
for (i = 0; i < (int)(sizeof(status_infos)/sizeof(status_infos[0])); ++i) {
apr_brigade_puts(ctx.bb, NULL, NULL, "<th>");
apr_brigade_puts(ctx.bb, NULL, NULL, status_infos[i].label);
apr_brigade_puts(ctx.bb, NULL, NULL, "</th>");
}
apr_brigade_puts(ctx.bb, NULL, NULL, "</tr>\n</thead><tbody>");
md_json_itera(add_md_row, &ctx, jstatus, MD_KEY_MDS, NULL);
apr_brigade_puts(ctx.bb, NULL, NULL, "</td></tr>\n</tbody>\n</table>\n");
}
ap_pass_brigade(r->output_filters, ctx.bb);
apr_brigade_cleanup(ctx.bb);
return OK;
}
/**************************************************************************************************/
/* Status handler */
int md_status_handler(request_rec *r)
{
const md_srv_conf_t *sc;
const md_mod_conf_t *mc;
apr_array_header_t *mds;
md_json_t *jstatus;
apr_bucket_brigade *bb;
const md_t *md;
const char *name;
if (strcmp(r->handler, "md-status")) {
return DECLINED;
}
sc = ap_get_module_config(r->server->module_config, &md_module);
if (!sc) return DECLINED;
mc = sc->mc;
if (!mc) return DECLINED;
if (r->method_number != M_GET) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "md-status supports only GET");
return HTTP_NOT_IMPLEMENTED;
}
jstatus = NULL;
md = NULL;
if (r->path_info && r->path_info[0] == '/' && r->path_info[1] != '\0') {
name = strrchr(r->path_info, '/') + 1;
md = md_get_by_name(mc->mds, name);
if (!md) md = md_get_by_domain(mc->mds, name);
}
if (md) {
md_status_get_md_json(&jstatus, md, mc->reg, r->pool);
}
else {
mds = apr_array_copy(r->pool, mc->mds);
qsort(mds->elts, (size_t)mds->nelts, sizeof(md_t *), md_name_cmp);
md_status_get_json(&jstatus, mds, mc->reg, r->pool);
}
if (jstatus) {
apr_table_set(r->headers_out, "Content-Type", "application/json");
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
md_json_writeb(jstatus, MD_JSON_FMT_INDENT, bb);
ap_pass_brigade(r->output_filters, bb);
apr_brigade_cleanup(bb);
return DONE;
}
return DECLINED;
}