public inbox for pmg-devel@lists.proxmox.com
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api 3/4] cluster: use old and new fingerprint on master
Date: Thu, 18 Mar 2021 16:14:48 +0100
Message-ID: <20210318151449.18638-4-s.ivanov@proxmox.com>
In-Reply-To: <20210318151449.18638-1-s.ivanov@proxmox.com>

When triggering a fingerprint update on master right after reloading
pmgproxy, as we do for ACME certificates, it can happen that the
connection is made against the old pmgproxy process (with the old
fingerprint). Simply trusting both fingerprints in that case seems
acceptable from a security perspective and makes the fingerprint
update more robust.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/Cluster.pm | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
index e7bf266..acaea8d 100644
--- a/src/PMG/Cluster.pm
+++ b/src/PMG/Cluster.pm
@@ -316,11 +316,13 @@ sub trigger_update_fingerprints {
     my ($cinfo) = @_;
 
     my $master = $cinfo->{master} || die "unable to lookup master node\n";
-    my $master_fp = $master->{fingerprint};
+    my $cached_fp = { $master->{fingerprint} => 1 };
 
     # if running on master the current fingerprint for the API-connection is needed
+    # in addition (to prevent races with restarting pmgproxy
     if ($cinfo->{local}->{type} eq 'master') {
-	$master_fp = PMG::Cluster::read_local_ssl_cert_fingerprint();
+	my $new_fp = PMG::Cluster::read_local_ssl_cert_fingerprint();
+	$cached_fp->{$new_fp} = 1;
     }
 
     my $ticket = PMG::Ticket::assemble_ticket('root@pam');
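Review bot: $master->{fingerprint} is now used as a hash key unconditionally in the new `my $cached_fp = { $master->{fingerprint} => 1 };` line, including on the master, where the old code overwrote it with the locally read fingerprint before use. If the cluster info has no fingerprint for the master, this produces an uninitialized-value warning and an empty-string key in the trusted set; consider adding the key only when the value is defined, and likewise checking the return value of read_local_ssl_cert_fingerprint() before storing it. The added comment line also has an unbalanced parenthesis ("(to prevent races with restarting pmgproxy"), and it would help to say there that the first entry is the fingerprint recorded in the cluster info and the second is the one read from the local certificate, since widening the accepted set for this connection is the security-relevant part of the change.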
@@ -330,10 +332,8 @@ sub trigger_update_fingerprints {
 	csrftoken => $csrftoken,
 	cookie_name => 'PMGAuthCookie',
 	host => $master->{ip},
-	cached_fingerprints => {
-	    $master_fp => 1,
-	},
-    );
+	cached_fingerprints => $cached_fp,
+	);
 
     $conn->post("/config/cluster/update-fingerprints", {});
     return undef;
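Review bot: the closing `);` of the connection constructor changes from four-space indentation to a tab, which is an unrelated whitespace change and leaves the parenthesis aligned with the arguments instead of with the start of the statement. Keeping the original `    );` line would reduce this hunk to the single cached_fingerprints replacement. Since $cached_fp is passed by reference, it is also worth confirming that the client does not add entries to the hash it receives, although here the hash is local to this sub and discarded after the post.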
-- 
2.20.1





Thread overview: 6+ messages
2021-03-18 15:14 [pmg-devel] [PATCH pmg-api 0/4] cosmetic and minor improvements to certificate integration Stoiko Ivanov
2021-03-18 15:14 ` [pmg-devel] [PATCH pmg-api 1/4] package: ship /etc/pmg/acme/accounts in deb Stoiko Ivanov
2021-03-18 15:14 ` [pmg-devel] [PATCH pmg-api 2/4] acme: recursively create account directory Stoiko Ivanov
2021-03-18 15:14 ` Stoiko Ivanov [this message]
2021-03-18 15:14 ` [pmg-devel] [PATCH pmg-api 4/4] certs: reload postfix to activate new certificate Stoiko Ivanov
2021-03-18 16:04 ` [pmg-devel] applied: [PATCH pmg-api 0/4] cosmetic and minor improvements to certificate integration Thomas Lamprecht
