Merge remote-tracking branch 'upstream/1.6.x' into HEAD

* upstream/1.6.x:
  (packaging) Updating the cpp-pcp-client.pot file
  (PCP-893) Honor CRL when connecting to PCP broker
  (packaging) Bump to version '1.6.2' [no-promote]

Author: donoghuc

.travis.yml

@@ -4,7 +4,6 @@ services:
 
 before_install:
   - docker pull gcr.io/cpp-projects/cpp-ci:1
-
 script:
   - >
     docker run -v `pwd`:/cpp-pcp-client gcr.io/cpp-projects/cpp-ci:1 /bin/bash -c "

README.md

@@ -169,6 +169,7 @@ The constructor of the Connector class is defined as:
               std::string ca_crt_path,
               std::string client_crt_path,
               std::string client_key_path,
+              std::string client_crl_path,
               std::string proxy,
               long ws_connection_timeout_ms = 5000,
               uint32_t association_timeout_s = 15,
@@ -186,6 +187,7 @@ The parameters are described as:
  - ca_crt_path - The path to your CA certificate file.
  - client_crt_path - The path to a client certificate file generated by your CA.
  - client_key_path - The path to a client public key file generated by you CA.
+ - client_crl_path - The path to a certificate revocation list file.
  - proxy - The proxy URI you wish to connect to PCP-broker over. ex: `http://localhost:3128`
  - ws_connection_timeout_ms - The timeout for initiating the WebSocket handshake (in milliseconds). Defaults to 5000 ms.
  - association_timeout_s - The timeout for the completion of the PCP Association. Defaults to 3 s.
@@ -199,6 +201,7 @@ This means that you can instantiate a Connector object as follows:
                           "/etc/puppet/ssl/ca/ca_crt.pem",
                           "/etc/puppet/ssl/certs/client_crt.pem",
                           "/etc/puppet/ssl/public_keys/client_key.pem",
+                          "/etc/puppet/ssl/crl.pem",
                           "", // no proxy
                           4000,  // WebSocket connection timeout
                           5 };   // PCP Association timeout
@@ -212,6 +215,7 @@ An alternate constructor for Connector also exists that takes a list of brokers,
                           "/etc/puppet/ssl/ca/ca_crt.pem",
                           "/etc/puppet/ssl/certs/client_crt.pem",
                           "/etc/puppet/ssl/public_keys/client_key.pem",
+                          "/etc/puppet/ssl/crl.pem",
                           "", // no proxy
                           4000,  // WebSocket connection timeout
                           5 };   // PCP Association timeout

lib/inc/cpp-pcp-client/connector/client_metadata.hpp

@@ -17,6 +17,7 @@ class LIBCPP_PCP_CLIENT_EXPORT ClientMetadata {
     std::string ca;
     std::string crt;
     std::string key;
+    std::string crl;
     std::string client_type;
     std::string common_name;
     std::string uri;
@@ -39,7 +40,7 @@ class LIBCPP_PCP_CLIENT_EXPORT ClientMetadata {
                    uint32_t _pong_timeouts_before_retry,
                    long _pong_timeout_ms);
 
-    // constructor for proxy addition
+    // constructor proxy addition
     ClientMetadata(std::string _client_type,
                    std::string _ca,
                    std::string _crt,
@@ -48,6 +49,17 @@ class LIBCPP_PCP_CLIENT_EXPORT ClientMetadata {
                    long _ws_connection_timeout_ms,
                    uint32_t _pong_timeouts_before_retry,
                    long _pong_timeout_ms);
+
+    // constructor crl addition
+    ClientMetadata(std::string _client_type,
+                   std::string _ca,
+                   std::string _crt,
+                   std::string _key,
+                   std::string _crl,
+                   std::string proxy,
+                   long _ws_connection_timeout_ms,
+                   uint32_t _pong_timeouts_before_retry,
+                   long _pong_timeout_ms);
 };
 
 }  // namespace PCPClient

lib/inc/cpp-pcp-client/connector/connector_base.hpp

@@ -37,7 +37,7 @@ class LIBCPP_PCP_CLIENT_EXPORT ConnectorBase {
         uint32_t pong_timeouts_before_retry,
         long ws_pong_timeout_ms);
 
-    // constructor for proxy addition
+    // constructor proxy addition
     ConnectorBase(std::vector<std::string> broker_ws_uris,
         std::string client_type,
         std::string ca_crt_path,
@@ -48,6 +48,18 @@ class LIBCPP_PCP_CLIENT_EXPORT ConnectorBase {
         uint32_t pong_timeouts_before_retry,
         long ws_pong_timeout_ms);
 
+    // constructor crl addition
+    ConnectorBase(std::vector<std::string> broker_ws_uris,
+        std::string client_type,
+        std::string ca_crt_path,
+        std::string client_crt_path,
+        std::string client_key_path,
+        std::string client_crl_path,
+        std::string ws_proxy,
+        long ws_connection_timeout_ms,
+        uint32_t pong_timeouts_before_retry,
+        long ws_pong_timeout_ms);
+
     /// Calls stopMonitorTaskAndWait if the Monitoring Task thread is
     /// still active. In case an exception was previously stored by
     /// the Monitoring Task, the error message will be logged, but

lib/inc/cpp-pcp-client/connector/v1/connector.hpp

@@ -53,6 +53,20 @@ class LIBCPP_PCP_CLIENT_EXPORT Connector : public ConnectorBase {
               uint32_t pong_timeouts_before_retry = 3,
               long ws_pong_timeout_ms = 5000);
 
+    // constructor for crl addition
+    Connector(std::string broker_ws_uri,
+              std::string client_type,
+              std::string ca_crt_path,
+              std::string client_crt_path,
+              std::string client_key_path,
+              std::string client_crl_path,
+              std::string ws_proxy,
+              long ws_connection_timeout_ms = 5000,
+              uint32_t association_timeout_s = 15,
+              uint32_t association_request_ttl_s = 10,  // Unused
+              uint32_t pong_timeouts_before_retry = 3,
+              long ws_pong_timeout_ms = 5000);
+
     // legacy constructor: pre proxy
     Connector(std::vector<std::string> broker_ws_uris,
               std::string client_type,
@@ -78,6 +92,20 @@ class LIBCPP_PCP_CLIENT_EXPORT Connector : public ConnectorBase {
               uint32_t pong_timeouts_before_retry = 3,
               long ws_pong_timeout_ms = 5000);
 
+    // constructor for crl addition
+    Connector(std::vector<std::string> broker_ws_uris,
+              std::string client_type,
+              std::string ca_crt_path,
+              std::string client_crt_path,
+              std::string client_key_path,
+              std::string client_crl_path,
+              std::string ws_proxy,
+              long ws_connection_timeout_ms = 5000,
+              uint32_t association_timeout_s = 15,
+              uint32_t association_request_ttl_s = 10,  // Unused
+              uint32_t pong_timeouts_before_retry = 3,
+              long ws_pong_timeout_ms = 5000);
+
     /// Set an optional callback for associate responses
     void setAssociateCallback(MessageCallback callback);
 

lib/inc/cpp-pcp-client/connector/v2/connector.hpp

@@ -48,6 +48,18 @@ class LIBCPP_PCP_CLIENT_EXPORT Connector : public ConnectorBase {
               uint32_t pong_timeouts_before_retry = 3,
               long ws_pong_timeout_ms = 5000);
 
+    // constructor for crl addition
+    Connector(std::string broker_ws_uri,
+              std::string client_type,
+              std::string ca_crt_path,
+              std::string client_crt_path,
+              std::string client_key_path,
+              std::string client_crl_path,
+              std::string ws_proxy,
+              long ws_connection_timeout_ms = 5000,
+              uint32_t pong_timeouts_before_retry = 3,
+              long ws_pong_timeout_ms = 5000);
+
     // legacy constructor: pre proxy
     Connector(std::vector<std::string> broker_ws_uris,
               std::string client_type,
@@ -69,6 +81,18 @@ class LIBCPP_PCP_CLIENT_EXPORT Connector : public ConnectorBase {
               uint32_t pong_timeouts_before_retry = 3,
               long ws_pong_timeout_ms = 5000);
 
+    // constructor for proxy addition
+    Connector(std::vector<std::string> broker_ws_uris,
+              std::string client_type,
+              std::string ca_crt_path,
+              std::string client_crt_path,
+              std::string client_key_path,
+              std::string client_crl_path,
+              std::string ws_proxy,
+              long ws_connection_timeout_ms = 5000,
+              uint32_t pong_timeouts_before_retry = 3,
+              long ws_pong_timeout_ms = 5000);
+
     /// Send the specified message.
     /// Throw a connection_processing_error in case of failure;
     /// throw a connection_not_init_error in case the connection

lib/src/connector/client_metadata.cc

@@ -154,4 +154,33 @@ ClientMetadata::ClientMetadata(std::string _client_type,
     LOG_DEBUG("Validated the private key / certificate pair");
 }
 
+// constructor for crl addition
+ClientMetadata::ClientMetadata(std::string _client_type,
+                               std::string _ca,
+                               std::string _crt,
+                               std::string _key,
+                               std::string _crl,
+                               std::string _proxy,
+                               long _ws_connection_timeout_ms,
+                               uint32_t _pong_timeouts_before_retry,
+                               long _pong_timeout_ms)
+        : ca { std::move(_ca) },
+          crt { std::move(_crt) },
+          key { std::move(_key) },
+          crl { std::move(_crl) },
+          proxy { std::move(_proxy) },
+          client_type { std::move(_client_type) },
+          common_name { getCommonNameFromCert(crt) },
+          uri { PCP_URI_SCHEME + common_name + "/" + client_type },
+          ws_connection_timeout_ms { std::move(_ws_connection_timeout_ms) },
+          pong_timeouts_before_retry { std::move(_pong_timeouts_before_retry) },
+          pong_timeout_ms { std::move(_pong_timeout_ms) }
+{
+    LOG_INFO("Retrieved common name from the certificate and determined "
+             "the client URI: {1}", uri);
+    validatePrivateKeyCertPair(key, crt);
+    LOG_DEBUG("Validated the private key / certificate pair");
+}
+
+
 }  // namespace PCPClient

lib/src/connector/connection.cc

@@ -40,6 +40,11 @@
 #include <random>
 #include <algorithm>
 
+// We need to modify underlying openssl object to set CRL.
+// These includes exposes methods for reading and validating
+// against a CRL.
+#include <openssl/x509_vfy.h>
+
 // TODO(ale): disable assert() once we're confident with the code...
 // To disable assert()
 // #define NDEBUG
@@ -500,6 +505,17 @@ WS_Context_Ptr Connection::onTlsInit(WS_Connection_Handle hdl)
                                   boost::asio::ssl::context::file_format::pem);
         ctx->load_verify_file(client_metadata_.ca);
 
+        if (client_metadata_.crl.length() > 0) {
+            LOG_DEBUG("Using CRL file: {1}", client_metadata_.crl);
+            auto x509_store = SSL_CTX_get_cert_store(ctx->native_handle());
+            X509_LOOKUP* lu = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file());
+            // Returns the number of objects loaded from CRL file or 0 on error
+            if (X509_load_crl_file(lu, client_metadata_.crl.c_str(), X509_FILETYPE_PEM) == 0) {
+                throw connection_config_error {
+                    lth_loc::format("Cannot load crl file: {1}", client_metadata_.crl) };
+            }
+            X509_STORE_set_flags(x509_store, (X509_V_FLAG_CRL_CHECK_ALL | X509_V_FLAG_CRL_CHECK));
+        }
         auto uri_txt = getWsUri();
         auto uri = websocketpp::uri(uri_txt);
         ctx->set_verify_mode(boost::asio::ssl::verify_peer);

lib/src/connector/connector_base.cc

@@ -71,6 +71,38 @@ ConnectorBase::ConnectorBase(std::vector<std::string> broker_ws_uris,
           must_stop_monitoring_ { false }
 { }
 
+// constructor for crl addition
+ConnectorBase::ConnectorBase(std::vector<std::string> broker_ws_uris,
+                             std::string client_type,
+                             std::string ca_crt_path,
+                             std::string client_crt_path,
+                             std::string client_key_path,
+                             std::string client_crl_path,
+                             std::string ws_proxy,
+                             long ws_connection_timeout_ms,
+                             uint32_t pong_timeouts_before_retry,
+                             long ws_pong_timeout_ms)
+        : connection_ptr_ { nullptr },
+          broker_ws_uris_ { std::move(broker_ws_uris) },
+          client_metadata_ { std::move(client_type),
+                             std::move(ca_crt_path),
+                             std::move(client_crt_path),
+                             std::move(client_key_path),
+                             std::move(client_crl_path),
+                             std::move(ws_proxy),
+                             std::move(ws_connection_timeout_ms),
+                             std::move(pong_timeouts_before_retry),
+                             std::move(ws_pong_timeout_ms)},
+          validator_ {},
+          schema_callback_pairs_ {},
+          error_callback_ {},
+          is_monitoring_ { false },
+          monitor_thread_ {},
+          monitor_mutex_ {},
+          monitor_cond_var_ {},
+          must_stop_monitoring_ { false }
+{ }
+
 ConnectorBase::~ConnectorBase()
 {
     if (connection_ptr_ != nullptr) {

lib/src/connector/v1/connector.cc

@@ -88,6 +88,33 @@ Connector::Connector(std::string broker_ws_uri,
                       std::move(ws_pong_timeout_ms)}
 {
 }
+// constructor for crl addition
+Connector::Connector(std::string broker_ws_uri,
+                     std::string client_type,
+                     std::string ca_crt_path,
+                     std::string client_crt_path,
+                     std::string client_key_path,
+                     std::string client_crl_path,
+                     std::string ws_proxy,
+                     long ws_connection_timeout_ms,
+                     uint32_t association_timeout_s,
+                     uint32_t association_request_ttl_s,
+                     uint32_t pong_timeouts_before_retry,
+                     long ws_pong_timeout_ms)
+        : Connector { std::vector<std::string> { std::move(broker_ws_uri) },
+                      std::move(client_type),
+                      std::move(ca_crt_path),
+                      std::move(client_crt_path),
+                      std::move(client_key_path),
+                      std::move(client_crl_path),
+                      std::move(ws_proxy),
+                      std::move(ws_connection_timeout_ms),
+                      std::move(association_timeout_s),
+                      std::move(association_request_ttl_s),
+                      std::move(pong_timeouts_before_retry),
+                      std::move(ws_pong_timeout_ms)}
+{
+}
 // legacy constructor: pre proxy
 Connector::Connector(std::vector<std::string> broker_ws_uris,
                      std::string client_type,
@@ -182,6 +209,56 @@ Connector::Connector(std::vector<std::string> broker_ws_uris,
             TTLMessageCallback(parsed_chunks);
         });
 }
+// constructor for crl addition
+Connector::Connector(std::vector<std::string> broker_ws_uris,
+                     std::string client_type,
+                     std::string ca_crt_path,
+                     std::string client_crt_path,
+                     std::string client_key_path,
+                     std::string client_crl_path,
+                     std::string ws_proxy,
+                     long ws_connection_timeout_ms,
+                     uint32_t association_timeout_s,
+                     uint32_t association_request_ttl_s,
+                     uint32_t pong_timeouts_before_retry,
+                     long ws_pong_timeout_ms)
+        : ConnectorBase { std::move(broker_ws_uris),
+                          std::move(client_type),
+                          std::move(ca_crt_path),
+                          std::move(client_crt_path),
+                          std::move(client_key_path),
+                          std::move(client_crl_path),
+                          std::move(ws_proxy),
+                          std::move(ws_connection_timeout_ms),
+                          std::move(pong_timeouts_before_retry),
+                          std::move(ws_pong_timeout_ms) },
+          associate_response_callback_ {},
+          session_association_ { std::move(association_timeout_s) }
+{
+    // Add PCP schemas to the Validator instance member
+    validator_.registerSchema(Protocol::EnvelopeSchema());
+    validator_.registerSchema(Protocol::DebugSchema());
+    validator_.registerSchema(Protocol::DebugItemSchema());
+
+    // Register PCP callbacks
+    registerMessageCallback(
+        Protocol::AssociateResponseSchema(),
+        [this](const ParsedChunks& parsed_chunks) {
+            associateResponseCallback(parsed_chunks);
+        });
+
+    registerMessageCallback(
+        Protocol::ErrorMessageSchema(),
+        [this](const ParsedChunks& parsed_chunks) {
+            errorMessageCallback(parsed_chunks);
+        });
+
+    registerMessageCallback(
+        Protocol::TTLExpiredSchema(),
+        [this](const ParsedChunks& parsed_chunks) {
+            TTLMessageCallback(parsed_chunks);
+        });
+}
 
 // Set an optional callback for associate responses
 void Connector::setAssociateCallback(MessageCallback callback)