Commit

chore: rename if exists system parameters to global-conf-tls-cert-verification and global-conf-hostname-verification (#2470)

Refs: XRDDEV-2765
enelir authored Dec 10, 2024
1 parent 1d0b2ed commit 23931a9
Showing 6 changed files with 41 additions and 12 deletions.
7 changes: 4 additions & 3 deletions doc/Manuals/ug-syspar_x-road_v6_system_parameters.md
@@ -1,6 +1,6 @@
# X-Road: System Parameters User Guide

Version: 2.90
Version: 2.91
Doc. ID: UG-SYSPAR


Expand Down Expand Up @@ -101,6 +101,7 @@ Doc. ID: UG-SYSPAR
| 19.08.2024 | 2.88 | Added parameters for management requests sender | Justas Samuoslis |
| 20.09.2024 | 2.89 | Acme automatic certificate renewal job related parameters | Mikk-Erik Bachmann |
| 08.11.2024 | 2.90 | Added new parameters *key-named-curve*, *soft-token-pin-keystore-algorithm*, *authentication-key-algorithm* and *signing-key-algorithm* to add ECDSA support for Authentication/Signing certificates | Ovidijus Narkevicius |
| 09.12.2024 | 2.91 | Rename parameters *global_conf_tls_cert_verification* -> *global-conf-tls-cert-verification*, *global_conf_hostname_verification* -> *global-conf-hostname-verification* | Eneli Reimets |


## Table of Contents
Expand Down Expand Up @@ -355,8 +356,8 @@ Proxy-ui has been removed in version 6.24 and it's parameters are not used anymo
| admin-port | 5675 | TCP port on which the configuration client process listens for admin commands. |
| allowed-federations | none | A comma-separated list of case-insensitive X-Road instances that fetching configuration anchors is allowed for. This enables federation with the listed instances if the X-Road instance is already federated at the central server level . Special value *none*, if present, disables all federation (the default value), while *all* allows all federations if *none* is not present. Example: *allowed-federations=ee,sv* allows federation with example instances *EE* and *Sv* while *allowed-federations=all,none* disables federation. X-Road services `xroad-confclient` and `xroad-proxy` need to be restarted (in that order) for the setting change to take effect. |
| proxy-configuration-backup-cron | 0 15 3 * * ? | Cron expression for proxy configuration automatic backup job |
| global_conf_tls_cert_verification | true | It is possible to disable the verification of the global configuration download TLS certificate. Should be `true` in production environment |
| global_conf_hostname_verification | true | It is possible to disable the hostname verification. Does the hostname specified in the URL match the hostname specified in the Common Name (CN) of the Central Server’s TLS certificate. Should be `true` in production environment |
| global-conf-tls-cert-verification | true | It is possible to disable the verification of the global configuration download TLS certificate. Should be `true` in production environment |
| global-conf-hostname-verification | true | It is possible to disable the hostname verification. Does the hostname specified in the URL match the hostname specified in the Common Name (CN) of the Central Server’s TLS certificate. Should be `true` in production environment |

### 3.7 Message log add-on parameters: `[message-log]`

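Review bot: the two renamed rows in the `[configuration-client]` table do not mention that the keys were previously spelled with underscores, so an operator who searches the guide for `global_conf_tls_cert_verification` taken from an existing `local.ini` finds nothing. Consider adding "renamed from *global_conf_tls_cert_verification* in 2.91" (and the hostname equivalent) to the descriptions. The package scripts in this commit only rewrite `/etc/xroad/conf.d/local.ini`, so the guide should also say that a key set in any other file has to be renamed by hand.
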
Expand Up @@ -507,10 +507,10 @@ private SystemProperties() {
PREFIX + "configuration-client.proxy-configuration-backup-cron";

public static final String CONFIGURATION_CLIENT_GLOBAL_CONF_TLS_CERT_VERIFICATION =
PREFIX + "configuration-client.global_conf_tls_cert_verification";
PREFIX + "configuration-client.global-conf-tls-cert-verification";

public static final String CONFIGURATION_CLIENT_GLOBAL_CONF_HOSTNAME_VERIFICATION =
PREFIX + "configuration-client.global_conf_hostname_verification";
PREFIX + "configuration-client.global-conf-hostname-verification";

public static final String CONFIGURATION_CLIENT_ALLOWED_FEDERATIONS =
PREFIX + "configuration-client.allowed-federations";
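
Review bot: both constants in `SystemProperties` now resolve only to the hyphenated key, with no fallback to the underscore spelling, so a value supplied under the old name by any route other than the migrated `/etc/xroad/conf.d/local.ini` is ignored without notice. The guide gives `true` as the default, so the failure mode is verification being switched back on, which is the safe direction, but it will surprise test setups that depend on `false`. Consider logging a warning when the old key is still present, or calling the rename out in the release notes.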
Expand Up @@ -39,8 +39,8 @@
* Unit tests for {@link ConfigurationLocation}
*/
public class ConfigurationLocationTest {
private static final String TLS_CERTIFICATION_VERIFICATION_ENABLED = "xroad.configuration-client.global_conf_tls_cert_verification";
private static final String HOSTNAME_VERIFICATION_ENABLED = "xroad.configuration-client.global_conf_hostname_verification";
private static final String TLS_CERTIFICATION_VERIFICATION_ENABLED = "xroad.configuration-client.global-conf-tls-cert-verification";
private static final String HOSTNAME_VERIFICATION_ENABLED = "xroad.configuration-client.global-conf-hostname-verification";

/**
* Checks that {@link ConfigurationLocation} uses connections that timeout after a period of time.
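
Review bot: `TLS_CERTIFICATION_VERIFICATION_ENABLED` and `HOSTNAME_VERIFICATION_ENABLED` in `ConfigurationLocationTest` repeat the property names as string literals, which is why the rename had to touch this test at all. Referencing `SystemProperties.CONFIGURATION_CLIENT_GLOBAL_CONF_TLS_CERT_VERIFICATION` and `SystemProperties.CONFIGURATION_CLIENT_GLOBAL_CONF_HOSTNAME_VERIFICATION` instead (assuming `PREFIX` expands to `xroad.`, as the literals suggest) would keep the test bound to the key the code actually reads. Minor naming point: `TLS_CERTIFICATION_VERIFICATION_ENABLED` would read better as `TLS_CERT_VERIFICATION_ENABLED`.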
14 changes: 14 additions & 0 deletions src/packages/src/xroad/redhat/SPECS/xroad-confclient.spec
Expand Up @@ -95,6 +95,20 @@ su - xroad -c "test -O /var/lib/xroad && test -G /var/lib/xroad" || chown xroad:
chown xroad:xroad /var/lib/xroad/backup
chmod 0775 /var/lib/xroad

### this script can be delete starting from 7.9.0 version
local_ini_file="/etc/xroad/conf.d/local.ini"
if [[ -f "$local_ini_file" ]]; then
if grep -q "^global_conf_tls_cert_verification" "$local_ini_file"; then
sed -i 's/^global_conf_tls_cert_verification/global-conf-tls-cert-verification/' "$local_ini_file"
echo "Successfully updated property name: global_conf_tls_cert_verification -> global-conf-tls-cert-verification"
fi
if grep -q "^global_conf_hostname_verification" "$local_ini_file"; then
sed -i 's/^global_conf_hostname_verification/global-conf-hostname-verification/' "$local_ini_file"
echo "Successfully updated property name: global_conf_hostname_verification -> global-conf-hostname-verification"
fi
fi
###

chown -R xroad:xroad /etc/xroad/services/* /etc/xroad/conf.d/*
chmod -R o=rwX,g=rX,o= /etc/xroad/services/* /etc/xroad/conf.d/*

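Review bot: the `grep -q "^global_conf_tls_cert_verification"` and matching `sed` patterns in the `local.ini` migration only match a key that starts in column one, and they match on prefix alone, so an indented entry is left under the old name and the setting returns to its default after the upgrade. Allowing leading whitespace and requiring the key to be followed by whitespace or `=`, for example `^[[:space:]]*global_conf_tls_cert_verification[[:space:]]*=`, would be more robust; the same applies to the hostname key. The comment should read "can be deleted", and because the identical block is added to the Ubuntu postinst, a shared helper script would avoid maintaining two copies.
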
20 changes: 17 additions & 3 deletions src/packages/src/xroad/ubuntu/generic/xroad-confclient.postinst
Expand Up @@ -2,9 +2,23 @@
umask 027

if [ "$1" = configure ]; then
chown xroad:xroad /etc/xroad/backup.d/??_xroad-confclient
chmod 0440 /etc/xroad/backup.d/??_xroad-confclient
test -e /etc/xroad/globalconf/files && rm -f /etc/xroad/globalconf/files
chown xroad:xroad /etc/xroad/backup.d/??_xroad-confclient
chmod 0440 /etc/xroad/backup.d/??_xroad-confclient
test -e /etc/xroad/globalconf/files && rm -f /etc/xroad/globalconf/files

### this script can be delete starting from 7.9.0 version
local_ini_file="/etc/xroad/conf.d/local.ini"
if [[ -f "$local_ini_file" ]]; then
if grep -q "^global_conf_tls_cert_verification" "$local_ini_file"; then
sed -i 's/^global_conf_tls_cert_verification/global-conf-tls-cert-verification/' "$local_ini_file"
echo "Successfully updated property name: global_conf_tls_cert_verification -> global-conf-tls-cert-verification"
fi
if grep -q "^global_conf_hostname_verification" "$local_ini_file"; then
sed -i 's/^global_conf_hostname_verification/global-conf-hostname-verification/' "$local_ini_file"
echo "Successfully updated property name: global_conf_hostname_verification -> global-conf-hostname-verification"
fi
fi
###
fi

if [ "$1" = abort-upgrade ]; then
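
Review bot: the migration block tests the file with `[[ -f "$local_ini_file" ]]`, which is a bash construct; the interpreter line of this postinst is outside the hunk, and if it is `/bin/sh` the test fails under dash and the rename is silently skipped. `[ -f "$local_ini_file" ]` works in both shells. The `echo "Successfully updated property name: ..."` lines also follow `sed -i` without checking its exit status, so unless the script runs with `set -e` the message is printed even when the edit failed; chaining the two with `&&` would keep the output accurate.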
Expand Up @@ -12,8 +12,8 @@ health-check-port=5558
server-conf-cache-period=0
[configuration-client]
update-interval = 3
global_conf_tls_cert_verification = false
global_conf_hostname_verification = false
global-conf-tls-cert-verification = false
global-conf-hostname-verification = false
[message-log]
messagelog-encryption-enabled=true
messagelog-keystore=/etc/xroad/messagelog/messagelog.p12
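
Review bot: `global-conf-tls-cert-verification = false` and `global-conf-hostname-verification = false` keep both checks on the global configuration download disabled in this file, and its path is not shown on this page. If it is a development or test fixture, a comment above the two lines saying so, and that the guide requires `true` in production, would reduce the chance of it being copied into a real deployment.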