
Generate certificate expiration notifications #1606

Merged
merged 2 commits into from
Aug 15, 2024
2 changes: 1 addition & 1 deletion scripts/common.sh
Expand Up @@ -33,7 +33,7 @@ LN2_MODULES=(
"ietf-tls-common@2023-12-28.yang -e tls10 -e tls11 -e tls12 -e tls13 -e hello-params"
"ietf-tls-server@2023-12-28.yang -e server-ident-x509-cert -e client-auth-supported -e client-auth-x509-cert"
"ietf-netconf-server@2023-12-28.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home -e central-netconf-server-supported"
"libnetconf2-netconf-server@2024-01-15.yang"
"libnetconf2-netconf-server@2024-07-09.yang"
)

# get path to the sysrepocfg executable
98 changes: 98 additions & 0 deletions src/main.c
Expand Up @@ -505,6 +505,98 @@ np2srv_sm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char
return rc;
}

#ifdef NC_ENABLED_SSH_TLS

/**
* @brief Callback for sending certificate expiration notifications generated by libnetconf2.
*/
static void
np2srv_cert_exp_notif_cb(const char *expiration_time, const char *xpath, void *user_data)
Roytak marked this conversation as resolved.
{
sr_session_ctx_t *sr_sess = user_data;
const struct ly_ctx *ly_ctx = NULL;
int rc, stop_thread = 0;
struct lyd_node *ntf = NULL;

ly_ctx = sr_acquire_context(np2srv.sr_conn);
if (!ly_ctx) {
ERR("Failed to acquire sysrepo context.");
stop_thread = 1;
goto cleanup;
}

rc = lyd_new_path(NULL, ly_ctx, xpath, expiration_time, 0, &ntf);
if (rc) {
ERR("Failed to create certificate expiration notification data.");
stop_thread = 1;
goto cleanup;
}

rc = sr_notif_send_tree(sr_sess, ntf, 0, 0);
if (rc) {
ERR("Failed to send certificate expiration notification.");
stop_thread = 1;
goto cleanup;
}

cleanup:
lyd_free_tree(ntf);
if (ly_ctx) {
sr_release_context(np2srv.sr_conn);
}
if (stop_thread) {
nc_server_notif_cert_expiration_thread_stop(1);
}
}

/**
* @brief Start the certificate expiration notification thread.
*
* The thread is started only if the 'certificate-expiration-notification' feature is enabled.
*
* @return 0 if the thread is successfully started or if the feature is disabled, -1 on error.
*/
static int
np2srv_start_cert_exp_notif_thread(void)
Roytak marked this conversation as resolved.
{
int r, ret = 0;
const struct ly_ctx *ly_ctx;
const struct lys_module *mod;

ly_ctx = sr_acquire_context(np2srv.sr_conn);
if (!ly_ctx) {
ERR("Failed to acquire SR connection context.");
return -1;
}

mod = ly_ctx_get_module_implemented(ly_ctx, "ietf-crypto-types");
if (!mod) {
ERR("Module \"ietf-crypto-types\" not implemented in sysrepo.");
ret = -1;
goto cleanup;
}

/* check if the feature is enabled and if so, then start the thread */
r = lys_feature_value(mod, "certificate-expiration-notification");
if (r == LY_SUCCESS) {
if (nc_server_notif_cert_expiration_thread_start(np2srv_cert_exp_notif_cb, np2srv.sr_sess, NULL)) {
ERR("Failed to start certificate expiration notification thread.");
ret = -1;
goto cleanup;
}
} else if (r == LY_ENOTFOUND) {
ERR("Feature \"certificate-expiration-notification\" not found in module \"ietf-crypto-types\".");
ret = -1;
goto cleanup;
}

cleanup:
sr_release_context(np2srv.sr_conn);
return ret;
}

#endif /* NC_ENABLED_SSH_TLS */

/**
* @brief Initialize the server,
*
Expand Down Expand Up @@ -562,6 +654,12 @@ server_init(void)
ERR("Setting authorized_keys path format failed.");
goto error;
}

/* start certificate expiration notification thread if the certificate-expiration-notification feature is enabled */
if (np2srv_start_cert_exp_notif_thread()) {
ERR("Starting certificate expiration notification thread failed.");
goto error;
}
#endif /* NC_ENABLED_SSH_TLS */

/* set capabilities for the NETCONF Notifications */
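Review bot: np2srv_cert_exp_notif_cb sends through `sr_sess`, which is `np2srv.sr_sess` handed over as user_data in np2srv_start_cert_exp_notif_thread, so the same sysrepo session is used both by the server's own threads and by the libnetconf2 expiration thread that invokes this callback; as far as I know a sysrepo session is not meant for concurrent use by several threads, so this looks like a data race unless every other use of that session is serialized against the callback. I would start a dedicated session for the notification thread (`sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sess)`) and pass that as user_data, or add a comment above the `nc_server_notif_cert_expiration_thread_start()` call stating why sharing `np2srv.sr_sess` is safe here. Separately, the error path of the callback calls `nc_server_notif_cert_expiration_thread_stop(1)` from inside the thread's own callback; if that argument asks the call to join the thread, this would self-deadlock, which is worth confirming against the libnetconf2 API and recording in a comment in the cleanup block. server_init's body starts and ends outside the second hunk.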