diff --git a/agents/bakery/curl.py b/agents/bakery/curl.py index 8c8045bbbbaa9c9bd4f50a3c912034a58c3bf6d7..3d8ed4dfebc1385d10eaebb99ef7f917af16a57e 100755 --- a/agents/bakery/curl.py +++ b/agents/bakery/curl.py @@ -42,7 +42,8 @@ # added regex pattern match # 2022-03-20: added dns_options, ftp_options # 2022-03-21: fixed handling of limits and sub directories from wato -# +# 2022-03-24: added options --hostpubmd5, --hostpubsha256, --pubkey +# # from pathlib import Path from typing import List, Tuple, Dict @@ -58,7 +59,7 @@ from cmk.base.cee.plugins.bakery.bakery_api.v1 import ( ) -bakery_version = '20220313.v0.0.5' +bakery_version = '20220323.v0.0.6' def get_curl_files(conf: Tuple[str, Dict[str, List[any]]]) -> FileGenerator: @@ -288,7 +289,13 @@ def get_curl_files(conf: Tuple[str, Dict[str, List[any]]]) -> FileGenerator: url_settings.pop('redirects') if url_settings.get('cert_verify'): - insecure, ocsp, no_revoke, cert_chain = url_settings['cert_verify'] + pub_md5 = None + pub_sha256 = None + pub_key = None + try: + insecure, ocsp, no_revoke, cert_chain = url_settings['cert_verify'] + except ValueError: + insecure, ocsp, no_revoke, cert_chain, pub_md5, pub_sha256, pub_key = url_settings['cert_verify'] if insecure: options_array.append(f'--insecure') if ocsp: @@ -304,6 +311,19 @@ def get_curl_files(conf: Tuple[str, Dict[str, List[any]]]) -> FileGenerator: include_header=False, ) options_array.append(f'--cacert {_conf_path}curl/curl_item_{curl_item}.ca_cert') + if pub_md5: + options_array.append(f'--hostpubmd5 {pub_md5}') + if pub_sha256: + options_array.append(f'--hostpubsha256 {pub_sha256}') + if pub_key: + yield PluginConfig( + base_os=_os, + lines=[cert_chain], + target=Path(f'curl/curl_item_{curl_item}.pub_key'), + include_header=False, + ) + options_array.append(f'--pubkey {_conf_path}curl/curl_item_{curl_item}.pub_key') + url_settings.pop('cert_verify') if url_settings.get('advanced_settings'): 
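Review bot: In the hunk at `@@ -288,7 +289,13 @@`, the `try`/`except ValueError` around unpacking `url_settings['cert_verify']` uses an exception to tell old 4-element rules from new 7-element ones, and a tuple of any other length raises a second `ValueError` from inside the handler, which gives a confusing traceback. Padding the stored value states the intent directly and makes the three `= None` pre-assignments unnecessary: `cert_verify = tuple(url_settings['cert_verify'])` followed by `insecure, ocsp, no_revoke, cert_chain, pub_md5, pub_sha256, pub_key = cert_verify + (None,) * (7 - len(cert_verify))`. A one-line comment such as `# rules saved before 2022-03-23 hold only the first four elements` would explain why both shapes exist. The enclosing `get_curl_files` starts and ends outside the hunk.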
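Review bot: In the hunk at `@@ -304,6 +311,19 @@`, the `if pub_key:` branch writes `curl_item_{curl_item}.pub_key` from `lines=[cert_chain]`, so the file that `--pubkey` points to holds the CA chain (or `None` when no chain is configured) and never the uploaded key; this should be `lines=[pub_key],`. The hash values are also interpolated unquoted into the option string (`f'--hostpubsha256 {pub_sha256}'`), so they rely entirely on the WATO-side validation to keep whitespace or extra options out of the generated curl configuration. Indentation is lost on this page, so I cannot confirm whether the three new blocks sit inside the preceding CA-chain branch; they should be at the level of `if insecure:` so that they work without a CA chain. `get_curl_files` begins and ends outside this hunk.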
diff --git a/curl.mkp b/curl.mkp index 15c0725660715888787cdc2de7d669f0716e3c2e..7515d568bdc7dc372abfc4313ee4c9fe8342b1bb 100644 Binary files a/curl.mkp and b/curl.mkp differ diff --git a/packages/curl b/packages/curl index fb86a1ee723fad1d3c4fa1c1e3448d5c948aef3e..1874db69d908c650a77b6c3a13e278d7d91240ce 100644 --- a/packages/curl +++ b/packages/curl @@ -21,7 +21,7 @@ 'name': 'curl', 'num_files': 6, 'title': 'cURL agent plugin', - 'version': '20220322.v0.1.2', + 'version': '20220323.v0.1.3', 'version.min_required': '2.0.0', 'version.packaged': '2021.09.20', 'version.usable_until': None} \ No newline at end of file diff --git a/web/plugins/wato/curl.py b/web/plugins/wato/curl.py index b04b3553f46c23d31f584187477662c3465515e5..14bf05df1c07a56bf361c575b3c703c530365ba4 100644 --- a/web/plugins/wato/curl.py +++ b/web/plugins/wato/curl.py @@ -59,6 +59,7 @@ # 2022-03-21: moved --connect-timeout, --limit-rate, --max-filesize, --max-time, --speed-limit, --speed-time # to "limits" sub Directory # 2022-03-22: added curl_error_code_to_ignore and http_error_code_to_ignore options +# 2022-03-24: added options --hostpubmd5, --hostpubsha256, --pubkey # import ipaddress from cmk.gui.i18n import _ @@ -98,7 +99,7 @@ from cmk.gui.cee.plugins.wato.agent_bakery.rulespecs.utils import ( RulespecGroupMonitoringAgentsAgentPlugins, ) -bakery_plugin_version = '20220313.v0.0.5' +bakery_plugin_version = '20220323.v0.0.6' # unsafe characters https://www.tutorialspoint.com/html/html_url_encoding.htm forbidden_chars = '"<>#%{}|\^~[]` \'' 
@@ -335,16 +336,33 @@ _option_curl_service = ('curl_service', orientation='horizontal', )) -_option_cert_verify = ('cert_verify', - Tuple( - title='Configure certificate verification', - elements=[ - Checkbox('Don\'t verify certificates'), - Checkbox('Use OCSP to check certificate status'), - Checkbox('Disable cert revocation checks (WinSSL)'), - Optional(Foldable(CAorCAChain()), label='Certificate to verify against', ), - ] - )) + +def _transform_forth_verify_remote_host(params): + if type(params) == tuple: + if len(params) == 4: # added 2022-03-23 + params = (params[0], params[1], params[2], params[3], None, None, None) + return params + + +_option_verify_remote_host = ('cert_verify', + Transform( + Tuple( + title='Configure verification of remote host (certificate/pub key)', + elements=[ + Checkbox('Don\'t verify certificate/pub key'), + Checkbox('Use OCSP to check certificate status'), + Checkbox('Disable cert revocation checks (WinSSL)'), + Optional(Foldable(CAorCAChain()), label='Certificate to verify against', ), + Optional(TextUnicode(size=35, minlen=32, maxlen=32, regex='[0-9a-fA-F]', ), + label='Expected MD5 hash of pub key'), + Optional(TextUnicode(size=60, allow_empty=False), + label='Expected SHA256 hash of pub key'), + Optional(Foldable(UploadOrPasteTextFile(title='Public key'), ), + label='Expected public key'), + ] + ), + forth=_transform_forth_verify_remote_host + )) _option_redirects = ('redirects', Tuple( @@ -1053,7 +1071,7 @@ _option_url_settings = ('url_settings', Dictionary( title=_('Per URL settings'), elements=[ - _option_cert_verify, + _option_verify_remote_host, _options_proxy, _option_redirects, _url_user_auth, @@ -1135,7 +1153,7 @@ _option_default_settings = ('default_settings', Dictionary( title=_('Plugin settings'), elements=[ - _option_cert_verify, + _option_verify_remote_host, _options_proxy, _option_redirects, _option_user_auth,
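Review bot: In the hunk at `@@ -335,16 +336,33 @@`, the MD5 field of `_option_verify_remote_host` uses `regex='[0-9a-fA-F]'` with no anchors or quantifier, so (assuming the valuespec applies it with match semantics) only the first character is checked, and the SHA256 field has no pattern at all. The bakery plugin later writes both values unquoted into the curl options, so the pattern is the only thing that keeps whitespace and stray options out; I would use `regex='^[0-9a-fA-F]{32}$'` for MD5 and add something like `regex='^[A-Za-z0-9+/=]+$'` for the Base64 SHA256 value. The labels also need care: in curl, `--hostpubmd5` and `--hostpubsha256` pin the SSH host key for SFTP/SCP, while `--pubkey` names the client's own public key file for SSH authentication, so 'Expected public key' describes a check that option does not perform. In `_transform_forth_verify_remote_host`, `isinstance(params, tuple)` is the idiomatic form of `type(params) == tuple`.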