17340 FIX Registering agents without automation user

This is only relevant if you use the managed edition and you set the automation user to belong to the provider! If the automation user is marked to belong to the *provider* the user is not synchronized to the customer sites. When registering an agent the agent-receiver queries the RestAPI in order to get the configuration for the configured lifetime of agent certificates. In order to authenticate the agent-receiver tries to use the automation user. This failed with an uncaught exception if that automation user does not exists. In 2.3.0 we switched to another authentication scheme which is not available in 2.2.0, therefore these cases are now caught and the default lifetime (5 years) is used. SUP-16830 Change-Id: Ife29a396720908fc4b679f1416bbd658210ecbcb
Checkmk · Oct 9, 2024 · 1de462f · 1de462f
1 parent 64d8c32
commit 1de462f
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/.werks/17340 b/.werks/17340
@@ -0,0 +1,16 @@
+Title: Registering agents without automation user
+Class: fix
+Compatible: compat
+Component: checks
+Date: 1728390830
+Edition: cme
+Level: 1
+Version: 2.2.0p36
+
+This is only relevant if you use the managed edition and you set the automation user to belong to the provider!
+
+If the automation user is marked to belong to the *provider* the user is not synchronized to the customer sites.
+When registering an agent the agent receiver queries the RestAPI in order to get the configuration for the configured lifetime of agent certificates.
+In order to authenticate the agent receiver tries to use the automation user.
+This failed with an uncaught exception if that automation user does not exists.
+In 2.3.0 we switched to another authentication scheme which is not available in 2.2.0, therefore these cases are now caught and the default lifetime (5 years) is used.
diff --git a/agent-receiver/agent_receiver/endpoints.py b/agent-receiver/agent_receiver/endpoints.py
@@ -81,12 +81,20 @@ def _validate_uuid_against_csr(uuid: UUID4, csr_field: CsrField) -> None:
 
 
 def _sign_agent_csr(uuid: UUID4, csr_field: CsrField) -> Certificate:
-    return sign_agent_csr(
-        csr_field.csr,
-        controller_certificate_settings(
+    try:
+        lifetime = controller_certificate_settings(
             f"uuid={uuid} Querying agent controller certificate settings failed",
             internal_credentials(),
-        ).lifetime_in_months,
+        ).lifetime_in_months
+    except FileNotFoundError:
+        # In a managed edition the automation user might not be available,
+        # therefore we cannot lookup what is configured. So let's go with the
+        # default of 60. This would have been configurable via
+        # `lifetime_in_months` aka "Lifetime of certificates"
+        lifetime = 60
+    return sign_agent_csr(
+        csr_field.csr,
+        lifetime,
     )
 
 

diff --git a/agent-receiver/agent_receiver/utils.py b/agent-receiver/agent_receiver/utils.py
@@ -73,5 +73,8 @@ def uuid_from_pem_csr(pem_csr: str) -> str:
 
 
 def internal_credentials() -> HTTPBasicCredentials:
+    """return credentials of the INTERNAL_REST_API_USER aka automation user
+
+    If there is not automation user this will raise a FileNotFoundError"""
     secret = (users_dir() / INTERNAL_REST_API_USER / "automation.secret").read_text().strip()
     return HTTPBasicCredentials(username=INTERNAL_REST_API_USER, password=secret)