From 9ac5741e6c6ee369c2213e0fd34a7929180a9523 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 14 Jun 2012 16:44:19 +0200 Subject: [PATCH 1/7] only warn about replays if the delta is more than 1 (or less than -1) --- ykval-sync.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ykval-sync.php b/ykval-sync.php index 8a5a6d3..55e1a53 100644 --- a/ykval-sync.php +++ b/ykval-sync.php @@ -162,7 +162,9 @@ if ($sync->countersEqual($localParams, $syncParams)) { if ($syncParams['modified']!=$localParams['modified'] && $syncParams['nonce']==$localParams['nonce']) { $deltaModified = $syncParams['modified'] - $localParams['modified']; - $myLog->log(LOG_WARNING, 'We might have a replay. 2 events at different times have generated the same counters. The time difference is ' . $deltaModified . ' seconds'); + if($deltaModified < -1 || $deltaModified > 1) { + $myLog->log(LOG_WARNING, 'We might have a replay. 2 events at different times have generated the same counters. The time difference is ' . $deltaModified . ' seconds'); + } } if ($syncParams['nonce']!=$localParams['nonce']) { From 42e13cd43bb4b86b0faefd8fdf71d79fbe38ca33 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 15 Jun 2012 10:15:51 +0200 Subject: [PATCH 2/7] simple munin plugin for response types --- ykval-munin-responses.pl | 48 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100755 ykval-munin-responses.pl diff --git a/ykval-munin-responses.pl b/ykval-munin-responses.pl new file mode 100755 index 0000000..dc3f6ce --- /dev/null +++ b/ykval-munin-responses.pl 
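Review bot: The new guard `if($deltaModified < -1 || $deltaModified > 1)` drops the possible-replay message completely when the two `modified` stamps are within one second of each other, so that case no longer leaves a trace at any log level. As far as this hunk shows, the warning is the only record of two events that produced identical counters and nonce, so consider keeping it at a lower priority rather than omitting it, e.g. `else { $myLog->log(LOG_INFO, 'Same counters within ' . $deltaModified . ' seconds, treated as clock skew'); }`. The one-second tolerance is also unexplained; a short comment stating why a delta of 1 is expected, together with `if (abs($deltaModified) > 1) {`, would make the intent easier to audit. The enclosing `if` blocks begin and end outside the hunk.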
@@ -0,0 +1,48 @@
+#!/usr/bin/perl
+#%# family=auto
+#%# capabilities=autoconf
+
+use strict;
+use warnings;
+
+my @types = qw/OK BAD_OTP MISSING_PARAMETER BACKEND_ERROR BAD_SIGNATURE DELAYED_OTP NO_SUCH_CLIENT NOT_ENOUGH_ANSWERS REPLAYED_REQUEST REPLAYED_OTP OPERATION_NOT_ALLOWED/;
+my $logfile = "/var/log/yubikey-val-server-php.log";
+
+if(@ARGV > 0) {
+ if($ARGV[0] eq "autoconf") {
+ print "yes\n";
+ exit 0;
+ } elsif($ARGV[0] eq "config") {
+ print "multigraph yk_responses\n";
+ print "graph_title YK-VAL response types\n";
+ print "graph_vlabel responses\n";
+ print "graph_category ykval\n";
+
+ foreach my $type (@types) {
+ print "${type}.label ${type}\n";
+ print "${type}.type DERIVE\n";
+ print "${type}.info Responses\n";
+ print "${type}.min 0\n";
+ print "${type}.draw LINE1\n";
+ }
+ exit 0
+ }
+ print "unknown command '${ARGV[0]}'\n";
+ exit 1
+}
+
+my %statuses = map { $_ => 0 } @types;
+
+my $reg = qr/status=([A-Z_]+)/;
+open (LOGFILE, "grep 'ykval-verify.*Response' $logfile |");
+while() {
+ next unless /$reg/;
+ $statuses{$1}++;
+}
+close LOGFILE;
+
+print "multigraph yk_responses\n";
+foreach my $type (@types) {
+ print "${type}.value ${statuses{$type}}\n";
+}
+exit 0
From fff8073ac067545a63d6fad22a9781bb0f24912b Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Fri, 15 Jun 2012 10:22:26 +0200
Subject: [PATCH 3/7] NEWS for 2.17
---
NEWS | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index bbe4390..2030fad 100644
--- a/NEWS
+++ b/NEWS
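Review bot: The `open (LOGFILE, "grep 'ykval-verify.*Response' $logfile |")` call is never checked, so when the log is missing or unreadable for the user the plugin runs as, the loop reads nothing and every status is reported as 0 with exit code 0; a graph meant to surface REPLAYED_OTP or BAD_SIGNATURE responses then shows a flat line instead of an error. The command string also goes through a shell with an interpolated path, which is harmless while `$logfile` is a constant but becomes a command-injection point if the path is ever made configurable. Reading the file directly avoids both: `open(my $fh, '<', $logfile) or die "cannot open $logfile: $!\n";` and, inside the loop, `next unless /ykval-verify.*Response/ && /$reg/;`. The `autoconf` branch could apply the same readability test (`-r $logfile`) before printing `yes`.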
@@ -1,4 +1,17 @@ -* Version 2.17 unreleased +* Version 2.17 released 2012-06-15 + + * Logging improvements. + use ykval-verify/ykval-sync correctly for whole flow + clarify/degrade various logging messages + + * Fix mysql error introduced in 2.14, also logs + database updated/not updated correctly. + + * Accept sync for disabled keys, but still answer BAD_OTP. + + * Remove from sync queue on BAD_OTP answer. + + * Add munin plugin for response types. * Version 2.16 released 2012-06-13 From accebd2a1a026ff4da223e3272fe0031b056ed73 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 15 Jun 2012 10:24:52 +0200 Subject: [PATCH 4/7] bump versions post-release --- Makefile | 2 +- NEWS | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 70257ee..e564d2f 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION = 2.17 +VERSION = 2.18 PACKAGE = yubikey-val CODE = COPYING Makefile NEWS ykval-checksum-clients.php \ ykval-common.php ykval-config.php ykval-db.php ykval-db.sql \ diff --git a/NEWS b/NEWS index 2030fad..01b6eb5 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,5 @@ +* Version 2.18 (unreleased) + * Version 2.17 released 2012-06-15 * Logging improvements. From ce830612de2d2520fd0aeef4701052a706150269 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 15 Jun 2012 10:31:56 +0200 Subject: [PATCH 5/7] actually install the responses munin check --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index e564d2f..b7373db 100644 --- a/Makefile +++ b/Makefile 
@@ -42,6 +42,7 @@ install: install -D ykval-munin-ksmlatency.php $(DESTDIR)$(muninprefix)/ykval_ksmlatency install -D ykval-munin-vallatency.php $(DESTDIR)$(muninprefix)/ykval_vallatency install -D ykval-munin-queuelength.php $(DESTDIR)$(muninprefix)/ykval_queuelength + install -D ykval-munin-responses.pl $(DESTDIR)$(muninprefix)/ykval_responses install -D --backup --mode 640 --group $(wwwgroup) ykval-config.php $(DESTDIR)$(etcprefix)/ykval-config.php-template install -D --mode 644 ykval-db.sql $(DESTDIR)$(docprefix)/ykval-db.sql install -D --mode 644 $(DOCS) $(DESTDIR)$(docprefix)/ From 3b7927ccb35451851848454ebf9dcccd5b9f773a Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 15 Jun 2012 10:39:48 +0200 Subject: [PATCH 6/7] add munin pluin to MUNIN so it's included in tar --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b7373db..c1b1f74 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ CODE = COPYING Makefile NEWS ykval-checksum-clients.php \ ykval-sync.php ykval-verify.php ykval-export-clients.php \ ykval-import-clients.php MUNIN = ykval-munin-ksmlatency.php ykval-munin-vallatency.php \ - ykval-munin-queuelength.php + ykval-munin-queuelength.php ykval-munin-responses.pl DOCS = doc/ClientInfoFormat.wiki doc/Installation.wiki \ doc/RevocationService.wiki doc/ServerReplicationProtocol.wiki \ doc/SyncMonitor.wiki doc/Troubleshooting.wiki From f72f00c33833d91c4030bb2ef107e37f35e36e18 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 15 Jun 2012 10:46:34 +0200 Subject: [PATCH 7/7] rollback to 2.17 --- Makefile | 2 +- NEWS | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/Makefile b/Makefile index c1b1f74..5e9b5cf 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION = 2.18 +VERSION = 2.17 PACKAGE = yubikey-val CODE = COPYING Makefile NEWS ykval-checksum-clients.php \ ykval-common.php ykval-config.php ykval-db.php ykval-db.sql \ 
diff --git a/NEWS b/NEWS index 01b6eb5..2030fad 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,3 @@ -* Version 2.18 (unreleased) - * Version 2.17 released 2012-06-15 * Logging improvements.