From 4c6bcfa35cf742fc79a97bfead95541fc711e4b2 Mon Sep 17 00:00:00 2001
From: Razvan Becheriu
Date: Thu, 15 May 2025 12:39:54 +0300
Subject: [PATCH] [#3840] update CA default config and dhcp examples

---
 doc/examples/kea4/all-keys-netconf.json | 2 +-
 doc/examples/kea4/all-keys.json | 2 +-
 doc/examples/kea4/dhcpv4-over-dhcpv6.json | 2 +-
 doc/examples/kea6/all-keys-netconf.json | 2 +-
 doc/examples/kea6/all-keys.json | 2 +-
 doc/examples/kea6/dhcpv4-over-dhcpv6.json | 2 +-
 src/bin/dhcp4/tests/dhcp4_test_utils.cc | 4 ---
 src/bin/dhcp6/tests/dhcp6_test_utils.cc | 4 ---
 src/bin/keactrl/kea-ctrl-agent.conf.pre | 34 +++++++++++++++++++++++
 9 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/doc/examples/kea4/all-keys-netconf.json b/doc/examples/kea4/all-keys-netconf.json
index 8d018fb0e8..9182fdf1e6 100644
--- a/doc/examples/kea4/all-keys-netconf.json
+++ b/doc/examples/kea4/all-keys-netconf.json
@@ -542,7 +542,7 @@
 // Name of the lease file. In the case of a database it specifies the
 // database name.
- "name": "kea-dhcp4.csv",
+ "name": "kea-leases4.csv",
 // memfile-specific parameter indicating whether leases should
 // be saved on persistent storage (disk) or not. The true value
diff --git a/doc/examples/kea4/all-keys.json b/doc/examples/kea4/all-keys.json
index 2b0eeb1342..098119869d 100644
--- a/doc/examples/kea4/all-keys.json
+++ b/doc/examples/kea4/all-keys.json
@@ -542,7 +542,7 @@
 // Name of the lease file. In the case of a database it specifies the
 // database name.
- "name": "kea-dhcp4.csv",
+ "name": "kea-leases4.csv",
 // memfile-specific parameter indicating whether leases should
 // be saved on persistent storage (disk) or not. The true value
diff --git a/doc/examples/kea4/dhcpv4-over-dhcpv6.json b/doc/examples/kea4/dhcpv4-over-dhcpv6.json
index 8cf61b7782..7909c72e6e 100644
--- a/doc/examples/kea4/dhcpv4-over-dhcpv6.json
+++ b/doc/examples/kea4/dhcpv4-over-dhcpv6.json
@@ -12,7 +12,7 @@
 "lease-database": {
 "type": "memfile",
- "name": "kea-dhcp4.csv",
+ "name": "kea-leases4.csv",
 "lfc-interval": 3600
 },
diff --git a/doc/examples/kea6/all-keys-netconf.json b/doc/examples/kea6/all-keys-netconf.json
index 2df5b02b69..86a9f8c122 100644
--- a/doc/examples/kea6/all-keys-netconf.json
+++ b/doc/examples/kea6/all-keys-netconf.json
@@ -468,7 +468,7 @@
 // Name of the lease file. In the case of a database it specifies the
 // database name.
- "name": "kea-dhcp6.csv",
+ "name": "kea-leases6.csv",
 // memfile-specific parameter indicating whether leases should
 // be saved on persistent storage (disk) or not. The true value
diff --git a/doc/examples/kea6/all-keys.json b/doc/examples/kea6/all-keys.json
index 4dfd76753c..4d4fbebeed 100644
--- a/doc/examples/kea6/all-keys.json
+++ b/doc/examples/kea6/all-keys.json
@@ -468,7 +468,7 @@
 // Name of the lease file. In the case of a database it specifies the
 // database name.
- "name": "kea-dhcp6.csv",
+ "name": "kea-leases6.csv",
 // memfile-specific parameter indicating whether leases should
 // be saved on persistent storage (disk) or not. The true value
diff --git a/doc/examples/kea6/dhcpv4-over-dhcpv6.json b/doc/examples/kea6/dhcpv4-over-dhcpv6.json
index d832ca5651..e723f69d01 100644
--- a/doc/examples/kea6/dhcpv4-over-dhcpv6.json
+++ b/doc/examples/kea6/dhcpv4-over-dhcpv6.json
@@ -13,7 +13,7 @@
 "lease-database": {
 "type": "memfile",
- "name": "kea-dhcp6.csv"
+ "name": "kea-leases6.csv"
 },
 "preferred-lifetime": 3000,
diff --git a/src/bin/dhcp4/tests/dhcp4_test_utils.cc b/src/bin/dhcp4/tests/dhcp4_test_utils.cc
index 93e5132435..acc62bea80 100644
--- a/src/bin/dhcp4/tests/dhcp4_test_utils.cc
+++ b/src/bin/dhcp4/tests/dhcp4_test_utils.cc
@@ -50,10 +50,6 @@ BaseServerTest::~BaseServerTest() {
 s2 << CfgMgr::instance().getDataDir() << "/kea-leases4.csv";
 static_cast(::remove(s2.str().c_str()));
- std::ostringstream s3;
- s3 << CfgMgr::instance().getDataDir() << "/kea-dhcp4.csv";
- static_cast(::remove(s3.str().c_str()));
- // Revert to original data directory.
 CfgMgr::instance().getDataDir(true, original_datadir_);
diff --git a/src/bin/dhcp6/tests/dhcp6_test_utils.cc b/src/bin/dhcp6/tests/dhcp6_test_utils.cc
index 35872e339e..b7c486fdb3 100644
--- a/src/bin/dhcp6/tests/dhcp6_test_utils.cc
+++ b/src/bin/dhcp6/tests/dhcp6_test_utils.cc
@@ -53,10 +53,6 @@ BaseServerTest::~BaseServerTest() {
 s2 << CfgMgr::instance().getDataDir() << "/kea-leases6.csv";
 static_cast(::remove(s2.str().c_str()));
- std::ostringstream s3;
- s3 << CfgMgr::instance().getDataDir() << "/kea-dhcp6.csv";
- static_cast(::remove(s3.str().c_str()));
- // Revert to original data directory.
 CfgMgr::instance().getDataDir(true, original_datadir_);
diff --git a/src/bin/keactrl/kea-ctrl-agent.conf.pre b/src/bin/keactrl/kea-ctrl-agent.conf.pre
index 604ba0d6d4..f31096044d 100644
--- a/src/bin/keactrl/kea-ctrl-agent.conf.pre
+++ b/src/bin/keactrl/kea-ctrl-agent.conf.pre
@@ -26,6 +26,40 @@
 // is specifically for HA updates only.
 "http-port": 8000,
+ // Allow access only to kea-api user.
+ // To make it work, please store your password in kea-api-password file.
+ // Make sure the password file has sufficiently restrictive access permissions,
+ // in particular it is not world-readable.
+ // The basic HTTP auth offers poor security for unencrypted channels.
+ // If possible, a better, stronger HTTPS mechanism should be deployed,
+ // in particular when the client authentication is enabled by setting the
+ // cert-required to true (the default). See trust-anchor, cert-file,
+ // key-file and cert-required below. For more details read the Kea Security
+ // section in the ARM.
+ "authentication": {
+ "type": "basic",
+ "realm": "Kea Control Agent",
+ "directory": "/etc/kea",
+ "clients": [
+ {
+ "user": "kea-api",
+ "password-file": "kea-api-password"
+ }
+ ]
+ },
+
+ // Configuration section containing HTTPS parameters:
+ // TLS trust anchor (Certificate Authority). This is a file name or
+ // (for OpenSSL only) a directory path.
+ // "trust-anchor": "kea-server-ca",
+ // TLS server certificate file name.
+ // "cert-file": "kea-server-cert",
+ // TLS server private key file name.
+ // "key-file": "kea-server-key",
+ // TLS require client certificates flag. Default is true and means
+ // require client certificates. False means they are optional.
+ // "cert-required": true
+
 // Specify location of the files to which the Control Agent
 // should connect to forward commands to the DHCPv4, DHCPv6
 // and D2 servers via unix domain sockets.
--
2.47.2
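Review bot: The new `authentication` block makes the default Control Agent depend on a password file that the comment names only by basename, `kea-api-password`, without stating the resolved location or what happens when the file is absent at startup; presumably the agent rejects the configuration in that case — confirm against the config parser before documenting it. I would extend the first comment with `// The file is resolved relative to "directory", i.e. /etc/kea/kea-api-password,` and `// and must exist and be readable only by the agent's user before the agent starts.` The `directory` value is a hard-coded `/etc/kea` inside a `.pre` template; if other paths in this file are substituted at build time, this one should probably follow the same convention so a build with a different sysconfdir does not silently point at a nonexistent file. The enclosing top-level configuration object starts and ends outside the hunk.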