BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level

This commit adds an ha_warning() when 'show tls-keys' or 'set ssl
tls-key' are accessed without admin level. This is to warn users that
these commands will be restricted to admin only in HAProxy 3.3.

Must be backported in every stable branches.

Initially reported by Cameron Brown.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2b1daa748fc1342020825488494f0acb3a51db75..41619bef570688a220b2f4031f00d400f4453b7d 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8086,6 +8086,9 @@ static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *app
 {
        struct show_keys_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 
+       if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+               ha_warning("'%s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1]);
+
        /* no parameter, shows only file list */
        if (!*args[2]) {
                ctx->names_only = 1;
@@ -8110,6 +8113,9 @@ static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appc
        struct tls_keys_ref *ref;
        int ret;
 
+       if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+               ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
        /* Expect two parameters: the filename and the new new TLS key in encoding */
        if (!*args[3] || !*args[4])
                return cli_err(appctx, "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n");