cloud_discovery: add automatic reenrolment of operational certificates

The daemon will check the vailidity of the operational certificate once and hour.
If the certificate is valid for less than three days, a reenrollment is attempted.
Once the reenroll happened the connection to the cloud controller will be restarted.

Fixes: WIFI-14900
Fixes: WIFI-14694
Signed-off-by: John Crispin <john@phrozen.org>

feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery

@@ -27,6 +27,8 @@ let timeouts = {
 	'validate': 120,
 	'orphan': 2 * 60 * 60,
 	interval: 10000,
+	expiry_interval: 60 * 60 * 1000,
+	expiry_threshold: 3 * 24 * 60 * 60,
 };
 
 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "cloud_discover");
@@ -329,6 +331,27 @@ let ubus_methods = {
 	},
 };
 
+function expiry_handler() {
+	let stat = fs.stat('/etc/ucentral/operational.ca');
+	if (!stat)
+		return;
+
+	let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
+	if (!ret) {
+		ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
+		return;
+	}
+
+	ulog(LOG_INFO, 'certificate will expire soon\n');
+	if (system('/usr/bin/est_client reenroll')) {
+		ulog(LOG_INFO, 'reenroll failed\n');
+		return;
+	}
+	ulog(LOG_INFO, 'reenroll succeeded\n');
+	ulog(LOG_INFO, '(re)starting client\n');
+	system('/etc/init.d/ucentral restart');
+}
+
 if (gateway_available()) {
 	let status = ubus.call('ucentral', 'status');
 	ulog(LOG_INFO, 'cloud is known\n');
@@ -345,6 +368,7 @@ if (gateway_available()) {
 timeouts_load();
 
 interval = uloop.interval(timeouts.interval, interval_handler);
+uloop.interval(timeouts.expiry_interval, expiry_handler);
 
 ubus.publish('cloud', ubus_methods);