Ejemplo n.º 1
 def missing_host_key(self, client, hostname, key):
     """Decide whether an unrecognized SSH host key may be trusted.

     The key is reduced to ``'sha512$'`` followed by the SHA-512 hex
     digest of ``key.asbytes()`` and compared with the ``pubkeys.ssh``
     attribute stored for ``self.node``.  ``client`` and ``hostname`` are
     not consulted here; the pin is looked up by ``self.node`` only.

     Returns True when the fingerprint equals the stored pin, or when no
     pin is stored and the first-seen key is recorded (trust on first
     use).

     Raises cexc.PubkeyInvalid when the stored pin differs from the
     presented key ('mismatch'), or when no pin is stored and
     ``pubkeys.addpolicy`` is 'manual' ('newkey').
     """
     fingerprint = 'sha512$' + hashlib.sha512(key.asbytes()).hexdigest()
     attribs = self.cfm.get_node_attributes(
         self.node, ('pubkeys.ssh', 'pubkeys.addpolicy'))
     nodeattribs = attribs[self.node]

     if 'pubkeys.ssh' in nodeattribs:
         # A pin exists: only an exact fingerprint match is accepted.
         # NOTE(review): a stored entry whose 'value' is empty also lands
         # on the mismatch error below; it is not treated as "unpinned".
         if nodeattribs['pubkeys.ssh']['value'] == fingerprint:
             return True
         raise cexc.PubkeyInvalid('Mismatched SSH host key detected',
                                  key.asbytes(), fingerprint, 'pubkeys.ssh',
                                  'mismatch')

     # No pin yet: the add policy decides between refusing and pinning.
     manual = False
     if 'pubkeys.addpolicy' in nodeattribs:
         policy = nodeattribs['pubkeys.addpolicy']
         if policy:
             # NOTE(review): a non-empty policy entry without a 'value'
             # key would raise KeyError here - confirm the attribute shape.
             manual = policy['value'] == 'manual'
     if manual:
         raise cexc.PubkeyInvalid('New ssh key detected', key.asbytes(),
                                  fingerprint, 'pubkeys.ssh', 'newkey')

     # Trust on first use: the audit record is written before the pin is
     # stored, so every automatic enrollment leaves a reviewable trace.
     audit = log.Logger('audit')
     audit.log({
         'node': self.node,
         'event': 'sshautoadd',
         'fingerprint': fingerprint
     })
     self.cfm.set_node_attributes(
         {self.node: {'pubkeys.ssh': fingerprint}})
     return True
Ejemplo n.º 2
 def verify_cert(self, certificate):
     """Check a presented certificate against the node's stored pin.

     The pin is read from the attribute named by ``self.fieldname`` on
     ``self.node``.  A missing attribute or an empty stored value both
     count as "no pin".

     Returns True when ``cert_matches`` accepts the stored value for this
     certificate, or when no pin is stored and the certificate's sha256
     fingerprint is recorded (trust on first use).

     Raises cexc.PubkeyInvalid when a stored pin does not match
     ('mismatch'), or when no pin is stored and ``pubkeys.addpolicy`` is
     'manual' ('newkey').
     """
     pinned = self.cfm.get_node_attributes(self.node, (self.fieldname,))
     has_pin = (self.fieldname in pinned[self.node] and
                not pinned[self.node][self.fieldname]['value'] == '')

     if has_pin:
         # A pin exists: anything cert_matches rejects is refused.
         # NOTE(review): the comparison rules live in cert_matches, which
         # is not shown here - confirm which digest formats it accepts.
         if cert_matches(pinned[self.node][self.fieldname]['value'],
                         certificate):
             return True
         fingerprint = get_fingerprint(certificate, 'sha256')
         raise cexc.PubkeyInvalid(
             'Mismatched certificate detected', certificate, fingerprint,
             self.fieldname, 'mismatch')

     # No pin yet: look up the add policy to decide the next step.
     policy = self.cfm.get_node_attributes(self.node,
                                           ('pubkeys.addpolicy',))
     nodepolicy = policy[self.node]
     manual = ('pubkeys.addpolicy' in nodepolicy and
               'value' in nodepolicy['pubkeys.addpolicy'] and
               nodepolicy['pubkeys.addpolicy']['value'] == 'manual')
     fingerprint = get_fingerprint(certificate, 'sha256')
     if manual:
         # Manual policy never enrolls automatically; the caller gets the
         # fingerprint in the exception so it can be set by hand.
         raise cexc.PubkeyInvalid('New certificate detected',
                                  certificate, fingerprint,
                                  self.fieldname, 'newkey')

     # Trust on first use: write the audit record first, then store the
     # fingerprint as the pin for later connections.
     audit = log.Logger('audit')
     audit.log({'node': self.node, 'event': 'certautoadd',
                'fingerprint': fingerprint})
     self.cfm.set_node_attributes(
         {self.node: {self.fieldname: fingerprint}})
     return True