def _affluent_map_switch(args):
    """Collect the MAC-to-port table of one affluent switch.

    ``args`` is the tuple ``(switch, password, user, cfm)``.  The switch
    is queried over TLS pinned to its ``pubkeys.tls_hardwaremanager``
    attribute and ``/affluent/macs/by-port`` is read.  The response is
    stored whole in ``_macsbyswitch[switch]``; every MAC is appended to
    ``_macmap`` as ``(switch, iface, nummacs)``, and when ``_nodelookup``
    maps the port to a node, ``_nodesbymac`` records ``(nodename, nummacs)``.
    A MAC already attributed to a different node is logged and marked
    ``(None, None)`` so it is trusted for neither.
    """
    switch, password, user, cfm = args
    verifier = util.TLSCertVerifier(
        cfm, switch, 'pubkeys.tls_hardwaremanager').verify_cert
    conn = webclient.SecureHTTPConnection(
        switch, 443, verifycallback=verifier, timeout=5)
    conn.set_basic_credentials(user, password)
    macs = conn.grab_json_response('/affluent/macs/by-port')
    _macsbyswitch[switch] = macs
    for iface in macs:
        portmacs = macs[iface]
        nummacs = len(portmacs)
        for mac in portmacs:
            _macmap.setdefault(mac, []).append((switch, iface, nummacs))
            nodename = _nodelookup(switch, iface)
            if nodename is None:
                continue
            previous = _nodesbymac.get(mac)
            if previous is not None and previous[0] != nodename:
                # For example, listed on both a real edge port
                # and by accident a trunk port
                log.log({
                    'error': '{0} and {1} described by ambiguous switch '
                             'topology values'.format(nodename, previous[0])
                })
                _nodesbymac[mac] = (None, None)
            else:
                _nodesbymac[mac] = (nodename, nummacs)
def _extract_neighbor_data_affluent(switch, user, password, cfm, lldpdata):
    """Read the LLDP neighbour table of an affluent switch into *lldpdata*.

    Connects to ``switch`` over TLS pinned to its
    ``pubkeys.tls_hardwaremanager`` attribute, authenticates with
    ``user``/``password`` and reads ``/affluent/lldp/all``.  One port
    record is stored per neighbour, keyed by local port in ``lldpdata``
    and by peer id in ``_neighbypeerid``; ``_chassisidbyswitch[switch]``
    receives the switch's own chassis id.
    """

    def _flatten(identifier):
        # ':' and '/' in LLDP ids both become '-' inside the peer id
        return identifier.replace(':', '-').replace('/', '-')

    verifier = util.TLSCertVerifier(
        cfm, switch, 'pubkeys.tls_hardwaremanager').verify_cert
    conn = webclient.SecureHTTPConnection(
        switch, 443, verifycallback=verifier, timeout=5)
    conn.set_basic_credentials(user, password)
    neighdata = conn.grab_json_response('/affluent/lldp/all')
    chassisid = neighdata['chassis']['id']
    # NOTE(review): a one-element tuple is stored here (the original used a
    # trailing comma); kept as-is in case consumers index it -- confirm.
    _chassisidbyswitch[switch] = (chassisid,)
    for record in neighdata['neighbors']:
        localport = record['localport']
        peerid = '{0}.{1}'.format(
            _flatten(record.get('peerchassisid', '')),
            _flatten(record.get('peerportid', '')),
        )
        portdata = {
            # The data arrived over a certificate-pinned TLS session
            'verified': True,
            'peerdescription': record.get('peerdescription', None),
            'peerchassisid': record['peerchassisid'],
            'peername': record['peername'],
            'switch': switch,
            'chassisid': chassisid,
            'portid': localport,
            'peerportid': record['peerportid'],
            'port': localport,
            'peerid': peerid,
        }
        _extract_extended_desc(portdata, portdata['peerdescription'], True)
        _neighbypeerid[peerid] = portdata
        lldpdata[localport] = portdata
    # NOTE(review): this writes into the local JSON response, which is then
    # discarded; a module-level cache keyed by switch may have been intended
    # -- confirm against the rest of the module.
    neighdata[switch] = lldpdata
def __init__(self, node, configmanager, creds):
    """Bind to *node* with a TLS connection pinned to its stored public key.

    The connection to port 443 is only accepted when the presented
    certificate matches the node's ``pubkeys.tls_hardwaremanager``
    attribute; basic credentials come from ``creds[node]``
    (``secret.hardwaremanagementuser`` / ``secret.hardwaremanagementpassword``).
    """
    self.node = node
    verifier = util.TLSCertVerifier(
        configmanager, node, 'pubkeys.tls_hardwaremanager').verify_cert
    self.wc = webclient.SecureHTTPConnection(
        node, port=443, verifycallback=verifier)
    nodecreds = creds[node]
    username = nodecreds['secret.hardwaremanagementuser']['value']
    password = nodecreds['secret.hardwaremanagementpassword']['value']
    self.wc.set_basic_credentials(username, password)
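def _cnos_request_login(wc):
    """Issue one GET to ``/nos/api/login/`` and return the HTTP status.

    The response body is read and discarded (the caller never used it);
    presumably draining it keeps the connection reusable for the retry.
    """
    wc.request('GET', '/nos/api/login/')
    rsp = wc.getresponse()
    rsp.read()
    return rsp.status


def cnos_login(node, configmanager, creds):
    """Open an authenticated CNOS web session to *node* and return it.

    The connection pins the switch certificate via the node's
    ``pubkeys.tls_hardwaremanager`` attribute, so the basic credentials
    are only sent to a verified endpoint.  CNOS answers the first
    ``/nos/api/login/`` request with 401, so one retry is made before the
    status is judged.

    Args:
        node: name of the switch in the configuration.
        configmanager: configuration manager used for certificate lookup.
        creds: per-node attribute dict holding
            ``secret.hardwaremanagementuser`` and
            ``secret.hardwaremanagementpassword``.

    Returns:
        The authenticated ``webclient.SecureHTTPConnection``.

    Raises:
        exc.TargetEndpointBadCredentials: if no 2xx status was obtained.
    """
    verifier = util.TLSCertVerifier(
        configmanager, node, 'pubkeys.tls_hardwaremanager').verify_cert
    wc = webclient.SecureHTTPConnection(
        node, port=443, verifycallback=verifier)
    wc.set_basic_credentials(
        creds[node]['secret.hardwaremanagementuser']['value'],
        creds[node]['secret.hardwaremanagementpassword']['value'])
    status = _cnos_request_login(wc)
    if status == 401:
        # CNOS gives 401 on first attempt...
        status = _cnos_request_login(wc)
    if 200 <= status < 300:
        return wc
    raise exc.TargetEndpointBadCredentials('Unable to authenticate')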
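def get_chained_smm_name(nodename, cfg, handler, nl=None, checkswitch=True):
    """Resolve which node of an enclosure chain *handler* represents.

    ``nodename`` is the head of the chain, ``cfg`` a configmanager and
    ``handler`` the handler of the current candidate, whose
    ``https_cert`` is matched against known fingerprints.  ``nl`` may
    pre-seed the next link of the chain; ``checkswitch`` disables the
    switch-based lookup when the situation does not call for it.

    Returns:
        ``(name, validated)``: for a direct switch match the name is
        ``nodename`` and ``validated`` is the second element of the
        matching fingerprint record; when a trusted chain member vouched
        for the certificate it is ``(nl[0], True)``; ``(None, False)``
        when the chain ends or is broken (a member without a pinned
        ``pubkeys.tls_hardwaremanager`` key cannot vouch for anything).

    Raises:
        exc.InvalidArgumentException: when more than one enclosure
            claims to extend the same enclosure.
    """
    mycert = handler.https_cert
    if checkswitch:
        # Direct hit: the candidate sits on a switch port that the
        # configuration already associates with nodename.
        for fprint in macmap.get_node_fingerprints(nodename, cfg):
            if util.cert_matches(fprint[0], mycert):
                return nodename, fprint[1]
    # Not directly found; walk the chain from its head.
    if not nl:
        nl = list(cfg.filter_node_attributes('enclosure.extends=' + nodename))
    while nl:
        if len(nl) != 1:
            raise exc.InvalidArgumentException(
                'Multiple enclosures trying to extend a single enclosure')
        cd = cfg.get_node_attributes(
            nodename,
            ['hardwaremanagement.manager', 'pubkeys.tls_hardwaremanager'])
        smmaddr = cd[nodename]['hardwaremanagement.manager']['value']
        pkey = cd[nodename].get(
            'pubkeys.tls_hardwaremanager', {}).get('value', None)
        if not pkey:
            # A link without a pinned key cannot be verified, so nothing
            # beyond it can be trusted: stop here.
            return None, False
        # (The original re-tested ``if pkey:`` here; it is always true
        # after the guard above, so the branch is simply the fall-through.)
        cv = util.TLSCertVerifier(
            cfg, nodename, 'pubkeys.tls_hardwaremanager').verify_cert
        for fprint in get_smm_neighbor_fingerprints(smmaddr, cv):
            if util.cert_matches(fprint, mycert):
                # A trusted chain member vouched for the cert, so it is
                # validated.
                return nl[0], True
        # Advance one link down the chain and look again.
        nodename = nl[0]
        nl = list(cfg.filter_node_attributes('enclosure.extends=' + nodename))
    return None, False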
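def connect(self, callback):
    """Open the SOL websocket to the BMC and start the receive loop.

    A command session is first established with ``rcmd.Command`` to
    obtain the CSRF token and ``QSESSIONID`` cookie, then the websocket
    at ``/sol`` is opened with those.  Both connections verify the BMC
    certificate against the node's ``pubkeys.tls_hardwaremanager``
    attribute, so the username/password and the session cookie are only
    sent to a pinned endpoint.

    Args:
        callback: receiver for console data; stored as
            ``self.datacallback`` for ``self.recvdata`` (spawned here,
            defined elsewhere in the class).
    """
    self.datacallback = callback
    verifier = util.TLSCertVerifier(
        self.nodeconfig, self.node, 'pubkeys.tls_hardwaremanager').verify_cert
    # The original passed ``verifycallback=lambda x: True`` here, which
    # sent the BMC credentials over an unverified TLS session even though
    # the websocket below insists on the pinned certificate.  The same
    # verifier is used for both so a certificate mismatch is rejected
    # before any secret leaves this host.
    rc = rcmd.Command(self.origbmc, self.username, self.password,
                      verifycallback=verifier)
    wc = rc.oem.wc
    bmc = self.bmc
    if '%' in self.bmc:
        # Looks like an IPv6 zone index ("[addr%scope]") is dropped for
        # the Host value; NOTE(review): confirm that is the intent.
        bmc = self.bmc.split('%')[0] + ']'
    self.ws = WrappedWebSocket(host=bmc)
    self.ws.set_verify_callback(verifier)
    self.ws.connect(
        'wss://{0}/sol?CSRFTOKEN={1}'.format(self.bmc, rc.oem.csrftok),
        host=bmc,
        cookie='QSESSIONID={0}'.format(wc.cookies['QSESSIONID']))
    self.connected = True
    eventlet.spawn_n(self.recvdata)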
def setup_confluent_keyhandler(self):
    """Install the pinned-certificate verifier for this node.

    The registered handler is ``util.TLSCertVerifier.verify_cert`` bound
    to ``self.cfm``, ``self.node`` and the ``pubkeys.tls_hardwaremanager``
    attribute.
    """
    verifier = util.TLSCertVerifier(
        self.cfm, self.node, 'pubkeys.tls_hardwaremanager')
    self.register_key_handler(verifier.verify_cert)