def main(argv=sys.argv):
"""Main method of the Cloud Verifier Server. This method is encapsulated in a function for packaging to allow it to be
called as a function by an external program."""
config = common.get_config()
cloudverifier_port = config.get('cloud_verifier', 'cloudverifier_port')
VerfierMain.metadata.create_all(engine, checkfirst=True)
session = SessionManager().make_session(engine)
try:
query_all = session.query(VerfierMain).all()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
for row in query_all:
row.operational_state = cloud_verifier_common.CloudAgent_Operational_State.SAVED
try:
session.commit()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
num = session.query(VerfierMain.agent_id).count()
if num > 0:
agent_ids = session.query(VerfierMain.agent_id).all()
logger.info("agent ids in db loaded from file: %s" % agent_ids)
logger.info('Starting Cloud Verifier (tornado) on port ' +
cloudverifier_port + ', use <Ctrl-C> to stop')
app = tornado.web.Application([
(r"/(?:v[0-9]/)?agents/.*", AgentsHandler),
(r".*", MainHandler),
])
context = cloud_verifier_common.init_mtls()
# after TLS is up, start revocation notifier
if config.getboolean('cloud_verifier', 'revocation_notifier'):
logger.info(
"Starting service for revocation notifications on port %s" %
config.getint('cloud_verifier', 'revocation_notifier_port'))
revocation_notifier.start_broker()
sockets = tornado.netutil.bind_sockets(int(cloudverifier_port),
address='0.0.0.0')
tornado.process.fork_processes(
config.getint('cloud_verifier', 'multiprocessing_pool_num_workers'))
asyncio.set_event_loop(asyncio.new_event_loop())
server = tornado.httpserver.HTTPServer(app, ssl_options=context)
server.add_sockets(sockets)
try:
tornado.ioloop.IOLoop.instance().start()
except KeyboardInterrupt:
tornado.ioloop.IOLoop.instance().stop()
if config.getboolean('cloud_verifier', 'revocation_notifier'):
revocation_notifier.stop_broker()
def do_DELETE(self):
"""This method handles the DELETE requests to remove agents from the Registrar Server.
Currently, only agents resources are available for DELETEing, i.e. /agents. All other DELETE uri's will return errors.
agents requests require a single agent_id parameter which identifies the agent to be deleted.
"""
session = SessionManager().make_session(engine)
rest_params = web_util.get_restful_params(self.path)
if rest_params is None:
web_util.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if not rest_params["api_version"]:
web_util.echo_json_response(self, 400, "API Version not supported")
return
if "agents" not in rest_params:
web_util.echo_json_response(self, 400, "URI not supported")
logger.warning(
'DELETE agent returning 400 response. uri not supported: %s',
self.path)
return
agent_id = rest_params["agents"]
if agent_id is not None:
# If the agent ID is not valid (wrong set of characters),
# just do nothing.
if not validators.valid_agent_id(agent_id):
web_util.echo_json_response(self, 400,
"agent_id not not valid")
logger.error("DELETE received an invalid agent ID: %s",
agent_id)
return
if session.query(RegistrarMain).filter_by(
agent_id=agent_id).delete():
# send response
try:
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
web_util.echo_json_response(self, 200, "Success")
return
# send response
web_util.echo_json_response(self, 404)
return
web_util.echo_json_response(self, 404)
def do_DELETE(self):
"""This method handles the DELETE requests to remove agents from the Registrar Server.
Currently, only agents resources are available for DELETEing, i.e. /agents. All other DELETE uri's will return errors.
agents requests require a single agent_id parameter which identifies the agent to be deleted.
"""
session = SessionManager().make_session(engine)
rest_params = common.get_restful_params(self.path)
if rest_params is None:
common.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if "agents" not in rest_params:
common.echo_json_response(self, 400, "uri not supported")
logger.warning(
'DELETE agent returning 400 response. uri not supported: ' +
self.path)
return
agent_id = rest_params["agents"]
if agent_id is not None:
if session.query(RegistrarMain).filter_by(
agent_id=agent_id).delete():
# send response
try:
session.commit()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
common.echo_json_response(self, 200, "Success")
return
else:
# send response
common.echo_json_response(self, 404)
return
else:
common.echo_json_response(self, 404)
return
class TestVerfierDB(unittest.TestCase):
def setUp(self):
self.engine = create_engine('sqlite://')
VerfierMain.metadata.create_all(self.engine, checkfirst=True)
self.session = SessionManager().make_session(self.engine)
self.populate_agent()
def populate_agent(self):
self.session.add(VerfierMain(**test_data))
self.session.commit()
def test_add_agent(self):
agent = self.session.query(VerfierMain).filter_by(
agent_id=agent_id).first()
self.assertEqual(
agent.v, 'cf0B779EA1dkHVWfTxQuSLHNFeutYeSmVWe7JOFWzXg=')
self.assertEqual(
agent.port, 9002)
self.assertEqual(
agent.tpm_policy, '{"22": ["0000000000000000000000000000000000000001", "0000000000000000000000000000000000000000000000000000000000000001", "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001", "ffffffffffffffffffffffffffffffffffffffff", "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"], "15": ["0000000000000000000000000000000000000000", "0000000000000000000000000000000000000000000000000000000000000000", "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"], "mask": "0x408400"}')
self.assertEqual(
agent.revocation_key, '-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDs1onKjLZHDnqu\nnrsCb5aZohK2FU+jjU4NT23x1UzYzpFU9wBZ0avj+HeFYbQiAKanSbS7PvhjJMdE\naWMgRMgigr2K1xx+ZhBu4zTPFMy11msxMIL/HPROSYx/9wUZrhf4z/rBsuppFVs3\nKfKmQHuptjZX+D+m+nANO8WOILyW2+5YO5FNw1XJ3gVO6elJJ/CzQcYWIioONuTM\nQ+g8OQc+yTZruwedcSpOX56GpBImWUKXzTz3zoX7AlYxjEBjT86rxoBVXo3ZIwYx\n+mJk7NADN2qvLSXxTnLBxISHdsUDBP5DfurFQPhZC5oARN6/Y4zPESnhm8iwlG5o\n2ZjxVzphAgMBAAECggEBAKVKudImUJTY8yBp4aS6koXYymxQBUvlM8MwW1A7iK2L\nxXxiAtms7uVlJK1vWhOdFrKMS1mfgiVXpscFMkx0FKWZT4XVyaohu3hYlCOupYyH\nADrNW6+G2q7EwA0TLnkUuuBI7v4+y0DZydZ/LT2ApY31gIn21R3JjWh+/crK6DP0\nJO51hLO+z4GAMbWimRzA3lnYltUSJEvam3EHnj/pW+hlczjdI6AfJTWRWx6+gqP3\nRBvLcjBA9ZIx4JzYab5tnvwnd8ZzVItYBQJ8UhxzNsrSzEGguUEO4G/jYQTtYi6T\nufksmewcIClp48AfDThKSCMQXgFwpVI4EPxwmfd6Mt0CgYEA+i+2jjeFREMNam4p\nEBf5tmY2xvg3HXGgCjBfllepZQZHQatfv/kEqhFW497W+okyjTXflMR1TkjMKAqO\nahA+D1lItycPxsvTTiZ85KgrybbQT7Y+s2ET2f68wZh2XyiJIYE/MNi3ZclIBFaY\npyXicj0RIB6IY9PIHNgdEHI4casCgYEA8ldrcbWof8YpwJ6KFVuMvkYKniVF0aXH\nsQUWL/dyjBYIq/jg3Z4J+b0360DhZVpp1SaO4jFISxVMRzkDf3/gbKxH9F4a9Id8\nDmGH15v1ooKBYfkk7GwEB3AOY4gN3RMnWb1hxxhjsM9pmeTffqgqYzHYzv1ArjHe\ntYkjWOqPECMCgYBT//kXPuTrymeSuHHpCWO6Lg9uNqCqrh/BzAQMAlrJpJYAIn3/\ngqhiQXgfAg7EB5SFfPUYie2o3yBMwV6XleSAWsXjWKYfZQgJUTrVuvEYxNykJthe\nedWkd7cAeSQlRwLj0PVafSj2b+JSMpEGbd3d5Ur+scGxYsXpiVYY04DICQKBgBPZ\nhTtzHbIZkSHt2nGVZhnPst7xPp7FbW3adM7I/eDrjRpI8GI2p6qFDSd/0PZ0SWbk\nGZ/9WWaNAAp1aQvwdXlxQxOJAbw1vLuQ0Yefhqcg+WgE+DlFP688RnFwm3IYN4jq\nMjAUl1XMJ2IrlQLS02X8lz2dEMcz3oIQEY0e6UjxAoGAFeiOjFF2i4wRRUKx8kpb\nnBKRmFaMXdkeMV2IQALJ4skNNflf0YdDFVniFUyq9vfbq2drJSnMiy8Dvju0j5PC\n+MALz22fsNoIV2h6gz0i1lXiyVgpoAhYCbbPv0wO6iHKPBzH3Onv6BKrVMy1pnzh\n6QsfbhjzBfFg1Zxp/h1tBqA=\n-----END PRIVATE KEY-----\n')
self.assertEqual(agent.accept_tpm_hash_algs, [
'sha512',
'sha384',
'sha256',
'sha1'])
def test_count_agents(self):
agent = self.session.query(
VerfierMain.agent_id).count()
self.assertEqual(agent, 1)
def test_set_operation_state(self):
self.session.query(VerfierMain).filter(agent_id == agent_id).update(
{'operational_state': TENANT_FAILED})
self.session.commit()
agent = self.session.query(VerfierMain).filter_by(
agent_id=agent_id).first()
self.assertEqual(agent.operational_state, 10)
def test_delete_agent(self):
agent = self.session.query(VerfierMain).filter_by(
agent_id=agent_id).first()
self.session.query(VerfierMain).filter_by(
agent_id=agent_id).delete()
self.session.commit()
agent = self.session.query(VerfierMain).filter_by(
agent_id=agent_id).first()
self.assertIsNone(agent)
def tearDown(self):
self.session.close()
def do_PUT(self):
"""This method handles the PUT requests to add agents to the Registrar Server.
Currently, only agents resources are available for PUTing, i.e. /agents. All other PUT uri's
will return errors.
"""
session = SessionManager().make_session(engine)
rest_params = config.get_restful_params(self.path)
if rest_params is None:
config.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if "agents" not in rest_params:
config.echo_json_response(self, 400, "uri not supported")
logger.warning(
'PUT agent returning 400 response. uri not supported: %s',
self.path)
return
agent_id = rest_params["agents"]
if agent_id is None:
config.echo_json_response(self, 400, "agent id not found in uri")
logger.warning(
'PUT agent returning 400 response. agent id not found in uri %s',
self.path)
return
try:
content_length = int(self.headers.get('Content-Length', 0))
if content_length == 0:
config.echo_json_response(self, 400,
"Expected non zero content length")
logger.warning(
'PUT for %s returning 400 response. Expected non zero content length.',
agent_id)
return
post_body = self.rfile.read(content_length)
json_body = json.loads(post_body)
auth_tag = json_body['auth_tag']
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except NoResultFound as e:
raise Exception(
"attempting to activate agent before requesting "
"registrar for %s" % agent_id) from e
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
if config.STUB_TPM:
try:
session.query(RegistrarMain).filter(
RegistrarMain.agent_id == agent_id).update(
{'active': True})
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
else:
# TODO(kaifeng) Special handling should be removed
if engine.dialect.name == "mysql":
agent.key = agent.key.encode('utf-8')
ex_mac = crypto.do_hmac(agent.key, agent_id)
if ex_mac == auth_tag:
try:
session.query(RegistrarMain).filter(
RegistrarMain.agent_id == agent_id).update(
{'active': True})
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
else:
raise Exception(
"Auth tag %s does not match expected value %s" %
(auth_tag, ex_mac))
config.echo_json_response(self, 200, "Success")
logger.info('PUT activated: %s', agent_id)
except Exception as e:
config.echo_json_response(self, 400, "Error: %s" % e)
logger.warning("PUT for %s returning 400 response. Error: %s",
agent_id, e)
logger.exception(e)
return
def do_POST(self):
"""This method handles the POST requests to add agents to the Registrar Server.
Currently, only agents resources are available for POSTing, i.e. /agents. All other POST uri's
will return errors. POST requests require an an agent_id identifying the agent to add, and json
block sent in the body with 2 entries: ek and aik.
"""
session = SessionManager().make_session(engine)
rest_params = config.get_restful_params(self.path)
if rest_params is None:
config.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if "agents" not in rest_params:
config.echo_json_response(self, 400, "uri not supported")
logger.warning(
'POST agent returning 400 response. uri not supported: %s',
self.path)
return
agent_id = rest_params["agents"]
if agent_id is None:
config.echo_json_response(self, 400, "agent id not found in uri")
logger.warning(
'POST agent returning 400 response. agent id not found in uri %s',
self.path)
return
try:
content_length = int(self.headers.get('Content-Length', 0))
if content_length == 0:
config.echo_json_response(self, 400,
"Expected non zero content length")
logger.warning(
'POST for %s returning 400 response. Expected non zero content length.',
agent_id)
return
post_body = self.rfile.read(content_length)
json_body = json.loads(post_body)
ekcert = json_body['ekcert']
aik_tpm = json_body['aik_tpm']
initialize_tpm = tpm()
if ekcert is None or ekcert == 'emulator':
logger.warning('Agent %s did not submit an ekcert' % agent_id)
ek_tpm = json_body['ek_tpm']
else:
if 'ek_tpm' in json_body:
# This would mean the agent submitted both a non-None ekcert, *and*
# an ek_tpm... We can deal with it by just ignoring the ek_tpm they sent
logger.warning(
'Overriding ek_tpm for agent %s from ekcert' %
agent_id)
# If there's an EKCert, we just overwrite their ek_tpm
# Note, we don't validate the EKCert here, other than the implicit
# "is it a valid x509 cert" check. So it's still untrusted.
# This will be validated by the tenant.
ek509 = load_der_x509_certificate(
base64.b64decode(ekcert),
backend=default_backend(),
)
ek_tpm = base64.b64encode(
tpm2_objects.ek_low_tpm2b_public_from_pubkey(
ek509.public_key(), ))
aik_attrs = tpm2_objects.get_tpm2b_public_object_attributes(
base64.b64decode(aik_tpm), )
if aik_attrs != tpm2_objects.AK_EXPECTED_ATTRS:
config.echo_json_response(self, 400, "Invalid AK attributes")
logger.warning(
"Agent %s submitted AIK with invalid attributes! %s (provided) != %s (expected)",
agent_id,
tpm2_objects.object_attributes_description(aik_attrs),
tpm2_objects.object_attributes_description(
tpm2_objects.AK_EXPECTED_ATTRS),
)
return
# try to encrypt the AIK
(blob, key) = initialize_tpm.encryptAIK(
agent_id,
base64.b64decode(ek_tpm),
base64.b64decode(aik_tpm),
)
# special behavior if we've registered this uuid before
regcount = 1
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except NoResultFound:
agent = None
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
if agent is not None:
# keep track of how many ek-ekcerts have registered on this uuid
regcount = agent.regcount
if agent.ek_tpm != ek_tpm or agent.ekcert != ekcert:
logger.warning(
'WARNING: Overwriting previous registration for this UUID with new ek-ekcert pair!'
)
regcount += 1
# force overwrite
logger.info('Overwriting previous registration for this UUID.')
try:
session.query(RegistrarMain).filter_by(
agent_id=agent_id).delete()
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
# Add values to database
d = {}
d['agent_id'] = agent_id
d['ek_tpm'] = ek_tpm
d['aik_tpm'] = aik_tpm
d['ekcert'] = ekcert
d['virtual'] = int(ekcert == 'virtual')
d['active'] = int(False)
d['key'] = key
d['provider_keys'] = {}
d['regcount'] = regcount
try:
session.add(RegistrarMain(**d))
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
response = {
'blob': blob,
}
config.echo_json_response(self, 200, "Success", response)
logger.info('POST returning key blob for agent_id: %s', agent_id)
except Exception as e:
config.echo_json_response(self, 400, "Error: %s" % e)
logger.warning("POST for %s returning 400 response. Error: %s",
agent_id, e)
logger.exception(e)
def do_PUT(self):
"""This method handles the PUT requests to add agents to the Registrar Server.
Currently, only agents resources are available for PUTing, i.e. /agents. All other PUT uri's
will return errors.
"""
session = SessionManager().make_session(engine)
rest_params = web_util.get_restful_params(self.path)
if rest_params is None:
web_util.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if not rest_params["api_version"]:
web_util.echo_json_response(self, 400, "API Version not supported")
return
if "agents" not in rest_params:
web_util.echo_json_response(self, 400, "uri not supported")
logger.warning(
'PUT agent returning 400 response. uri not supported: %s',
self.path)
return
agent_id = rest_params["agents"]
if agent_id is None:
web_util.echo_json_response(self, 400, "agent id not found in uri")
logger.warning(
'PUT agent returning 400 response. agent id not found in uri %s',
self.path)
return
# If the agent ID is not valid (wrong set of characters), just
# do nothing.
if not validators.valid_agent_id(agent_id):
web_util.echo_json_response(self, 400, "agent_id not not valid")
logger.error("PUT received an invalid agent ID: %s", agent_id)
return
try:
content_length = int(self.headers.get('Content-Length', 0))
if content_length == 0:
web_util.echo_json_response(
self, 400, "Expected non zero content length")
logger.warning(
'PUT for %s returning 400 response. Expected non zero content length.',
agent_id)
return
post_body = self.rfile.read(content_length)
json_body = json.loads(post_body)
auth_tag = json_body['auth_tag']
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except NoResultFound as e:
raise Exception(
"attempting to activate agent before requesting "
"registrar for %s" % agent_id) from e
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
if config.STUB_TPM:
try:
session.query(RegistrarMain).filter(
RegistrarMain.agent_id == agent_id).update(
{'active': int(True)})
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
else:
ex_mac = crypto.do_hmac(agent.key.encode(), agent_id)
if ex_mac == auth_tag:
try:
session.query(RegistrarMain).filter(
RegistrarMain.agent_id == agent_id).update(
{'active': int(True)})
session.commit()
except SQLAlchemyError as e:
logger.error('SQLAlchemy Error: %s', e)
raise
else:
raise Exception(
f"Auth tag {auth_tag} does not match expected value {ex_mac}"
)
web_util.echo_json_response(self, 200, "Success")
logger.info('PUT activated: %s', agent_id)
except Exception as e:
web_util.echo_json_response(self, 400, "Error: %s" % e)
logger.warning("PUT for %s returning 400 response. Error: %s",
agent_id, e)
logger.exception(e)
return
class TestRegistrarDB(unittest.TestCase):
def setUp(self):
self.engine = create_engine("sqlite://")
RegistrarMain.metadata.create_all(self.engine, checkfirst=True)
self.session = SessionManager().make_session(self.engine)
self.populate_agent()
def populate_agent(self):
self.session.add(RegistrarMain(**test_data))
self.session.commit()
def test_add_agent(self):
agent = self.session.query(RegistrarMain).filter_by(agent_id=agent_id).first()
self.assertEqual(
agent.ek_tpm,
"""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0dLxdAABVJO6qxamjCMh
yhWZgiFHZHnPEe0tMFyK3fNVr/w8lX9r+QOLxLmkT0IdgsEYtGZGefbD+qQl4O1s
k25823Xzu5tEF8966rTdkfsv8CRrNaBLwWlnt/n+qjIoU3xZJMmR+mFfqTc3a6zV
mPOYJstFtM8r4b9HPCUq6Mte/J3Wx4FxI9R4UrCUyiAeH++0QapIxuEGsVIYs92n
GyvFQYBZFRU6cIt33iaqTrRCICJp+YblMnw54YJGAH2vTVQf6/fLAnQt5L1UfmTy
R/ZA6advx8soekSBOIAW7XmV8Xp9mSquIHZdSXMJlcn/B35PU3BdkUtIYm5JuGGt
PQIDAQAB
-----END PUBLIC KEY-----""",
)
self.assertEqual(
agent.aik_tpm,
"""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0dLxdAABVJO6qxamjCMh
yhWZgiFHZHnPEe0tMFyK3fNVr/w8lX9r+QOLxLmkT0IdgsEYtGZGefbD+qQl4O1s
k25823Xzu5tEF8966rTdkfsv8CRrNaBLwWlnt/n+qjIoU3xZJMmR+mFfqTc3a6zV
mPOYJstFtM8r4b9HPCUq6Mte/J3Wx4FxI9R4UrCUyiAeH++0QapIxuEGsVIYs92n
GyvFQYBZFRU6cIt33iaqTrRCICJp+YblMnw54YJGAH2vTVQf6/fLAnQt5L1UfmTy
R/ZA6advx8soekSBOIAW7XmV8Xp9mSquIHZdSXMJlcn/B35PU3BdkUtIYm5JuGGt
PQIDAQAB
-----END PUBLIC KEY-----""",
)
self.assertEqual(
agent.ekcert,
"""-----BEGIN CERTIFICATE-----
MIIEnzCCA4egAwIBAgIEMV64bDANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJE
RTEQMA4GA1UECBMHQmF2YXJpYTEhMB8GA1UEChMYSW5maW5lb24gVGVjaG5vbG9n
aWVzIEFHMQwwCgYDVQQLEwNBSU0xGzAZBgNVBAMTEklGWCBUUE0gRUsgUm9vdCBD
QTAeFw0wNTEwMjAxMzQ3NDNaFw0yNTEwMjAxMzQ3NDNaMHcxCzAJBgNVBAYTAkRF
MQ8wDQYDVQQIEwZTYXhvbnkxITAfBgNVBAoTGEluZmluZW9uIFRlY2hub2xvZ2ll
cyBBRzEMMAoGA1UECxMDQUlNMSYwJAYDVQQDEx1JRlggVFBNIEVLIEludGVybWVk
aWF0ZSBDQSAwMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALftPhYN
t4rE+JnU/XOPICbOBLvfo6iA7nuq7zf4DzsAWBdsZEdFJQfaK331ihG3IpQnlQ2i
YtDim289265f0J4OkPFpKeFU27CsfozVaNUm6UR/uzwA8ncxFc3iZLRMRNLru/Al
VG053ULVDQMVx2iwwbBSAYO9pGiGbk1iMmuZaSErMdb9v0KRUyZM7yABiyDlM3cz
UQX5vLWV0uWqxdGoHwNva5u3ynP9UxPTZWHZOHE6+14rMzpobs6Ww2RR8BgF96rh
4rRAZEl8BXhwiQq4STvUXkfvdpWH4lzsGcDDtrB6Nt3KvVNvsKz+b07Dk+Xzt+EH
NTf3Byk2HlvX+scCAwEAAaOCATswggE3MB0GA1UdDgQWBBQ4k8292HPEIzMV4bE7
qWoNI8wQxzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADBYBgNV
HSABAf8ETjBMMEoGC2CGSAGG+EUBBy8BMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93
d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvaW5kZXguaHRtbDCBlwYDVR0jBIGP
MIGMgBRW65FEhWPWcrOu1EWWC/eUDlRCpqFxpG8wbTELMAkGA1UEBhMCREUxEDAO
BgNVBAgTB0JhdmFyaWExITAfBgNVBAoTGEluZmluZW9uIFRlY2hub2xvZ2llcyBB
RzEMMAoGA1UECxMDQUlNMRswGQYDVQQDExJJRlggVFBNIEVLIFJvb3QgQ0GCAQMw
DQYJKoZIhvcNAQEFBQADggEBABJ1+Ap3rNlxZ0FW0aIgdzktbNHlvXWNxFdYIBbM
OKjmbOos0Y4O60eKPu259XmMItCUmtbzF3oKYXq6ybARUT2Lm+JsseMF5VgikSlU
BJALqpKVjwAds81OtmnIQe2LSu4xcTSavpsL4f52cUAu/maMhtSgN9mq5roYptq9
DnSSDZrX4uYiMPl//rBaNDBflhJ727j8xo9CCohF3yQUoQm7coUgbRMzyO64yMIO
3fhb+Vuc7sNwrMOz3VJN14C3JMoGgXy0c57IP/kD5zGRvljKEvrRC2I147+fPeLS
DueRMS6lblvRKiZgmGAg7YaKOkOaEmVDMQ+fTo2Po7hI5wc=
-----END CERTIFICATE-----""",
)
self.assertEqual(agent.virtual, 0)
self.assertEqual(agent.active, int(False))
self.assertEqual(agent.key, "R0xKMU5maWVEaHVxQ0poZUZhWm9yRVkyRHZZUkVIMFA=")
self.assertEqual(agent.provider_keys, {})
self.assertEqual(agent.regcount, 1)
self.assertEqual(agent.ip, "127.0.0.1")
self.assertEqual(agent.port, 9002)
def test_delete_agent(self):
agent = self.session.query(RegistrarMain).filter_by(agent_id=agent_id).first()
self.session.query(RegistrarMain).filter_by(agent_id=agent_id).delete()
self.session.commit()
agent = self.session.query(RegistrarMain).filter_by(agent_id=agent_id).first()
self.assertIsNone(agent)
def tearDown(self):
self.session.close()
def do_PUT(self):
"""This method handles the PUT requests to add agents to the Registrar Server.
Currently, only agents resources are available for PUTing, i.e. /agents. All other PUT uri's
will return errors.
"""
session = SessionManager().make_session(engine)
rest_params = common.get_restful_params(self.path)
if rest_params is None:
common.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if "agents" not in rest_params:
common.echo_json_response(self, 400, "uri not supported")
logger.warning(
'PUT agent returning 400 response. uri not supported: ' +
self.path)
return
agent_id = rest_params["agents"]
if agent_id is None:
common.echo_json_response(self, 400, "agent id not found in uri")
logger.warning(
'PUT agent returning 400 response. agent id not found in uri '
+ self.path)
return
try:
content_length = int(self.headers.get('Content-Length', 0))
if content_length == 0:
common.echo_json_response(self, 400,
"Expected non zero content length")
logger.warning(
'PUT for ' + agent_id +
' returning 400 response. Expected non zero content length.'
)
return
post_body = self.rfile.read(content_length)
json_body = json.loads(post_body)
if "activate" in rest_params:
auth_tag = json_body['auth_tag']
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
if agent is None:
raise Exception(
"attempting to activate agent before requesting registrar for %s"
% agent_id)
if agent.virtual:
raise Exception(
"attempting to activate virtual AIK using physical interface for %s"
% agent_id)
if common.STUB_TPM:
try:
session.query(RegistrarMain).filter(
agent_id == agent_id).update({'active': True})
session.commit()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
else:
ex_mac = crypto.do_hmac(agent.key, agent_id)
if ex_mac == auth_tag:
try:
session.query(RegistrarMain).filter(
agent_id == agent_id).update({'active': True})
session.commit()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
else:
raise Exception(
"Auth tag %s does not match expected value %s" %
(auth_tag, ex_mac))
common.echo_json_response(self, 200, "Success")
logger.info('PUT activated: ' + agent_id)
elif "vactivate" in rest_params:
deepquote = json_body.get('deepquote', None)
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
if agent is None:
raise Exception(
"attempting to activate agent before requesting registrar for %s"
% agent_id)
if not agent['virtual']:
raise Exception(
"attempting to activate physical AIK using virtual interface for %s"
% agent_id)
# get an physical AIK for this host
registrar_client.init_client_tls(config, 'registrar')
provider_keys = registrar_client.getKeys(
config.get('registrar', 'provider_registrar_ip'),
config.get('registrar', 'provider_registrar_tls_port'),
agent_id)
# we already have the vaik
tpm = tpm_obj.getTPM(need_hw_tpm=False,
tpm_version=agent['tpm_version'])
if not tpm.check_deep_quote(
agent_id,
hashlib.sha1(agent['key']).hexdigest(),
agent_id + agent['aik'] + agent['ek'], deepquote,
agent['aik'], provider_keys['aik']):
raise Exception("Deep quote invalid")
try:
session.query(RegistrarMain).filter(
agent_id == agent_id).update({'active': True})
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
try:
session.query(RegistrarMain).filter(
agent_id == agent_id).update(
{'provider_keys': provider_keys})
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
common.echo_json_response(self, 200, "Success")
logger.info('PUT activated: ' + agent_id)
else:
pass
except Exception as e:
common.echo_json_response(self, 400, "Error: %s" % e)
logger.warning("PUT for " + agent_id +
" returning 400 response. Error: %s" % e)
logger.exception(e)
return
def do_POST(self):
"""This method handles the POST requests to add agents to the Registrar Server.
Currently, only agents resources are available for POSTing, i.e. /agents. All other POST uri's
will return errors. POST requests require an an agent_id identifying the agent to add, and json
block sent in the body with 2 entries: ek and aik.
"""
session = SessionManager().make_session(engine)
rest_params = common.get_restful_params(self.path)
if rest_params is None:
common.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if "agents" not in rest_params:
common.echo_json_response(self, 400, "uri not supported")
logger.warning(
'POST agent returning 400 response. uri not supported: ' +
self.path)
return
agent_id = rest_params["agents"]
if agent_id is None:
common.echo_json_response(self, 400, "agent id not found in uri")
logger.warning(
'POST agent returning 400 response. agent id not found in uri '
+ self.path)
return
try:
content_length = int(self.headers.get('Content-Length', 0))
if content_length == 0:
common.echo_json_response(self, 400,
"Expected non zero content length")
logger.warning(
'POST for ' + agent_id +
' returning 400 response. Expected non zero content length.'
)
return
post_body = self.rfile.read(content_length)
json_body = json.loads(post_body)
ek = json_body['ek']
ek_tpm = json_body['ek_tpm']
ekcert = json_body['ekcert']
aik = json_body['aik']
aik_name = json_body['aik_name']
tpm_version = int(json_body['tpm_version'])
# try to encrypt the AIK
tpm = tpm_obj.getTPM(need_hw_tpm=False, tpm_version=tpm_version)
(blob, key) = tpm.encryptAIK(agent_id, aik, ek, ek_tpm, aik_name)
# special behavior if we've registered this uuid before
regcount = 1
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
if agent is not None:
# keep track of how many ek-ekcerts have registered on this uuid
regcount = agent.regcount
if agent.ek != ek or agent.ekcert != ekcert:
logger.warning(
'WARNING: Overwriting previous registration for this UUID with new ek-ekcert pair!'
)
regcount += 1
# force overwrite
logger.info('Overwriting previous registration for this UUID.')
try:
session.query(RegistrarMain).filter_by(
agent_id=agent_id).delete()
session.commit()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
# Add values to database
d = {}
d['agent_id'] = agent_id
d['ek'] = ek
d['aik'] = aik
d['ekcert'] = ekcert
d['virtual'] = int(ekcert == 'virtual')
d['active'] = int(False)
d['key'] = key
d['provider_keys'] = {}
d['regcount'] = regcount
try:
session.add(RegistrarMain(**d))
session.commit()
except SQLAlchemyError as e:
logger.error(f'SQLAlchemy Error: {e}')
response = {
'blob': blob,
}
common.echo_json_response(self, 200, "Success", response)
logger.info('POST returning key blob for agent_id: ' + agent_id)
return
except Exception as e:
common.echo_json_response(self, 400, "Error: %s" % e)
logger.warning("POST for " + agent_id +
" returning 400 response. Error: %s" % e)
logger.exception(e)
return
def do_POST(self):
"""This method handles the POST requests to add agents to the Registrar Server.
Currently, only agents resources are available for POSTing, i.e. /agents. All other POST uri's
will return errors. POST requests require an an agent_id identifying the agent to add, and json
block sent in the body with 2 entries: ek and aik.
"""
session = SessionManager().make_session(engine)
rest_params = web_util.get_restful_params(self.path)
if rest_params is None:
web_util.echo_json_response(
self, 405, "Not Implemented: Use /agents/ interface")
return
if not web_util.validate_api_version(self, rest_params["api_version"],
logger):
return
if "agents" not in rest_params:
web_util.echo_json_response(self, 400, "uri not supported")
logger.warning(
"POST agent returning 400 response. uri not supported: %s",
self.path)
return
agent_id = rest_params["agents"]
if agent_id is None:
web_util.echo_json_response(self, 400, "agent id not found in uri")
logger.warning(
"POST agent returning 400 response. agent id not found in uri %s",
self.path)
return
# If the agent ID is not valid (wrong set of characters), just
# do nothing.
if not validators.valid_agent_id(agent_id):
web_util.echo_json_response(self, 400, "agent id not valid")
logger.error("POST received an invalid agent ID: %s", agent_id)
return
try:
content_length = int(self.headers.get("Content-Length", 0))
if content_length == 0:
web_util.echo_json_response(
self, 400, "Expected non zero content length")
logger.warning(
"POST for %s returning 400 response. Expected non zero content length.",
agent_id)
return
post_body = self.rfile.read(content_length)
json_body = json.loads(post_body)
ekcert = json_body["ekcert"]
aik_tpm = json_body["aik_tpm"]
initialize_tpm = tpm()
if ekcert is None or ekcert == "emulator":
logger.warning("Agent %s did not submit an ekcert", agent_id)
ek_tpm = json_body["ek_tpm"]
else:
if "ek_tpm" in json_body:
# This would mean the agent submitted both a non-None ekcert, *and*
# an ek_tpm... We can deal with it by just ignoring the ek_tpm they sent
logger.warning(
"Overriding ek_tpm for agent %s from ekcert", agent_id)
# If there's an EKCert, we just overwrite their ek_tpm
# Note, we don't validate the EKCert here, other than the implicit
# "is it a valid x509 cert" check. So it's still untrusted.
# This will be validated by the tenant.
ek509 = load_der_x509_certificate(
base64.b64decode(ekcert),
backend=default_backend(),
)
ek_tpm = base64.b64encode(
tpm2_objects.ek_low_tpm2b_public_from_pubkey(
ek509.public_key(), )).decode()
aik_attrs = tpm2_objects.get_tpm2b_public_object_attributes(
base64.b64decode(aik_tpm), )
if aik_attrs != tpm2_objects.AK_EXPECTED_ATTRS:
web_util.echo_json_response(self, 400, "Invalid AK attributes")
logger.warning(
"Agent %s submitted AIK with invalid attributes! %s (provided) != %s (expected)",
agent_id,
tpm2_objects.object_attributes_description(aik_attrs),
tpm2_objects.object_attributes_description(
tpm2_objects.AK_EXPECTED_ATTRS),
)
return
# try to encrypt the AIK
(blob, key) = initialize_tpm.encryptAIK(
agent_id,
base64.b64decode(ek_tpm),
base64.b64decode(aik_tpm),
)
# special behavior if we've registered this uuid before
regcount = 1
try:
agent = session.query(RegistrarMain).filter_by(
agent_id=agent_id).first()
except NoResultFound:
agent = None
except SQLAlchemyError as e:
logger.error("SQLAlchemy Error: %s", e)
raise
if agent is not None:
# keep track of how many ek-ekcerts have registered on this uuid
regcount = agent.regcount
if agent.ek_tpm != ek_tpm or agent.ekcert != ekcert:
logger.warning(
"WARNING: Overwriting previous registration for this UUID with new ek-ekcert pair!"
)
regcount += 1
# force overwrite
logger.info("Overwriting previous registration for this UUID.")
try:
session.query(RegistrarMain).filter_by(
agent_id=agent_id).delete()
session.commit()
except SQLAlchemyError as e:
logger.error("SQLAlchemy Error: %s", e)
raise
# Check for ip and port
contact_ip = json_body.get("ip", None)
contact_port = json_body.get("port", None)
# Validate ip and port
if contact_ip is not None:
try:
# Use parser from the standard library instead of implementing our own
ipaddress.ip_address(contact_ip)
except ValueError:
logger.warning(
"Contact ip for agent %s is not a valid ip got: %s.",
agent_id, contact_ip)
contact_ip = None
if contact_port is not None:
try:
contact_port = int(contact_port)
if contact_port < 1 or contact_port > 65535:
logger.warning(
"Contact port for agent %s is not a number between 1 and got: %s.",
agent_id, contact_port)
contact_port = None
except ValueError:
logger.warning(
"Contact port for agent %s is not a valid number got: %s.",
agent_id, contact_port)
contact_port = None
# Check for mTLS cert
mtls_cert = json_body.get("mtls_cert", None)
if mtls_cert is None:
logger.warning(
"Agent %s did not send a mTLS certificate. Most operations will not work!",
agent_id)
# Add values to database
d = {}
d["agent_id"] = agent_id
d["ek_tpm"] = ek_tpm
d["aik_tpm"] = aik_tpm
d["ekcert"] = ekcert
d["ip"] = contact_ip
d["mtls_cert"] = mtls_cert
d["port"] = contact_port
d["virtual"] = int(ekcert == "virtual")
d["active"] = int(False)
d["key"] = key
d["provider_keys"] = {}
d["regcount"] = regcount
try:
session.add(RegistrarMain(**d))
session.commit()
except SQLAlchemyError as e:
logger.error("SQLAlchemy Error: %s", e)
raise
response = {
"blob": blob,
}
web_util.echo_json_response(self, 200, "Success", response)
logger.info("POST returning key blob for agent_id: %s", agent_id)
except Exception as e:
web_util.echo_json_response(self, 400, f"Error: {str(e)}")
logger.warning("POST for %s returning 400 response. Error: %s",
agent_id, e)
logger.exception(e)
