def SetInitState(cfg, state): """Sets system's initialization state. For oneway, it stores it in C.ENT_SYSTEM_INIT_STATE. For Clusters, it stores it in chubby file /ls/ent<version>/ENT_SYSTEM_INIT_STATE. @param cfg - of type configurator. @param state - string """ # oneway? if 1 == len(core_utils.GetNodes()): cfg.setGlobalParam(C.ENT_SYSTEM_INIT_STATE, state) return tmpfile = E.mktemp('/export/hda3/tmp') try: f = open(tmpfile, 'w') f.write(state) f.close() except IOError: logging.fatal('Cannot write to temp file %s' % tmpfile) return version = cfg.getGlobalParam('VERSION') lockserv_cmd_prefix = core_utils.GetLSClientCmd(version, is_test(version)) chubby_root_dir = '/ls/%s' % core_utils.GetCellName(version) write_cmd = '%s cp %s %s/%s' % (lockserv_cmd_prefix, tmpfile, chubby_root_dir, 'ENT_SYSTEM_INIT_STATE') logging.info('setting system init state to: %s', state) E.exe_or_fail(write_cmd) E.exe('rm -rf %s' % tmpfile)
def __init__(self, cfg, box_key_dir, license_key_dir): self.cfg = cfg self.inInitialization = true self.killingIsRunning = false self.counter_lock = threading.Lock() self.counter_file = cfg.getGlobalParam('ENT_LICENSE_COUNTER_FILE') self.counter_back_file = cfg.getGlobalParam('ENT_LICENSE_COUNTER_FILE_BACKUP') self.parser = ent_license.LicenseParser() data_dir = cfg.getGlobalParam('DATADIR') working_dir = E.mktemp(data_dir, "license_manager") E.system('rm -rf %s/@*.0license_manager; mkdir -p %s' % ( data_dir, working_dir)) box_pub_keyring = E.joinpaths([box_key_dir, "ent_box_key.pub"]) box_pri_keyring = E.joinpaths([box_key_dir, "ent_box_key.pri"]) license_pub_keyring = E.joinpaths([license_key_dir, "google_license_key.pub"]) self.decryptor = ent_license.LicenseDecryptor(working_dir, box_pub_keyring, box_pri_keyring, license_pub_keyring)
def encryptLicense(self, license, passphrase = None): tempdir = E.mktemp(self.working_dir, 'encrypt') # if no passphrase supplied, use the one given in the constructor if passphrase == None: passphrase = self.passphrase # make sure the license is valid (note that this is a fresh license) if license.isInvalid(fresh_license = 1): logging.error("license is not valid") return None if not self.checkFiles(): logging.error("encryptor keys don't exist or aren't valid") return None # get the header header = self.extractHeader(license) # NOTE: this ent_license.config is important; the old license code expects # to find this filename. do not change it license_fn = E.joinpaths([tempdir, "ent_license.config"]) tgz_fn = E.joinpaths([tempdir, "license.tgz"]) encrypted_fn = E.joinpaths([tempdir, "license.encrypted"]) encrypted_w_header_fn = E.joinpaths([tempdir, "license.header"]) signed_fn = E.joinpaths([tempdir, "license.signed"]) try: # make the temp directory os.system("rm -rf %s" % commands.mkarg(tempdir)) os.makedirs(tempdir) # write the raw license body to a file license_body = {} license_body.update(license.license) # overwrite the version number with the current version (just in case) license_body['ENT_LICENSE_VERSION'] = CURRENT_LICENSE_VERSION try: body_str = string.join(map(lambda (k,v): '%s = %s' % (k,repr(v)), license_body.items()), '\n') open(license_fn, 'w').write(str(body_str)) except IOError: logging.error("writing plain license failed") return None # tar the license body tar_cmd = "tar zvcf %s -C %s %s" % ( commands.mkarg(tgz_fn), commands.mkarg(os.path.dirname(license_fn)), commands.mkarg(os.path.basename(license_fn))) if os.system(tar_cmd) != 0: logging.error("tarring license failed") return None # encrypt it encrypt_cmd = "gpg --no-options --no-default-keyring --no-secmem-warning --no-tty --yes --default-recipient-self --keyring %s --secret-keyring %s -o %s -se %s" % ( commands.mkarg(self.box_public_keyring), commands.mkarg(self.box_private_keyring), commands.mkarg(encrypted_fn), commands.mkarg(tgz_fn)) if os.system(encrypt_cmd) != 0: logging.error("encrypting license failed") return None # write out the header (plus \n\n) to encrypted_w_header_fn try: header_str = string.join(map(lambda (k,v): '%s = %s' % (k,repr(v)), header.items()), '\n') header_str = header_str + '\n\n' # end of header open(encrypted_w_header_fn, 'w').write(header_str) except IOError: logging.error("writing license header failed") return None # append the encrypted tarred license to encrypted_w_header_fn cat_cmd = "cat %s >> %s" % ( commands.mkarg(encrypted_fn), commands.mkarg(encrypted_w_header_fn)) if os.system(cat_cmd) != 0: logging.error("reading encrypted license failed") return None # sign encrypted_w_header_fn sign_cmd = "gpg --no-options --no-default-keyring --no-tty --no-secmem-warning --keyring %s --secret-keyring %s --passphrase-fd 0 --yes -o %s -s %s" % ( commands.mkarg(self.license_public_keyring), commands.mkarg(self.license_private_keyring), commands.mkarg(signed_fn), commands.mkarg(encrypted_w_header_fn)) try: # use popen so that we can write the passphrase to stdin sign_fd = os.popen(sign_cmd, 'w') if passphrase != None: sign_fd.write(passphrase) status = sign_fd.close() except IOError: status = -1 if status != None: logging.error("signing license signature failed") return None # read the signed body try: signed_body = open(signed_fn, 'r').read() except IOError: logging.error("reading signed license failed") return None finally: # make sure to clean up all the temp files os.system("rm -rf %s" % commands.mkarg(tempdir)) return signed_body
def decryptLicense(self, encrypted_license): tempdir = E.mktemp(self.working_dir, 'decrypt') signed_fn = E.joinpaths([tempdir, "license.signed"]) verified_fn = E.joinpaths([tempdir, "license.verified"]) encrypted_fn = E.joinpaths([tempdir, "license.encrypted"]) tgz_fn = E.joinpaths([tempdir, "license.tgz"]) license_fn = E.joinpaths([tempdir, "ent_license.config"]) if not self.checkFiles(): logging.error("decryptor keys don't exist or aren't valid") return None, None, DECRYPT_SYSTEM_ERROR try: # make the temp directory os.system("rm -rf %s" % commands.mkarg(tempdir)) os.makedirs(tempdir) # output to a file try: open(signed_fn, 'w').write(encrypted_license) except IOError: logging.error("writing encrypted license failed") return None, None, DECRYPT_SYSTEM_ERROR # verify signature verify_cmd = ("gpg --no-options --no-default-keyring --no-tty" " --no-verbose --yes --keyring %s -o %s --decrypt %s") % ( commands.mkarg(self.license_public_keyring), commands.mkarg(verified_fn), commands.mkarg(signed_fn)) # When gpg is given a file with no signature it returns successfully; # so we must check gpg's output fi, foe = os.popen4(verify_cmd) fi.close() gpg_result = foe.read() foe.close() if gpg_result.find("Good signature") == -1: logging.error("verifying license signature failed") return None, None, DECRYPT_GPG_VERIFY_FAILED # remove header verified_body = open(verified_fn, 'r').read() sep_poi = string.find(verified_body, "\n\n") if sep_poi < 0: logging.error("license doesn't have valid header") return None, None, DECRYPT_BAD_HEADER # NOTE: At this point, we've read the header, which is a subset of the # actual license (which we can't see yet, because it's encrypted). If # we fail past this point, we return the header in place of the license # because it will look like an invalid license, and allow us to report # some basic information about the license. # header_body = verified_body[0:sep_poi] # write out the encrypted body try: open(encrypted_fn, 'w').write(verified_body[sep_poi+2:]) except IOError: logging.error("writing encrypted license failed") return None, header_body, DECRYPT_SYSTEM_ERROR # decrypt it decrypt_cmd = "gpg --no-options --no-default-keyring --no-tty --yes --keyring %s --secret-keyring %s -o %s --decrypt %s" % ( commands.mkarg(self.box_public_keyring), commands.mkarg(self.box_private_keyring), commands.mkarg(tgz_fn), commands.mkarg(encrypted_fn)) if os.system(decrypt_cmd) != 0: logging.error("decrypting license failed") return None, header_body, DECRYPT_GPG_DECRYPT_FAILED # untar it (we only ask for the file we want) untar_cmd = "tar xvzf %s -C %s ent_license.config" % ( commands.mkarg(tgz_fn), tempdir) if os.system(untar_cmd) != 0: logging.error("untarring license failed") return None, header_body, DECRYPT_TAR_FAILED # read in the decrypted license try: license_body = open(license_fn, 'r').read() except IOError: logging.error("reading decrypted license failed") return None, header_body, DECRYPT_SYSTEM_ERROR finally: # make sure to clean up all the temp files os.system("rm -rf %s" % commands.mkarg(tempdir)) return license_body, header_body, DECRYPT_OK
def encryptLicense(self, license, passphrase=None): tempdir = E.mktemp(self.working_dir, 'encrypt') # if no passphrase supplied, use the one given in the constructor if passphrase == None: passphrase = self.passphrase # make sure the license is valid (note that this is a fresh license) if license.isInvalid(fresh_license=1): logging.error("license is not valid") return None if not self.checkFiles(): logging.error("encryptor keys don't exist or aren't valid") return None # get the header header = self.extractHeader(license) # NOTE: this ent_license.config is important; the old license code expects # to find this filename. do not change it license_fn = E.joinpaths([tempdir, "ent_license.config"]) tgz_fn = E.joinpaths([tempdir, "license.tgz"]) encrypted_fn = E.joinpaths([tempdir, "license.encrypted"]) encrypted_w_header_fn = E.joinpaths([tempdir, "license.header"]) signed_fn = E.joinpaths([tempdir, "license.signed"]) try: # make the temp directory os.system("rm -rf %s" % commands.mkarg(tempdir)) os.makedirs(tempdir) # write the raw license body to a file license_body = {} license_body.update(license.license) # overwrite the version number with the current version (just in case) license_body['ENT_LICENSE_VERSION'] = CURRENT_LICENSE_VERSION try: body_str = string.join( map(lambda (k, v): '%s = %s' % (k, repr(v)), license_body.items()), '\n') open(license_fn, 'w').write(str(body_str)) except IOError: logging.error("writing plain license failed") return None # tar the license body tar_cmd = "tar zvcf %s -C %s %s" % ( commands.mkarg(tgz_fn), commands.mkarg(os.path.dirname(license_fn)), commands.mkarg(os.path.basename(license_fn))) if os.system(tar_cmd) != 0: logging.error("tarring license failed") return None # encrypt it encrypt_cmd = "gpg --no-options --no-default-keyring --no-secmem-warning --no-tty --yes --default-recipient-self --keyring %s --secret-keyring %s -o %s -se %s" % ( commands.mkarg(self.box_public_keyring), commands.mkarg(self.box_private_keyring), commands.mkarg(encrypted_fn), commands.mkarg(tgz_fn)) if os.system(encrypt_cmd) != 0: logging.error("encrypting license failed") return None # write out the header (plus \n\n) to encrypted_w_header_fn try: header_str = string.join( map(lambda (k, v): '%s = %s' % (k, repr(v)), header.items()), '\n') header_str = header_str + '\n\n' # end of header open(encrypted_w_header_fn, 'w').write(header_str) except IOError: logging.error("writing license header failed") return None # append the encrypted tarred license to encrypted_w_header_fn cat_cmd = "cat %s >> %s" % (commands.mkarg(encrypted_fn), commands.mkarg(encrypted_w_header_fn)) if os.system(cat_cmd) != 0: logging.error("reading encrypted license failed") return None # sign encrypted_w_header_fn sign_cmd = "gpg --no-options --no-default-keyring --no-tty --no-secmem-warning --keyring %s --secret-keyring %s --passphrase-fd 0 --yes -o %s -s %s" % ( commands.mkarg(self.license_public_keyring), commands.mkarg( self.license_private_keyring), commands.mkarg(signed_fn), commands.mkarg(encrypted_w_header_fn)) try: # use popen so that we can write the passphrase to stdin sign_fd = os.popen(sign_cmd, 'w') if passphrase != None: sign_fd.write(passphrase) status = sign_fd.close() except IOError: status = -1 if status != None: logging.error("signing license signature failed") return None # read the signed body try: signed_body = open(signed_fn, 'r').read() except IOError: logging.error("reading signed license failed") return None finally: # make sure to clean up all the temp files os.system("rm -rf %s" % commands.mkarg(tempdir)) return signed_body
def decryptLicense(self, encrypted_license): tempdir = E.mktemp(self.working_dir, 'decrypt') signed_fn = E.joinpaths([tempdir, "license.signed"]) verified_fn = E.joinpaths([tempdir, "license.verified"]) encrypted_fn = E.joinpaths([tempdir, "license.encrypted"]) tgz_fn = E.joinpaths([tempdir, "license.tgz"]) license_fn = E.joinpaths([tempdir, "ent_license.config"]) if not self.checkFiles(): logging.error("decryptor keys don't exist or aren't valid") return None, None, DECRYPT_SYSTEM_ERROR try: # make the temp directory os.system("rm -rf %s" % commands.mkarg(tempdir)) os.makedirs(tempdir) # output to a file try: open(signed_fn, 'w').write(encrypted_license) except IOError: logging.error("writing encrypted license failed") return None, None, DECRYPT_SYSTEM_ERROR # verify signature verify_cmd = ("gpg --no-options --no-default-keyring --no-tty" " --no-verbose --yes --keyring %s -o %s --decrypt %s" ) % (commands.mkarg(self.license_public_keyring), commands.mkarg(verified_fn), commands.mkarg(signed_fn)) # When gpg is given a file with no signature it returns successfully; # so we must check gpg's output fi, foe = os.popen4(verify_cmd) fi.close() gpg_result = foe.read() foe.close() if gpg_result.find("Good signature") == -1: logging.error("verifying license signature failed") return None, None, DECRYPT_GPG_VERIFY_FAILED # remove header verified_body = open(verified_fn, 'r').read() sep_poi = string.find(verified_body, "\n\n") if sep_poi < 0: logging.error("license doesn't have valid header") return None, None, DECRYPT_BAD_HEADER # NOTE: At this point, we've read the header, which is a subset of the # actual license (which we can't see yet, because it's encrypted). If # we fail past this point, we return the header in place of the license # because it will look like an invalid license, and allow us to report # some basic information about the license. # header_body = verified_body[0:sep_poi] # write out the encrypted body try: open(encrypted_fn, 'w').write(verified_body[sep_poi + 2:]) except IOError: logging.error("writing encrypted license failed") return None, header_body, DECRYPT_SYSTEM_ERROR # decrypt it decrypt_cmd = "gpg --no-options --no-default-keyring --no-tty --yes --keyring %s --secret-keyring %s -o %s --decrypt %s" % ( commands.mkarg(self.box_public_keyring), commands.mkarg(self.box_private_keyring), commands.mkarg(tgz_fn), commands.mkarg(encrypted_fn)) if os.system(decrypt_cmd) != 0: logging.error("decrypting license failed") return None, header_body, DECRYPT_GPG_DECRYPT_FAILED # untar it (we only ask for the file we want) untar_cmd = "tar xvzf %s -C %s ent_license.config" % ( commands.mkarg(tgz_fn), tempdir) if os.system(untar_cmd) != 0: logging.error("untarring license failed") return None, header_body, DECRYPT_TAR_FAILED # read in the decrypted license try: license_body = open(license_fn, 'r').read() except IOError: logging.error("reading decrypted license failed") return None, header_body, DECRYPT_SYSTEM_ERROR finally: # make sure to clean up all the temp files os.system("rm -rf %s" % commands.mkarg(tempdir)) return license_body, header_body, DECRYPT_OK