def sign(options):
    """Re-sign the gid named by ``options.sign`` under the local interface authority.

    The input gid is read only for its public key and urn; a fresh gid with a
    new uuid is minted by the local hierarchy and written to ``options.outfile``
    (default ``./signed-<hrn>.gid``).  Exits with status 1 when the input file
    does not exist.
    """
    tree = Hierarchy()
    local_authority = Config().SFA_INTERFACE_HRN
    # the lookup result is not used here
    tree.get_auth_info(local_authority)

    # load the gid
    source_path = os.path.abspath(options.sign)
    if not os.path.isfile(source_path):
        print "no such gid: %s" % source_path
        sys.exit(1)
    source_gid = GID(filename=source_path)

    # mint a new gid carrying the source's key and urn but a fresh uuid
    source_key = source_gid.get_pubkey()
    source_urn = source_gid.get_urn()
    signed_gid = tree.create_gid(source_urn, create_uuid(), source_key)

    # pick the destination
    target_path = options.outfile or os.path.abspath('./signed-%s.gid' % signed_gid.get_hrn())

    # save the signed gid
    if options.verbose:
        print "Writing signed gid %s" % target_path
    signed_gid.save_to_file(target_path, save_parents=True)
def export_gid(options): from sfa.util.table import SfaTable # lookup the record for the specified hrn hrn = options.export type = options.type # check sfa table first filter = {'hrn': hrn} if type: filter['type'] = type table = SfaTable() records = table.find(filter) if not records: # check the authorities hierarchy hierarchy = Hierarchy() try: auth_info = hierarchy.get_auth_info() gid = auth_info.gid_object except: print "Record: %s not found" % hrn sys.exit(1) else: record = records[0] gid = GID(string=record['gid']) # get the outfile outfile = options.outfile if not outfile: outfile = os.path.abspath('./%s.gid' % gid.get_hrn()) # save it if options.verbose: print "Writing %s gid to %s" % (gid.get_hrn(), outfile) gid.save_to_file(outfile, save_parents=True)
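def install_peer_certs(server_key_file, server_cert_file):
    """
    Attempt to install missing trusted gids and db records for
    our federated interfaces
    """
    # There should be a gid file in /etc/sfa/trusted_roots for every
    # peer registry found in the registries.xml config file. If there
    # are any missing gids, request a new one from the peer registry.
    api = SfaAPI(key_file=server_key_file, cert_file=server_cert_file)
    interfaces = dict(Registries().items() + Aggregates().items())
    hrns_current = [gid.get_hrn() for gid in api.auth.trusted_cert_list]
    new_hrns = set(interfaces).difference(hrns_current)
    if not new_hrns:
        return

    # every gid learned from a peer, handed to update_cert_records at the end
    peer_gids = []
    trusted_certs_dir = api.config.get_trustedroots_dir()
    for new_hrn in new_hrns:
        # the gid for this interface should already be installed
        if not new_hrn or new_hrn == api.config.SFA_INTERFACE_HRN:
            continue
        try:
            # get gid from the registry
            interface = interfaces[new_hrn].get_server(server_key_file, server_cert_file, timeout=30)
            # skip non sfa aggregates
            server_version = api.get_cached_server_version(interface)
            if "sfa" not in server_version:
                logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
                continue
            trusted_gids = interface.get_trusted_certs()
            if not trusted_gids:
                continue
            # default message, replaced if the peer's own gid is found below
            message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
            # the gid we want should be the first one in the list, but lets make sure:
            # each entry is parsed (not trusted_gids[0] every time, which also
            # appended the same gid repeatedly to peer_gids)
            for trusted_gid in trusted_gids:
                gid = GID(string=trusted_gid)
                # NOTE(review): every gid the peer returns, not only the one for
                # new_hrn, is collected here and passed to update_cert_records;
                # confirm that is intended
                peer_gids.append(gid)
                if gid.get_hrn() == new_hrn:
                    gid_filename = os.path.join(trusted_certs_dir, "%s.gid" % new_hrn)
                    gid.save_to_file(gid_filename, save_parents=True)
                    message = "installed trusted cert for %s" % new_hrn
            # log the outcome once per interface
            api.logger.info(message)
        except Exception:
            # narrowed from a bare except so SystemExit/KeyboardInterrupt propagate
            message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
            api.logger.log_exc(message)
    update_cert_records(peer_gids)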
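def _get_gid(self, hrn=None, type=None):
    """get_gid helper: return the gid for *hrn*, fetching it from the registry when needed.

    The gid is cached at ``<sfi_dir>/<hrn>.gid``; when no cached copy is
    available the registry is asked to Resolve the hrn with the user's
    credential, the record (filtered by *type* when given) is used to build
    the GID, and the result is written back to the cache file.

    @param hrn: the hrn to fetch the gid for; defaults to ``self.user``
    @param type: optional record type used to pick among several records
    @return: a GID object
    @raise RecordNotFound: when the registry returns no (matching) record
    """
    if not hrn:
        hrn = self.user
    gidfile = os.path.join(self.options.sfi_dir, hrn + ".gid")
    gid = self.get_cached_gid(gidfile)
    if gid:
        return gid

    user_cred = self.get_user_cred()
    records = self.registry.Resolve(hrn, user_cred.save_to_string(save_parents=True))
    if not records:
        # report the hrn that was looked up (the former `args[0]` was an
        # undefined name and raised NameError instead of RecordNotFound)
        raise RecordNotFound(hrn)

    record = records[0]
    if type:
        # keep the last record whose type matches
        record = None
        for candidate in records:
            if candidate['type'] == type:
                record = candidate
        if not record:
            raise RecordNotFound(hrn)

    gid = GID(string=record['gid'])
    self.logger.info("Writing gid to %s" % gidfile)
    gid.save_to_file(filename=gidfile)
    return gid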
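def get_cert_file(self, key_file):
    """Return the path of this user's certificate, creating it if necessary.

    A Registry-issued certificate (a GID, recognised by having a urn) already
    on disk is used as is.  Otherwise a self-signed certificate for
    ``self.user`` is written from *key_file* and stored on ``self.cert``, and
    a one-shot registry connection is then used to try to replace it with a
    Registry-issued GID; failure to obtain one is logged and the self-signed
    file is kept.

    @param key_file: path of the user's private key
    @return: path of the certificate file under ``self.options.sfi_dir``
    """
    cert_name = self.user.replace(self.authority + '.', '') + ".cert"
    cert_file = os.path.join(self.options.sfi_dir, cert_name)
    if os.path.isfile(cert_file):
        # we'd prefer to use Registry issued certs instead of self signed certs:
        # a GID carries a urn, a self-signed cert does not, so a urn means done
        if GID(filename=cert_file).get_urn():
            return cert_file

    # generate self signed certificate
    keypair = Keypair(filename=key_file)
    cert = Certificate(subject=self.user)
    cert.set_pubkey(keypair)
    cert.set_issuer(keypair, self.user)
    cert.sign()
    self.logger.info("Writing self-signed certificate to %s" % cert_file)
    cert.save_to_file(cert_file)
    self.cert = cert

    # try to get registry issued cert
    try:
        self.logger.info("Getting Registry issued cert")
        self.read_config()
        # _get_gid() goes through self.registry, so a proxy authenticated with
        # the self-signed cert is installed temporarily and always cleared in
        # `finally` (previously it stayed set when _get_gid() failed)
        self.registry = xmlrpcprotocol.get_server(self.reg_url, key_file, cert_file,
                                                  timeout=self.options.timeout,
                                                  verbose=self.options.debug)
        try:
            gid = self._get_gid(type='user')
        finally:
            self.registry = None
        self.logger.info("Writing certificate to %s" % cert_file)
        gid.save_to_file(cert_file)
    except Exception:
        # narrowed from a bare except so SystemExit/KeyboardInterrupt propagate
        self.logger.info("Failed to download Registry issued cert")
    return cert_file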
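class UploadCertForm(forms.Form):
    """Form to upload a certificate and its corresponding key."""

    key_file = forms.FileField(
        help_text="Select the file that contains the key for the "
                  "certificate to upload.")
    cert_file = forms.FileField(
        help_text="Select the file that contains the "
                  "certificate to upload. The certificate must be signed "
                  "with the uploaded key.")

    clean_key_file = _clean_x_file_factory("key")
    clean_cert_file = _clean_x_file_factory("cert")

    def clean(self):
        """Check that the cert file matches the key file and is trusted.

        Two checks are made: the certificate's public key must equal the
        uploaded key's public key, and the certificate must chain up to one
        of the installed trusted certs.  On success the parsed objects are
        left on ``self.key`` and ``self.cert`` for L{save}.

        @raise forms.ValidationError: on a key/cert mismatch or a failed
            chain verification.
        """
        logger.debug("cleaned_data %s" % self.cleaned_data)
        key_upload = self.files.get("key_file") if self.files else None
        cert_upload = self.files.get("cert_file") if self.files else None
        if key_upload is None or cert_upload is None:
            # a missing upload is already reported by the per-field clean;
            # indexing self.files here would turn it into a KeyError
            return self.cleaned_data
        self.key = Keypair(string=key_upload.read())
        self.cert = GID(string=cert_upload.read())
        # this compares public keys only; no signature is verified here
        cert_pubkey = self.cert.get_pubkey().get_pubkey_string()
        if cert_pubkey != self.key.get_pubkey_string():
            raise forms.ValidationError(
                "Error: The certificate was not signed "
                "by the uploaded key. Please use a key "
                "that matches the certificate.")
        try:
            certs = [GID(filename=f) for f in get_trusted_cert_filenames()]
            self.cert.verify_chain(certs)
        except Exception as e:
            logger.error(traceback.format_exc())
            # NOTE(review): the raw exception text is echoed back to the
            # uploader; confirm it cannot carry anything sensitive
            raise forms.ValidationError(
                "Could not verify that the uploaded certificate is "
                "trusted. This could be because none of the certificate's "
                "ancestors have been installed as trusted. The error was: "
                "%s" % e
            )
        return self.cleaned_data

    def save(self, user):
        """Write the key and cert into files.

        Uses the objects parsed by L{clean}, so it must only be called after a
        successful validation.

        @param user: the user to save the cert and key for.
        @type user: C{django.contrib.auth.models.User}
        """
        key_fname = get_user_key_fname(user)
        cert_fname = get_user_cert_fname(user)
        self.key.save_to_file(key_fname)
        self.cert.save_to_file(cert_fname)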
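class UploadCertForm(forms.Form):
    """Form to upload a certificate and its corresponding key."""

    key_file = forms.FileField(
        help_text="Select the file that contains the key for the "
                  "certificate to upload.")
    cert_file = forms.FileField(
        help_text="Select the file that contains the "
                  "certificate to upload. The certificate must be signed "
                  "with the uploaded key.")

    clean_key_file = _clean_x_file_factory("key")
    clean_cert_file = _clean_x_file_factory("cert")

    def clean(self):
        """Check that the cert file matches the key file and is trusted.

        The certificate's public key must equal the uploaded key's public key,
        and the certificate must chain up to one of the installed trusted
        certs.  On success ``self.key`` and ``self.cert`` hold the parsed
        objects for L{save}.

        @raise forms.ValidationError: on a key/cert mismatch or a failed
            chain verification.
        """
        logger.debug("cleaned_data %s" % self.cleaned_data)
        uploads = self.files or {}
        key_upload = uploads.get("key_file")
        cert_upload = uploads.get("cert_file")
        if key_upload is None or cert_upload is None:
            # the per-field clean already reports a missing upload; indexing
            # self.files directly would raise KeyError instead
            return self.cleaned_data
        self.key = Keypair(string=key_upload.read())
        self.cert = GID(string=cert_upload.read())
        # public-key comparison only; no signature is checked at this point
        cert_pubkey = self.cert.get_pubkey().get_pubkey_string()
        if cert_pubkey != self.key.get_pubkey_string():
            raise forms.ValidationError(
                "Error: The certificate was not signed "
                "by the uploaded key. Please use a key "
                "that matches the certificate.")
        try:
            certs = [GID(filename=f) for f in get_trusted_cert_filenames()]
            self.cert.verify_chain(certs)
        except Exception as e:
            logger.error(traceback.format_exc())
            # NOTE(review): the exception text is shown to the uploader;
            # confirm it cannot carry anything sensitive
            raise forms.ValidationError(
                "Could not verify that the uploaded certificate is "
                "trusted. This could be because none of the certificate's "
                "ancestors have been installed as trusted. The error was: "
                "%s" % e)
        return self.cleaned_data

    def save(self, user):
        """Write the key and cert into files.

        Relies on the objects parsed by L{clean}; call only after the form
        validated.

        @param user: the user to save the cert and key for.
        @type user: C{django.contrib.auth.models.User}
        """
        key_fname = get_user_key_fname(user)
        cert_fname = get_user_cert_fname(user)
        self.key.save_to_file(key_fname)
        self.cert.save_to_file(cert_fname)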
def get_trusted_certs(registry=None, verbose=False): """ refresh our list of trusted certs. """ # define useful variables config = Config() data_dir = config.SFA_DATA_DIR config_dir = config.SFA_CONFIG_DIR trusted_certs_dir = config.get_trustedroots_dir() keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" node_gid_file = config_dir + os.sep + "node.gid" node_gid = GID(filename=node_gid_file) hrn = node_gid.get_hrn() # get credential cred = GetCredential(registry=registry, verbose=verbose) # make sure server key cert pair exists create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose) registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) # get the trusted certs and save them in the right place if verbose: print "Getting trusted certs from registry" trusted_certs = registry.get_trusted_certs(cred) trusted_gid_names = [] for gid_str in trusted_certs: gid = GID(string=gid_str) gid.decode() relative_filename = gid.get_hrn() + ".gid" trusted_gid_names.append(relative_filename) gid_filename = trusted_certs_dir + os.sep + relative_filename if verbose: print "Writing GID for %s as %s" % (gid.get_hrn(), gid_filename) gid.save_to_file(gid_filename, save_parents=True) # remove old certs all_gids_names = os.listdir(trusted_certs_dir) for gid_name in all_gids_names: if gid_name not in trusted_gid_names: if verbose: print "Removing old gid ", gid_name os.unlink(trusted_certs_dir + os.sep + gid_name)
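def init_server_cert(hrn, key, server_cert_file, self_signed=False):
    """Set up the certificate for this server.

    Unless *self_signed* is requested, the gid of the authority *hrn* found in
    the local hierarchy is copied to *server_cert_file*; if that lookup or copy
    fails a self-signed cert is generated instead.

    @param hrn: hrn of this server's authority
    @param key: server keypair handed to init_self_signed_cert
    @param server_cert_file: destination path of the certificate
    @param self_signed: skip the gid lookup and always self-sign
    """
    if self_signed:
        init_self_signed_cert(hrn, key, server_cert_file)
        return
    try:
        # look for gid file
        logger.debug("generating server cert from gid: %s" % hrn)
        auth_info = Hierarchy().get_auth_info(hrn)
        GID(filename=auth_info.gid_filename).save_to_file(filename=server_cert_file)
    except Exception:
        # fall back to self signed cert; narrowed from a bare except so
        # SystemExit/KeyboardInterrupt do not end up producing a self-signed cert
        logger.debug("gid for %s not found" % hrn)
        init_self_signed_cert(hrn, key, server_cert_file)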
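def import_gid(options):
    """
    Import the specified gid into the registry (db and authorities hierarchy)
    overwriting any previous gid.

    The gid file named by ``options.importgid`` is not verified here; its
    contents replace the stored gid of the authority with the same hrn, in
    both the record database and the hierarchy's gid file.  Exits with
    status 1 when the file, the authority or its db record is missing.
    """
    from sfa.util.table import SfaTable
    from sfa.util.record import SfaRecord

    # load the gid; test the option before abspath(), which rejects None
    gidfile = options.importgid and os.path.abspath(options.importgid)
    if not gidfile or not os.path.isfile(gidfile):
        print "No such gid: %s" % gidfile
        sys.exit(1)
    gid = GID(filename=gidfile)
    hrn = gid.get_hrn()

    # check if it exists within the hierarchy
    hierarchy = Hierarchy()
    if not hierarchy.auth_exists(hrn):
        print "%s not found in hierarchy" % hrn
        sys.exit(1)

    # check if record exists in db
    table = SfaTable()
    records = table.find({'hrn': hrn, 'type': 'authority'})
    if not records:
        # was `get.get_hrn()`, a NameError on this error path
        print "%s not found in record database" % hrn
        sys.exit(1)

    # update the database record
    record = records[0]
    record['gid'] = gid.save_to_string(save_parents=True)
    table.update(record)
    if options.verbose:
        print "Imported %s gid into db" % record['hrn']

    # update the hierarchy
    auth_info = hierarchy.get_auth_info(hrn)
    filename = auth_info.gid_filename
    gid.save_to_file(filename, save_parents=True)
    if options.verbose:
        print "Writing %s gid to %s" % (hrn, filename)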
def get_trusted_certs(registry=None, verbose=False): """ refresh our list of trusted certs. """ # define useful variables config = Config() data_dir = config.SFA_DATA_DIR config_dir = config.SFA_CONFIG_DIR trusted_certs_dir = config.get_trustedroots_dir() keyfile = data_dir + os.sep + "server.key" certfile = data_dir + os.sep + "server.cert" node_gid_file = config_dir + os.sep + "node.gid" node_gid = GID(filename=node_gid_file) hrn = node_gid.get_hrn() # get credential cred = GetCredential(registry=registry, verbose=verbose) # make sure server key cert pair exists create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose) registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile) # get the trusted certs and save them in the right place if verbose: print "Getting trusted certs from registry" trusted_certs = registry.get_trusted_certs(cred) trusted_gid_names = [] for gid_str in trusted_certs: gid = GID(string=gid_str) gid.decode() relative_filename = gid.get_hrn() + ".gid" trusted_gid_names.append(relative_filename) gid_filename = trusted_certs_dir + os.sep + relative_filename if verbose: print "Writing GID for %s as %s" % (gid.get_hrn(), gid_filename) gid.save_to_file(gid_filename, save_parents=True) # remove old certs all_gids_names = os.listdir(trusted_certs_dir) for gid_name in all_gids_names: if gid_name not in trusted_gid_names: if verbose: print "Removing old gid ", gid_name os.unlink(trusted_certs_dir + os.sep + gid_name)
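def export(self, xrn, type=None, outfile=None):
    """Fetch an object's GID from the Registry and write it to a file.

    The record is looked up by hrn in the registry database (narrowed by
    *type* when given); if none is found the authorities hierarchy is
    consulted instead.  Exits the process with status 1 when neither holds
    the hrn.

    @param xrn: hrn or urn of the object
    @param type: optional record type to disambiguate
    @param outfile: destination path, default ``./<hrn>.gid``
    """
    from sfa.storage.model import RegRecord
    hrn = Xrn(xrn).get_hrn()
    query = self.api.dbsession().query(RegRecord).filter_by(hrn=hrn)
    if type:
        query = query.filter_by(type=type)
    record = query.first()
    if record:
        gid = GID(string=record.gid)
    else:
        # check the authorities hierarchy
        try:
            gid = Hierarchy().get_auth_info(hrn).gid_object
        except Exception:
            # narrowed from a bare except so SystemExit/KeyboardInterrupt propagate
            print "Record: %s not found" % hrn
            sys.exit(1)
    # save to file
    if not outfile:
        outfile = os.path.abspath('./%s.gid' % gid.get_hrn())
    gid.save_to_file(outfile, save_parents=True)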
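def install_trusted_certs(api):
    """Refresh the trusted-roots directory from the registry.

    Fetches the registry's trusted certs with this api's credential, writes
    each one as ``<hrn>.gid`` under ``trusted_certs_dir`` and removes every
    other file found there.

    @param api: object providing getCredential() and get_registry()

    NOTE(review): ``trusted_certs_dir`` and ``verbose`` are not defined in
    this function and are not parameters; they must come from module scope.
    Confirm against the enclosing module.
    """
    cred = api.getCredential()
    registry = api.get_registry()
    trusted_certs = registry.get_trusted_certs(cred)
    trusted_gid_names = []
    for gid_str in trusted_certs:
        gid = GID(string=gid_str)
        gid.decode()
        relative_filename = gid.get_hrn() + ".gid"
        # the hrn is taken from the registry reply; do not let a name that
        # resolves outside trusted_certs_dir reach save_to_file
        if os.path.basename(relative_filename) != relative_filename:
            if verbose:
                print("Skipping gid with unexpected hrn %s" % gid.get_hrn())
            continue
        trusted_gid_names.append(relative_filename)
        gid_filename = os.path.join(trusted_certs_dir, relative_filename)
        if verbose:
            print("Writing GID for %s as %s" % (gid.get_hrn(), gid_filename))
        gid.save_to_file(gid_filename, save_parents=True)

    # remove old certs: everything the registry did not return this time
    for gid_name in os.listdir(trusted_certs_dir):
        if gid_name not in trusted_gid_names:
            if verbose:
                print("Removing old gid ", gid_name)
            os.unlink(os.path.join(trusted_certs_dir, gid_name))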
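def export(self, xrn, type=None, outfile=None):
    """Fetch an object's GID from the Registry and write it to a file.

    Looks the hrn up in the registry database (narrowed by *type* when
    given) and falls back to the authorities hierarchy when no record
    exists.  Exits the process with status 1 if the hrn is found in neither.

    @param xrn: hrn or urn of the object
    @param type: optional record type to disambiguate
    @param outfile: destination path, default ``./<hrn>.gid``
    """
    from sfa.storage.model import RegRecord
    hrn = Xrn(xrn).get_hrn()
    request = self.api.dbsession().query(RegRecord).filter_by(hrn=hrn)
    if type:
        request = request.filter_by(type=type)
    record = request.first()
    if record:
        gid = GID(string=record.gid)
    else:
        # check the authorities hierarchy
        hierarchy = Hierarchy()
        try:
            auth_info = hierarchy.get_auth_info(hrn)
            gid = auth_info.gid_object
        except Exception:
            # narrowed from a bare except so SystemExit/KeyboardInterrupt propagate
            print "Record: %s not found" % hrn
            sys.exit(1)
    # save to file
    if not outfile:
        outfile = os.path.abspath('./%s.gid' % gid.get_hrn())
    gid.save_to_file(outfile, save_parents=True)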
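def _slices_without_gids(slicenames):
    """Return the names of slices whose vserver lacks /etc/slice.gid or /etc/node.gid."""
    missing = []
    for slicename in slicenames:
        vserver_etc = "/vservers/%s/etc" % slicename
        has_slice_gid = os.path.isfile(os.path.join(vserver_etc, "slice.gid"))
        has_node_gid = os.path.isfile(os.path.join(vserver_etc, "node.gid"))
        if not (has_slice_gid and has_node_gid):
            missing.append(slicename)
    return missing


def get_gids(registry=None, verbose=False):
    """
    Get the gid for all instantiated slices on this node and store it
    in /etc/sfa/slice.gid in the slice's filesystem

    The node manager is asked for the slices present on the node; for those
    that are missing slice.gid or node.gid under /vservers/<slice>/etc the
    registry's GetGids is called and both files are written.

    @param registry: registry url handed to GetCredential and server_proxy
    @param verbose: print progress messages when true
    """
    # define useful variables
    config = Config()
    data_dir = config.data_path
    config_dir = config.SFA_CONFIG_DIR
    keyfile = os.path.join(data_dir, "server.key")
    certfile = os.path.join(data_dir, "server.cert")
    node_gid_file = os.path.join(config_dir, "node.gid")
    node_gid = GID(filename=node_gid_file)
    hrn = node_gid.get_hrn()
    interface_hrn = config.SFA_INTERFACE_HRN

    # get credential
    cred = GetCredential(registry=registry, verbose=verbose)

    # make sure server key cert pair exists
    create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose)
    registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)

    if verbose:
        print "Getting current slices on this node"
    # get a list of slices on this node
    from sfa.generic import Generic
    api = Generic.the_flavour().make_api(interface='component')
    xids_tuple = api.driver.nodemanager.GetXIDs()
    # NOTE(review): eval() of text returned by the node manager; if that
    # payload is a plain dict literal, ast.literal_eval is the safe equivalent
    slices = eval(xids_tuple[1])

    # slices that dont have gids installed, converted to hrns
    hrns = [slicename_to_hrn(interface_hrn, slicename)
            for slicename in _slices_without_gids(slices.keys())]

    # exit if there are no gids to install
    if not hrns:
        return

    if verbose:
        print "Getting gids for slices on this node from registry"
    # get the gids and save them in the right place
    records = registry.GetGids(hrns, cred)
    for record in records:
        # if this isnt a slice record skip it
        if record['type'] != 'slice':
            continue
        slicename = hrn_to_pl_slicename(record['hrn'])
        vserver_path = "/vservers/%s" % slicename
        # if this slice isnt really instantiated skip it
        if not os.path.exists(vserver_path):
            continue

        # save the slice gid in /etc/sfa/ in the vservers filesystem
        slice_gid_filename = os.path.join(vserver_path, "etc", "slice.gid")
        if verbose:
            print "Saving GID for %s as %s" % (slicename, slice_gid_filename)
        GID(string=record['gid']).save_to_file(slice_gid_filename, save_parents=True)

        # save the node gid in /etc/sfa
        node_gid_filename = os.path.join(vserver_path, "etc", "node.gid")
        if verbose:
            print "Saving node GID for %s as %s" % (slicename, node_gid_filename)
        node_gid.save_to_file(node_gid_filename, save_parents=True)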
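def install_peer_certs(server_key_file, server_cert_file):
    """
    Attempt to install missing trusted gids and db records for
    our federated interfaces
    """
    # There should be a gid file in /etc/sfa/trusted_roots for every
    # peer registry found in the registries.xml config file. If there
    # are any missing gids, request a new one from the peer registry.
    api = SfaApi(key_file=server_key_file, cert_file=server_cert_file)
    interfaces = dict(Registries().items() + Aggregates().items())
    hrns_current = [gid.get_hrn() for gid in api.auth.trusted_cert_list]
    new_hrns = set(interfaces).difference(hrns_current)
    if not new_hrns:
        return

    # every gid learned from a peer, handed to update_cert_records at the end
    peer_gids = []
    trusted_certs_dir = api.config.get_trustedroots_dir()
    for new_hrn in new_hrns:
        # the gid for this interface should already be installed
        if not new_hrn or new_hrn == api.config.SFA_INTERFACE_HRN:
            continue
        try:
            # get gid from the registry
            interface = interfaces[new_hrn].server_proxy(server_key_file, server_cert_file, timeout=30)
            # skip non sfa aggregates
            server_version = api.get_cached_server_version(interface)
            if 'sfa' not in server_version:
                logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
                continue
            trusted_gids = ReturnValue.get_value(interface.get_trusted_certs())
            if not trusted_gids:
                continue
            # default message, replaced if the peer's own gid is found below;
            # logging it once after the loop keeps it from reflecting only
            # the last entry in the list
            message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
            # the gid we want should be the first one in the list, but lets make sure
            for trusted_gid in trusted_gids:
                gid = GID(string=trusted_gid)
                # NOTE(review): every gid the peer returns, not only the one for
                # new_hrn, is collected here and passed to update_cert_records;
                # confirm that is intended
                peer_gids.append(gid)
                if gid.get_hrn() == new_hrn:
                    gid_filename = os.path.join(trusted_certs_dir, '%s.gid' % new_hrn)
                    gid.save_to_file(gid_filename, save_parents=True)
                    message = "installed trusted cert for %s" % new_hrn
            # log the outcome once per interface
            api.logger.info(message)
        except Exception:
            # narrowed from a bare except so SystemExit/KeyboardInterrupt propagate
            message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
            api.logger.log_exc(message)
    update_cert_records(peer_gids)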
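def _vserver_missing_gids(slicename):
    """Return True when /vservers/<slicename>/etc lacks slice.gid or node.gid."""
    vserver_etc = "/vservers/%s/etc" % slicename
    return (not os.path.isfile(os.path.join(vserver_etc, "slice.gid"))
            or not os.path.isfile(os.path.join(vserver_etc, "node.gid")))


def get_gids(registry=None, verbose=False):
    """
    Get the gid for all instantiated slices on this node and store it
    in /etc/sfa/slice.gid in the slice's filesystem

    Slices are listed through the node manager; for each one missing
    slice.gid or node.gid under /vservers/<slice>/etc the registry's GetGids
    is queried and both files are written into the slice's filesystem.

    @param registry: registry url handed to GetCredential and server_proxy
    @param verbose: print progress messages when true
    """
    # define useful variables
    config = Config()
    data_dir = config.data_path
    config_dir = config.SFA_CONFIG_DIR
    keyfile = os.path.join(data_dir, "server.key")
    certfile = os.path.join(data_dir, "server.cert")
    node_gid_file = os.path.join(config_dir, "node.gid")
    node_gid = GID(filename=node_gid_file)
    hrn = node_gid.get_hrn()
    interface_hrn = config.SFA_INTERFACE_HRN

    # get credential
    cred = GetCredential(registry=registry, verbose=verbose)

    # make sure server key cert pair exists
    create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose)
    registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)

    if verbose:
        print "Getting current slices on this node"
    # get a list of slices on this node
    from sfa.generic import Generic
    generic = Generic.the_flavour()
    api = generic.make_api(interface='component')
    xids_tuple = api.driver.nodemanager.GetXIDs()
    # NOTE(review): eval() of text returned by the node manager; if that
    # payload is a plain dict literal, ast.literal_eval is the safe equivalent
    slices = eval(xids_tuple[1])

    # hrns of the slices that dont have gids installed
    hrns = [slicename_to_hrn(interface_hrn, slicename)
            for slicename in slices.keys() if _vserver_missing_gids(slicename)]

    # exit if there are no gids to install
    if not hrns:
        return

    if verbose:
        print "Getting gids for slices on this node from registry"
    # get the gids and save them in the right place
    records = registry.GetGids(hrns, cred)
    for record in records:
        # if this isnt a slice record skip it
        if record['type'] != 'slice':
            continue
        slicename = hrn_to_pl_slicename(record['hrn'])
        vserver_path = "/vservers/%s" % slicename
        # if this slice isnt really instantiated skip it
        if not os.path.exists(vserver_path):
            continue

        # save the slice gid in /etc/sfa/ in the vservers filesystem
        slice_gid_filename = os.path.join(vserver_path, "etc", "slice.gid")
        if verbose:
            print "Saving GID for %s as %s" % (slicename, slice_gid_filename)
        GID(string=record['gid']).save_to_file(slice_gid_filename, save_parents=True)

        # save the node gid in /etc/sfa
        node_gid_filename = os.path.join(vserver_path, "etc", "node.gid")
        if verbose:
            print "Saving node GID for %s as %s" % (slicename, node_gid_filename)
        node_gid.save_to_file(node_gid_filename, save_parents=True)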