def sign(options):
"""
Sign the specified gid
"""
hierarchy = Hierarchy()
config = Config()
default_authority = config.SFA_INTERFACE_HRN
auth_info = hierarchy.get_auth_info(default_authority)
# load the gid
gidfile = os.path.abspath(options.sign)
if not os.path.isfile(gidfile):
print "no such gid: %s" % gidfile
sys.exit(1)
gid = GID(filename=gidfile)
# extract pub_key and create new gid
pkey = gid.get_pubkey()
urn = gid.get_urn()
gid = hierarchy.create_gid(urn, create_uuid(), pkey)
# get the outfile
outfile = options.outfile
if not outfile:
outfile = os.path.abspath('./signed-%s.gid' % gid.get_hrn())
# save the signed gid
if options.verbose:
print "Writing signed gid %s" % outfile
gid.save_to_file(outfile, save_parents=True)
def export_gid(options):
from sfa.util.table import SfaTable
# lookup the record for the specified hrn
hrn = options.export
type = options.type
# check sfa table first
filter = {'hrn': hrn}
if type:
filter['type'] = type
table = SfaTable()
records = table.find(filter)
if not records:
# check the authorities hierarchy
hierarchy = Hierarchy()
try:
auth_info = hierarchy.get_auth_info()
gid = auth_info.gid_object
except:
print "Record: %s not found" % hrn
sys.exit(1)
else:
record = records[0]
gid = GID(string=record['gid'])
# get the outfile
outfile = options.outfile
if not outfile:
outfile = os.path.abspath('./%s.gid' % gid.get_hrn())
# save it
if options.verbose:
print "Writing %s gid to %s" % (gid.get_hrn(), outfile)
gid.save_to_file(outfile, save_parents=True)
def install_peer_certs(server_key_file, server_cert_file):
"""
Attempt to install missing trusted gids and db records for
our federated interfaces
"""
# Attempt to get any missing peer gids
# There should be a gid file in /etc/sfa/trusted_roots for every
# peer registry found in in the registries.xml config file. If there
# are any missing gids, request a new one from the peer registry.
api = SfaAPI(key_file=server_key_file, cert_file=server_cert_file)
registries = Registries()
aggregates = Aggregates()
interfaces = dict(registries.items() + aggregates.items())
gids_current = api.auth.trusted_cert_list
hrns_current = [gid.get_hrn() for gid in gids_current]
hrns_expected = set([hrn for hrn in interfaces])
new_hrns = set(hrns_expected).difference(hrns_current)
# gids = self.get_peer_gids(new_hrns) + gids_current
peer_gids = []
if not new_hrns:
return
trusted_certs_dir = api.config.get_trustedroots_dir()
for new_hrn in new_hrns:
if not new_hrn:
continue
# the gid for this interface should already be installed
if new_hrn == api.config.SFA_INTERFACE_HRN:
continue
try:
# get gid from the registry
url = interfaces[new_hrn].get_url()
interface = interfaces[new_hrn].get_server(server_key_file, server_cert_file, timeout=30)
# skip non sfa aggregates
server_version = api.get_cached_server_version(interface)
if "sfa" not in server_version:
logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
continue
trusted_gids = interface.get_trusted_certs()
if trusted_gids:
# the gid we want should be the first one in the list,
# but lets make sure
for trusted_gid in trusted_gids:
# default message
message = "interface: %s\t" % (api.interface)
message += "unable to install trusted gid for %s" % (new_hrn)
gid = GID(string=trusted_gids[0])
peer_gids.append(gid)
if gid.get_hrn() == new_hrn:
gid_filename = os.path.join(trusted_certs_dir, "%s.gid" % new_hrn)
gid.save_to_file(gid_filename, save_parents=True)
message = "installed trusted cert for %s" % new_hrn
# log the message
api.logger.info(message)
except:
message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
api.logger.log_exc(message)
# doesnt matter witch one
update_cert_records(peer_gids)
def _get_gid(self, hrn=None, type=None):
"""
git_gid helper. Retrive the gid from the registry and save it to file.
"""
if not hrn:
hrn = self.user
gidfile = os.path.join(self.options.sfi_dir, hrn + ".gid")
gid = self.get_cached_gid(gidfile)
if not gid:
user_cred = self.get_user_cred()
records = self.registry.Resolve(hrn, user_cred.save_to_string(save_parents=True))
if not records:
raise RecordNotFound(args[0])
record = records[0]
if type:
record=None
for rec in records:
if type == rec['type']:
record = rec
if not record:
raise RecordNotFound(args[0])
gid = GID(string=record['gid'])
self.logger.info("Writing gid to %s"%gidfile)
gid.save_to_file(filename=gidfile)
return gid
def get_cert_file(self, key_file):
cert_file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert")
if (os.path.isfile(cert_file)):
# we'd perfer to use Registry issued certs instead of self signed certs.
# if this is a Registry cert (GID) then we are done
gid = GID(filename=cert_file)
if gid.get_urn():
return cert_file
# generate self signed certificate
k = Keypair(filename=key_file)
cert = Certificate(subject=self.user)
cert.set_pubkey(k)
cert.set_issuer(k, self.user)
cert.sign()
self.logger.info("Writing self-signed certificate to %s"%cert_file)
cert.save_to_file(cert_file)
self.cert = cert
# try to get registry issued cert
try:
self.logger.info("Getting Registry issued cert")
self.read_config()
# *hack. need to set registyr before _get_gid() is called
self.registry = xmlrpcprotocol.get_server(self.reg_url, key_file, cert_file, timeout=self.options.timeout, verbose=self.options.debug)
gid = self._get_gid(type='user')
self.registry = None
self.logger.info("Writing certificate to %s"%cert_file)
gid.save_to_file(cert_file)
except:
self.logger.info("Failed to download Registry issued cert")
return cert_file
class UploadCertForm(forms.Form):
"""Form to upload a certificate and its corresponding key."""
key_file = forms.FileField(
help_text="Select the file that contains the key for the "\
"certificate to upload.")
cert_file = forms.FileField(
help_text="Select the file that contains the "\
"certificate to upload. The certificate must be signed "\
"with the uploaded key.")
clean_key_file = _clean_x_file_factory("key")
clean_cert_file = _clean_x_file_factory("cert")
def clean(self):
"""Check that the cert file is signed by the key file and is trusted."""
logger.debug("cleaned_data %s" % self.cleaned_data)
if self.files:
self.key = Keypair(string=self.files["key_file"].read())
self.cert = GID(string=self.files["cert_file"].read())
cert_pubkey = self.cert.get_pubkey().get_pubkey_string()
if cert_pubkey != self.key.get_pubkey_string():
raise forms.ValidationError(
"Error: The certificate was not signed "
"by the uploaded key. Please use a key "
"that matches the certificate.")
try:
certs = [GID(filename=f) for f in get_trusted_cert_filenames()]
self.cert.verify_chain(certs)
except Exception as e:
logger.error(traceback.format_exc())
raise forms.ValidationError(
"Could not verify that the uploaded certificate is "
"trusted. This could be because none of the certificate's "
"ancestors have been installed as trusted. The error was: "
"%s" % e
)
return self.cleaned_data
def save(self, user):
"""Write the key and cert into files.
@param user: the user to save the cert and key for.
@type user: C{django.contrib.auth.models.User}
"""
key_fname = get_user_key_fname(user)
cert_fname = get_user_cert_fname(user)
self.key.save_to_file(key_fname)
self.cert.save_to_file(cert_fname)
class UploadCertForm(forms.Form):
"""Form to upload a certificate and its corresponding key."""
key_file = forms.FileField(
help_text="Select the file that contains the key for the "\
"certificate to upload.")
cert_file = forms.FileField(
help_text="Select the file that contains the "\
"certificate to upload. The certificate must be signed "\
"with the uploaded key.")
clean_key_file = _clean_x_file_factory("key")
clean_cert_file = _clean_x_file_factory("cert")
def clean(self):
"""Check that the cert file is signed by the key file and is trusted."""
logger.debug("cleaned_data %s" % self.cleaned_data)
if self.files:
self.key = Keypair(string=self.files["key_file"].read())
self.cert = GID(string=self.files["cert_file"].read())
cert_pubkey = self.cert.get_pubkey().get_pubkey_string()
if cert_pubkey != self.key.get_pubkey_string():
raise forms.ValidationError(
"Error: The certificate was not signed "
"by the uploaded key. Please use a key "
"that matches the certificate.")
try:
certs = [GID(filename=f) for f in get_trusted_cert_filenames()]
self.cert.verify_chain(certs)
except Exception as e:
logger.error(traceback.format_exc())
raise forms.ValidationError(
"Could not verify that the uploaded certificate is "
"trusted. This could be because none of the certificate's "
"ancestors have been installed as trusted. The error was: "
"%s" % e)
return self.cleaned_data
def save(self, user):
"""Write the key and cert into files.
@param user: the user to save the cert and key for.
@type user: C{django.contrib.auth.models.User}
"""
key_fname = get_user_key_fname(user)
cert_fname = get_user_cert_fname(user)
self.key.save_to_file(key_fname)
self.cert.save_to_file(cert_fname)
def get_trusted_certs(registry=None, verbose=False):
"""
refresh our list of trusted certs.
"""
# define useful variables
config = Config()
data_dir = config.SFA_DATA_DIR
config_dir = config.SFA_CONFIG_DIR
trusted_certs_dir = config.get_trustedroots_dir()
keyfile = data_dir + os.sep + "server.key"
certfile = data_dir + os.sep + "server.cert"
node_gid_file = config_dir + os.sep + "node.gid"
node_gid = GID(filename=node_gid_file)
hrn = node_gid.get_hrn()
# get credential
cred = GetCredential(registry=registry, verbose=verbose)
# make sure server key cert pair exists
create_server_keypair(keyfile=keyfile,
certfile=certfile,
hrn=hrn,
verbose=verbose)
registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
# get the trusted certs and save them in the right place
if verbose:
print "Getting trusted certs from registry"
trusted_certs = registry.get_trusted_certs(cred)
trusted_gid_names = []
for gid_str in trusted_certs:
gid = GID(string=gid_str)
gid.decode()
relative_filename = gid.get_hrn() + ".gid"
trusted_gid_names.append(relative_filename)
gid_filename = trusted_certs_dir + os.sep + relative_filename
if verbose:
print "Writing GID for %s as %s" % (gid.get_hrn(), gid_filename)
gid.save_to_file(gid_filename, save_parents=True)
# remove old certs
all_gids_names = os.listdir(trusted_certs_dir)
for gid_name in all_gids_names:
if gid_name not in trusted_gid_names:
if verbose:
print "Removing old gid ", gid_name
os.unlink(trusted_certs_dir + os.sep + gid_name)
def init_server_cert(hrn, key, server_cert_file, self_signed=False):
"""
Setup the certificate for this server. Attempt to use gid before
creating a self signed cert
"""
if self_signed:
init_self_signed_cert(hrn, key, server_cert_file)
else:
try:
# look for gid file
logger.debug("generating server cert from gid: %s" % hrn)
hierarchy = Hierarchy()
auth_info = hierarchy.get_auth_info(hrn)
gid = GID(filename=auth_info.gid_filename)
gid.save_to_file(filename=server_cert_file)
except:
# fall back to self signed cert
logger.debug("gid for %s not found" % hrn)
init_self_signed_cert(hrn, key, server_cert_file)
def import_gid(options):
"""
Import the specified gid into the registry (db and authorities
hierarchy) overwriting any previous gid.
"""
from sfa.util.table import SfaTable
from sfa.util.record import SfaRecord
# load the gid
gidfile = os.path.abspath(options.importgid)
if not gidfile or not os.path.isfile(gidfile):
print "No such gid: %s" % gidfile
sys.exit(1)
gid = GID(filename=gidfile)
# check if it exists within the hierarchy
hierarchy = Hierarchy()
if not hierarchy.auth_exists(gid.get_hrn()):
print "%s not found in hierarchy" % gid.get_hrn()
sys.exit(1)
# check if record exists in db
table = SfaTable()
records = table.find({'hrn': gid.get_hrn(), 'type': 'authority'})
if not records:
print "%s not found in record database" % get.get_hrn()
sys.exit(1)
# update the database record
record = records[0]
record['gid'] = gid.save_to_string(save_parents=True)
table.update(record)
if options.verbose:
print "Imported %s gid into db" % record['hrn']
# update the hierarchy
auth_info = hierarchy.get_auth_info(gid.get_hrn())
filename = auth_info.gid_filename
gid.save_to_file(filename, save_parents=True)
if options.verbose:
print "Writing %s gid to %s" % (gid.get_hrn(), filename)
# ending here
return
def get_trusted_certs(registry=None, verbose=False):
"""
refresh our list of trusted certs.
"""
# define useful variables
config = Config()
data_dir = config.SFA_DATA_DIR
config_dir = config.SFA_CONFIG_DIR
trusted_certs_dir = config.get_trustedroots_dir()
keyfile = data_dir + os.sep + "server.key"
certfile = data_dir + os.sep + "server.cert"
node_gid_file = config_dir + os.sep + "node.gid"
node_gid = GID(filename=node_gid_file)
hrn = node_gid.get_hrn()
# get credential
cred = GetCredential(registry=registry, verbose=verbose)
# make sure server key cert pair exists
create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose)
registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
# get the trusted certs and save them in the right place
if verbose:
print "Getting trusted certs from registry"
trusted_certs = registry.get_trusted_certs(cred)
trusted_gid_names = []
for gid_str in trusted_certs:
gid = GID(string=gid_str)
gid.decode()
relative_filename = gid.get_hrn() + ".gid"
trusted_gid_names.append(relative_filename)
gid_filename = trusted_certs_dir + os.sep + relative_filename
if verbose:
print "Writing GID for %s as %s" % (gid.get_hrn(), gid_filename)
gid.save_to_file(gid_filename, save_parents=True)
# remove old certs
all_gids_names = os.listdir(trusted_certs_dir)
for gid_name in all_gids_names:
if gid_name not in trusted_gid_names:
if verbose:
print "Removing old gid ", gid_name
os.unlink(trusted_certs_dir + os.sep + gid_name)
def export(self, xrn, type=None, outfile=None):
"""Fetch an object's GID from the Registry"""
from sfa.storage.model import RegRecord
hrn = Xrn(xrn).get_hrn()
request = self.api.dbsession().query(RegRecord).filter_by(hrn=hrn)
if type: request = request.filter_by(type=type)
record = request.first()
if record:
gid = GID(string=record.gid)
else:
# check the authorities hierarchy
hierarchy = Hierarchy()
try:
auth_info = hierarchy.get_auth_info(hrn)
gid = auth_info.gid_object
except:
print "Record: %s not found" % hrn
sys.exit(1)
# save to file
if not outfile:
outfile = os.path.abspath('./%s.gid' % gid.get_hrn())
gid.save_to_file(outfile, save_parents=True)
def install_trusted_certs(api):
cred = api.getCredential()
registry = api.get_registry()
trusted_certs = registry.get_trusted_certs(cred)
trusted_gid_names = []
for gid_str in trusted_certs:
gid = GID(string=gid_str)
gid.decode()
relative_filename = gid.get_hrn() + ".gid"
trusted_gid_names.append(relative_filename)
gid_filename = trusted_certs_dir + os.sep + relative_filename
if verbose:
print("Writing GID for %s as %s" % (gid.get_hrn(), gid_filename))
gid.save_to_file(gid_filename, save_parents=True)
# remove old certs
all_gids_names = os.listdir(trusted_certs_dir)
for gid_name in all_gids_names:
if gid_name not in trusted_gid_names:
if verbose:
print("Removing old gid ", gid_name)
os.unlink(trusted_certs_dir + os.sep + gid_name)
def export(self, xrn, type=None, outfile=None):
"""Fetch an object's GID from the Registry"""
from sfa.storage.model import RegRecord
hrn = Xrn(xrn).get_hrn()
request=self.api.dbsession().query(RegRecord).filter_by(hrn=hrn)
if type: request = request.filter_by(type=type)
record=request.first()
if record:
gid = GID(string=record.gid)
else:
# check the authorities hierarchy
hierarchy = Hierarchy()
try:
auth_info = hierarchy.get_auth_info(hrn)
gid = auth_info.gid_object
except:
print "Record: %s not found" % hrn
sys.exit(1)
# save to file
if not outfile:
outfile = os.path.abspath('./%s.gid' % gid.get_hrn())
gid.save_to_file(outfile, save_parents=True)
def get_gids(registry=None, verbose=False):
"""
Get the gid for all instantiated slices on this node and store it
in /etc/sfa/slice.gid in the slice's filesystem
"""
# define useful variables
config = Config()
data_dir = config.data_path
config_dir = config.SFA_CONFIG_DIR
trusted_certs_dir = config.get_trustedroots_dir()
keyfile = data_dir + os.sep + "server.key"
certfile = data_dir + os.sep + "server.cert"
node_gid_file = config_dir + os.sep + "node.gid"
node_gid = GID(filename=node_gid_file)
hrn = node_gid.get_hrn()
interface_hrn = config.SFA_INTERFACE_HRN
# get credential
cred = GetCredential(registry=registry, verbose=verbose)
# make sure server key cert pair exists
create_server_keypair(keyfile=keyfile,
certfile=certfile,
hrn=hrn,
verbose=verbose)
registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
if verbose:
print "Getting current slices on this node"
# get a list of slices on this node
from sfa.generic import Generic
generic = Generic.the_flavour()
api = generic.make_api(interface='component')
xids_tuple = api.driver.nodemanager.GetXIDs()
slices = eval(xids_tuple[1])
slicenames = slices.keys()
# generate a list of slices that dont have gids installed
slices_without_gids = []
for slicename in slicenames:
if not os.path.isfile("/vservers/%s/etc/slice.gid" % slicename) \
or not os.path.isfile("/vservers/%s/etc/node.gid" % slicename):
slices_without_gids.append(slicename)
# convert slicenames to hrns
hrns = [slicename_to_hrn(interface_hrn, slicename) \
for slicename in slices_without_gids]
# exit if there are no gids to install
if not hrns:
return
if verbose:
print "Getting gids for slices on this node from registry"
# get the gids
# and save them in the right palce
records = registry.GetGids(hrns, cred)
for record in records:
# if this isnt a slice record skip it
if not record['type'] == 'slice':
continue
slicename = hrn_to_pl_slicename(record['hrn'])
# if this slice isnt really instatiated skip it
if not os.path.exists("/vservers/%(slicename)s" % locals()):
continue
# save the slice gid in /etc/sfa/ in the vservers filesystem
vserver_path = "/vservers/%(slicename)s" % locals()
gid = record['gid']
slice_gid_filename = os.sep.join([vserver_path, "etc", "slice.gid"])
if verbose:
print "Saving GID for %(slicename)s as %(slice_gid_filename)s" % locals(
)
GID(string=gid).save_to_file(slice_gid_filename, save_parents=True)
# save the node gid in /etc/sfa
node_gid_filename = os.sep.join([vserver_path, "etc", "node.gid"])
if verbose:
print "Saving node GID for %(slicename)s as %(node_gid_filename)s" % locals(
)
node_gid.save_to_file(node_gid_filename, save_parents=True)
def install_peer_certs(server_key_file, server_cert_file):
"""
Attempt to install missing trusted gids and db records for
our federated interfaces
"""
# Attempt to get any missing peer gids
# There should be a gid file in /etc/sfa/trusted_roots for every
# peer registry found in in the registries.xml config file. If there
# are any missing gids, request a new one from the peer registry.
api = SfaApi(key_file=server_key_file, cert_file=server_cert_file)
registries = Registries()
aggregates = Aggregates()
interfaces = dict(registries.items() + aggregates.items())
gids_current = api.auth.trusted_cert_list
hrns_current = [gid.get_hrn() for gid in gids_current]
hrns_expected = set([hrn for hrn in interfaces])
new_hrns = set(hrns_expected).difference(hrns_current)
#gids = self.get_peer_gids(new_hrns) + gids_current
peer_gids = []
if not new_hrns:
return
trusted_certs_dir = api.config.get_trustedroots_dir()
for new_hrn in new_hrns:
if not new_hrn: continue
# the gid for this interface should already be installed
if new_hrn == api.config.SFA_INTERFACE_HRN: continue
try:
# get gid from the registry
url = interfaces[new_hrn].get_url()
interface = interfaces[new_hrn].server_proxy(server_key_file,
server_cert_file,
timeout=30)
# skip non sfa aggregates
server_version = api.get_cached_server_version(interface)
if 'sfa' not in server_version:
logger.info(
"get_trusted_certs: skipping non sfa aggregate: %s" %
new_hrn)
continue
trusted_gids = ReturnValue.get_value(interface.get_trusted_certs())
if trusted_gids:
# the gid we want should be the first one in the list,
# but lets make sure
for trusted_gid in trusted_gids:
# default message
message = "interface: %s\t" % (api.interface)
message += "unable to install trusted gid for %s" % \
(new_hrn)
gid = GID(string=trusted_gid)
peer_gids.append(gid)
if gid.get_hrn() == new_hrn:
gid_filename = os.path.join(trusted_certs_dir,
'%s.gid' % new_hrn)
gid.save_to_file(gid_filename, save_parents=True)
message = "installed trusted cert for %s" % new_hrn
# log the message
api.logger.info(message)
except:
message = "interface: %s\tunable to install trusted gid for %s" % \
(api.interface, new_hrn)
api.logger.log_exc(message)
# doesnt matter witch one
update_cert_records(peer_gids)
def get_gids(registry=None, verbose=False):
"""
Get the gid for all instantiated slices on this node and store it
in /etc/sfa/slice.gid in the slice's filesystem
"""
# define useful variables
config = Config()
data_dir = config.data_path
config_dir = config.SFA_CONFIG_DIR
trusted_certs_dir = config.get_trustedroots_dir()
keyfile = data_dir + os.sep + "server.key"
certfile = data_dir + os.sep + "server.cert"
node_gid_file = config_dir + os.sep + "node.gid"
node_gid = GID(filename=node_gid_file)
hrn = node_gid.get_hrn()
interface_hrn = config.SFA_INTERFACE_HRN
# get credential
cred = GetCredential(registry=registry, verbose=verbose)
# make sure server key cert pair exists
create_server_keypair(keyfile=keyfile, certfile=certfile, hrn=hrn, verbose=verbose)
registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
if verbose:
print "Getting current slices on this node"
# get a list of slices on this node
from sfa.generic import Generic
generic=Generic.the_flavour()
api = generic.make_api(interface='component')
xids_tuple = api.driver.nodemanager.GetXIDs()
slices = eval(xids_tuple[1])
slicenames = slices.keys()
# generate a list of slices that dont have gids installed
slices_without_gids = []
for slicename in slicenames:
if not os.path.isfile("/vservers/%s/etc/slice.gid" % slicename) \
or not os.path.isfile("/vservers/%s/etc/node.gid" % slicename):
slices_without_gids.append(slicename)
# convert slicenames to hrns
hrns = [slicename_to_hrn(interface_hrn, slicename) \
for slicename in slices_without_gids]
# exit if there are no gids to install
if not hrns:
return
if verbose:
print "Getting gids for slices on this node from registry"
# get the gids
# and save them in the right palce
records = registry.GetGids(hrns, cred)
for record in records:
# if this isnt a slice record skip it
if not record['type'] == 'slice':
continue
slicename = hrn_to_pl_slicename(record['hrn'])
# if this slice isnt really instatiated skip it
if not os.path.exists("/vservers/%(slicename)s" % locals()):
continue
# save the slice gid in /etc/sfa/ in the vservers filesystem
vserver_path = "/vservers/%(slicename)s" % locals()
gid = record['gid']
slice_gid_filename = os.sep.join([vserver_path, "etc", "slice.gid"])
if verbose:
print "Saving GID for %(slicename)s as %(slice_gid_filename)s" % locals()
GID(string=gid).save_to_file(slice_gid_filename, save_parents=True)
# save the node gid in /etc/sfa
node_gid_filename = os.sep.join([vserver_path, "etc", "node.gid"])
if verbose:
print "Saving node GID for %(slicename)s as %(node_gid_filename)s" % locals()
node_gid.save_to_file(node_gid_filename, save_parents=True)
