예제 #1
파일: ca_enroller.py 프로젝트: slad99/grr
  def ProcessMessage(self, message):
    """Kick off certificate enrollment for the client that sent `message`.

    The payload is parsed as a Certificate and handed to the CAEnroler flow
    as its `csr` argument, unless the client was already seen recently or
    already has a certificate stored.

    Args:
        message: The Certificate sent by the client. This message is NOT
        authenticated, so both `message.payload` and `message.source` are
        whatever the sender put there.
    """
    # Parsing happens first: a payload that rdf_crypto.Certificate rejects
    # raises before the dedup cache is touched.
    csr = rdf_crypto.Certificate(message.payload)
    reply_queue = self.well_known_session_id.Queue()
    client_id = message.source

    # Enrolling the same client repeatedly is pointless, so repeats are dropped
    # while the cache entry lives. Once it expires the client can be enrolled
    # again. The entry is written before any of the work below, so a failure
    # further down still suppresses retries until that expiry.
    try:
      enrolment_cache.Get(client_id)
    except KeyError:
      enrolment_cache.Put(client_id, 1)
    else:
      return

    # Create (or open for writing) the client object for this client.
    vfs_client = aff4.FACTORY.Create(
        client_id, aff4_grr.VFSGRRClient, mode="rw", token=self.token)

    # A client that already holds a certificate is never re-enrolled here.
    existing_cert = vfs_client.Get(vfs_client.Schema.CERT)
    if existing_cert:
      return

    # NOTE(review): nothing in this method checks the CSR against client_id;
    # presumably the CAEnroler flow does that validation - confirm.
    flow.StartFlow(
        client_id=client_id,
        flow_name=CAEnroler.__name__,
        csr=csr,
        queue=reply_queue,
        token=self.token)
예제 #2
    def ProcessMessage(self, message):
        """Kick off certificate enrollment for the client that sent `message`.

        The payload is parsed as a Certificate and handed to the CAEnroler
        flow as its `csr` argument, unless the client was already seen
        recently or a certificate is already stored for it.

        Args:
            message: The Certificate sent by the client. This message is NOT
              authenticated, so both `message.payload` and `message.source`
              are whatever the sender put there.
        """
        # Parsing happens first: a payload that rdf_crypto.Certificate rejects
        # raises before the dedup cache is touched.
        csr = rdf_crypto.Certificate(message.payload)
        reply_queue = self.well_known_session_id.Queue()
        client_id = message.source

        # Enrolling the same client repeatedly is pointless, so repeats are
        # dropped while the cache entry lives. Once it expires the client can
        # be enrolled again. The entry is written before any of the work below,
        # so a failure further down still suppresses retries until that expiry.
        try:
            enrolment_cache.Get(client_id)
        except KeyError:
            enrolment_cache.Put(client_id, 1)
        else:
            return

        # Look up any stored certificate. When both back ends are enabled the
        # relational read runs second and its result is the one that is used.
        # NOTE(review): client_cert is assigned only inside these two branches;
        # if neither AFF4Enabled() nor RelationalDBReadEnabled() is true, the
        # check further down raises UnboundLocalError. Whether that case should
        # refuse or proceed is a policy decision - confirm before changing.
        if data_store.AFF4Enabled():
            aff4_client = aff4.FACTORY.Create(
                client_id, aff4_grr.VFSGRRClient, mode="rw", token=self.token)
            client_cert = aff4_client.Get(aff4_client.Schema.CERT)

        if data_store.RelationalDBReadEnabled():
            try:
                metadata = data_store.REL_DB.ReadClientMetadata(
                    client_id.Basename())
                client_cert = metadata.certificate
            except db.UnknownClientError:
                # Unknown to the relational store: treated as "no certificate".
                client_cert = None

        # The metadata row is written regardless of whether a certificate was
        # found, i.e. also for a sender that has not been enrolled yet.
        if data_store.RelationalDBWriteEnabled():
            data_store.REL_DB.WriteClientMetadata(
                client_id.Basename(), fleetspeak_enabled=False)

        # A client that already holds a certificate is never re-enrolled here.
        if client_cert:
            return

        # The real CAEnroler class is generated from CAEnrolerMixin by the
        # DualDBFlow decorator, which the linter cannot see - hence the
        # disable directive on the flow_name line.
        # NOTE(review): nothing in this method checks the CSR against
        # client_id; presumably the CAEnroler flow does - confirm.
        flow.StartAFF4Flow(
            client_id=client_id,
            flow_name=CAEnroler.__name__,  # pylint: disable=undefined-variable
            csr=csr,
            queue=reply_queue,
            token=self.token)
예제 #3
파일: comms.py 프로젝트: sperezintexas/grr
  def InitiateEnrolment(self):
    """Send a certificate signing request to the enrollment queue.

    At most one enrollment request is sent every 10 minutes; calls inside that
    window do nothing beyond the debug log line. Per the original author, the
    client keeps talking to the server in fast poll mode meanwhile, but those
    requests carry no payload.

    The throttle is purely local state (`self.last_enrollment_time`, compared
    against the wall clock from time.time()).
    """
    # Logged on every call, including calls that the throttle below drops.
    logging.debug("sending enrollment request")

    min_interval_secs = 10 * 60
    current_time = time.time()
    if not current_time > self.last_enrollment_time + min_interval_secs:
      return

    if not self.last_enrollment_time:
      # Very first enrollment request: switch the timer to fastpoll mode.
      self.timer.FastPoll()

    self.last_enrollment_time = current_time

    # Registration request: the CSR in PEM form, addressed to the "Enrol"
    # flow on the enrollment queue.
    csr = rdf_crypto.Certificate(
        type=rdf_crypto.Certificate.Type.CSR,
        pem=self.communicator.GetCSRAsPem())
    enrol_session = rdfvalue.SessionID(
        queue=queues.ENROLLMENT, flow_name="Enrol")
    self.client_worker.SendReply(csr, session_id=enrol_session)