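def install_peer_certs(server_key_file, server_cert_file):
    """
    Attempt to install missing trusted gids and db records for
    our federated interfaces.

    For every peer registry/aggregate in the interface config whose hrn is
    not already represented in ``api.auth.trusted_cert_list``, contact that
    interface, ask it for its trusted certs, save the GID whose hrn matches
    the interface name into the trusted roots directory, and finally pass
    every GID collected along the way to ``update_cert_records``.

    Args:
        server_key_file: path to this server's private key.
        server_cert_file: path to this server's certificate.

    Returns:
        None. A failure for one peer is logged and the loop continues with
        the remaining peers.
    """
    # There should be a gid file in /etc/sfa/trusted_roots for every
    # peer registry found in the registries.xml config file. If there
    # are any missing gids, request a new one from the peer registry.
    api = SfaAPI(key_file=server_key_file, cert_file=server_cert_file)
    registries = Registries()
    aggregates = Aggregates()
    # list() on both sides keeps this valid whether items() returns a list
    # (Python 2) or a view (Python 3); the original `+` only worked on lists.
    interfaces = dict(list(registries.items()) + list(aggregates.items()))
    gids_current = api.auth.trusted_cert_list
    hrns_current = [gid.get_hrn() for gid in gids_current]
    new_hrns = set(interfaces).difference(hrns_current)
    peer_gids = []
    if not new_hrns:
        return

    trusted_certs_dir = api.config.get_trustedroots_dir()
    for new_hrn in new_hrns:
        if not new_hrn:
            continue
        # the gid for this interface should already be installed
        if new_hrn == api.config.SFA_INTERFACE_HRN:
            continue
        try:
            # get a proxy to the peer interface
            interface = interfaces[new_hrn].get_server(server_key_file, server_cert_file, timeout=30)
            # skip non sfa aggregates
            server_version = api.get_cached_server_version(interface)
            if "sfa" not in server_version:
                logger.info("get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
                continue

            trusted_gids = interface.get_trusted_certs()
            if trusted_gids:
                # the gid we want should be the first one in the list,
                # but lets make sure by walking all of them
                for trusted_gid in trusted_gids:
                    # default message, replaced below when the install succeeds
                    message = "interface: %s\t" % (api.interface)
                    message += "unable to install trusted gid for %s" % (new_hrn)
                    # parse the entry being iterated; indexing trusted_gids[0]
                    # here meant only the first entry was ever examined
                    gid = GID(string=trusted_gid)
                    # NOTE(review): every gid the peer returns is collected,
                    # not only the one whose hrn matches new_hrn -- confirm
                    # update_cert_records is meant to receive all of them.
                    peer_gids.append(gid)
                    if gid.get_hrn() == new_hrn:
                        # the only condition for writing into the trusted
                        # roots dir is that the hrn inside the peer-supplied
                        # gid equals the configured interface name
                        gid_filename = os.path.join(trusted_certs_dir, "%s.gid" % new_hrn)
                        gid.save_to_file(gid_filename, save_parents=True)
                        message = "installed trusted cert for %s" % new_hrn
                    # log the message
                    api.logger.info(message)
        except Exception:
            # best effort per peer: log and move on; unlike a bare except
            # this lets KeyboardInterrupt/SystemExit propagate
            message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
            api.logger.log_exc(message)
    # record the collected gids in the db
    update_cert_records(peer_gids)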
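def main():
    """
    Prune local copies of peer records that their authoritative registry
    no longer returns.

    Does nothing (exits 0) unless ``SFA_REGISTRY_ENABLED`` is set. Local
    records that carry a ``peer_authority`` are grouped by the configured
    peer registry whose hrn is the best prefix match of the record's hrn;
    each group is ``Resolve()``d at that registry, and any record that was
    not confirmed is removed from the local registry.

    Records whose best-match prefix is not a configured registry are never
    confirmed and are therefore removed too.
    """
    config = Config()
    if not config.SFA_REGISTRY_ENABLED:
        sys.exit(0)

    # Get the path to the sfa server key/cert files from
    # the sfa hierarchy object
    sfa_hierarchy = Hierarchy()
    sfa_key_path = sfa_hierarchy.basedir
    key_file = os.path.join(sfa_key_path, "server.key")
    cert_file = os.path.join(sfa_key_path, "server.cert")

    # get an api handle on our local sfa registry and a valid credential
    sfa_api = SfaAPI(key_file=key_file, cert_file=cert_file, interface='registry')
    credential = sfa_api.getCredential()

    # get peer registries
    registries = Registries(sfa_api)
    tree = prefixTree()
    tree.load(registries.keys())

    # get local peer records, grouped under the registry that owns them
    table = SfaTable()
    peer_records = table.find({'~peer_authority': None})
    hrn_dict = {}
    for record in peer_records:
        registry_hrn = tree.best_match(record['hrn'])
        hrn_dict.setdefault(registry_hrn, []).append(record['hrn'])

    # attempt to resolve the records at the authoritative interface
    found_records = set()
    for registry_hrn, target_hrns in hrn_dict.items():
        if registry_hrn not in registries:
            # nothing can vouch for these records; they stay unconfirmed
            continue
        try:
            records = registries[registry_hrn].Resolve(target_hrns, credential)
            found_records.update(record['hrn'] for record in records)
        except ServerException:
            # the registry answered but threw: treated as "record doesnt
            # exist", so the records stay unconfirmed and get removed below
            continue
        except Exception:
            # any other failure doesnt necessarily mean the records dont
            # exist -- give them the benefit of the doubt (for now)
            found_records.update(target_hrns)
            traceback.print_exc()

    # remove what wasnt found
    for peer_record in peer_records:
        if peer_record['hrn'] not in found_records:
            registries[sfa_api.hrn].Remove(peer_record['hrn'], credential, peer_record['type'])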
 def _getCredential(self):
     """
     Get our credential from a remote registry.

     Contacts the registry named by ``self.hrn``, obtains a self credential
     from our certificate, then exchanges it for an authority credential.
     """
     from sfa.server.registry import Registries
     proxy = Registries().server_proxy(self.hrn, self.key_file, self.cert_file)
     our_cert = self.cert.save_to_string(save_parents=True)
     # first a self credential, derived from our own certificate chain
     self_credential = proxy.GetSelfCredential(our_cert, self.hrn, 'authority')
     # then trade it for the authority credential we actually use
     cred_string = proxy.GetCredential(self_credential, self.hrn, 'authority')
     return Credential(string=cred_string)
 def _getCredential(self):
     """
     Get our credential from a remote registry.

     Two round trips to the registry named by ``self.hrn``: a self
     credential built from our certificate chain, then the authority
     credential that this self credential entitles us to.
     """
     from sfa.server.registry import Registries
     registry_proxy = Registries().server_proxy(
         self.hrn, self.key_file, self.cert_file)
     chain = self.cert.save_to_string(save_parents=True)
     # step 1: prove who we are with our certificate
     self_credential = registry_proxy.GetSelfCredential(
         chain, self.hrn, 'authority')
     # step 2: exchange that for the authority credential
     credential_string = registry_proxy.GetCredential(
         self_credential, self.hrn, 'authority')
     return Credential(string=credential_string)
    def __init__(self,
                 encoding="utf-8",
                 methods='sfa.methods',
                 config="/etc/sfa/sfa_config",
                 peer_cert=None,
                 interface=None,
                 key_file=None,
                 cert_file=None,
                 cache=None):
        """
        Set up the API: configuration, auth context, key/cert and caches.

        ``methods`` is accepted but not read here. When ``config`` is None
        only the XmlrpcApi part is initialised and the remaining attributes
        are left unset (used when merely documenting the API).
        """
        XmlrpcApi.__init__(self, encoding)

        # we may be just be documenting the API
        if config is None:
            return

        # configuration and request auth context
        self.config = Config(config)
        self.credential = None
        self.auth = Auth(peer_cert)
        self.interface = interface
        self.hrn = self.config.SFA_INTERFACE_HRN

        # key and certificate are loaded eagerly from the given paths
        self.key_file = key_file
        self.key = Keypair(filename=key_file)
        self.cert_file = cert_file
        self.cert = Certificate(filename=cert_file)

        self.cache = Cache() if cache is None else cache

        # peer interfaces; imported locally rather than at module level
        from sfa.server.registry import Registries
        from sfa.server.aggregate import Aggregates
        self.registries = Registries()
        self.aggregates = Aggregates()

        # filled later on by generic/Generic
        self.manager = None
        self._dbsession = None
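def install_peer_certs(server_key_file, server_cert_file):
    """
    Attempt to install missing trusted gids and db records for
    our federated interfaces.

    Compares the hrns of the configured registries and aggregates with the
    hrns already present in ``api.auth.trusted_cert_list``. For each missing
    one, a proxy to that interface is created, its trusted certs are fetched,
    and the GID whose hrn equals the interface name is written into the
    trusted roots directory. All GIDs seen are then given to
    ``update_cert_records``.

    Args:
        server_key_file: path to this server's private key.
        server_cert_file: path to this server's certificate.

    Returns:
        None. Per-peer failures are logged via ``api.logger.log_exc`` and
        do not stop processing of the other peers.
    """
    # There should be a gid file in /etc/sfa/trusted_roots for every
    # peer registry found in the registries.xml config file. If there
    # are any missing gids, request a new one from the peer registry.
    api = SfaApi(key_file=server_key_file, cert_file=server_cert_file)
    registries = Registries()
    aggregates = Aggregates()
    # works with both list-returning (py2) and view-returning (py3) items()
    interfaces = dict(list(registries.items()) + list(aggregates.items()))
    gids_current = api.auth.trusted_cert_list
    hrns_current = [gid.get_hrn() for gid in gids_current]
    new_hrns = set(interfaces).difference(hrns_current)
    peer_gids = []
    if not new_hrns:
        return

    trusted_certs_dir = api.config.get_trustedroots_dir()
    for new_hrn in new_hrns:
        if not new_hrn:
            continue
        # the gid for this interface should already be installed
        if new_hrn == api.config.SFA_INTERFACE_HRN:
            continue
        try:
            interface = interfaces[new_hrn].server_proxy(server_key_file,
                                                         server_cert_file,
                                                         timeout=30)
            # skip non sfa aggregates
            server_version = api.get_cached_server_version(interface)
            if 'sfa' not in server_version:
                logger.info(
                    "get_trusted_certs: skipping non sfa aggregate: %s" %
                    new_hrn)
                continue

            trusted_gids = ReturnValue.get_value(interface.get_trusted_certs())
            if trusted_gids:
                # the gid we want should be the first one in the list,
                # but lets make sure
                for trusted_gid in trusted_gids:
                    # default message, overwritten on a successful install
                    message = "interface: %s\t" % (api.interface)
                    message += "unable to install trusted gid for %s" % \
                               (new_hrn)
                    gid = GID(string=trusted_gid)
                    # NOTE(review): all gids returned by the peer are kept,
                    # not just the matching one -- confirm that is what
                    # update_cert_records expects.
                    peer_gids.append(gid)
                    if gid.get_hrn() == new_hrn:
                        # hrn match on the peer-supplied gid is the sole
                        # gate before it lands in the trusted roots dir
                        gid_filename = os.path.join(trusted_certs_dir,
                                                    '%s.gid' % new_hrn)
                        gid.save_to_file(gid_filename, save_parents=True)
                        message = "installed trusted cert for %s" % new_hrn
                    # log the message
                    api.logger.info(message)
        except Exception:
            # log and carry on with the next peer; narrower than a bare
            # except so interrupts and SystemExit still propagate
            message = "interface: %s\tunable to install trusted gid for %s" % \
                        (api.interface, new_hrn)
            api.logger.log_exc(message)
    # record the collected gids in the db
    update_cert_records(peer_gids)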