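def install_peer_certs(server_key_file, server_cert_file):
    """
    Attempt to install missing trusted gids and db records for our
    federated interfaces.

    There should be a gid file in /etc/sfa/trusted_roots for every peer
    registry found in the registries.xml config file. Every configured
    interface (registry or aggregate) whose hrn is not yet in our trusted
    cert list is asked for its trusted certs; the returned gid whose hrn
    matches the configured interface hrn is written to the trusted roots
    directory. Every gid returned by the peers is then handed to
    update_cert_records, not only the matching one.

    server_key_file, server_cert_file: paths to this server's key and
    cert, used to authenticate to the peer interfaces.

    NOTE(review): the only check applied to a fetched gid before it is
    written to the trusted roots dir is that its hrn equals the configured
    peer hrn; whether the transport authenticates the peer is not visible
    here. Treat this as trust-on-first-use of the configured peer.
    """
    api = SfaAPI(key_file=server_key_file, cert_file=server_cert_file)
    registries = Registries()
    aggregates = Aggregates()
    # merge both interface tables; on a clash the aggregate entry wins,
    # as with the original list concatenation
    interfaces = dict(registries.items())
    interfaces.update(aggregates.items())

    gids_current = api.auth.trusted_cert_list
    hrns_current = [gid.get_hrn() for gid in gids_current]
    new_hrns = set(interfaces).difference(hrns_current)
    if not new_hrns:
        return

    trusted_certs_dir = api.config.get_trustedroots_dir()
    peer_gids = []
    for new_hrn in new_hrns:
        if not new_hrn:
            continue
        # the gid for this interface should already be installed
        if new_hrn == api.config.SFA_INTERFACE_HRN:
            continue
        try:
            # get gid from the registry
            interface = interfaces[new_hrn].get_server(
                server_key_file, server_cert_file, timeout=30)
            # skip non sfa aggregates
            server_version = api.get_cached_server_version(interface)
            if "sfa" not in server_version:
                api.logger.info(
                    "get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
                continue
            trusted_gids = interface.get_trusted_certs()
            if trusted_gids:
                # the gid we want should be the first one in the list,
                # but lets make sure: parse each returned gid (the old code
                # re-parsed trusted_gids[0] on every iteration and never
                # looked at the others)
                for trusted_gid in trusted_gids:
                    # default message
                    message = "interface: %s\t" % (api.interface)
                    message += "unable to install trusted gid for %s" % (new_hrn)
                    gid = GID(string=trusted_gid)
                    # every gid the peer returned is collected for
                    # update_cert_records; only the matching one goes to disk
                    peer_gids.append(gid)
                    if gid.get_hrn() == new_hrn:
                        gid_filename = os.path.join(trusted_certs_dir, "%s.gid" % new_hrn)
                        gid.save_to_file(gid_filename, save_parents=True)
                        message = "installed trusted cert for %s" % new_hrn
                    # log the message
                    api.logger.info(message)
        except Exception:
            # one unreachable or misbehaving peer must not abort the others;
            # a bare except here also swallowed SystemExit/KeyboardInterrupt
            message = "interface: %s\tunable to install trusted gid for %s" % (api.interface, new_hrn)
            api.logger.log_exc(message)
    # doesnt matter which one
    update_cert_records(peer_gids)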
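def main():
    """
    Reconcile locally stored peer records with their authoritative registries.

    Exits immediately when the registry is disabled in the config.
    Otherwise every local record that carries a peer_authority is resolved
    at the peer registry whose hrn best matches the record's hrn; records
    that the peer reports as unknown (or whose registry is not a known
    peer) are removed from the local registry.
    """
    config = Config()
    if not config.SFA_REGISTRY_ENABLED:
        sys.exit(0)

    # Get the path to the sfa server key/cert files from
    # the sfa hierarchy object
    sfa_hierarchy = Hierarchy()
    sfa_key_path = sfa_hierarchy.basedir
    key_file = os.path.join(sfa_key_path, "server.key")
    cert_file = os.path.join(sfa_key_path, "server.cert")

    # an api bound to our registry interface, and a valid credential
    sfa_api = SfaAPI(key_file=key_file, cert_file=cert_file, interface='registry')
    credential = sfa_api.getCredential()

    # get peer registries
    registries = Registries(sfa_api)
    tree = prefixTree()
    tree.load(registries.keys())

    # get local peer records
    table = SfaTable()
    peer_records = table.find({'~peer_authority': None})

    # group the local peer hrns by the registry that best matches them
    hrn_dict = {}
    for record in peer_records:
        registry_hrn = tree.best_match(record['hrn'])
        hrn_dict.setdefault(registry_hrn, []).append(record['hrn'])

    # attempt to resolve the records at the authoritative interface;
    # a set keeps the membership test below O(1) per record
    found_records = set()
    for registry_hrn, target_hrns in hrn_dict.items():
        if registry_hrn not in registries:
            # NOTE: hrns whose best match is not a known peer registry are
            # never marked found, so they are removed below
            continue
        try:
            records = registries[registry_hrn].Resolve(target_hrns, credential)
            found_records.update(record['hrn'] for record in records)
        except ServerException:
            # the peer answered and raised: treat the record(s) as gone
            # (the whole batch is dropped, as before) so they are removed
            continue
        except Exception:
            # transport or other failure doesnt necessarily mean the records
            # dont exist; give them the benefit of the doubt (for now)
            found_records.update(target_hrns)
            traceback.print_exc()

    # remove what wasnt found
    for peer_record in peer_records:
        if peer_record['hrn'] not in found_records:
            registries[sfa_api.hrn].Remove(peer_record['hrn'], credential, peer_record['type'])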
def _getCredential(self):
    """
    Get our credential from a remote registry.

    Asks the registry serving self.hrn for a self credential, presenting
    this interface's certificate (with its parent chain) as identity, then
    exchanges that for an 'authority' credential for self.hrn.

    Returns a Credential built from the string the registry returned.
    """
    from sfa.server.registry import Registries
    proxy = Registries().server_proxy(self.hrn, self.key_file, self.cert_file)
    # the full chain is what the registry needs to validate who we are
    own_cert = self.cert.save_to_string(save_parents=True)
    # get self credential, then trade it for the authority credential
    self_credential = proxy.GetSelfCredential(own_cert, self.hrn, 'authority')
    authority_credential = proxy.GetCredential(self_credential, self.hrn, 'authority')
    return Credential(string=authority_credential)
def _getCredential(self):
    """
    Get our credential from a remote registry.

    Two round trips to the registry that serves self.hrn: first a self
    credential is obtained for this interface's certificate chain, then
    that self credential is used to request an 'authority' credential
    for self.hrn.

    Returns a Credential object.
    """
    from sfa.server.registry import Registries
    registry = Registries().server_proxy(self.hrn, self.key_file, self.cert_file)
    kind = 'authority'
    # self credential, keyed on our certificate including parents
    self_cred = registry.GetSelfCredential(
        self.cert.save_to_string(save_parents=True), self.hrn, kind)
    # the credential we actually want
    return Credential(string=registry.GetCredential(self_cred, self.hrn, kind))
def __init__(self, encoding="utf-8", methods='sfa.methods',
             config="/etc/sfa/sfa_config", peer_cert=None, interface=None,
             key_file=None, cert_file=None, cache=None):
    """
    Build an API instance bound to one interface.

    encoding: passed through to XmlrpcApi.__init__.
    methods: accepted for compatibility; not used in this constructor.
    config: path to the sfa config file; None means we are only
        documenting the API and nothing else is initialised.
    peer_cert: certificate of the calling peer, handed to Auth.
    interface: name of the interface this api serves.
    key_file, cert_file: this server's key and certificate paths.
    cache: reuse an existing Cache, or None to create a fresh one.
    """
    XmlrpcApi.__init__(self, encoding)
    # we may be just be documenting the API
    if config is None:
        return

    # Load configuration
    self.config = Config(config)
    self.credential = None
    self.auth = Auth(peer_cert)
    self.interface = interface
    self.hrn = self.config.SFA_INTERFACE_HRN

    # our own key material
    self.key_file = key_file
    self.cert_file = cert_file
    self.key = Keypair(filename=key_file)
    self.cert = Certificate(filename=cert_file)

    self.cache = Cache() if cache is None else cache

    # load registries and aggregates
    from sfa.server.registry import Registries
    from sfa.server.aggregate import Aggregates
    self.registries = Registries()
    self.aggregates = Aggregates()

    # filled later on by generic/Generic
    self.manager = None
    self._dbsession = None
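def install_peer_certs(server_key_file, server_cert_file):
    """
    Attempt to install missing trusted gids and db records for our
    federated interfaces.

    There should be a gid file in /etc/sfa/trusted_roots for every peer
    registry found in the registries.xml config file. Every configured
    interface (registry or aggregate) whose hrn is not yet in our trusted
    cert list is asked for its trusted certs; the returned gid whose hrn
    matches the configured interface hrn is written to the trusted roots
    directory. Every gid returned by the peers is then handed to
    update_cert_records, not only the matching one.

    server_key_file, server_cert_file: paths to this server's key and
    cert, used to authenticate to the peer interfaces.

    NOTE(review): the only check applied to a fetched gid before it is
    written to the trusted roots dir is that its hrn equals the configured
    peer hrn; whether the transport authenticates the peer is not visible
    here. Treat this as trust-on-first-use of the configured peer.
    """
    api = SfaApi(key_file=server_key_file, cert_file=server_cert_file)
    registries = Registries()
    aggregates = Aggregates()
    # merge both interface tables; on a clash the aggregate entry wins,
    # as with the original list concatenation
    interfaces = dict(registries.items())
    interfaces.update(aggregates.items())

    gids_current = api.auth.trusted_cert_list
    hrns_current = [gid.get_hrn() for gid in gids_current]
    new_hrns = set(interfaces).difference(hrns_current)
    if not new_hrns:
        return

    trusted_certs_dir = api.config.get_trustedroots_dir()
    peer_gids = []
    for new_hrn in new_hrns:
        if not new_hrn:
            continue
        # the gid for this interface should already be installed
        if new_hrn == api.config.SFA_INTERFACE_HRN:
            continue
        try:
            # get gid from the registry
            interface = interfaces[new_hrn].server_proxy(
                server_key_file, server_cert_file, timeout=30)
            # skip non sfa aggregates
            server_version = api.get_cached_server_version(interface)
            if 'sfa' not in server_version:
                api.logger.info(
                    "get_trusted_certs: skipping non sfa aggregate: %s" % new_hrn)
                continue
            trusted_gids = ReturnValue.get_value(interface.get_trusted_certs())
            if trusted_gids:
                # the gid we want should be the first one in the list,
                # but lets make sure
                for trusted_gid in trusted_gids:
                    # default message
                    message = "interface: %s\t" % (api.interface)
                    message += "unable to install trusted gid for %s" % \
                        (new_hrn)
                    gid = GID(string=trusted_gid)
                    # every gid the peer returned is collected for
                    # update_cert_records; only the matching one goes to disk
                    peer_gids.append(gid)
                    if gid.get_hrn() == new_hrn:
                        gid_filename = os.path.join(trusted_certs_dir, '%s.gid' % new_hrn)
                        gid.save_to_file(gid_filename, save_parents=True)
                        message = "installed trusted cert for %s" % new_hrn
                    # log the message
                    api.logger.info(message)
        except Exception:
            # one unreachable or misbehaving peer must not abort the others;
            # a bare except here also swallowed SystemExit/KeyboardInterrupt
            message = "interface: %s\tunable to install trusted gid for %s" % \
                (api.interface, new_hrn)
            api.logger.log_exc(message)
    # doesnt matter which one
    update_cert_records(peer_gids)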