X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=api-config;h=e6576419354d526451e002455c04c9366229bc94;hb=fa54f8b158000ff2112b997ff79e4ebff9469b0e;hp=b2b0e78ff5cb59c395faf907b4d3e39ac61112e8;hpb=ba2a83ee288368f1d41c13a6e4dc78c18f8f18fc;p=myplc.git diff --git a/api-config b/api-config index b2b0e78..e657641 100755 --- a/api-config +++ b/api-config @@ -1,18 +1,21 @@ #!/usr/bin/python # # Bootstraps the PLC database with a default administrator account and -# a default site. +# a default site. Also generates the MA/SA API certificate. # # Mark Huang # Copyright (C) 2006 The Trustees of Princeton University # -# $Id: api-config,v 1.9 2006/05/23 18:09:21 mlhuang Exp $ +# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $ # -import plcapilib -(plcapi, moreopts, argv) = plcapilib.plcapi(globals()) from plc_config import PLCConfiguration -import sys +import os +import re +import xml +import CertOps, Certificate +import Certificate +import commands def main(): @@ -21,657 +24,56 @@ def main(): variables = cfg.variables() # Load variables into dictionaries - (category, variablelist) = variables['plc'] - plc = dict(zip(variablelist.keys(), - [variable['value'] for variable in variablelist.values()])) - - (category, variablelist) = variables['plc_www'] - plc_www = dict(zip(variablelist.keys(), - [variable['value'] for variable in variablelist.values()])) - - (category, variablelist) = variables['plc_api'] - plc_api = dict(zip(variablelist.keys(), - [variable['value'] for variable in variablelist.values()])) - - # Create/update the default administrator account (should be - # person_id 2). - admin = { 'person_id': 2, - 'first_name': "Default", - 'last_name': "Administrator", - 'email': plc['root_user'], - 'password': plc['root_password'] } - persons = AdmGetPersons([admin['person_id']]) - if not persons: - person_id = AdmAddPerson(admin['first_name'], admin['last_name'], admin) - if person_id != admin['person_id']: - # Huh? Someone deleted the account manually from the database. - AdmDeletePerson(person_id) - raise Exception, "Someone deleted the \"%s %s\" account from the database!" % \ - (admin['first_name'], admin['last_name']) - AdmSetPersonEnabled(person_id, True) - else: - person_id = persons[0]['person_id'] - AdmUpdatePerson(person_id, admin) - - # Create/update the default site (should be site_id 1) - if plc_www['port'] == '80': - url = "http://" + plc_www['host'] + "/" - elif plc_www['port'] == '443': - url = "https://" + plc_www['host'] + "/" - else: - url = "http://" + plc_www['host'] + ":" + plc_www['port'] + "/" - site = { 'site_id': 1, - 'name': plc['name'] + " Central", - 'abbreviated_name': plc['name'], - # XXX Default site slice_prefix/login_base must be "pl_" - # 'login_base': plc['slice_prefix'], - 'login_base': "pl", - 'is_public': False, - 'url': url, - 'max_slices': 100 } - - sites = AdmGetSites([site['site_id']]) - if not sites: - site_id = AdmAddSite(site['name'], site['abbreviated_name'], site['login_base'], site) - if site_id != site['site_id']: - AdmDeleteSite(site_id) - raise Exception, "Someone deleted the \"%s\" site from the database!" % \ - site['name'] - sites = [site] - - # Must call AdmUpdateSite() even after AdmAddSite() to update max_slices - site_id = sites[0]['site_id'] - # XXX login_base cannot be updated - del site['login_base'] - AdmUpdateSite(site_id, site) - - # The default administrator account must be associated with a site - # in order to login. - AdmAddPersonToSite(admin['person_id'], site['site_id']) - AdmSetPersonPrimarySite(admin['person_id'], site['site_id']) - - # Grant admin and PI roles to the default administrator account - AdmGrantRoleToPerson(admin['person_id'], 10) - AdmGrantRoleToPerson(admin['person_id'], 20) - - # Get the primary IP address for each node - hosts = {} - nodes = AdmGetNodes([], ['node_id', 'hostname']) - plcapi.begin() - for node in nodes: - AdmGetAllNodeNetworks(node['node_id']) - nodenetworks_list = plcapi.commit() - if nodenetworks_list is not None: - for i, nodenetworks in enumerate(nodenetworks_list): - for nodenetwork in nodenetworks: - if nodenetwork['hostname']: - hostname = nodenetwork['hostname'] - else: - hostname = nodes[i]['hostname'] - - if hosts.has_key(nodenetwork['ip']): - if hostname not in hosts[nodenetwork['ip']]: - hosts[nodenetwork['ip']].append(hostname) - else: - hosts[nodenetwork['ip']] = [hostname] - - # Write /etc/plc_hosts - plc_hosts = open("/etc/plc_hosts", "w") - for ip, hostnames in hosts.iteritems(): - plc_hosts.write(ip + "\t" + " ".join(hostnames) + "\n") - plc_hosts.close() - - # Setup default PlanetLabConf entries - default_conf_files = [ - # NTP configuration - {'enabled': 1, - 'source': 'PlanetLabConf/ntpconf.php', - 'dest': '/etc/ntp.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/rc.d/init.d/ntpd restart', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/ntptickers.php', - 'dest': '/etc/ntp/step-tickers', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/rc.d/init.d/ntpd restart', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # SSH server configuration - {'enabled': 1, - 'source': 'PlanetLabConf/sshd_config', - 'dest': '/etc/ssh/sshd_config', - 'file_permissions': '600', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/init.d/sshd restart', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Administrative SSH keys - {'enabled': 1, - 'source': 'PlanetLabConf/keys.php?root', - 'dest': '/root/.ssh/authorized_keys', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/keys.php?site_admin', - 'dest': '/home/site_admin/.ssh/authorized_keys', - 'file_permissions': '644', - 'file_owner': 'site_admin', - 'file_group': 'site_admin', - 'preinstall_cmd': 'grep -q site_admin /etc/passwd', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/keys.php?role=admin', - 'dest': '/home/pl_admin/.ssh/authorized_keys', - 'file_permissions': '644', - 'file_owner': 'pl_admin', - 'file_group': 'pl_admin', - 'preinstall_cmd': 'grep -q pl_admin /etc/passwd', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Log rotation configuration - {'enabled': 1, - 'source': 'PlanetLabConf/logrotate.conf', - 'dest': '/etc/logrotate.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # updatedb/locate nightly cron job - {'enabled': 1, - 'source': 'PlanetLabConf/slocate.cron', - 'dest': '/etc/cron.daily/slocate.cron', - 'file_permissions': '755', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # YUM configuration - {'enabled': 1, - 'source': 'PlanetLabConf/yum.conf.php?gpgcheck=1', - 'dest': '/etc/yum.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/delete-rpm-list-production', - 'dest': '/etc/planetlab/delete-rpm-list', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # PLC configuration - {'enabled': 1, - 'source': 'PlanetLabConf/get_plc_config.php', - 'dest': '/etc/planetlab/plc_config', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/get_plc_config.php?python', - 'dest': '/etc/planetlab/plc_config.py', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/get_plc_config.php?perl', - 'dest': '/etc/planetlab/plc_config.pl', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/get_plc_config.php?php', - 'dest': '/etc/planetlab/php/plc_config.php', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Node Manager configuration - {'enabled': 1, - 'source': 'PlanetLabConf/pl_nm-v3.conf', - 'dest': '/etc/planetlab/pl_nm.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/init.d/pl_nm restart', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/RootResources/plc_slice_pool.php', - 'dest': '/home/pl_nm/RootResources/plc_slice_pool', - 'file_permissions': '644', - 'file_owner': 'pl_nm', - 'file_group': 'pl_nm', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/RootResources/pl_conf.py', - 'dest': '/home/pl_nm/RootResources/pl_conf', - 'file_permissions': '644', - 'file_owner': 'pl_nm', - 'file_group': 'pl_nm', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/init.d/pl_nm restart', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/RootResources/pl_netflow.py', - 'dest': '/home/pl_nm/RootResources/pl_netflow', - 'file_permissions': '644', - 'file_owner': 'pl_nm', - 'file_group': 'pl_nm', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Proper configuration - {'enabled': 1, - 'source': 'PlanetLabConf/propd-NM-1.0.conf', - 'dest': '/etc/proper/propd.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/init.d/proper restart', - 'error_cmd': '', - 'ignore_cmd_errors': 1, - 'always_update': 0}, - - # Bandwidth cap - {'enabled': 1, - 'source': 'PlanetLabConf/bwlimit.php', - 'dest': '/etc/planetlab/bwcap', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/etc/init.d/pl_nm restart', - 'error_cmd': '', - 'ignore_cmd_errors': 1, - 'always_update': 0}, - - # Proxy ARP setup - {'enabled': 1, - 'source': 'PlanetLabConf/proxies.php', - 'dest': '/etc/planetlab/proxies', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Firewall configuration - {'enabled': 1, - 'source': 'PlanetLabConf/iptables', - 'dest': '/etc/sysconfig/iptables', - 'file_permissions': '600', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/blacklist.php', - 'dest': '/etc/planetlab/blacklist', - 'file_permissions': '600', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/sbin/iptables-restore --noflush < /etc/planetlab/blacklist', - 'error_cmd': '', - 'ignore_cmd_errors': 1, - 'always_update': 1}, - - # /etc/issue - {'enabled': 1, - 'source': 'PlanetLabConf/issue.php', - 'dest': '/etc/issue', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Kernel parameters - {'enabled': 1, - 'source': 'PlanetLabConf/sysctl.php', - 'dest': '/etc/sysctl.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/sbin/sysctl -e -p /etc/sysctl.conf', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 1}, - - # Sendmail configuration - {'enabled': 1, - 'source': 'PlanetLabConf/alpha-sendmail.mc', - 'dest': '/etc/mail/sendmail.mc', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/alpha-sendmail.cf', - 'dest': '/etc/mail/sendmail.cf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': 'service sendmail restart', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # GPG signing keys - {'enabled': 1, - 'source': 'PlanetLabConf/RPM-GPG-KEY-fedora', - 'dest': '/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - {'enabled': 1, - 'source': 'PlanetLabConf/get_gpg_key.php', - 'dest': '/etc/pki/rpm-gpg/RPM-GPG-KEY-planetlab', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': 'rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-planetlab', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # Ping of death configuration - {'enabled': 1, - 'source': 'PlanetLabConf/ipod.conf.php', - 'dest': '/etc/ipod.conf', - 'file_permissions': '644', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}, - - # sudo configuration - {'enabled': 1, - 'source': 'PlanetLabConf/v3-sudoers.php', - 'dest': '/etc/sudoers', - 'file_permissions': '440', - 'file_owner': 'root', - 'file_group': 'root', - 'preinstall_cmd': '', - 'postinstall_cmd': '/usr/sbin/visudo -c', - 'error_cmd': '', - 'ignore_cmd_errors': 0, - 'always_update': 0}] - - # Get list of existing (enabled, global) files - conf_files = AdmGetConfFile() - conf_files = filter(lambda conf_file: conf_file['enabled'] and \ - not conf_file['node_id'] and \ - not conf_file['nodegroup_id'], - conf_files) - dests = [conf_file['dest'] for conf_file in conf_files] - conf_files = dict(zip(dests, conf_files)) - - # Create/update default PlanetLabConf entries - for default_conf_file in default_conf_files: - if default_conf_file['dest'] not in dests: - AdmCreateConfFile(default_conf_file['enabled'], - default_conf_file['source'], - default_conf_file['dest'], - default_conf_file['file_permissions'], - default_conf_file['file_owner'], - default_conf_file['file_group'], - default_conf_file['preinstall_cmd'], - default_conf_file['postinstall_cmd'], - default_conf_file['error_cmd'], - default_conf_file['ignore_cmd_errors'], - default_conf_file['always_update']) - else: - conf_file = conf_files[default_conf_file['dest']] - AdmUpdateConfFile(conf_file['conf_file_id'], default_conf_file) - - # Setup default slice attribute types - default_attribute_types = [ - # Slice type (only vserver is supported) - {'name': "plc_slice_type", - 'description': "Type of slice rspec to be created", - 'is_exclusive': True, 'min_role_id': 20, 'max_per_slice': 1, - 'value_fields': [{'description': "rspec class", - 'name': "type", - 'type': "string"}]}, - - # Slice initialization script - {'name': "initscript", - 'description': "slice initialization script", - 'is_exclusive': False, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "", - 'name': "initscript_id", - 'type': "integer"}]}, - - # CPU share (general_prop_share is deprecated) - {'name': "general_prop_share", - 'description': "general share", - 'is_exclusive': False, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "", - 'name': "general_prop_share", - 'type': "integer"}]}, - {'name': "nm_cpu_share", - 'description': "Number of CPU shares to be allocated to slice", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "number of shares", - 'name': "cpu_share", - 'type': "integer"}]}, - - # Bandwidth limits - {'name': "nm_net_min_rate", - 'description': "Minimum network Tx bandwidth", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "rate (kbps)", - 'name': "rate", - 'type': "integer"}]}, - {'name': "nm_net_max_rate", - 'description': "Maximum network Tx bandwidth", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "rate (kbps)", - 'name': "rate", - 'type': "integer"}]}, - {'name': "nm_net_avg_rate", - 'description': "Average daily network Tx bandwidth", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "rate (kbps)", - 'name': "rate", - 'type': "integer"}]}, - {'name': "nm_net_exempt_min_rate", - 'description': "Minimum network Tx bandwidth to Internet2 destinations", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "rate (kbps)", - 'name': "rate", - 'type': "integer"}]}, - {'name': "nm_net_exempt_max_rate", - 'description': "Maximum network Tx bandwidth to Internet2 destinations", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "rate (kbps)", - 'name': "rate", - 'type': "integer"}]}, - {'name': "nm_net_exempt avg_rate", - 'description': "Average daily network Tx bandwidth to Internet2 destinations", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "rate (kbps)", - 'name': "rate", - 'type': "integer"}]}, - - # Disk quota - {'name': "nm_disk_quota", - 'description': "Disk quota", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "Number of 1k disk blocks", - 'name': "quota", - 'type': "integer"}]}, - - # Special attributes applicable to Slice Creation Service (pl_conf) slice - {'name': "plc_agent_version", - 'description': "Version of PLC agent (slice creation service) software to be deployed", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "current version of PLC agent (SCS)", - 'name': "version", - 'type': "string"}]}, - {'name': "plc_ticket_pubkey", - 'description': "Public key used to verify PLC-signed tickets", - 'is_exclusive': True, 'min_role_id': 10, 'max_per_slice': 1, - 'value_fields': [{'description': "PEM-encoded public key", - 'name': "key", - 'type': "string"}]}] - - # Get list of existing attribute types - attribute_types = SliceAttributeTypeList() - - # Create/update default slice attribute types - for default_attribute_type in default_attribute_types: - if default_attribute_type['name'] not in attribute_types: - SliceAttributeTypeCreate(default_attribute_type['name'], - default_attribute_type['description'], - default_attribute_type['min_role_id'], - default_attribute_type['max_per_slice'], - default_attribute_type['is_exclusive'], - default_attribute_type['value_fields']) - else: - # XXX No way to update slice attribute types - pass - - # Get contents of SSL public certificate used for signing tickets - try: - plc_ticket_pubkey = "" - for line in file(plc_api['ssl_key_pub']): - # Skip comments - if line[0:5] != "-----": - # XXX The embedded newlines matter, do not strip()! - plc_ticket_pubkey += line - except: - plc_ticket_pubkey = '%KEY%' - - # Create/update system slices - slices = [{'name': "pl_conf", - 'description': "PlanetLab Slice Creation Service (SCS)", - 'url': url, - 'attributes': {'plc_slice_type': {'type': "VServerSlice"}, - 'plc_agent_version': {'version': "1.0"}, - 'plc_ticket_pubkey': {'key': plc_ticket_pubkey}}}, - {'name': "pl_conf_vserverslice", - 'description': "Default attributes for vserver slices", - 'url': url, - 'attributes': {'nm_cpu_share': {'cpu_share': 32}, - 'plc_slice_type': {'type': "VServerSlice"}, - 'nm_disk_quota': {'quota': 5000000}}}] - for slice in slices: + for category_id, (category, variablelist) in variables.iteritems(): + globals()[category_id] = dict(zip(variablelist.keys(), + [variable['value'] for variable in variablelist.values()])) + + # Get the issuer e-mail address and public key from the root CA certificate + root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \ + plc_ma_sa['ca_ssl_crt']) + root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \ + plc_ma_sa['ca_ssl_crt']) + + # Verify API certificate + if os.path.exists(plc_ma_sa['api_crt']): + print "Verifying API certificate '%s'" % plc_ma_sa['api_crt'] try: - SliceInfo([slice['name']]) - except: - SliceCreate(slice['name']) - SliceSetInstantiationMethod(slice['name'], 'plc-instantiated') - SliceUpdate(slice['name'], slice['url'], slice['description']) - # Renew forever - SliceRenew(slice['name'], sys.maxint) - # Create/update all attributes - for attribute, values in slice['attributes'].iteritems(): - SliceAttributeSet(slice['name'], attribute, values) - + cert_xml = file(plc_ma_sa['api_crt']).read().strip() + # Verify root CA signature + CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub}) + # Check if MA/SA e-mail address has changed + dom = xml.dom.minidom.parseString(cert_xml) + for subject in dom.getElementsByTagName('subject'): + if subject.getAttribute('email') != plc_mail['support_address']: + raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \ + (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address']) + except Exception, e: + # Delete invalid API certificate + print "Warning: ", e + os.unlink(plc_ma_sa['api_crt']) + + # Generate self-signed API certificate + if not os.path.exists(plc_ma_sa['api_crt']): + print "Generating new API certificate" + try: + cert = Certificate.Certificate('ticket-cert-0') + ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \ + plc_ma_sa['ssl_crt']) + cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address']) + root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \ + plc_ma_sa['ssl_crt']) + m = re.search('/CN=([^/]*).*', root_ca_subject) + if m is None: + root_ca_cn = plc['name'] + " Management and Slice Authority" + else: + root_ca_cn = m.group(1) + cert.set_issuer(email = root_ca_email, cn = root_ca_cn) + cert_xml = cert.sign(plc_ma_sa['ssl_key']) + ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w") + ma_sa_api_crt.write(cert_xml) + ma_sa_api_crt.close() + except Exception, e: + print "Warning: Could not generate API certificate: ", e if __name__ == '__main__': main()