X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fserver%2Fsfa-ca.py;h=9ab75e7e5998bbbac02c9a547e4587b3843ad744;hb=862dfa7f7b8cce8c17e80c42aedd8d500ea86cb6;hp=ad2488f0171277e5cd3dbf7fb51313fec4433a0f;hpb=ba2aaa438f939a4b5c697052e37b1c3218901319;p=sfa.git diff --git a/sfa/server/sfa-ca.py b/sfa/server/sfa-ca.py index ad2488f0..9ab75e7e 100755 --- a/sfa/server/sfa-ca.py +++ b/sfa/server/sfa-ca.py @@ -1,8 +1,10 @@ #!/usr/bin/python # -# SFA Certificate Signing and management. Root authorities can use this script to sign -# the certificate of another authority and become its parent. +# SFA Certificate Signing and management. Root authorities can use this script +# to sign the certificate of another authority and become its parent. Sub +# authorities (authorities that have had their cert signed by another authority) +# can use this script to update their registry hierarchy with the new cert # # Example usage: # @@ -19,11 +21,14 @@ import os import sys from optparse import OptionParser -from sfa.trust.certificate import Keypair, Certificate + +from sfa.util.config import Config + from sfa.trust.gid import GID, create_uuid from sfa.trust.hierarchy import Hierarchy -from sfa.util.config import Config -from collections import defaultdict + +from sfa.storage.alchemy import dbsession +from sfa.storage.model import RegRecord def main(): args = sys.argv @@ -41,6 +46,8 @@ def main(): help="gid file to import into the registry") parser.add_option("-e", "--export", dest="export", help="name of gid to export from registry") + parser.add_option("-t", "--type", dest="type", + help="record type", default=None) parser.add_option("-o", "--outfile", dest="outfile", help="where to write the exprted gid") parser.add_option("-v", "--verbose", dest="verbose", default=False, @@ -73,14 +80,6 @@ def display(options): gid = GID(filename=gidfile) gid.dump(dump_parents=True) -def sign_gid(gid, parent_key, parent_gid): - gid.set_issuer(parent_key, parent_gid.get_hrn()) - gid.set_parent(parent_gid) - gid.set_intermediate_ca(True) - gid.set_pubkey(gid.get_pubkey()) - gid.sign() - return gid - def sign(options): """ Sign the specified gid @@ -97,36 +96,16 @@ def sign(options): sys.exit(1) gid = GID(filename=gidfile) - # remove previous parent - gid = GID(string=gid.save_to_string(save_parents=False)) - - # load the parent private info - authority = options.authority - # if no pkey was specified, then use the this authority's key - if not authority: - authority = default_authority - - if not hierarchy.auth_exists(authority): - print "no such authority: %s" % authority - - # load the parent gid and key - auth_info = hierarchy.get_auth_info(authority) - pkeyfile = auth_info.privkey_filename - parent_key = Keypair(filename=pkeyfile) - parent_gid = auth_info.gid_object + # extract pub_key and create new gid + pkey = gid.get_pubkey() + urn = gid.get_urn() + gid = hierarchy.create_gid(urn, create_uuid(), pkey) # get the outfile outfile = options.outfile if not outfile: outfile = os.path.abspath('./signed-%s.gid' % gid.get_hrn()) - # check if gid already has a parent - - # sign the gid - if options.verbose: - print "Signing %s gid with parent %s" % \ - (gid.get_hrn(), parent_gid.get_hrn()) - gid = sign_gid(gid, parent_key, parent_gid) # save the signed gid if options.verbose: print "Writing signed gid %s" % outfile @@ -134,25 +113,24 @@ def sign(options): def export_gid(options): - from sfa.util.table import SfaTable # lookup the record for the specified hrn hrn = options.export - - # check sfa table first - table = SfaTable() - records = table.find({'hrn': hrn, type: 'authority'}) - if not records: + type = options.type + # check sfa table first + request=dbsession.query(RegRecord).filter_by(hrn=hrn) + if type: request = request.filter_by(type=type) + record=request.first() + if not record: # check the authorities hierarchy hierarchy = Hierarchy() try: - auth_info = hierarchy.get_auth_info() + auth_info = hierarchy.get_auth_info(hrn) gid = auth_info.gid_object except: print "Record: %s not found" % hrn sys.exit(1) else: - record = records[0] - gid = GID(string=record['gid']) + gid = GID(string=record.gid) # get the outfile outfile = options.outfile @@ -169,8 +147,6 @@ def import_gid(options): Import the specified gid into the registry (db and authorities hierarchy) overwriting any previous gid. """ - from sfa.util.table import SfaTable - from sfa.util.record import SfaRecord # load the gid gidfile = os.path.abspath(options.importgid) if not gidfile or not os.path.isfile(gidfile): @@ -185,16 +161,14 @@ def import_gid(options): sys.exit(1) # check if record exists in db - table = SfaTable() - records = table.find({'hrn': gid.get_hrn(), 'type': 'authority'}) - if not records: - print "%s not found in record database" % get.get_hrn() + record = dbsession.query(RegRecord).filter_by(type='authority',hrn=gid.get_hrn()).first() + if not record: + print "%s not found in record database" % gid.get_hrn() sys.exit(1) # update the database record - record = records[0] - record['gid'] = gid.save_to_string(save_parents=True) - table.update(record) + record.gid = gid.save_to_string(save_parents=True) + dbsession.commit() if options.verbose: print "Imported %s gid into db" % record['hrn'] @@ -205,52 +179,8 @@ def import_gid(options): if options.verbose: print "Writing %s gid to %s" % (gid.get_hrn(), filename) - # re-sign all existing gids signed by this authority - # create a dictionary of records keyed on the record's authority - record_dict = defaultdict(list) - # only get regords that belong to this authority - # or any of its sub authorities - child_records = table.find({'hrn': '%s*' % gid.get_hrn()}) - if not child_records: - return - - for record in child_records: - record_dict[record['authority']].append(record) - - # start with the authority we just imported - authorities = [gid.get_hrn()] - while authorities: - next_authorities = [] - for authority in authorities: - # create a new signed gid for each record at this authority - # and update the registry - auth_info = hierarchy.get_auth_info(authority) - records = record_dict[authority] - for record in records: - record_gid = GID(string=record['gid']) - parent_pkey = Keypair(filename=auth_info.privkey_filename) - parent_gid = GID(filename=auth_info.gid_filename) - if options.verbose: - print "re-signing %s gid with parent %s" % \ - (record['hrn'], parent_gid.get_hrn()) - signed_gid = sign_gid(record_gid, parent_pkey, parent_gid) - record['gid'] = signed_gid.save_to_string(save_parents=True) - table.update(record) - - # if this is an authority then update the hierarchy - if record['type'] == 'authority': - record_info = hierarchy.get_auth_info(record['hrn']) - if options.verbose: - print "Writing %s gid to %s" % (record['hrn'], record_info.gid_filename) - signed_gid.save_to_file(filename=record_info.gid_filename, save_parents=True) - - # update list of next authorities - tmp_authorities = set([record['hrn'] for record in records \ - if record['type'] == 'authority']) - next_authorities.extend(tmp_authorities) - - # move on to next set of authorities - authorities = next_authorities + # ending here + return if __name__ == '__main__': main()