X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fserver%2Fsfa-ca.py;h=b87e119c16c44f6f179b9b4b557694d32d50be40;hb=e6d27e49ab5b982781e8d2b19f4029def4c1703c;hp=30afe4be8d3f365b91db5f8cc213d936501c68eb;hpb=c41e30aa56236ecc11148ed274508dd864b68e81;p=sfa.git diff --git a/sfa/server/sfa-ca.py b/sfa/server/sfa-ca.py index 30afe4be..b87e119c 100755 --- a/sfa/server/sfa-ca.py +++ b/sfa/server/sfa-ca.py @@ -1,16 +1,33 @@ #!/usr/bin/python # -# SFA Certificate Signing and management -# +# SFA Certificate Signing and management. Root authorities can use this script +# to sign the certificate of another authority and become its parent. Sub +# authorities (authorities that have had their cert signed by another authority) +# can use this script to update their registry hierarchy with the new cert +# +# Example usage: +# +## sign a peer cert +# sfa-ca.py --sign PEER_CERT_FILENAME -o OUTPUT_FILENAME +# +## import a cert and update the registry hierarchy +# sfa-ca.py --import CERT_FILENAME +# +## display a cert +# sfa-ca.py --display CERT_FILENAME + import os import sys from optparse import OptionParser -from sfa.trust.certificate import Keypair, Certificate + +from sfa.util.config import Config + from sfa.trust.gid import GID, create_uuid from sfa.trust.hierarchy import Hierarchy -from sfa.util.config import Config + +from sfa.storage.table import SfaTable def main(): args = sys.argv @@ -22,14 +39,18 @@ def main(): help="gid to sign" ) parser.add_option("-k", "--key", dest="key", default=None, help="keyfile to use for signing") + parser.add_option("-a", "--authority", dest="authority", default=None, + help="sign the gid using the specified authority ") parser.add_option("-i", "--import", dest="importgid", default=None, help="gid file to import into the registry") parser.add_option("-e", "--export", dest="export", help="name of gid to export from registry") + parser.add_option("-t", "--type", dest="type", + help="record type", default=None) parser.add_option("-o", "--outfile", dest="outfile", help="where to write the exprted gid") - parser.add_option("-v", "--verbose", dest="verobse", - help="be verbose") + parser.add_option("-v", "--verbose", dest="verbose", default=False, + action="store_true", help="be verbose") (options, args) = parser.parse_args() @@ -64,8 +85,8 @@ def sign(options): """ hierarchy = Hierarchy() config = Config() - parent_hrn = config.SFA_INTERFACE_HRN - auth_info = hierarchy.get_auth_info(parent_hrn) + default_authority = config.SFA_INTERFACE_HRN + auth_info = hierarchy.get_auth_info(default_authority) # load the gid gidfile = os.path.abspath(options.sign) @@ -74,46 +95,37 @@ def sign(options): sys.exit(1) gid = GID(filename=gidfile) - # load the parent private key - pkeyfile = options.key - # if no pkey was specified, then use the this authority's key - if not pkeyfile: - pkeyfile = auth_info.privkey_filename - if not os.path.isfile(pkeyfile): - print "no such pkey: %s.\nPlease specify a valid private key" % pkeyfile - sys.exit(1) - parent_key = Keypair(filename=pkeyfile) - - # load the parent gid - parent_gid = auth_info.gid_object + # extract pub_key and create new gid + pkey = gid.get_pubkey() + urn = gid.get_urn() + gid = hierarchy.create_gid(urn, create_uuid(), pkey) # get the outfile outfile = options.outfile if not outfile: outfile = os.path.abspath('./signed-%s.gid' % gid.get_hrn()) - # check if gid already has a parent - - # sign the gid - gid.set_issuer(parent_key, parent_hrn) - gid.set_parent(parent_gid) - gid.sign() - gid.save_to_file(outfile, save_parents=True) + # save the signed gid + if options.verbose: + print "Writing signed gid %s" % outfile + gid.save_to_file(outfile, save_parents=True) def export_gid(options): - from sfa.util.table import SfaTable # lookup the record for the specified hrn hrn = options.export - - # check sfa table first + type = options.type + # check sfa table first + filter = {'hrn': hrn} + if type: + filter['type'] = type table = SfaTable() - records = table.find({'hrn': hrn, type: 'authority'}) + records = table.find(filter) if not records: # check the authorities hierarchy hierarchy = Hierarchy() try: - auth_info = hierarchy.get_auth_info() + auth_info = hierarchy.get_auth_info(hrn) gid = auth_info.gid_object except: print "Record: %s not found" % hrn @@ -127,13 +139,52 @@ def export_gid(options): if not outfile: outfile = os.path.abspath('./%s.gid' % gid.get_hrn()) + # save it + if options.verbose: + print "Writing %s gid to %s" % (gid.get_hrn(), outfile) gid.save_to_file(outfile, save_parents=True) - - pass def import_gid(options): - from sfa.util.table import SfaTable - pass + """ + Import the specified gid into the registry (db and authorities + hierarchy) overwriting any previous gid. + """ + # load the gid + gidfile = os.path.abspath(options.importgid) + if not gidfile or not os.path.isfile(gidfile): + print "No such gid: %s" % gidfile + sys.exit(1) + gid = GID(filename=gidfile) + + # check if it exists within the hierarchy + hierarchy = Hierarchy() + if not hierarchy.auth_exists(gid.get_hrn()): + print "%s not found in hierarchy" % gid.get_hrn() + sys.exit(1) + + # check if record exists in db + table = SfaTable() + records = table.find({'hrn': gid.get_hrn(), 'type': 'authority'}) + if not records: + print "%s not found in record database" % gid.get_hrn() + sys.exit(1) + + # update the database record + record = records[0] + record['gid'] = gid.save_to_string(save_parents=True) + table.update(record) + if options.verbose: + print "Imported %s gid into db" % record['hrn'] + + # update the hierarchy + auth_info = hierarchy.get_auth_info(gid.get_hrn()) + filename = auth_info.gid_filename + gid.save_to_file(filename, save_parents=True) + if options.verbose: + print "Writing %s gid to %s" % (gid.get_hrn(), filename) + + # ending here + return if __name__ == '__main__': main()