X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fserver%2Fsfa-start.py;h=4f72b6784384bbcba56a7871162b6f1c1062db5a;hb=d40b9aa4b75edb62273b2d0705945342468d69d6;hp=b13b6a7a0cd11c4a996ccc043559342e645630eb;hpb=431a6bf78c6232a44b178e2092451e733a71bba3;p=sfa.git
diff --git a/sfa/server/sfa-start.py b/sfa/server/sfa-start.py
index b13b6a7a..4f72b678 100755
--- a/sfa/server/sfa-start.py
+++ b/sfa/server/sfa-start.py
@@ -39,8 +39,8 @@ from optparse import OptionParser
 from sfa.util.sfalogging import logger
 from sfa.util.xrn import get_authority, hrn_to_urn
 from sfa.util.config import Config
-import sfa.util.xmlrpcprotocol as xmlrpcprotocol
-
+from sfa.trust.gid import GID
+from sfa.trust.trustedroots import TrustedRoots
 from sfa.trust.certificate import Keypair, Certificate
 from sfa.trust.hierarchy import Hierarchy
 from sfa.trust.gid import GID
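Review bot: The added `from sfa.trust.gid import GID` repeats an import that already sits three lines further down in this hunk's context, so GID is now imported twice and one of the two lines should go. With the init_server_* helpers removed later in this commit, `Keypair` and `Certificate` may no longer be used in this file either; that cannot be confirmed from the hunks shown. Trimming the trust imports to what the file still uses makes it easier to see which code touches key material.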
@@ -60,81 +60,13 @@ def daemon(): devnull = os.open(os.devnull, os.O_RDWR) os.dup2(devnull, 0) # xxx fixme - this is just to make sure that nothing gets stupidly lost - should use devnull - crashlog = os.open('/var/log/httpd/sfa_access_log', os.O_RDWR | os.O_APPEND | os.O_CREAT, 0644) + logdir='/var/log/httpd' + # when installed in standalone we might not have httpd installed + if not os.path.isdir(logdir): os.mkdir('/var/log/httpd') + crashlog = os.open('%s/sfa_access_log'%logdir, os.O_RDWR | os.O_APPEND | os.O_CREAT, 0644) os.dup2(crashlog, 1) os.dup2(crashlog, 2) -def init_server_key(server_key_file, server_cert_file, config, hierarchy): - - hrn = config.SFA_INTERFACE_HRN.lower() - # check if the server's private key exists. If it doesnt, - # get the right one from the authorities directory. If it cant be - # found in the authorities directory, generate a random one - if not os.path.exists(server_key_file): - hrn = config.SFA_INTERFACE_HRN.lower() - hrn_parts = hrn.split(".") - rel_key_path = hrn - pkey_filename = hrn+".pkey" - - # sub authority's have "." in their hrn. This must - # be converted to os.path separator - if len(hrn_parts) > 0: - rel_key_path = hrn.replace(".", os.sep) - pkey_filename= hrn_parts[-1]+".pkey" - - key_file = os.sep.join([hierarchy.basedir, rel_key_path, pkey_filename]) - if not os.path.exists(key_file): - # if it doesnt exist then this is probably a fresh interface - # with no records. Generate a random keypair for now - logger.debug("server's public key not found in %s" % key_file) - - logger.debug("generating a random server key pair") - key = Keypair(create=True) - key.save_to_file(server_key_file) - init_server_cert(hrn, key, server_cert_file, self_signed=True) - - else: - # the pkey was found in the authorites directory. 
lets - # copy it to where the server key should be and generate - # the cert - key = Keypair(filename=key_file) - key.save_to_file(server_key_file) - init_server_cert(hrn, key, server_cert_file) - - # If private key exists and cert doesnt, recreate cert - if (os.path.exists(server_key_file)) and (not os.path.exists(server_cert_file)): - key = Keypair(filename=server_key_file) - init_server_cert(hrn, key, server_cert_file) - - -def init_server_cert(hrn, key, server_cert_file, self_signed=False): - """ - Setup the certificate for this server. Attempt to use gid before - creating a self signed cert - """ - if self_signed: - init_self_signed_cert(hrn, key, server_cert_file) - else: - try: - # look for gid file - logger.debug("generating server cert from gid: %s"% hrn) - hierarchy = Hierarchy() - auth_info = hierarchy.get_auth_info(hrn) - gid = GID(filename=auth_info.gid_filename) - gid.save_to_file(filename=server_cert_file) - except: - # fall back to self signed cert - logger.debug("gid for %s not found" % hrn) - init_self_signed_cert(hrn, key, server_cert_file) - -def init_self_signed_cert(hrn, key, server_cert_file): - logger.debug("generating self signed cert") - # generate self signed certificate - cert = Certificate(subject=hrn) - cert.set_issuer(key=key, subject=hrn) - cert.set_pubkey(key) - cert.sign() - cert.save_to_file(server_cert_file) def install_peer_certs(server_key_file, server_cert_file): """ @@ -166,7 +98,7 @@ def install_peer_certs(server_key_file, server_cert_file): try: # get gid from the registry url = interfaces[new_hrn].get_url() - interface = interfaces[new_hrn].get_server(server_key_file, server_cert_file, timeout=30) + interface = interfaces[new_hrn].server_proxy(server_key_file, server_cert_file, timeout=30) # skip non sfa aggregates server_version = api.get_cached_server_version(interface) if 'sfa' not in server_version: 
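Review bot: The new `os.mkdir('/var/log/httpd')` in daemon() creates the log directory with the default mode, so its permissions depend on the process umask at that point. daemon() starts outside the hunk and the umask is not visible here, but daemonizing code commonly clears it, which would leave a world-writable directory holding the file that stdout and stderr are redirected to. Pass an explicit mode and reuse the variable instead of repeating the literal path: `if not os.path.isdir(logdir): os.mkdir(logdir, 0755)`. The isdir/mkdir pair also raises OSError when the path exists but is not a directory, and this runs before fd 2 is attached to the log, so it is worth checking where that traceback would end up.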
@@ -203,8 +135,8 @@ def update_cert_records(gids): Removes old records from the db. """ # import SfaTable here so this module can be loaded by PlcComponentApi - from sfa.util.table import SfaTable - from sfa.util.record import SfaRecord + from sfa.storage.table import SfaTable + from sfa.storage.record import SfaRecord if not gids: return table = SfaTable() @@ -253,12 +185,16 @@ def main(): config = Config() if config.SFA_API_DEBUG: pass - hierarchy = Hierarchy() - server_key_file = os.path.join(hierarchy.basedir, "server.key") - server_cert_file = os.path.join(hierarchy.basedir, "server.cert") - init_server_key(server_key_file, server_cert_file, config, hierarchy) + # ge the server's key and cert + hierarchy = Hierarchy() + auth_info = hierarchy.get_interface_auth_info() + server_key_file = auth_info.get_privkey_filename() + server_cert_file = auth_info.get_gid_filename() + # ensure interface cert is present in trusted roots dir + trusted_roots = TrustedRoots(config.get_trustedroots_dir()) + trusted_roots.add_gid(GID(filename=server_cert_file)) if (options.daemon): daemon() if options.trusted_certs:
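Review bot: The added `trusted_roots.add_gid(GID(filename=server_cert_file))` in main() makes whatever file sits at the interface's GID path a trust anchor on every start, with no check and no log line, so the permissions on that path now decide who can introduce a trusted root. Confirm that the GID belongs to the private key returned by `get_privkey_filename()` before adding it, and record the event, for example `logger.info("adding interface gid %s to trusted roots" % server_cert_file)`. The removed init_server_key() used to generate a missing key and certificate; whether get_interface_auth_info() does the same is not visible here, and if it does not, `GID(filename=...)` fails on a fresh install before daemon() is reached. The new comment should read `# get the server's key and cert`. main() starts and continues outside the hunk.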