From c751d0185114516c11f185363391636068be786d Mon Sep 17 00:00:00 2001 From: Thierry Parmentelat Date: Wed, 30 May 2012 15:56:47 +0200 Subject: [PATCH] reviewed the ssh keys system use 5 different keys for pladmins, plpis, plusers, sfapis and sfausers kind of intrusive so probably not quite thorough --- system/TestKey.py | 2 +- system/TestNode.py | 2 +- system/TestPlc.py | 12 +-- system/TestSlice.py | 9 +-- system/TestSliceSfa.py | 36 ++++----- system/TestUser.py | 9 +-- system/config_default.py | 170 ++++++++++++++++++++++++++------------- 7 files changed, 145 insertions(+), 95 deletions(-) diff --git a/system/TestKey.py b/system/TestKey.py index 7fb508a..4ff08ff 100644 --- a/system/TestKey.py +++ b/system/TestKey.py @@ -13,7 +13,7 @@ class TestKey: self.test_ssh=TestSsh(self.test_plc.test_ssh) def name(self): - return self.key_spec['name'] + return self.key_spec['key_name'] def publicpath(self): return "keys/%s.pub"%(self.name()) diff --git a/system/TestNode.py b/system/TestNode.py index ceae771..e4cc1d4 100644 --- a/system/TestNode.py +++ b/system/TestNode.py @@ -268,7 +268,7 @@ class TestNode: ### # assuming we've run testplc.fetch_keys() ### key = "keys/%(vservername)s.rsa"%locals() # fetch_keys doesn't grab the root key anymore - key = "keys/key1.rsa" + key = "keys/key_admin.rsa" return TestSsh(self.name(), buildname=self.buildname(), key=key) def check_hooks (self): diff --git a/system/TestPlc.py b/system/TestPlc.py index aced650..c6658a1 100644 --- a/system/TestPlc.py +++ b/system/TestPlc.py @@ -263,11 +263,11 @@ class TestPlc: return (site,node) raise Exception,"Cannot locate hostname %s"%hostname - def locate_key (self,keyname): + def locate_key (self,key_name): for key in self.plc_spec['keys']: - if key['name'] == keyname: + if key['key_name'] == key_name: return key - raise Exception,"Cannot locate key %s"%keyname + raise Exception,"Cannot locate key %s"%key_name def locate_slice (self, slicename): for slice in self.plc_spec['slices']: 
@@ -446,7 +446,7 @@ class TestPlc: print '+ ======== initscript',initscript['initscript_fields']['name'] def display_key_spec (self,key): - print '+ ======== key',key['name'] + print '+ ======== key',key['key_name'] def display_slice_spec (self,slice): print '+ ======== slice',slice['slice_fields']['name'] @@ -954,7 +954,7 @@ class TestPlc: local_key = "keys/%(vservername)s-debug.rsa"%locals() else: message="boot" - local_key = "keys/key1.rsa" + local_key = "keys/key_admin.rsa" node_infos = self.all_node_infos() utils.header("checking ssh access (expected in %s mode) to nodes:"%message) for (nodename,qemuname) in node_infos: @@ -1534,7 +1534,7 @@ class TestPlc: test_site = TestSite (self,site_spec) for node_spec in site_spec['nodes']: test_node=TestNode(self,test_site,node_spec) - test_ssh = TestSsh (test_node.name(),key="keys/key1.rsa") + test_ssh = TestSsh (test_node.name(),key="keys/key_admin.rsa") command = test_ssh.actual_command("tar -C /var/log -cf - .") command = command + "| tar -C logs/node.var-log.%s -xf -"%test_node.name() utils.system("mkdir -p logs/node.var-log.%s"%test_node.name()) diff --git a/system/TestSlice.py b/system/TestSlice.py index 27d2901..4377e66 100644 --- a/system/TestSlice.py +++ b/system/TestSlice.py @@ -74,9 +74,9 @@ class TestSlice: # trash the slice altogether def delete_slice(self): - utils.header("Deleting slice %s"%slice_name) auth = self.owner_auth() slice_name = self.slice_name() + utils.header("Deleting slice %s"%slice_name) self.test_plc.apiserver.DeleteSlice(auth,slice_name) # keep the slice alive and just delete nodes 
@@ -95,12 +95,11 @@ class TestSlice: found=False for username in self.slice_spec['usernames']: user_spec=self.test_site.locate_user(username) - for keyname in user_spec['keynames']: - key_spec=self.test_plc.locate_key(keyname) + for key_name in user_spec['key_names']: + key_spec=self.test_plc.locate_key(key_name) test_key=TestKey(self.test_plc,key_spec) publickey=test_key.publicpath() privatekey=test_key.privatepath() - keyname=test_key.name() if os.path.isfile(publickey) and os.path.isfile(privatekey): found=True return (found,privatekey) @@ -159,7 +158,7 @@ class TestSlice: # nm restart after first failure, if requested if options.forcenm and hostname not in restarted: utils.header ("forcenm option : restarting nm on %s"%hostname) - restart_test_ssh=TestSsh(hostname,key="keys/key1.rsa") + restart_test_ssh=TestSsh(hostname,key="keys/key_admin.rsa") access=restart_test_ssh.actual_command('service nm restart') if (access==0): utils.header('nm restarted on %s'%hostname) diff --git a/system/TestSliceSfa.py b/system/TestSliceSfa.py index bcbaf0d..1ddc174 100644 --- a/system/TestSliceSfa.py +++ b/system/TestSliceSfa.py @@ -60,13 +60,13 @@ class TestSliceSfa: return "/root/sfi/%s%s"%(self.slicename,self.rspec_style()) def locate_key(self): - for username,keyname in self.sfa_slice_spec['usernames']: - key_spec=self.test_plc.locate_key(keyname) - test_key=TestKey(self.test_plc,key_spec) - publickey=test_key.publicpath() - privatekey=test_key.privatepath() - if os.path.isfile(publickey) and os.path.isfile(privatekey): - found=True + for key_name in self.sfa_slice_spec['slice_key_names']: + key_spec=self.test_plc.locate_key(key_name) + test_key=TestKey(self.test_plc,key_spec) + publickey=test_key.publicpath() + privatekey=test_key.privatepath() + if os.path.isfile(publickey) and os.path.isfile(privatekey): + found=True return (found,privatekey) # dir_name is local and will be pushed later on by TestPlc 
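Review bot: The inner loop keeps running after a matching key pair is found, so `privatekey` at `return (found,privatekey)` is the path of the last entry in the last user's `key_names`, not the one that passed the `os.path.isfile` checks, and `found` can be True while the returned path does not exist. Returning as soon as the check passes fixes that: replace `found=True` with `return (True,privatekey)` and keep the trailing `return (found,privatekey)` for the not-found case. If every user can have an empty `key_names`, `privatekey` is never bound and the trailing return raises UnboundLocalError, so `privatekey=None` before the loops would be needed as well. The enclosing method starts outside the hunk; the same keep-looping pattern appears in TestSliceSfa.locate_key in the hunk below.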
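Review bot: `found` is only ever assigned inside the `if` of the rebuilt `locate_key` loop, so when none of the `slice_key_names` pairs exist on disk the final `return (found,privatekey)` raises UnboundLocalError instead of reporting a miss; the commit re-indents the loop but leaves this as it was. TestSlice's counterpart in the hunk above initialises `found=False` before its loop, so add the same line here, `found=False`, before `for key_name in self.sfa_slice_spec['slice_key_names']:`. If `slice_key_names` can be empty, `privatekey` is unbound too and `privatekey=None` belongs next to it.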
@@ -78,17 +78,15 @@ class TestSliceSfa: sfa_slice_spec=self.sfa_slice_spec keys=plc_spec['keys'] # fetch keys in config spec and expose to sfi - for (key_key,name) in [ ('pi_private_key', self.piuser+'.pkey'), - ('pi_public_key', self.piuser+'.pub'), - ('user_private_key', self.regularuser+'.pkey'), - ('user_public_key', self.regularuser+'.pub'), - ]: - file_name=os.path.join(dir_name,self.qualified_hrn(name)) - fileconf=open(file_name,'w') - contents=self.sfa_slice_spec[key_key] - fileconf.write (contents) - fileconf.close() - utils.header ("(Over)wrote %s"%file_name) + for (hrn_leaf,key_name) in sfa_slice_spec['hrn_keys'].items(): + key_spec = self.test_plc.locate_key (key_name) + for (kind,ext) in [ ('private', 'pkey'), ('public', 'pub') ] : + contents=key_spec[kind] + file_name=os.path.join(dir_name,self.qualified_hrn(hrn_leaf))+"."+ext + fileconf=open(file_name,'w') + fileconf.write (contents) + fileconf.close() + utils.header ("(Over)wrote %s"%file_name) # file_name=dir_name + os.sep + 'sfi_config' fileconf=open(file_name,'w') @@ -253,7 +251,7 @@ class TestSliceSfa: # nm restart after first failure, if requested if options.forcenm and hostname not in restarted: utils.header ("forcenm option : restarting nm on %s"%hostname) - restart_test_ssh=TestSsh(hostname,key="keys/key1.rsa") + restart_test_ssh=TestSsh(hostname,key="keys/key_admin.rsa") access=restart_test_ssh.actual_command('service nm restart') if (access==0): utils.header('nm restarted on %s'%hostname) diff --git a/system/TestUser.py b/system/TestUser.py index 23f01a4..12728ee 100644 --- a/system/TestUser.py +++ b/system/TestUser.py 
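Review bot: The private half of each key pair is written with a plain `open(file_name,'w')`, so the `.pkey` file gets whatever mode the process umask yields, typically group- or world-readable, and the comment just before this hunk says the directory is later pushed to the plc. Tighten the mode right after `fileconf.close()`: `if kind == 'private': os.chmod(file_name, 0600)` (`os` is already in scope via `os.path.join`; the file is Python 2 syntax, hence the octal literal). A `with open(...) as fileconf:` block would also guarantee the close before the chmod and the header message. The enclosing method starts outside the hunk and continues past it with the `sfi_config` write.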
@@ -43,10 +43,7 @@ class TestUser: def add_keys (self): user_spec=self.user_spec - for keyname in user_spec['keynames']: - key=self.test_plc.locate_key(keyname) + for key_name in user_spec['key_names']: + key_spec=self.test_plc.locate_key(key_name) auth=self.auth() - self.test_plc.apiserver.AddPersonKey(auth,self.name(), key['key_fields']) - - - + self.test_plc.apiserver.AddPersonKey(auth,self.name(), key_spec['key_fields']) diff --git a/system/config_default.py b/system/config_default.py index d89dc6b..c4ededc 100644 --- a/system/config_default.py +++ b/system/config_default.py 
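Review bot: `auth=self.auth()` is re-evaluated for every key inside `for key_name in user_spec['key_names']:` although nothing in the loop body changes it; hoist it above the loop so `add_keys` reads `auth=self.auth()` followed by the `for` line, leaving only `locate_key` and `AddPersonKey` in the body. Whether `self.auth()` is cheap cannot be told from the hunk, but the hoist is a readability point either way. `add_keys` begins at the hunk's first line and ends at its last.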
@@ -69,45 +69,52 @@ def all_nodenames (options,index): return [ node['name'] for node in nodes(options,index)] def users (options) : - return [ {'name' : 'pi', 'keynames' : [ 'key1' ], - 'user_fields' : {'first_name':'PI', 'last_name':'PI', - 'enabled':'True', - 'email':'fake-pi1@%s'%domain, - 'password':'testpi'}, - 'roles':['pi']}, - {'name' : 'tech', 'keynames' : [ 'key1' ], - 'user_fields' : {'first_name':'Tech', 'last_name':'Tech', - 'enabled':'true', - 'email':'fake-tech1@%s'%domain, - 'password':'testtech'}, - 'roles':['tech']}, - {'name':'user', 'keynames' : [ 'key1' ], - 'user_fields' : {'first_name':'User', 'last_name':'User', - 'enabled':'true', - 'email':'fake-user1@%s'%domain, - 'password':'testuser'}, - 'roles':['user']}, - {'name':'techuser', 'keynames' : [ 'key1' ], - 'user_fields' : {'first_name':'UserTech', 'last_name':'UserTech', - 'enabled':'true', - 'email':'fake-tech2@%s'%domain, - 'password':'testusertech'}, - 'roles':['tech','user']}, - {'name':'pitech', 'keynames' : [ 'key1' ], - 'user_fields' : {'first_name':'PiTech', - 'last_name':'PiTech', - 'enabled':'true', - 'email':'fake-pi2@%s'%domain, - 'password':'testusertech'}, - 'roles':['pi','tech']}, - {'name':'admin', 'keynames' : [ 'key1' ], - 'user_fields' : {'first_name':'Admin', - 'last_name':'Admin', - 'enabled':'true', - 'email':'admin@%s'%domain, - 'password':'testuseradmin'}, - 'roles':['admin']}, - ] + return [ + {'name':'admin', 'key_names' : [ 'key_admin' ], + 'user_fields' : {'first_name':'Admin', + 'last_name':'Admin', + 'enabled':'true', + 'email':'admin@%s'%domain, + 'password':'testuseradmin'}, + 'roles':['admin']}, + + {'name' : 'pi', 'key_names' : [ 'key_pi' ], + 'user_fields' : {'first_name':'PI', 'last_name':'PI', + 'enabled':'True', + 'email':'fake-pi1@%s'%domain, + 'password':'testpi'}, + 'roles':['pi']}, + + {'name':'pitech', 'key_names' : [ 'key_pi' ], + 'user_fields' : {'first_name':'PiTech', + 'last_name':'PiTech', + 'enabled':'true', + 'email':'fake-pi2@%s'%domain, 
+ 'password':'testusertech'}, + 'roles':['pi','tech']}, + + {'name' : 'tech', 'key_names' : [ 'key_user' ], + 'user_fields' : {'first_name':'Tech', 'last_name':'Tech', + 'enabled':'true', + 'email':'fake-tech1@%s'%domain, + 'password':'testtech'}, + 'roles':['tech']}, + + {'name':'user', 'key_names' : [ 'key_user' ], + 'user_fields' : {'first_name':'User', 'last_name':'User', + 'enabled':'true', + 'email':'fake-user1@%s'%domain, + 'password':'testuser'}, + 'roles':['user']}, + + {'name':'techuser', 'key_names' : [ 'key_user' ], + 'user_fields' : {'first_name':'UserTech', 'last_name':'UserTech', + 'enabled':'true', + 'email':'fake-tech2@%s'%domain, + 'password':'testusertech'}, + 'roles':['tech','user']}, + + ] def all_usernames (options): return [ user['name'] for user in users(options)] 
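Review bot: The `pi` entry still carries `'enabled':'True'` while every other user in the rebuilt list, including the new `admin` entry, uses `'enabled':'true'`; these are strings handed through as `user_fields`, so the casing difference reaches the API unchanged and reads as a leftover typo. Change it to `'enabled':'true'` to match the rest. `pitech` and `techuser` also share the password `'testusertech'`, which looks like a copy-paste remnant; a distinct value would matter if any test tells the two apart by credentials, which cannot be confirmed from here.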
@@ -134,10 +141,43 @@ def sites (options,index): }] ########## +# key0 -> planetlab admin # key1 -> planetlab PI # key2 -> planetlab user # key3 -> sfa PI # key4 -> sfa user +public_key0="""ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3okOugCBs2j/uur/lBdNUqWG0VdLdrELy85MR6mGOER5ijdbZekEG6KD4zzG2fwXOzdGF99HTQAOXvty02V5/sBN/GbT1Rehwh3cUvZ8i3aJIdN4ku+zbWK6CBsQ8XGXMpCImALDxcvcaoToWJbephDpkgKtcBwmowmOQswO4GTzIdT217J13Z860Jz/QJPIjloS7HpuLmKVlZ/sWCYcuKmR4X7evCXrvbHh+iamSrOHV9sQ6Sf0Wu+VJRaUN92BrxVi9zuJNWZWtWWWjLecyaooOVS0UMBZKUNbnuGXSJ8IFHfQ9wpGGsG+KohvGH4Axh3utaDOlUG641iM5GVBX planetlab-admin@test.onelab.eu +""" + +private_key0="""-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAt6JDroAgbNo/7rq/5QXTVKlhtFXS3axC8vOTEephjhEeYo3W +2XpBBuig+M8xtn8Fzs3RhffR00ADl77ctNlef7ATfxm09UXocId3FL2fIt2iSHTe +JLvs21iuggbEPFxlzKQiJgCw8XL3GqE6FiW3qYQ6ZICrXAcJqMJjkLMDuBk8yHU9 +teydd2fOtCc/0CTyI5aEux6bi5ilZWf7FgmHLipkeF+3rwl672x4fompkqzh1fbE +Okn9FrvlSUWlDfdga8VYvc7iTVmVrVlloy3nMmqKDlUtFDAWSlDW57hl0ifCBR30 +PcKRhrBviqIbxh+AMYd7rWgzpVBuuNYjORlQVwIDAQABAoIBAQCSvuT/SfyfgDme ++TXoOyOKgGFHz13XL5XAuM1Kf9a9xQhXEaoj2QKmFrisnEbJ4/AsN2W8fTH8cydr +2GZfT2Wo/HhYFZ76cocxhc+vj2jgX+UTqfDrwhGhp9isp+OhqOThCDkRzXOZP5og +eb8Fe9atbLGNJxXJUQZzCgSu2Z+bOZMhh983DNB7porEhcB21Ja86a6VzIW0ieM0 +WxeVuQfPPGH1U6wGr3rVwKF0tXQHlMg48KNmpvahwS89Ihp1VIBzSNlVXkZ9O5Fc +wmBQGNoeM32/N+8yHVYkdTHIrvi5mm52KMwhDGg0lXDjrXAIe+rCzuigv5kIsmuA +fqu6Co8hAoGBAPJF7xDGVYjOObQ/ckdpQ76ntJcNMIVa4XoL0cn9NFBhvV1ooRTn +KASHH9Wj+sWYkZDm4wmWgaIthnQb2F1Rq/8FmJaPlCVQZtLDydDI7spLF+ixVxCk +y8nhCr+cad9yPJ8ozYP2vMs9gBheDaL8LBDUdPyuC94e2TQy0fqW0rJFAoGBAMIJ +yvATDuF4Zssn4gOpRkyP9fjdrnIo5YKF9aCjv/j984XexwRqAwvSMqykmUnwF4Yg +rWjV+1Jw9lJuAIMUdiIH3fqPGBeOrpvES5Kmi1FFB5ufA1Hcpe9LNJSiuNMYemCB +rDnfoG2cW1lCwrb5y8ROOUp2OAQ5jJQyPjV08S/rAoGARZ0An1JN23xeKkOcw5Yk +iBDKHCkHCxpc9WOWCTL/KCWdcsyQlGADKKHm7M0sTkCTew5MqEGdyArKumwR1GaW +RDXIbWKeD8a1dNQbFinWKzw+h3cFbFvdzokiPIJmDXVWo+jmfIeWIdPvDZFg27cX +tlJFtyEPeehlQtFjclyJ9/0CgYEAuDht6MJfVWdnSKfj6A/1Q0lGgXGOZqo3RFWE 
+n2/4GiCY7NdWYfV4UOfO3qQjONRusRQjLy5BPsMqyZXQfKKXibWoZXMnr23yjsat +7VybVpxQHcq5byYqkGb5U8it6xUJUsiqSAPtn0NcYwGENg4xDH4r3GsiwbgVpLmS +4FPXjOMCgYA40bzt7QjKBURj3A9nMrFpbg1dQjNZv7ThnDq2KcLlQxusddSO3Tou +capLbON5tuaHbiGGVYSiUCHC6HXYWN7JGytpAjAYZhLWmK7ltNMlDQA9FX8LktPE +UToHxiKAuREDgRP9waHmk16833hNe8tDvX5P9vKWxx1AtZRuJoFozw== +-----END RSA PRIVATE KEY----- +""" + public_key1="""ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4jNj8yT9ieEc6nSJz/ESu4fui9WrJ2y/MCfqIZ5WcdVKhBFUYyIenmUaeTduMcSqvoYRQ4QnFR1BFdLG8XR9D6FWZ5zTKUgpkew22EVNeqai4IXeWYKyt1Qf3ehaz9E3o1PG/bmQNIM6aQay6TD1Y4lqXI+eTVXVQev4K2fixySjFQpp9RB4UHbeA8c28yoa/cgAYHqCqlvm9uvpGMjgm/Qa4M+ZeO7NdjowfaF/wF4BQIzVFN9YRhvQ/d8WDz84B5Pr0J7pWpaX7EyC4bvdskxl6kmdNIwIRcIe4OcuIiX5Z9oO+7h/chsEVJWF4vqNIYlL9Zvyhnr0hLLhhuk2bw== planetlab-pi@test.onelab.eu """ private_key1="""-----BEGIN RSA PRIVATE KEY----- 
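Review bot: The new key0 pair is added as inline literals with only `# key0 -> planetlab admin` to explain it, and the comment block does not say that these five pairs are fixtures whose private halves are in the repository history. Since `keys/key_admin.rsa` is what the rest of this commit uses for root ssh to nodes (TestNode, TestPlc), the definition should state that the material is public by construction; I would extend the block to `# key0..key4: test-only key pairs committed to the repo (private halves included); use them only on disposable test nodes` and map each index to its name (`key0 -> key_admin`, ...) so the list lines up with `master_key_index` later in the file.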
@@ -270,18 +310,31 @@ NhwboXV6u+hSpUHGK+MmqGgKkkZI6KRwTT+NWZY2FTX3UOl8IMymTBk= -----END RSA PRIVATE KEY----- """ +master_key_index = { + 'key_admin': {'private':private_key0, 'public':public_key0}, + 'key_pi': {'private':private_key1, 'public':public_key1}, + 'key_user': {'private':private_key2, 'public':public_key2}, + 'key_sfapi': {'private':private_key3, 'public':public_key3}, + 'key_sfauser': {'private':private_key4, 'public':public_key4}, +} -# the keys for PLC -def plc_keys (options,index): - return [ {'name': 'key1', - 'private' : private_key1, - 'key_fields' : {'key_type':'ssh', - 'key': public_key1}}, - {'name': 'key2', - 'private' : private_key2, - 'key_fields' : {'key_type':'ssh', - 'key': public_key2}} - ] +plc_key_names = [ 'key_admin', 'key_pi', 'key_tech' ] + +# expose a list of key_specs +# { 'key_name':<>, 'private':<>, 'public':<>, 'in_plc':, key_fields: , } +def keys (options,index): + result = [] + for (key_name, priv_pub) in master_key_index.items(): + private=priv_pub['private'] + public=priv_pub['public'] + result.append( { 'key_name': key_name, + 'private':private, + 'public':public, + 'in_plc': key_name in plc_key_names, + 'key_fields' : {'key_type':'ssh', + 'key': public}, + } ) + return result ############################## initscripts initscript_by_name="""#!/bin/bash @@ -418,7 +471,7 @@ def plc (options,index) : 'PLC_OMF_ENABLED' : 'true', 'PLC_OMF_XMPP_SERVER': 'deferred-myplc-hostname', 'sites' : sites(options,index), - 'keys' : plc_keys(options,index), + 'keys' : keys(options,index), 'initscripts': initscripts(options,index), 'slices' : slices(options,index), 'tcp_test' : tcp_tests(options,index), @@ -465,6 +518,7 @@ def sfa_slice_spec (options,index,rspec_style): pi_hrn=prefix+'.'+piuser mail="%s@%s"%(regularuser,domain) # passed to sfi + # -k gets computed later on from the hrn (i.e. from the '-x' key..) person_options = { '-t': 'user', '-x': user_hrn, '-e': mail, 
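Review bot: `plc_key_names = [ 'key_admin', 'key_pi', 'key_tech' ]` lists a name that `master_key_index` does not define and omits `key_user`, which the `tech`, `user` and `techuser` entries of the earlier users() hunk rely on, so `in_plc` comes out False for `key_user` and `key_tech` never matches anything; it should read `plc_key_names = [ 'key_admin', 'key_pi', 'key_user' ]`. Two smaller points: `keys()` builds its result from `master_key_index.items()`, so on this Python 2 code base the order of `plc_spec['keys']` is dictionary order rather than the fixed order the old `plc_keys` list had, which matters if anything downstream depends on position. And with the later hunk switching `'keys'` to `keys(options,index)`, the plc spec now also carries the sfa pairs, so any consumer that uploads every entry would need to filter on `in_plc`; nothing in this diff does, as far as is visible.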
@@ -489,18 +543,20 @@ def sfa_slice_spec (options,index,rspec_style): 'pimail' : pimail, 'regularuser':regularuser, 'domain':domain, - 'usernames' : [ (regularuser,'key2') ], + 'slice_key_names' : [ 'key_sfauser' ], + 'hrn_keys' : { piuser : 'key_sfapi', + regularuser : 'key_sfauser' }, 'nodenames' : all_nodenames(options,index), 'sitename' : the_login_base, 'slicename' : slicename, 'rspec_style':rspec_style, 'person_sfi_options': person_options, 'slice_sfi_options': slice_options, - # these get exported under the sfi directory - 'pi_private_key':private_key3, - 'pi_public_key':public_key3, - 'user_private_key':private_key4, - 'user_public_key':public_key4, +# # these get exported under the sfi directory +# 'pi_private_key':private_key3, +# 'pi_public_key':public_key3, +# 'user_private_key':private_key4, +# 'user_public_key':public_key4, } -- 2.43.0
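Review bot: The five `pi_private_key`/`user_private_key` entries are kept as commented-out code (`# 'pi_private_key':private_key3,` and the lines after it) although the TestSliceSfa hunk now obtains the material through `hrn_keys` and `locate_key`; drop the commented lines rather than carrying them, version control holds the old form. `'slice_key_names' : [ 'key_sfauser' ]` and the `regularuser : 'key_sfauser'` entry of `hrn_keys` state the same fact twice, so a one-line comment such as `# slice_key_names: searched by TestSliceSfa.locate_key; hrn_keys: drives the sfi key export` would help the next reader keep them in step. `sfa_slice_spec` starts outside the hunk.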