reviewed the ssh keys system
Thierry Parmentelat [Wed, 30 May 2012 13:56:47 +0000 (15:56 +0200)]
use 5 different keys for pladmins, plpis, plusers, sfapis and sfausers
this is a fairly intrusive change, so it is probably not quite thorough yet

system/TestKey.py
system/TestNode.py
system/TestPlc.py
system/TestSlice.py
system/TestSliceSfa.py
system/TestUser.py
system/config_default.py

index 7fb508a..4ff08ff 100644 (file)
@@ -13,7 +13,7 @@ class TestKey:
         self.test_ssh=TestSsh(self.test_plc.test_ssh)
         
     def name(self):
-        return self.key_spec['name']
+        return self.key_spec['key_name']
 
     def publicpath(self):
         return "keys/%s.pub"%(self.name())
index ceae771..e4cc1d4 100644 (file)
@@ -268,7 +268,7 @@ class TestNode:
 ###        # assuming we've run testplc.fetch_keys()
 ###        key = "keys/%(vservername)s.rsa"%locals()
         # fetch_keys doesn't grab the root key anymore
-        key = "keys/key1.rsa"
+        key = "keys/key_admin.rsa"
         return TestSsh(self.name(), buildname=self.buildname(), key=key)
 
     def check_hooks (self):
index aced650..c6658a1 100644 (file)
@@ -263,11 +263,11 @@ class TestPlc:
                     return (site,node)
         raise Exception,"Cannot locate hostname %s"%hostname
         
-    def locate_key (self,keyname):
+    def locate_key (self,key_name):
         for key in self.plc_spec['keys']:
-            if key['name'] == keyname:
+            if key['key_name'] == key_name:
                 return key
-        raise Exception,"Cannot locate key %s"%keyname
+        raise Exception,"Cannot locate key %s"%key_name
 
     def locate_slice (self, slicename):
         for slice in self.plc_spec['slices']:
@@ -446,7 +446,7 @@ class TestPlc:
         print '+ ======== initscript',initscript['initscript_fields']['name']
 
     def display_key_spec (self,key):
-        print '+ ======== key',key['name']
+        print '+ ======== key',key['key_name']
 
     def display_slice_spec (self,slice):
         print '+ ======== slice',slice['slice_fields']['name']
@@ -954,7 +954,7 @@ class TestPlc:
             local_key = "keys/%(vservername)s-debug.rsa"%locals()
         else: 
             message="boot"
-           local_key = "keys/key1.rsa"
+           local_key = "keys/key_admin.rsa"
         node_infos = self.all_node_infos()
         utils.header("checking ssh access (expected in %s mode) to nodes:"%message)
         for (nodename,qemuname) in node_infos:
@@ -1534,7 +1534,7 @@ class TestPlc:
             test_site = TestSite (self,site_spec)
             for node_spec in site_spec['nodes']:
                 test_node=TestNode(self,test_site,node_spec)
-                test_ssh = TestSsh (test_node.name(),key="keys/key1.rsa")
+                test_ssh = TestSsh (test_node.name(),key="keys/key_admin.rsa")
                 command = test_ssh.actual_command("tar -C /var/log -cf - .")
                 command = command + "| tar -C logs/node.var-log.%s -xf -"%test_node.name()
                 utils.system("mkdir -p logs/node.var-log.%s"%test_node.name())
index 27d2901..4377e66 100644 (file)
@@ -74,9 +74,9 @@ class TestSlice:
         
     # trash the slice altogether
     def delete_slice(self):
-        utils.header("Deleting slice %s"%slice_name)
         auth = self.owner_auth()
         slice_name = self.slice_name()
+        utils.header("Deleting slice %s"%slice_name)
         self.test_plc.apiserver.DeleteSlice(auth,slice_name)
 
     # keep the slice alive and just delete nodes
@@ -95,12 +95,11 @@ class TestSlice:
         found=False
         for username in self.slice_spec['usernames']:
             user_spec=self.test_site.locate_user(username)
-            for keyname in user_spec['keynames']:
-                key_spec=self.test_plc.locate_key(keyname)
+            for key_name in user_spec['key_names']:
+                key_spec=self.test_plc.locate_key(key_name)
                 test_key=TestKey(self.test_plc,key_spec)
                 publickey=test_key.publicpath()
                 privatekey=test_key.privatepath()
-                keyname=test_key.name()
                 if os.path.isfile(publickey) and os.path.isfile(privatekey):
                     found=True
         return (found,privatekey)
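Review bot: The `privatekey` returned on the last line is whichever key the loop examined last, not the one that set `found`, so a user with several `key_names` where an existing pair is followed by a missing one yields `(True, <nonexistent path>)`, and with no keys at all the name is unbound at the `return`. Returning as soon as a pair exists fixes both: replace `found=True` with `return (True, privatekey)` and finish the function with `return (False, None)`, after which the `found=False` initialisation is no longer needed. The enclosing method's signature lies outside the hunk, so the exact contract expected by callers should be confirmed there.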
@@ -159,7 +158,7 @@ class TestSlice:
                     # nm restart after first failure, if requested 
                     if options.forcenm and hostname not in restarted:
                         utils.header ("forcenm option : restarting nm on %s"%hostname)
-                        restart_test_ssh=TestSsh(hostname,key="keys/key1.rsa")
+                        restart_test_ssh=TestSsh(hostname,key="keys/key_admin.rsa")
                         access=restart_test_ssh.actual_command('service nm restart')
                         if (access==0):
                             utils.header('nm restarted on %s'%hostname)
index bcbaf0d..1ddc174 100644 (file)
@@ -60,13 +60,13 @@ class TestSliceSfa:
         return "/root/sfi/%s%s"%(self.slicename,self.rspec_style())
 
     def locate_key(self):
-        for username,keyname in self.sfa_slice_spec['usernames']:
-                key_spec=self.test_plc.locate_key(keyname)
-                test_key=TestKey(self.test_plc,key_spec)
-                publickey=test_key.publicpath()
-                privatekey=test_key.privatepath()
-                if os.path.isfile(publickey) and os.path.isfile(privatekey):
-                    found=True
+        for key_name in self.sfa_slice_spec['slice_key_names']:
+            key_spec=self.test_plc.locate_key(key_name)
+            test_key=TestKey(self.test_plc,key_spec)
+            publickey=test_key.publicpath()
+            privatekey=test_key.privatepath()
+            if os.path.isfile(publickey) and os.path.isfile(privatekey):
+                found=True
         return (found,privatekey)
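Review bot: In `locate_key`, `found` is only assigned inside the `if` on the success path, so when no key pair exists on disk the final `return (found,privatekey)` raises UnboundLocalError instead of reporting a missing key, and `privatekey` is likewise unbound when `slice_key_names` is empty. Either initialise both before the loop, `found=False` and `privatekey=None`, or return early with `return (True, privatekey)` inside the `if` and `return (False, None)` after the loop. TestSlice has the same shape in this commit, so callers presumably expect a `(bool, path)` tuple — worth confirming rather than assuming.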
 
     # dir_name is local and will be pushed later on by TestPlc
@@ -78,17 +78,15 @@ class TestSliceSfa:
         sfa_slice_spec=self.sfa_slice_spec
         keys=plc_spec['keys']
         # fetch keys in config spec and expose to sfi
-        for (key_key,name) in [ ('pi_private_key',     self.piuser+'.pkey'),
-                                ('pi_public_key',      self.piuser+'.pub'),
-                                ('user_private_key',   self.regularuser+'.pkey'),
-                                ('user_public_key',    self.regularuser+'.pub'),
-                                ]:
-            file_name=os.path.join(dir_name,self.qualified_hrn(name))
-            fileconf=open(file_name,'w')
-            contents=self.sfa_slice_spec[key_key]
-            fileconf.write (contents)
-            fileconf.close()
-            utils.header ("(Over)wrote %s"%file_name)
+        for (hrn_leaf,key_name) in sfa_slice_spec['hrn_keys'].items():
+            key_spec = self.test_plc.locate_key (key_name)
+            for (kind,ext) in [ ('private', 'pkey'), ('public', 'pub') ] :
+                contents=key_spec[kind]
+                file_name=os.path.join(dir_name,self.qualified_hrn(hrn_leaf))+"."+ext
+                fileconf=open(file_name,'w')
+                fileconf.write (contents)
+                fileconf.close()
+                utils.header ("(Over)wrote %s"%file_name)
         #
        file_name=dir_name + os.sep + 'sfi_config'
         fileconf=open(file_name,'w')
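Review bot: The private key material from `key_spec['private']` is written with a plain `open(file_name,'w')`, so the `.pkey` file is created with whatever the process umask allows (commonly 0644) and is readable by every local user, and tools that check private-key modes may refuse it. Create it with a restrictive mode instead of relying on the umask: replace the `open` with `fd = os.open(file_name, os.O_WRONLY|os.O_CREAT|os.O_TRUNC, 0600 if kind == 'private' else 0644)` followed by `fileconf = os.fdopen(fd, 'w')` (`os` is already imported in this module). Whether the mode survives the later push to the PLC mentioned in the comment above `dir_name` is not visible in this diff.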
@@ -253,7 +251,7 @@ class TestSliceSfa:
                     # nm restart after first failure, if requested 
                     if options.forcenm and hostname not in restarted:
                         utils.header ("forcenm option : restarting nm on %s"%hostname)
-                        restart_test_ssh=TestSsh(hostname,key="keys/key1.rsa")
+                        restart_test_ssh=TestSsh(hostname,key="keys/key_admin.rsa")
                         access=restart_test_ssh.actual_command('service nm restart')
                         if (access==0):
                             utils.header('nm restarted on %s'%hostname)
index 23f01a4..12728ee 100644 (file)
@@ -43,10 +43,7 @@ class TestUser:
 
     def add_keys (self):
         user_spec=self.user_spec
-        for keyname in user_spec['keynames']:
-            key=self.test_plc.locate_key(keyname)
+        for key_name in user_spec['key_names']:
+            key_spec=self.test_plc.locate_key(key_name)
             auth=self.auth()
-            self.test_plc.apiserver.AddPersonKey(auth,self.name(), key['key_fields'])
-            
-
-        
+            self.test_plc.apiserver.AddPersonKey(auth,self.name(), key_spec['key_fields'])
index d89dc6b..c4ededc 100644 (file)
@@ -69,45 +69,52 @@ def all_nodenames (options,index):
     return [ node['name'] for node in nodes(options,index)]
 
 def users (options) :
-    return [ {'name' : 'pi', 'keynames' : [ 'key1' ],
-              'user_fields' : {'first_name':'PI', 'last_name':'PI',
-                               'enabled':'True',
-                               'email':'fake-pi1@%s'%domain,
-                               'password':'testpi'},
-              'roles':['pi']},
-             {'name' : 'tech', 'keynames' : [ 'key1' ],
-              'user_fields' : {'first_name':'Tech', 'last_name':'Tech',
-                               'enabled':'true',
-                               'email':'fake-tech1@%s'%domain,
-                               'password':'testtech'},
-              'roles':['tech']},
-             {'name':'user', 'keynames' : [ 'key1' ],
-              'user_fields' : {'first_name':'User', 'last_name':'User',
-                               'enabled':'true',
-                               'email':'fake-user1@%s'%domain,
-                               'password':'testuser'},
-              'roles':['user']},
-             {'name':'techuser', 'keynames' : [ 'key1' ],
-              'user_fields' : {'first_name':'UserTech', 'last_name':'UserTech',
-                               'enabled':'true',
-                               'email':'fake-tech2@%s'%domain,
-                               'password':'testusertech'},
-              'roles':['tech','user']},
-             {'name':'pitech', 'keynames' : [ 'key1' ],
-              'user_fields' : {'first_name':'PiTech',
-                               'last_name':'PiTech',
-                               'enabled':'true',
-                               'email':'fake-pi2@%s'%domain,
-                               'password':'testusertech'},
-              'roles':['pi','tech']},
-             {'name':'admin', 'keynames' : [ 'key1' ],
-              'user_fields' : {'first_name':'Admin',
-                               'last_name':'Admin',
-                               'enabled':'true',
-                               'email':'admin@%s'%domain,
-                               'password':'testuseradmin'},
-              'roles':['admin']},
-             ]
+    return [ 
+        {'name':'admin', 'key_names' : [ 'key_admin' ],
+         'user_fields' : {'first_name':'Admin',
+                          'last_name':'Admin',
+                          'enabled':'true',
+                          'email':'admin@%s'%domain,
+                          'password':'testuseradmin'},
+         'roles':['admin']},
+
+        {'name' : 'pi', 'key_names' : [ 'key_pi' ],
+         'user_fields' : {'first_name':'PI', 'last_name':'PI',
+                          'enabled':'True',
+                          'email':'fake-pi1@%s'%domain,
+                          'password':'testpi'},
+         'roles':['pi']},
+
+        {'name':'pitech', 'key_names' : [ 'key_pi' ],
+         'user_fields' : {'first_name':'PiTech',
+                          'last_name':'PiTech',
+                          'enabled':'true',
+                          'email':'fake-pi2@%s'%domain,
+                          'password':'testusertech'},
+         'roles':['pi','tech']},
+
+        {'name' : 'tech', 'key_names' : [ 'key_user' ],
+         'user_fields' : {'first_name':'Tech', 'last_name':'Tech',
+                          'enabled':'true',
+                          'email':'fake-tech1@%s'%domain,
+                          'password':'testtech'},
+         'roles':['tech']},
+
+        {'name':'user', 'key_names' : [ 'key_user' ],
+         'user_fields' : {'first_name':'User', 'last_name':'User',
+                          'enabled':'true',
+                          'email':'fake-user1@%s'%domain,
+                          'password':'testuser'},
+         'roles':['user']},
+
+        {'name':'techuser', 'key_names' : [ 'key_user' ],
+         'user_fields' : {'first_name':'UserTech', 'last_name':'UserTech',
+                          'enabled':'true',
+                          'email':'fake-tech2@%s'%domain,
+                          'password':'testusertech'},
+         'roles':['tech','user']},
+
+        ]
 
 def all_usernames (options):
     return [ user['name'] for user in users(options)]
@@ -134,10 +141,43 @@ def sites (options,index):
             }]
 
 ##########
+# key0 -> planetlab admin
 # key1 -> planetlab PI
 # key2 -> planetlab user
 # key3 -> sfa PI
 # key4 -> sfa user
+public_key0="""ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3okOugCBs2j/uur/lBdNUqWG0VdLdrELy85MR6mGOER5ijdbZekEG6KD4zzG2fwXOzdGF99HTQAOXvty02V5/sBN/GbT1Rehwh3cUvZ8i3aJIdN4ku+zbWK6CBsQ8XGXMpCImALDxcvcaoToWJbephDpkgKtcBwmowmOQswO4GTzIdT217J13Z860Jz/QJPIjloS7HpuLmKVlZ/sWCYcuKmR4X7evCXrvbHh+iamSrOHV9sQ6Sf0Wu+VJRaUN92BrxVi9zuJNWZWtWWWjLecyaooOVS0UMBZKUNbnuGXSJ8IFHfQ9wpGGsG+KohvGH4Axh3utaDOlUG641iM5GVBX planetlab-admin@test.onelab.eu
+"""
+
+private_key0="""-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+"""
+
 public_key1="""ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4jNj8yT9ieEc6nSJz/ESu4fui9WrJ2y/MCfqIZ5WcdVKhBFUYyIenmUaeTduMcSqvoYRQ4QnFR1BFdLG8XR9D6FWZ5zTKUgpkew22EVNeqai4IXeWYKyt1Qf3ehaz9E3o1PG/bmQNIM6aQay6TD1Y4lqXI+eTVXVQev4K2fixySjFQpp9RB4UHbeA8c28yoa/cgAYHqCqlvm9uvpGMjgm/Qa4M+ZeO7NdjowfaF/wF4BQIzVFN9YRhvQ/d8WDz84B5Pr0J7pWpaX7EyC4bvdskxl6kmdNIwIRcIe4OcuIiX5Z9oO+7h/chsEVJWF4vqNIYlL9Zvyhnr0hLLhhuk2bw== planetlab-pi@test.onelab.eu
 """
 private_key1="""-----BEGIN RSA PRIVATE KEY-----
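Review bot: `private_key0` is the key that TestNode and TestPlc use for root ssh access to the nodes as `keys/key_admin.rsa`, and it is committed to the repository next to its public half, so it must be treated as public knowledge. That is already the convention for key1–key4, but the admin key warrants an explicit warning at the top of this block, e.g. `# WARNING: every key pair below is committed to the repo and therefore public; use only on throwaway test deployments, never on a host reachable from elsewhere`. The `key0 -> planetlab admin` comments also keep the old numbered names while the code now refers to `key_admin`/`key_pi`/..., so listing the `key_*` names here would avoid confusion.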
@@ -270,18 +310,31 @@ NhwboXV6u+hSpUHGK+MmqGgKkkZI6KRwTT+NWZY2FTX3UOl8IMymTBk=
 -----END RSA PRIVATE KEY-----
 """
 
+master_key_index = {
+    'key_admin':    {'private':private_key0, 'public':public_key0},
+    'key_pi':       {'private':private_key1, 'public':public_key1},
+    'key_user':     {'private':private_key2, 'public':public_key2},
+    'key_sfapi':    {'private':private_key3, 'public':public_key3},
+    'key_sfauser':  {'private':private_key4, 'public':public_key4},
+}
 
-# the keys for PLC
-def plc_keys (options,index):
-    return [ {'name': 'key1',
-              'private' : private_key1,
-              'key_fields' : {'key_type':'ssh',
-                              'key': public_key1}},
-             {'name': 'key2',
-              'private' : private_key2,
-              'key_fields' : {'key_type':'ssh',
-                              'key': public_key2}}
-             ]
+plc_key_names = [ 'key_admin', 'key_pi', 'key_tech' ]
+
+# expose a list of key_specs
+#  { 'key_name':<>, 'private':<>, 'public':<>, 'in_plc':<bool>, key_fields: <for AddKey>, }
+def keys (options,index):
+    result = []
+    for (key_name, priv_pub) in master_key_index.items():
+        private=priv_pub['private']
+        public=priv_pub['public']
+        result.append( { 'key_name': key_name,
+                         'private':private,
+                         'public':public,
+                         'in_plc': key_name in plc_key_names,
+                         'key_fields' : {'key_type':'ssh',
+                                         'key': public},
+                         } )
+    return result
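Review bot: `plc_key_names` lists `'key_tech'`, which is not a key in `master_key_index`, while `'key_user'` — which `users()` in this same file assigns to the tech, user and techuser accounts — is missing, so `in_plc` is False for the only user-level key actually handed to the PLC and the `'key_tech'` entry is dead. The intended list is presumably `plc_key_names = [ 'key_admin', 'key_pi', 'key_user' ]`. How `in_plc` is consumed is not visible in this diff, so the practical effect of the mismatch should be checked against the caller.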
 
 ############################## initscripts
 initscript_by_name="""#!/bin/bash
@@ -418,7 +471,7 @@ def plc (options,index) :
         'PLC_OMF_ENABLED' : 'true',
         'PLC_OMF_XMPP_SERVER': 'deferred-myplc-hostname',
         'sites' : sites(options,index),
-        'keys' : plc_keys(options,index),
+        'keys' : keys(options,index),
         'initscripts': initscripts(options,index),
         'slices' : slices(options,index),
         'tcp_test' : tcp_tests(options,index),
@@ -465,6 +518,7 @@ def sfa_slice_spec (options,index,rspec_style):
     pi_hrn=prefix+'.'+piuser
     mail="%s@%s"%(regularuser,domain)
     # passed to sfi
+    # -k gets computed later on from the hrn (i.e. from the '-x' key..)
     person_options = { '-t': 'user',
                        '-x': user_hrn,
                        '-e': mail,
@@ -489,18 +543,20 @@ def sfa_slice_spec (options,index,rspec_style):
              'pimail' : pimail,
              'regularuser':regularuser,
              'domain':domain,
-             'usernames' : [ (regularuser,'key2') ],
+             'slice_key_names' : [ 'key_sfauser' ],
+             'hrn_keys' : { piuser : 'key_sfapi',
+                            regularuser : 'key_sfauser' },
              'nodenames' : all_nodenames(options,index),
              'sitename' : the_login_base,
              'slicename' : slicename,
              'rspec_style':rspec_style,
              'person_sfi_options': person_options,
              'slice_sfi_options': slice_options,
-             # these get exported under the sfi directory
-             'pi_private_key':private_key3,
-             'pi_public_key':public_key3,
-             'user_private_key':private_key4,
-             'user_public_key':public_key4,
+#             # these get exported under the sfi directory
+#             'pi_private_key':private_key3,
+#             'pi_public_key':public_key3,
+#             'user_private_key':private_key4,
+#             'user_public_key':public_key4,
              }
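Review bot: The commented-out `pi_private_key`/`user_private_key` entries at the end of the dict are dead code now that `hrn_keys` names the keys and TestSliceSfa reads them through `locate_key`; leaving them in invites re-enabling a path that copies raw key material into the spec. Delete the lines from `#             # these get exported under the sfi directory` through `#             'user_public_key':public_key4,`. The enclosing `sfa_slice_spec` function starts outside the hunk.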