diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index acddbf2f..8ddb80c1 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -412,6 +412,10 @@ def resourcehandler_backend(env, start_response):
 ('X-Permitted-Cross-Domain-Policies', 'none')]
 reqbody = None
 reqtype = None
+ if env.get('PATH_INFO', '').startswith('/self/'):
+ for res in selfservice.handle_request(env, start_response):
+ yield res
+ return
 if 'CONTENT_LENGTH' in env and int(env['CONTENT_LENGTH']) > 0:
 reqbody = env['wsgi.input'].read(int(env['CONTENT_LENGTH']))
 reqtype = env['CONTENT_TYPE']
@@ -420,10 +424,6 @@ def resourcehandler_backend(env, start_response):
 if operation != 'retrieve' and 'restexplorerop' in querydict:
 operation = querydict['restexplorerop']
 del querydict['restexplorerop']
- if env.get('PATH_INFO', '').startswith('/self/'):
- for res in selfservice.handle_request(env, operation, start_response):
- yield res
- return
 authorized = _authorize_request(env, operation)
 if 'logout' in authorized:
 start_response('200 Successful logout', headers)
diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index 9d75afc0..218de874 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -1,5 +1,6 @@
 import confluent.config.configmanager as configmanager
 import confluent.netutil as netutil
+import confluent.sshutil as sshutil
 import crypt
 import json
 import yaml
@@ -9,7 +10,7 @@ def yamldump(input):
 return yaml.safe_dump(input, default_flow_style=False)
-def handle_request(env, operation, start_response):
+def handle_request(env, start_response):
 nodename = env.get('HTTP_CONFLUENT_NODENAME', None)
 apikey = env.get('HTTP_CONFLUENT_APIKEY', None)
 if not (nodename and apikey):
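Review bot: The moved `/self/` branch now returns before `_authorize_request` runs and before the body is read, so the only gate on these routes is whatever selfservice.handle_request does with the `HTTP_CONFLUENT_NODENAME`/`HTTP_CONFLUENT_APIKEY` headers (the check of those values is below the visible lines); that is a deliberate bypass and deserves a comment at the dispatch site, e.g. `# /self/ is node self-service: authenticated by nodename/apikey inside selfservice, not by _authorize_request, and it reads its own request body`. The `headers` list assembled just above this hunk (ending with `X-Permitted-Cross-Domain-Policies: none`) is not handed to selfservice, whose responses carry only a Content-Type, so if those hardening headers are meant to apply to every response, pass `headers` into `handle_request` and have it extend them rather than build its own tuples. resourcehandler_backend begins before and continues after this hunk.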
@@ -39,6 +40,8 @@ def handle_request(env, operation, start_response):
 start_response('406 Not supported', [])
 yield 'Unsupported content type in ACCEPT: ' + retype
 return
+ if 'CONTENT_LENGTH' in env and int(env['CONTENT_LENGTH']) > 0:
+ reqbody = env['wsgi.input'].read(int(env['CONTENT_LENGTH']))
 if env['PATH_INFO'] == '/self/deploycfg':
 myip = env.get('HTTP_X_FORWARDED_HOST', None)
 myip = myip.replace('[', '').replace(']', '')
@@ -58,6 +61,14 @@ def handle_request(env, operation, start_response):
 ncfg['protocol'] = 'https'
 start_response('200 OK', (('Content-Type', retype),))
 yield dumper(ncfg)
+ elif env['PATH_INFO'] == '/self/sshcert':
+ if not sshutil.ca_exists():
+ start_response('500 Unconfigured', ())
+ yield 'CA is not configured on this system (run ...)'
+ return
+ cert = sshutil.sign_host_key(reqbody, nodename)
+ start_response('200 OK', (('Content-Type', 'text/plain'),))
+ yield cert
 else:
 start_response('404 Not Found', ())
 yield 'Not found'
\ No newline at end of file
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index aa949e31..808b6c4e 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@@ -40,7 +40,7 @@ def sign_host_key(pubkey, nodename):
 tmpdir = tempfile.mkdtemp()
 try:
 pkeyname = os.path.join(tmpdir, 'hostkey.pub')
- with open(pkeyname, 'w') as pubfile:
+ with open(pkeyname, 'wb') as pubfile:
 pubfile.write(pubkey)
 subprocess.check_call(
 ['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,
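Review bot: `reqbody` is bound only when CONTENT_LENGTH is present and positive, yet the `/self/sshcert` branch added in the next hunk calls `sshutil.sign_host_key(reqbody, nodename)` unconditionally, so a request with no body raises NameError (an unhandled 500) instead of a 400. The read is also unbounded — a node that passes the header check can push an arbitrarily large body straight into memory — and `int(env['CONTENT_LENGTH'])` raises ValueError on a malformed header; a host public key is a few hundred bytes, so bind `reqbody = None` first, cap the length, and reject anything else before reading. handle_request begins before this hunk.
```python
reqbody = None
try:
    reqlen = int(env.get('CONTENT_LENGTH') or 0)
except ValueError:
    reqlen = -1
if reqlen < 0:
    start_response('400 Bad Request', ())
    yield 'Malformed Content-Length'
    return
if reqlen > 65536:  # an OpenSSH host public key is far smaller than this
    start_response('413 Request Entity Too Large', ())
    yield 'Request body too large'
    return
if reqlen:
    reqbody = env['wsgi.input'].read(reqlen)
# … unchanged: /self/deploycfg branch …
```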
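Review bot: The new `/self/sshcert` branch never checks that it actually received a key or that the request method carries one: a GET or empty POST reaches `sshutil.sign_host_key` with `reqbody` unbound, and a body that is not a public key makes `ssh-keygen` fail inside `subprocess.check_call`, which surfaces as an unhandled CalledProcessError rather than a client error. Guard the body and translate the signing failure into a 400; selfservice.py does not currently import subprocess, so either add that import or have sshutil raise its own exception for the endpoint to catch. The `'CA is not configured on this system (run ...)'` message is still a placeholder — name the actual setup command or drop the parenthetical before this ships. handle_request begins before this hunk.
```python
elif env['PATH_INFO'] == '/self/sshcert':
    if not sshutil.ca_exists():
        start_response('500 Unconfigured', ())
        yield 'CA is not configured on this system'
        return
    if not reqbody:
        start_response('400 Bad Request', ())
        yield 'Request body must contain the host public key to sign'
        return
    try:
        cert = sshutil.sign_host_key(reqbody, nodename)
    except subprocess.CalledProcessError:
        start_response('400 Bad Request', ())
        yield 'Supplied key could not be signed'
        return
    start_response('200 OK', (('Content-Type', 'text/plain'),))
    yield cert
```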
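Review bot: The visible ssh-keygen invocation stops at `'-I', nodename,` and sign_host_key continues past the hunk, so I cannot see whether the remaining arguments include `-h` and `-n <nodename>`; please confirm they do, because an OpenSSH certificate issued without principals is accepted for any host, which would turn this per-node self-service call into a CA-wide host certificate. Switching to `'wb'` means `pubkey` must now be bytes — consistent with what `wsgi.input.read()` returns in the caller, but any other caller still passing str will now get a TypeError — so pin it in a docstring, e.g. `"""Sign *pubkey* (bytes, one OpenSSH public-key line) as a host key for *nodename* and return the certificate text."""`. Also worth confirming that the `try` opened here is closed by a `finally` that removes tmpdir (including the `hostkey-cert.pub` ssh-keygen writes next to the input file), since that cleanup is outside the hunk.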