Rework cert validation
Move a generic callback to the generic function
@@ -1109,7 +1109,7 @@ async def get_nodename(cfg, handler, info):
|
||||
# chassis
|
||||
nodename = get_nodename_from_enclosures(cfg, info)
|
||||
if not nodename and handler.devname in ('SMM', 'SMM3'):
|
||||
nodename = get_nodename_from_chained_smms(cfg, handler, info)
|
||||
nodename = await get_nodename_from_chained_smms(cfg, handler, info)
|
||||
if not nodename: # as a last resort, search switches for info
|
||||
# This is the slowest potential operation, so we hope for the
|
||||
# best to occur prior to this
|
||||
@@ -1123,8 +1123,8 @@ async def get_nodename(cfg, handler, info):
|
||||
# We found an SMM, and it's in a chain per configuration
|
||||
# we need to ask the switch for the fingerprint to see
|
||||
# if we have a match or not
|
||||
newnodename, v = get_chained_smm_name(nodename, cfg,
|
||||
handler, nl)
|
||||
newnodename, v = await get_chained_smm_name(nodename, cfg,
|
||||
handler, nl)
|
||||
if newnodename:
|
||||
# while this started by switch, it was disambiguated
|
||||
info['verified'] = v
|
||||
@@ -1150,16 +1150,16 @@ async def get_nodename(cfg, handler, info):
|
||||
return nodename, maccount
|
||||
|
||||
|
||||
def get_nodename_from_chained_smms(cfg, handler, info):
|
||||
async def get_nodename_from_chained_smms(cfg, handler, info):
|
||||
nodename = None
|
||||
for fprint in get_smm_neighbor_fingerprints(
|
||||
async for fprint in get_smm_neighbor_fingerprints(
|
||||
handler.ipaddr, lambda x: True):
|
||||
if fprint in nodes_by_fprint:
|
||||
# need to chase the whole chain
|
||||
# to support either direction
|
||||
chead = get_enclosure_chain_head(nodes_by_fprint[fprint],
|
||||
cfg)
|
||||
newnodename, v = get_chained_smm_name(
|
||||
newnodename, v = await get_chained_smm_name(
|
||||
chead, cfg, handler, checkswitch=False)
|
||||
if newnodename:
|
||||
info['verified'] = v
|
||||
|
||||
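Review bot: `get_smm_neighbor_fingerprints(handler.ipaddr, lambda x: True)` passes an accept-everything callable; if that second argument is the certificate verify callback its position next to the address suggests, the neighbor query trusts any certificate the SMM presents, and the fingerprints it returns then pick `nodename` and feed `info['verified']`. Consider passing the handler's own pin instead, e.g. `handler.validate_cert`, or at least state why the query is unauthenticated: `# NOTE: SMM neighbor query accepts any cert; results are only cross-checked against nodes_by_fprint`. The body of `get_nodename_from_chained_smms` ends outside the hunk, so its return is not visible here.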
@@ -27,12 +27,6 @@ class NodeHandler(bmchandler.NodeHandler):
|
||||
devname = 'BMC'
|
||||
maxmacs = 2
|
||||
|
||||
def validate_cert(self, certificate):
|
||||
# broadly speaking, merely checks consistency moment to moment,
|
||||
# but if https_cert gets stricter, this check means something
|
||||
fprint = util.get_fingerprint(self.https_cert)
|
||||
return util.cert_matches(fprint, certificate)
|
||||
|
||||
async def get_webclient(self, user, passwd, newuser, newpass):
|
||||
wc = webclient.WebConnection(self.ipaddr, 443,
|
||||
verifycallback=self.validate_cert)
|
||||
|
||||
@@ -31,7 +31,7 @@ class NodeHandler(object):
|
||||
|
||||
def __init__(self, info, configmanager):
|
||||
self._certfailreason = None
|
||||
self._fp = None
|
||||
self._savedcert = None
|
||||
self.info = info
|
||||
self.configmanager = configmanager
|
||||
targsa = [None]
|
||||
@@ -71,10 +71,10 @@ class NodeHandler(object):
|
||||
wc = webclient.WebConnection(self._ipaddr, verifycallback=self._savecert, port=443)
|
||||
wc.connect()
|
||||
wc.close()
|
||||
if not self._fp:
|
||||
if not self._savedcert:
|
||||
return False
|
||||
# Check if certificate is self-signed by comparing issuer and subject
|
||||
cert = self._fp
|
||||
cert = self._savedcert
|
||||
certobj = x509.load_der_x509_certificate(cert)
|
||||
skid = None
|
||||
akid = None
|
||||
@@ -116,7 +116,7 @@ class NodeHandler(object):
|
||||
return macs <= self.maxmacs
|
||||
|
||||
def _savecert(self, certificate):
|
||||
self._fp = certificate
|
||||
self._savedcert = certificate
|
||||
return True
|
||||
|
||||
def get_node_credentials(self, nodename, creds, defuser, defpass):
|
||||
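Review bot: `_savecert` unconditionally overwrites `self._savedcert` and returns True, and after this commit that same attribute is the pin the generic `validate_cert` compares against, so any later capture through this callback (an earlier hunk opens `WebConnection(self._ipaddr, verifycallback=self._savecert, port=443)` unconditionally) can replace an already-pinned certificate with an unverified one. The capture role and the pin role should not share an unguarded write; at minimum store only when nothing is pinned yet, `if not self._savedcert:` followed by `self._savedcert = certificate`, or return False on a mismatch so this path cannot re-pin. The method above (`macs <= self.maxmacs`) and `get_node_credentials` below both extend outside the hunk.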
@@ -152,8 +152,8 @@ class NodeHandler(object):
|
||||
return 'unreachable'
|
||||
|
||||
async def get_https_cert(self):
|
||||
if self._fp:
|
||||
return self._fp
|
||||
if self._savedcert:
|
||||
return self._savedcert
|
||||
ip, port = await self.get_web_port_and_ip()
|
||||
wc = webclient.WebConnection(ip, verifycallback=self._savecert, port=port)
|
||||
try:
|
||||
@@ -170,7 +170,14 @@ class NodeHandler(object):
|
||||
except Exception:
|
||||
self._certfailreason = 2
|
||||
return None
|
||||
return self._fp
|
||||
return self._savedcert
|
||||
|
||||
def validate_cert(self, certificate):
|
||||
if not self._savedcert:
|
||||
self._savedcert = certificate
|
||||
return True
|
||||
fprint = util.get_fingerprint(self._savedcert)
|
||||
return util.cert_matches(fprint, certificate)
|
||||
|
||||
async def get_web_port_and_ip(self):
|
||||
if self.web_ip:
|
||||
|
||||
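Review bot: The new `validate_cert` fails open on first contact: when `self._savedcert` is empty it stores whatever certificate the peer presents and returns True, so the pin is only as strong as whoever answered first. The per-handler versions this commit removes compared against `self.https_cert`, which their comments tie to a stricter upstream check, while the generic replacement has no such precondition and will silently pin an unvetted certificate if `get_https_cert` failed earlier (its `except` path sets `_certfailreason` and leaves `_savedcert` unset). If first-seen pinning is intended, document it: `# TOFU: the first certificate seen is pinned; discovery must vet it before any trusted action`; otherwise fail closed with `return False` when nothing is saved. The tail of `get_https_cert` at the top of the hunk and `get_web_port_and_ip` at the bottom continue outside it.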
@@ -91,12 +91,6 @@ class NodeHandler(generic.NodeHandler):
|
||||
if uuid:
|
||||
self.info['uuid'] = uuid.lower()
|
||||
|
||||
def validate_cert(self, certificate):
|
||||
# broadly speaking, merely checks consistency moment to moment,
|
||||
# but if https_cert gets stricter, this check means something
|
||||
fprint = util.get_fingerprint(self.https_cert)
|
||||
return util.cert_matches(fprint, certificate)
|
||||
|
||||
async def enable_ipmi(self, wc):
|
||||
mgrinfo = await self.mgrinfo(wc)
|
||||
npu =mgrinfo.get(
|
||||
|
||||
@@ -61,14 +61,6 @@ class NodeHandler(bmchandler.NodeHandler):
|
||||
uuid = fixuuid(uuid[0])
|
||||
self.info['uuid'] = uuid
|
||||
|
||||
def _validate_cert(self, certificate):
|
||||
# Assumption is by the time we call config, that discovery core has
|
||||
# vetted self._fp. Our job here then is just to make sure that
|
||||
# the currect connection matches the previously saved cert
|
||||
if not self._fp: # circumstances are that we haven't validated yet
|
||||
self._fp = certificate
|
||||
return certificate == self._fp
|
||||
|
||||
def _webconfigrules(self, wc):
|
||||
rules = []
|
||||
for rule in self.ruleset.split(','):
|
||||
@@ -137,7 +129,7 @@ class NodeHandler(bmchandler.NodeHandler):
|
||||
|
||||
def _webconfigcreds(self, username, password):
|
||||
ip, port = self.get_web_port_and_ip()
|
||||
wc = webclient.WebConnection(ip, port, verifycallback=self._validate_cert)
|
||||
wc = webclient.WebConnection(ip, port, verifycallback=self.validate_cert)
|
||||
wc.connect()
|
||||
authdata = { # start by trying factory defaults
|
||||
'user': 'USERID',
|
||||
|
||||
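Review bot: Switching `_webconfigcreds` to the inherited `validate_cert` drops the precondition the removed `_validate_cert` spelled out (that discovery core has already vetted the saved certificate), and the inherited callback pins the first certificate seen when `self._savedcert` is empty, so in that state this connection would trust an unvetted peer. Keep the contract visible at the call site, `# relies on discovery having vetted self._savedcert; validate_cert pins first-seen otherwise`, or guard it with `if not self._savedcert:` and the handler's usual failure path before `wc.connect()`. Separately, `ip, port = self.get_web_port_and_ip()` is not awaited here while the generic class's `get_web_port_and_ip` elsewhere in this commit is `async def`; if this handler inherits that definition the unpack would fail, which is worth confirming. The body of `_webconfigcreds` continues past the hunk.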
@@ -49,12 +49,6 @@ class NodeHandler(generic.NodeHandler):
|
||||
if uuid:
|
||||
self.info['uuid'] = uuid.lower()
|
||||
|
||||
def validate_cert(self, certificate):
|
||||
# broadly speaking, merely checks consistency moment to moment,
|
||||
# but if https_cert gets stricter, this check means something
|
||||
fprint = util.get_fingerprint(self.https_cert)
|
||||
return util.cert_matches(fprint, certificate)
|
||||
|
||||
async def _get_wc(self):
|
||||
authdata = { # start by trying factory defaults
|
||||
'username': self.DEFAULT_USER,
|
||||
|
||||
@@ -193,12 +193,6 @@ class NodeHandler(immhandler.NodeHandler):
|
||||
#if ipmicmd:
|
||||
# ipmicmd.ipmi_session.logout()
|
||||
|
||||
def validate_cert(self, certificate):
|
||||
# broadly speaking, merely checks consistency moment to moment,
|
||||
# but if https_cert gets stricter, this check means something
|
||||
fprint = util.get_fingerprint(self.https_cert)
|
||||
return util.cert_matches(fprint, certificate)
|
||||
|
||||
async def get_webclient(self, username, password, newpassword):
|
||||
wc = self._wc.dupe()
|
||||
pwdchanged = False
|
||||
|
||||
@@ -72,9 +72,7 @@ class NodeHandler(redfishbmc.NodeHandler):
|
||||
if slot != 0:
|
||||
self.info['enclosure.bay'] = slot
|
||||
|
||||
def validate_cert(self, certificate):
|
||||
fprint = util.get_fingerprint(self.https_cert)
|
||||
return util.cert_matches(fprint, certificate)
|
||||
|
||||
|
||||
|
||||
def remote_nodecfg(nodename, cfm):
|
||||
|
||||