#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2012 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
use File::Temp qw(tempfile);
use Getopt::Std;

#
# Initialize this Emulab installation to act as a ProtoGENI site.  Whether
# the site is a clearinghouse is decided at configure time (see $asch
# below); the script itself accepts no options.
#
sub usage()
{
    print STDOUT "Usage: initpgenisite\n";
    exit 1;
}
my $optlist = "";
# Whether this site is a clearinghouse is fixed at configure time.
my $asch    = @PROTOGENI_ISCLEARINGHOUSE@;
# Flag form of the same setting; not referenced elsewhere in this script.
my $cflag   = $asch ? "-c" : "";

#
# Configure variables.
#
my $TB                   = "@prefix@";
my $TBOPS                = "@TBOPSEMAIL@";
my $TBLOGS               = "@TBLOGSEMAIL@";
my $OURDOMAIN            = "@OURDOMAIN@";
my $PGENIDOMAIN          = "@PROTOGENI_DOMAIN@";
my $PGENISUPPORT         = @PROTOGENI_SUPPORT@;
my $PROTOGENI_RPCNAME    = "@PROTOGENI_RPCNAME@";
my $PROTOGENI_RPCPORT    = "@PROTOGENI_RPCPORT@";
my $OUTERBOSS_XMLRPCPORT = "@OUTERBOSS_XMLRPCPORT@";
my $PROTOGENI_WEBSITE    = "@PROTOGENI_WEBSITE@";
my $PROTOGENI_GENIRACK   = @PROTOGENI_GENIRACK@;
my $PROTOGENI_URL        = "@PROTOGENI_URL@";

#
# Identities used below: the user/project that own slices, and the account
# the testbed tools are run as (via sudo).
#
my $geniuserid = "geniuser";
my $geniprojid = "GeniSlices";
my $PROTOUSER  = "elabman";

#
# Testbed tools, relative to the install prefix.
#
my $NEWUSER       = $TB . "/sbin/newuser";
my $NEWPROJ       = $TB . "/sbin/newproj";
my $MKPROJ        = $TB . "/sbin/mkproj";
my $TBACCT        = $TB . "/sbin/tbacct";
my $ADDAUTHORITY  = $TB . "/sbin/protogeni/addauthority";
my $GETCACERTS    = $TB . "/sbin/protogeni/getcacerts";
my $POSTCRL       = $TB . "/sbin/protogeni/postcrl";
my $GENCRL        = $TB . "/sbin/protogeni/gencrl";
my $GENCRLBUNDLE  = $TB . "/sbin/protogeni/gencrlbundle";
my $INITCERTS     = $TB . "/sbin/protogeni/initcerts";
my $REGISTERCERTS = $TB . "/sbin/protogeni/reregister";
my $MKSYSCERT     = $TB . "/sbin/mksyscert";
my $MKUSERCERT    = $TB . "/sbin/mkusercert";
my $BATCHEXP      = $TB . "/bin/batchexp";
my $WAP           = $TB . "/sbin/withadminprivs";

#
# Certificates under the install prefix.
#
my $SACERT  = $TB . "/etc/genisa.pem";
my $CMCERT  = $TB . "/etc/genicm.pem";
my $CHCERT  = $TB . "/etc/genich.pem";
my $SESCERT = $TB . "/etc/genises.pem";
my $RPCCERT = $TB . "/etc/genirpc.pem";

#
# System binaries, by absolute path (PATH is pinned further down anyway).
#
my $SUDO       = "/usr/local/bin/sudo";
my $MYSQL      = "/usr/local/bin/mysql";
my $MYSQLADMIN = "/usr/local/bin/mysqladmin";
my $MYSQLSHOW  = "/usr/local/bin/mysqlshow";
my $MYSQLDUMP  = "/usr/local/bin/mysqldump";
my $PKG_INFO   = "/usr/sbin/pkg_info";
my $FETCH      = "/usr/bin/fetch";
my $OPENSSL    = "/usr/bin/openssl";

#
# Apache.  $APACHE_FLAGS is the name of the rc.conf variable the flags
# are appended to; the version test is a numeric comparison.
#
my $APACHE_START = "@APACHE_START_COMMAND@";
my $APACHE_CONF  = "@INSTALL_APACHE_CONFIG@/httpd.conf";
my $APACHE_FLAGS;
if ("@APACHE_VERSION@" == "22") {
    $APACHE_FLAGS = "apache22_flags";
}
else {
    $APACHE_FLAGS = "apache_flags";
}

# Untaint PATH and drop the environment variables a shell would honour.
$ENV{PATH} = join(":", qw(/bin /usr/bin /usr/local/bin /usr/site/bin));
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Prototypes; fatal() is defined at the end of the file.
sub fatal($);

#
# Turn off line buffering on output ($OUTPUT_AUTOFLUSH is $| via English).
#
$OUTPUT_AUTOFLUSH = 1;

# Load the Testbed support stuff.
use lib "@prefix@/lib";
use libtestbed;
use emdb;
use libdb qw(TBSetSiteVar TBOPSPID DBQueryFatal);
use emutil qw(TBGetUniqueIndex);
use User;
use Project;
use Experiment;
use OSinfo;
use libinstall;
use installvars;

# Everything below writes under $TB and /etc, so insist on root.
fatal("Must be root to run this script\n")
    unless $UID == 0;

#
# Parse the command line.  $optlist is empty, so any option is a usage error.
#
my %options = ();
getopts($optlist, \%options) or usage();

#
# Refuse to run with the placeholder domain; people seem to miss this.
#
if ($PGENIDOMAIN =~ m{\A unknown}ix) {
    print {*STDERR} "Please define PROTOGENI_DOMAIN in your defs file!\n",
                    "Then reconfig,rebuild,reinstall, then try this again.\n";
    exit 1;
}

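#
# Check for (and update) an old (pre-URN) root certificate.
#
# The pipeline's exit status is grep's: zero when the certificate already
# carries a URN subjectAltName, non-zero when it does not.
#
system( "$OPENSSL x509 -text -noout < $TB/etc/emulab.pem | " .
	"grep -q -i URI:urn:publicid:IDN" );
if( $? == -1 ) {
    die( "could not inspect root certificate $TB/etc/emulab.pem" );
} elsif( $? & 0x7F ) {
    die( "unexpected signal while inspecting root certificate" );
} elsif( $? ) {
    # grep returned non-zero exit code (indicating no matches): this is
    # an old certificate, so regenerate it.
    #
    # The extension file is created with File::Temp rather than at the
    # predictable path /tmp/$$: this runs as root, and a two-arg open of a
    # guessable name would follow a pre-planted symlink and feed whatever
    # that file held to openssl as extensions for the root certificate.
    # UNLINK => 1 removes the file at exit, so it no longer leaks either.
    my ($extfh, $extfile) = tempfile( UNLINK => 1 );
    print $extfh "subjectAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
    print $extfh "issuerAltName=URI:urn:publicid:IDN+${OURDOMAIN}+authority+root\n";
    close( $extfh ) or die( "can't write $extfile: $!" );

    print "Adding URN to root certificate...\n";

    my $originalfile = "$TB/etc/emulab.pem.orig";
    -f $originalfile and
	die( "refusing to overwrite $originalfile" );
    rename( "$TB/etc/emulab.pem", "$originalfile" ) or
	die( "could not rename root certificate: $!" );

    # Serial for the re-issued certificate.  An undefined value would leave
    # -set_serial empty, so restore the original and stop before that.
    my $serial = TBGetUniqueIndex( "user_sslcerts" );
    if( !defined( $serial ) ) {
	rename( "$originalfile", "$TB/etc/emulab.pem" ) or
	    warn( "could not restore $originalfile: $!" );
	die( "could not allocate a serial number for the root certificate" );
    }

    # Save the new certificate to a temporary file: OpenSSL will reuse the
    # plain text from the old certificate instead of the current version,
    # so we regenerate the whole thing once we've finished to avoid
    # horrible confusion.
    system( "$OPENSSL x509 -days 2000 -text -extfile $extfile " .
	    "-set_serial $serial -signkey $TB/etc/emulab.key " .
	    "< $originalfile > $TB/etc/emulab.tmp" );

    # For some reason, OpenSSL can return non-zero even when the certificate
    # generation succeeded.  Check the output file instead, and put the
    # original back if nothing usable was produced.
    if( !( -s "$TB/etc/emulab.tmp" ) ) {
	unlink( "$TB/etc/emulab.tmp" );
	rename( "$originalfile", "$TB/etc/emulab.pem" ) or
	    warn( "could not restore $originalfile: $!" );
	die( "could not generate new root certificate" );
    }

    # Regenerate the certificate, so that the comments are up to date.
    # Same check as above: an empty emulab.pem would leave the site with no
    # usable root certificate, so restore the original rather than keep it.
    system( "$OPENSSL x509 -text < $TB/etc/emulab.tmp > $TB/etc/emulab.pem" );
    unlink( "$TB/etc/emulab.tmp" );
    if( !( -s "$TB/etc/emulab.pem" ) ) {
	rename( "$originalfile", "$TB/etc/emulab.pem" ) or
	    warn( "could not restore $originalfile: $!" );
	die( "could not rewrite root certificate" );
    }

    print "Root certificate updated.  You will need to send the new\n";
    print "certificate to the clearing house.\n";

    # The new certificate has to be sent to the clearinghouse again, so drop
    # the federation marker that the "register" phase below looks for.
    unlink( "$TB/etc/.protogeni_federated" );
}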

#
# Markers for the sections this script appends to system files (presumably
# consumed by the DoneIfEdited/AppendToFileFatal helpers used below — verify
# in libinstall).  Assigned here, apart from the declarations, for readability.
#
( $MAGIC_TESTBED_VERSION, $MAGIC_TESTBED_START, $MAGIC_TESTBED_END ) =
    ( "",
      "Added by Emulab for the ProtoGENI module",
      "End of Emulab added section" );

#
# Ports this site needs, keyed by the pkg_info pattern that detects them;
# the value is the ports directory to build from when one is missing.
#
my %packlist;
$packlist{"libxml2>=2.6.26"}       = "/usr/ports/textproc/libxml2";
$packlist{"p5-Frontier-RPC"}       = "/usr/ports/net/p5-Frontier-RPC";
$packlist{"p5-XML-LibXML>=1.70"}   = "/usr/ports/textproc/p5-XML-LibXML";
$packlist{"xmlsec1"}               = "/usr/ports/security/xmlsec1";
$packlist{"p5-Crypt-SSLeay>=0.57"} = "/usr/ports/security/p5-Crypt-SSLeay";
$packlist{"p5-Crypt-OpenSSL-X509"} = "/usr/ports/security/p5-Crypt-OpenSSL-X509";
$packlist{"p5-Crypt-X509"}         = "/usr/ports/security/p5-Crypt-X509";
$packlist{"xerces-c2>=2.7.0"}      = "/usr/ports/textproc/xerces-c2";
$packlist{"p5-XML-SemanticDiff"}   = "/usr/ports/textproc/p5-XML-SemanticDiff";

# Not referenced elsewhere in this script.
my $needpkgs = 0;

#
# Build and install any port in %packlist that is not already present.
# Judging by the skip logic, a false return from ExecQuiet means the
# command succeeded, i.e. pkg_info found the package.
#
Phase "ports", "Installing ports", sub {
    for my $pkgname (sort keys %packlist) {
        my $pkgdir = $packlist{$pkgname};

        Phase "$pkgname", "Checking for $pkgname", sub {
            PhaseSkip("Already installed")
                unless ExecQuiet("$PKG_INFO -E '${pkgname}*'");
            chdir($pkgdir)
                or PhaseFail("Unable to change to cd to $pkgdir");

            # -DBATCH keeps the port from prompting for options.
            ExecQuietFatal("make -DBATCH install");
        };
    }
};

#
# crossdomain.xml lets the flash client talk to this host.  This copy, served
# from the web root, carries only the meta-policy (which policy files are
# permitted), not an allow-access list.
#
my $crosstext = join("\n",
                     '<?xml version="1.0"?>',
                     '<cross-domain-policy>',
                     '    <site-control permitted-cross-domain-policies="all"/>',
                     '</cross-domain-policy>',
                     '');

Phase "crossdomain", "Installing www crossdomain.xml", sub {
    my $policyfile = "$TB/www/crossdomain.xml";
    Phase "create", "Creating file", sub {
        DoneIfExists($policyfile);
        CreateFileFatal($policyfile, $crosstext);
    };
    Phase "chmod", "Setting permissions", sub {
        ExecQuietFatal("$CHMOD 0644 $policyfile");
    };
};

#
# Directories for the ProtoGENI web content and the CA certificate store.
#
my @pgdirs = ("$TB/www/protogeni",
              "$TB/etc/genicacerts",
              "$TB/www/protogeni/advertisements",
              "$TB/www/protogeni/authorities");
Phase "dirs", "Creating directories", sub {
    for my $dir (@pgdirs) {
        Phase $dir, $dir, sub {
            PhaseSkip("already exists") if -e $dir;
            mkdir($dir, 0775)
                or PhaseFail("Unable to create $dir : $!");
        };
    }
};

#
# A second policy file, served from the protogeni directory, that grants
# access to the emulab.net and protogeni.net domains only.
#
$crosstext = join("\n",
                  '<?xml version="1.0"?>',
                  '<cross-domain-policy>',
                  '    <allow-access-from domain="*.emulab.net" />',
                  '    <allow-access-from domain="*.protogeni.net" />',
                  '</cross-domain-policy>',
                  '');

Phase "crossdomain2", "Installing protogeni crossdomain.xml", sub {
    my $policyfile = "$TB/www/protogeni/crossdomain.xml";
    Phase "create", "Creating file", sub {
        DoneIfExists($policyfile);
        CreateFileFatal($policyfile, $crosstext);
    };
    Phase "chmod", "Setting permissions", sub {
        ExecQuietFatal("$CHMOD 0644 $policyfile");
    };
};

#
# Flash policy: an inetd service on the flashpolicy port (843) whose reply
# is a policy letting Flash clients from any domain reach ports 80, 443 and
# the two RPC ports.
#
my $FLASH_LINE = "flashpolicy stream tcp  nowait          root    /bin/echo               /bin/echo '<cross-domain-policy> <site-control permitted-cross-domain-policies=\"master-only\"/> <allow-access-from domain=\"*\" to-ports=\"80,443,$PROTOGENI_RPCPORT,$OUTERBOSS_XMLRPCPORT\"/> </cross-domain-policy>'";

Phase "flashpolicy", "Installing the flash policy", sub {
    Phase "services", "Adding services entry", sub {
        DoneIfEdited("/etc/services");
        AppendToFileFatal("/etc/services", 'flashpolicy     843/tcp');
    };
    Phase "inetd", "Adding inetd.conf entry", sub {
        DoneIfEdited($INETD_CONF);
        AppendToFileFatal($INETD_CONF, $FLASH_LINE);
    };
    # Only bounce inetd when the entry was actually added on this run.
    Phase "restarting", "Restarting inetd", sub {
        PhaseSkip("not changed") if PhaseWasSkipped("inetd");
        HUPDaemon("inetd");
    };
};

#
# The web server needs to do client authentication, for the geni xmlrpc
# interface. A bundle of CA certs from the trusted roots (emulabs) will
# be used. This bundle will periodically update as sites come online.
#
# genica.bundle starts out as a copy of our own root cert; genicrl.bundle
# starts out empty.  Both are only seeded when absent.
#
Phase "bundles", "Installing SSL bundles", sub {
    for my $spec (["genica",  "$CP $TB/etc/emulab.pem $TB/etc/genica.bundle"],
                  ["genicrl", "$TOUCH $TB/etc/genicrl.bundle"]) {
        my ($name, $seedcmd) = @$spec;
        my $bundle = "$TB/etc/$name.bundle";
        Phase $name, "Installing $name.bundle", sub {
            DoneIfExists($bundle);
            ExecQuietFatal($seedcmd);
            ExecQuietFatal("$CHMOD 0644 $bundle");
        };
    }
};
if ($asch) {
    #
    # Clearinghouse only: seed the per-CA directory used for xmlsec1, and
    # publish both bundles under the web root so other sites can fetch them.
    #
    Phase "genicacerts", "Initial genicacerts directory", sub {
        DoneIfExists("$TB/etc/genicacerts/emulab.pem");
        ExecQuietFatal("$CP $TB/etc/emulab.pem $TB/etc/genicacerts");
    };
    for my $bundle ("genica", "genicrl") {
        my $src = "$TB/etc/$bundle.bundle";
        my $dst = "$TB/www/$bundle.bundle";
        Phase "www$bundle", "Copying $bundle.bundle to www", sub {
            DoneIfExists($dst);
            ExecQuietFatal("$CP $src $dst");
            ExecQuietFatal("$CHMOD 0644 $dst");
        };
    }
}

#
# OpenSSL CA index attribute, ssl config, apache config and rc.conf flags.
# (The original author noted not understanding where index.txt.attr comes
# from; "unique_subject = no" is the openssl ca setting that permits several
# certificates with the same subject in the index.)
#
my $indexattr = "$TB/ssl/index.txt.attr";
Phase "index", "Creating ssl index.txt.attr", sub {
    BackUpFileFatal($indexattr);
    DeleteFileFatal($indexattr);
    CreateFileFatal($indexattr, 'unique_subject = no');
};
Phase "sslcnf", "Updating ssl syscert.cnf", sub {
    ExecQuietFatal("$GMAKE -C @top_builddir@/ssl install-conf");
};
Phase "apache", "Updating apache config", sub {
    DoneIfIdentical("@top_builddir@/apache/httpd.conf", "$HTTPD_CONF");
    BackUpFileFatal("$HTTPD_CONF");
    ExecQuietFatal("$GMAKE -C $TOP_OBJDIR/apache install");
};
Phase "rcconf", "Updating $RCCONF", sub {
    DoneIfEdited($RCCONF);
    AppendToFileFatal($RCCONF, qq{$APACHE_FLAGS="-DSSL -DPGENI"});
};

#
# The user and project that slices (experiments) belong to.
#
my $geniuser = User->Lookup($geniuserid);
Phase "geniuser", "Creating user $geniuserid", sub {
    PhaseSkip("already created") if defined($geniuser);

    my $userxml = "$TB/etc/protogeni/geniuser.xml";
    PhaseFail("geniuser.xml does not exist") unless -e $userxml;

    # newuser runs as $PROTOUSER under withadminprivs.
    ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $NEWUSER $userxml");

    $geniuser = User->Lookup($geniuserid);
    PhaseFail("$geniuserid did not create properly") unless defined($geniuser);

    ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $TBACCT verify $geniuserid");
};

my $geniproj = Project->Lookup($geniprojid);
Phase "geniproj", "Creating project $geniprojid", sub {
    PhaseSkip("already created") if defined($geniproj);

    my $projxml = "$TB/etc/protogeni/geniproj.xml";
    PhaseFail("geniproj.xml does not exist") unless -e $projxml;

    # newproj from the XML description, then mkproj -s for the project id;
    # both as $PROTOUSER under withadminprivs.
    ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $NEWPROJ $projxml");
    ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $MKPROJ -s $geniprojid");

    $geniproj = Project->Lookup($geniprojid);
    PhaseFail("$geniprojid did not create") unless defined($geniproj);
};

# Reload both objects from the DB now that the phases above have run.
$_->Refresh() for ($geniuser, $geniproj);

#
# Create an encrypted certificate for the test scripts.
#
Phase "usercert", "Creating certificate for $geniuserid", sub {
    my $sslcert;
    $geniuser->SSLCert(1, \$sslcert);
    PhaseSkip("already created") if defined($sslcert);

    # The first ten characters of a fresh secret key serve as the passphrase.
    my $passwd = substr(TBGenSecretKey(), 0, 10);
    PhaseFail("failed to generate password")
        unless defined($passwd) && $passwd ne "";

    # NOTE(review): the passphrase travels on mkusercert's command line, so
    # it is visible in process listings while that command runs, and the
    # single quotes assume TBGenSecretKey() never yields a quote character.
    ExecQuietFatal("$SUDO -u $PROTOUSER $WAP $MKUSERCERT -p '$passwd' $geniuserid");
};

# Now that the geniuser exists, give it the advertisements/authorities dirs.
Phase "chown", "Changing ownership on dirs", sub {
    my @owned = ("$TB/www/protogeni/advertisements",
                 "$TB/www/protogeni/authorities");
    ExecQuietFatal("$CHOWN $geniuserid " . join(" ", @owned));
};

Phase "dbstuff", "Adding a few things to Emulab DB", sub {
    #
    # The fake "pcfake" node type is still needed for now.  Its default OSID
    # is RHL-STD, looked up under TBOPSPID(); it would be unusual for that
    # OSID not to exist.
    #
    my $osinfo = OSinfo->Lookup(TBOPSPID(), "RHL-STD");
    PhaseFail("RHL-STD does not exist") unless defined($osinfo);
    my $osid = $osinfo->osid();

    # [sql, failure message] pairs, run in this order.
    my @inserts = (
        ["replace into node_types (type,class,isvirtnode,isdynamic) " .
         "values ('pcfake','pcvm',1,1)",
         "Error inserting node_types"],
        ["replace into node_type_attributes " .
         "(type,attrkey,attrvalue,attrtype) values " .
         "('pcfake','rebootable','1','boolean')",
         "Error inserting rebootable attribute"],
        ["replace into node_type_attributes " .
         "(type,attrkey,attrvalue,attrtype) values " .
         "('pcfake','default_osid','$osid','integer')",
         "Error inserting default_osid attribute"],
    );
    for my $row (@inserts) {
        my ($sql, $errmsg) = @$row;
        DBQueryWarn($sql) or PhaseFail($errmsg);
    }
};
    
#
# Databases: create each of the three ProtoGENI databases, load the schema
# into it once, and patch the authority type column.
#
my $fixsql = "UPDATE geni_authorities    SET type='ses' " .
             "WHERE hrn LIKE '%.ses' AND type='';";

Phase "databases", "Creating Databases", sub {
    for my $dbname (qw(geni geni-ch geni-cm)) {
        Phase $dbname, "Creating DB $dbname", sub {
            # Judging by the skip logic, mysqlshow succeeding means the
            # database already exists.
            PhaseSkip("already exists") unless ExecQuiet("$MYSQLSHOW $dbname");
            ExecQuietFatal("$MYSQLADMIN create $dbname");
        };
        Phase "fill${dbname}", "Initializing DB $dbname", sub {
            # The geni_users table is taken as the sign the schema is loaded.
            PhaseSkip("already initialized")
                unless ExecQuiet("$MYSQLDUMP -d $dbname geni_users");
            ExecQuietFatal("$MYSQL $dbname < $TB/etc/protogeni/protogeni.sql");
        };
        Phase "fix${dbname}", "Patching DB $dbname", sub {
            ExecQuietFatal("$MYSQL -e \"$fixsql\" $dbname");
        };
    }
};

#
# Build the PG certificates (and, per the original note, register them).
# Kept in a separate script so it can be rerun on its own, e.g. when
# certificates are updated; it does not overwrite existing certificates,
# so calling it again is harmless.
#
Phase "initcerts", "Creating PG certificates", sub {
    ExecQuietFatal($INITCERTS);
};

#
# CA bundle maintenance.  A clearinghouse generates the CRL bundle for
# remote sites to download; every other site fetches the bundle from the CH
# website and breaks it up for xmlsec (see above).  Both run from cron; the
# client side also runs getcacerts once now, since it must be redone every
# time a new client is added (note that it restarts apache).
#
if ($asch) {
    Phase "crontab", "Updating $CRONTAB", sub {
        DoneIfEdited($CRONTAB);
        AppendToFileFatal($CRONTAB, "10  4  *  *  *  root  $GENCRLBUNDLE");
    };
}
else {
    Phase "getcacerts", "Getting current CA bundle", sub {
        ExecQuietFatal("$GETCACERTS -l -p");
    };
    Phase "crontab", "Updating $CRONTAB", sub {
        DoneIfEdited($CRONTAB);
        AppendToFileFatal($CRONTAB, "13  4  *  *	*  root  $GETCACERTS");
    };
}

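if (!$asch) {
    #
    # Register the certificates at the clearinghouse.  This requires the
    # root CA to have been sent to the clearinghouse first, which is
    # recorded by the .protogeni_federated marker file (removed again above
    # whenever the root certificate is regenerated).
    #
    Phase "register", "Registering PG certificates", sub {
	# Test for the marker file's existence (-e); the bare path string
	# used here before is always true, so the check never fired.
	PhaseFail("You have not emailed your root CA to the clearinghouse yet!")
	    if (! -e "$TB/etc/.protogeni_federated");

	PhaseSkip("already registered")
	    if (-e "$TB/etc/.protogeni_registered");

	ExecQuietFatal("$REGISTERCERTS");
    };
}

exit(0);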

#
# Abort with a message prefixed by the script name.  Carries a prototype
# because the forward declaration near the top of the file has one.
#
sub fatal($)
{
    my $msg = shift;
    my $banner = "*** $0:\n";

    die $banner . "    $msg\n";
}