From bd7fde0602c66d1d37730f3f271cc4b4be05c8e5 Mon Sep 17 00:00:00 2001 From: Leigh B Stoller Date: Wed, 9 Mar 2016 07:48:09 -0700 Subject: [PATCH] Add support for generating key pair for encryption, to pass into geni-lib as a parameter (pub part), and the priv key into create_instance. --- apt/create_instance.in | 7 ++++- www/aptui/instantiate.ajax | 21 ++++++++++++--- www/aptui/instantiate.php | 9 +++---- www/aptui/manage_profile.ajax | 51 +++++++++++++++++++++++++++++++++-- 4 files changed, 76 insertions(+), 12 deletions(-) diff --git a/apt/create_instance.in b/apt/create_instance.in index 33b6e08e4..2adc1d039 100755 --- a/apt/create_instance.in +++ b/apt/create_instance.in @@ -43,7 +43,7 @@ sub usage() print "Usage: quickvm [-u uuid] [--site site:1=aggregate ...] \n"; exit(1); } -my @optlist = ('d', 'v', 'u=s', 'a=s', 'S'); +my @optlist = ('d', 'v', 'u=s', 'a=s', 'S', 'k=s'); my $debug = 0; my $verbose = 1; my $xmlfile; @@ -55,6 +55,7 @@ my $quickuuid; my $this_user; my $xmlparse; my $instance; +my $privkeyfile; my $slice; my $sitemap; my $usetracker = 0; @@ -141,6 +142,9 @@ if (! GetOptions(\%options, @optlist, "site=s%" => \$sitemap)) { if (defined($options{"a"})) { $default_aggregate_urn = $options{"a"}; } +if (defined($options{"k"})) { + $privkeyfile = $options{"k"}; +} if (defined($options{"d"})) { $debug = 1; } @@ -664,6 +668,7 @@ my $altblob = {"urn" => $alt_urn, "uuid" => $slice_uuid, "email" => $user_email, "nostore" => 1, + "keyfile" => $privkeyfile, "useaptca" => 1, "showuuid" => 1}; my $alt_certificate = GeniCertificate->Create($altblob); diff --git a/www/aptui/instantiate.ajax b/www/aptui/instantiate.ajax index 9c7389712..09808ed72 100644 --- a/www/aptui/instantiate.ajax +++ b/www/aptui/instantiate.ajax @@ -554,6 +554,7 @@ function CheckStep2() $am_array = Instance::DefaultAggregateList(); $errors = array(); + session_start(); # # The initial page load did profile checking, this is just a # secondary check, so if there are failures, we can show them @@ -578,7 +579,6 @@ function CheckStep2() # # Need to make sure we got verified. # - session_start(); if (!isset($_SESSION["verified"]) || !$_SESSION["verified"]) { $errors["error"] = "Your verification step failed"; } @@ -722,8 +722,6 @@ function Do_Submit() $this_user->email() : $formfields["email"]); $args["profile"] = $formfields["profile"]; if (!$this_user) { - session_start(); - if (isset($_SESSION["verified"])) { $args["auth_token"] = $_SESSION["auth_token"]; } @@ -744,6 +742,15 @@ function Do_Submit() $options .= "--site 'site:${siteid}=${urn}' "; } } + if (isset($_SESSION["privkey"])) { + $keyname = tempnam("/tmp", "genilibkey"); + $fp = fopen($keyname, "w"); + fwrite($fp, $_SESSION["privkey"]); + fclose($fp); + chmod($keyname, 0666); + $options .= " -k $keyname"; + } + # # Invoke the backend. # @@ -752,8 +759,14 @@ function Do_Submit() if (!$instance) { SPITAJAX_ERROR(2, $errors); + if (isset($keyname)) { + unlink($keyname); + } return; } + if (isset($keyname)) { + unlink($keyname); + } $blob = array("redirect" => "status.php?uuid=" . $instance->uuid()); # @@ -776,8 +789,8 @@ function Do_Submit() array("value" => $creator->auth_token(), "expires" => $expires, "domain" => $cookiedomain)); - session_destroy(); } + session_destroy(); SPITAJAX_RESPONSE($blob); return; } diff --git a/www/aptui/instantiate.php b/www/aptui/instantiate.php index a8c9fbdb8..20ac98369 100644 --- a/www/aptui/instantiate.php +++ b/www/aptui/instantiate.php @@ -509,11 +509,10 @@ if (!isset($create)) { $defaults["sshkey"] = $geniuser->SSHKey(); } } - if (!$this_user) { - # We use a session. in case we need to do verification - session_start(); - session_unset(); - } + # We use a session, in case we need to do verification or other things. + session_start(); + session_unset(); + SPITFORM($defaults, false, array()); echo "
\n"; SPITFOOTER(); diff --git a/www/aptui/manage_profile.ajax b/www/aptui/manage_profile.ajax index 8d2212b4b..fb55a13ca 100644 --- a/www/aptui/manage_profile.ajax +++ b/www/aptui/manage_profile.ajax @@ -414,6 +414,9 @@ function Do_BindParameters() SPITAJAX_ERROR(1, "Not enough permission to instantiate profile"); return; } + # See instantiate.php; this code should probably move into instantiate.ajax + session_start(); + if (Do_CheckForm($formfields, $profile, $rval)) { # Special return value for JS code. SPITAJAX_ERROR(2, $rval); @@ -448,7 +451,8 @@ function Do_BindParameters() # Invoke the backend. # $retval = SUEXEC($this_uid, "nobody", - "webrungenilib $warningsfatal -b $parmfname -o $outfname $infname", + "webrungenilib $warningsfatal -b $parmfname ". + " -o $outfname $infname", SUEXEC_ACTION_IGNORE); if ($retval != 0) { @@ -504,7 +508,15 @@ function Do_CheckForm($formfields, $profile, &$rval) $defval = $def->defaultValue; $options = $def->legalValues; - if ($type == "integer") { + if ($type == "pubkey") { + if (GenGenilibKey()) { + $errors[$name] = "Could not create key pair"; + } + else { + $result[$name] = $_SESSION["pubkey"]; + } + } + elseif ($type == "integer") { if (!preg_match("/^\d*$/", $val)) { $errors[$name] = "Invalid value; must be an integer"; } @@ -541,6 +553,41 @@ function Do_CheckForm($formfields, $profile, &$rval) $rval = $result; return 0; } + +function GenGenilibKey() +{ + $keyname = tempnam("/tmp", "genilibkey"); + $pubname = tempnam("/tmp", "genilibpub"); + + chmod($keyname, 0666); + chmod($pubname, 0666); + + # + # First generate the private key. + # + $retval = myexec("/usr/bin/openssl genrsa -rand /dev/urandom ". + " -out $keyname 1024"); + if ($retval) { + unlink($keyname); + unlink($pubname); + return -1; + } + # + # Now extract the public portion. + # + $retval = myexec("/usr/bin/openssl rsa -in $keyname -pubout -out $pubname"); + if ($retval) { + unlink($keyname); + unlink($pubname); + return -1; + } + $_SESSION["privkey"] = file_get_contents($keyname); + $_SESSION["pubkey"] = file_get_contents($pubname); + session_commit(); + unlink($keyname); + unlink($pubname); + return 0; +} # Local Variables: # mode:php -- GitLab