Commit e0d59dde authored by Leigh Stoller's avatar Leigh Stoller

Add methods to check whether a user has a valid encrypted ssl certificate,

and to generate one. When generating one, look for a revoked/expired
certificate and reuse the key (and password) otherwise generate a new
key and new random password. This allows existing Emulab users who have
never used Geni, to use the APT/Cloud interface without having to create
a key via the web interface.
parent 4a2668a8
......@@ -59,6 +59,7 @@ my $OURDOMAIN = "@OURDOMAIN@";
my $MIN_UNIX_UID = @MIN_UNIX_UID@;
my $MIN_UNIX_GID = @MIN_UNIX_GID@;
my $tbacct = "$TB/sbin/tbacct";
my $MKUSERCERT = "$TB/sbin/mkusercert";
# Create() flags.
$NEWUSER_FLAGS_PROJLEADER = 0x01;
......@@ -1130,7 +1131,8 @@ sub SetStatus($$)
}
#
# Get user ssl certificate (pubkey).
# Get user ssl certificate (pubkey). The certificate might be expired, but
# that is okay for the caller.
#
sub SSLCert($$$;$)
{
......@@ -1158,6 +1160,56 @@ sub SSLCert($$$;$)
return 0;
}
#
# Does user have an encrypted certificate (not revoked, not expired)
#
sub HasValidEncryptedCert($)
{
my ($self) = @_;
my $uid_idx = $self->uid_idx();
my $query_result =
DBQueryWarn("select idx from user_sslcerts ".
"where uid_idx='$uid_idx' and encrypted=1 and ".
" revoked is null and expires > now()");
return -1
if (!defined($query_result));
return 0
if (!$query_result->numrows);
return 1;
}
#
# Try to regenerate encrypted SSL cert using existing passphrase, or make
# up a new passphrase if we do not have one in the DB.
#
sub GenEncryptedCert($)
{
my ($self) = @_;
my $uid_idx = $self->uid_idx();
my $uid = $self->uid();
my $certpass;
my $query_result =
DBQueryWarn("select password from user_sslcerts ".
"where uid_idx='$uid_idx' and encrypted=1 and ".
" revoked is null");
return -1
if (!defined($query_result));
if ($query_result->numrows) {
($certpass) = $query_result->fetchrow_array();
}
else {
$certpass = substr(lc(emutil::GenHash()), 0, 12);
}
system("$MKUSERCERT -r -p $certpass $uid");
return -1
if ($?);
return 0;
}
#
# Revoke ssl certificates.
#
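Review bot: `system("$MKUSERCERT -r -p $certpass $uid")` in GenEncryptedCert goes through the shell with two interpolated values, so any metacharacter in the stored `password` column or in `$uid` would be interpreted by the shell rather than passed through; the list form `system($MKUSERCERT, "-r", "-p", $certpass, $uid);` avoids the shell entirely and still sets `$?` for the existing check. The passphrase also ends up in the child's argv, where it is readable by other local users via the process table; if mkusercert can take it from stdin or the environment, that would be the safer route (its interface is not visible here). Separately, the lookup uses `revoked is null` while the commit message speaks of reusing the key of a revoked/expired certificate, so revoked rows are never matched — worth confirming which is intended and stating it in the header comment, e.g. `# Reuse the passphrase of any non-revoked (possibly expired) cert.` The query also has no ORDER BY, so with several matching rows the passphrase reused is arbitrary.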
......