Commit 46757729 authored by Leigh B Stoller's avatar Leigh B Stoller

Add simple (initial) support for passing encrypted secrets to the cluster CM,

to be decrypted using the per-exp ssl keypair we create and store on the
nodes. In this case, you can add this to your rspec in the node element.
You can add as many as you want, use the name attribute. We generate a
random password and encrypt the plain text:

  <emulab:password></emulab:password>

which becomes:

    <emulab:password name="foo" encrypted="true">-----BEGIN PKCS7-----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-----END PKCS7-----
    </emulab:password>

which can then be decrypted using the private key to get the plaintext
password.
parent 172e7af8
......@@ -52,6 +52,7 @@ use GeniHRN;
use libtestbed;
use English;
use Data::Dumper;
use File::Temp qw(tempfile :mktemp tmpnam :POSIX);
use overload ('""' => 'Stringify');
# Configure variables
......@@ -1089,6 +1090,65 @@ sub SetSites($$$$$$)
return 0;
}
#
# Encrypt blocks.
#
sub EncryptBlocks($$$)
{
my ($pxml, $certificate, $pmsg) = @_;
my @encrypt = ();
my $rspec = GeniXML::Parse($$pxml);
if (! defined($rspec)) {
print STDERR "EncryptBlocks: Could not parse rspec\n";
return -1;
}
foreach my $ref (GeniXML::FindNodes("n:node", $rspec)->get_nodelist()) {
foreach my $encref (GeniXML::FindNodesNS("n:encrypt", $ref,
$GeniXML::EMULAB_NS)->get_nodelist()) {
my $text = $encref->textContent();
next
if (!$text || $text eq "");
my $encrypted = GeniXML::GetText("encrypted", $encref);
next
if ($encrypted);
push(@encrypt, $encref);
}
foreach my $encref (GeniXML::FindNodesNS("n:password", $ref,
$GeniXML::EMULAB_NS)->get_nodelist()) {
my $plaintext = substr(TBGenSecretKey(), 0, 12);
$encref->appendText($plaintext);
push(@encrypt, $encref);
}
}
if (@encrypt) {
my $certname = $certificate->WriteToFile();
if (!defined($certname)) {
$$pmsg = "Could not encrypt blocks; not able to write certificate";
return -1;
}
foreach my $ref (@encrypt) {
my $tempname = mktemp("/tmp/encrypt.XXXXXX");
emutil::PipeCommand("/usr/bin/openssl smime ".
"-encrypt -outform PEM ".
"-out $tempname ".
"-aes256 $certname",
$ref->textContent(), $pmsg);
if ($?) {
return -1;
}
my $encrypted = `cat $tempname`;
$ref->setAttribute("encrypted", "true");
$ref->removeChildNodes();
$ref->appendText($encrypted);
unlink($tempname);
}
$$pxml = GeniXML::Serialize($rspec);
}
return 0;
}
sub IsHead($)
{
my ($self) = @_;
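Review bot: `mktemp("/tmp/encrypt.XXXXXX")` only chooses a name in a world-writable directory, so between that call and `openssl ... -out $tempname` another local user can plant a symlink at the path and have the service overwrite an arbitrary file as its own uid; `tempfile()`, which this commit also imports, creates the file atomically with mode 0600 and avoids the race, and reading it back with `open` removes the `cat` backticks whose failure is currently unchecked (an empty string would be stored under `encrypted="true"`). The early `return -1` after the openssl call leaves the temp file behind (and the certificate file from `WriteToFile()`, unless that helper registers its own cleanup), and the `if ($?)` test assumes `emutil::PipeCommand` leaves openssl's exit status in `$?` — worth confirming. The `n:password` loop also lacks the `encrypted` guard the `n:encrypt` loop has, so an element that already carries `encrypted="true"` (for example on a re-submitted rspec) gets a fresh password appended to its PKCS7 text and the whole thing re-encrypted; adding `next if (GeniXML::GetText("encrypted", $encref));` before the `appendText` keeps the two loops consistent. Finally, `substr(TBGenSecretKey(), 0, 12)` fixes the password's entropy at 12 characters of whatever alphabet that helper uses, which deserves a comment such as `# 12 chars of TBGenSecretKey(): confirm this meets the strength needed for a node password`.
```perl
    foreach my $ref (@encrypt) {
        # tempfile() creates the file (mode 0600) instead of merely naming it,
        # so openssl cannot be redirected through a symlink planted in /tmp.
        my ($tempfh, $tempname) = tempfile("/tmp/encrypt.XXXXXX");
        close($tempfh);
        emutil::PipeCommand("/usr/bin/openssl smime ".
                            "-encrypt -outform PEM ".
                            "-out $tempname ".
                            "-aes256 $certname",
                            $ref->textContent(), $pmsg);
        if ($?) {
            unlink($tempname);
            return -1;
        }
        my $encrypted;
        if (open(my $fh, '<', $tempname)) {
            local $/;
            $encrypted = <$fh>;
            close($fh);
        }
        unlink($tempname);
        if (!defined($encrypted) || $encrypted eq "") {
            $$pmsg = "Could not encrypt blocks; no output from openssl";
            return -1;
        }
        # … unchanged: setAttribute / removeChildNodes / appendText …
    }
```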
......
......@@ -657,6 +657,14 @@ my $alt_certificate = GeniCertificate->Create($altblob);
fatal("Could not create alt certificate")
if (!defined($alt_certificate));
#
# Encrypt blocks.
#
$tmp = APT_Profile::EncryptBlocks(\$rspecstr, $alt_certificate, \$errmsg);
if ($tmp) {
($tmp < 0 ? fatal($errmsg) : UserError($errmsg));
}
#
# Generate credentials we need.
#
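Review bot: The `$tmp < 0 ? fatal($errmsg) : UserError($errmsg)` split never reaches `UserError`, because the `EncryptBlocks` added in this commit returns only 0 or -1 on every path visible, so a user-supplied rspec that fails to parse becomes `fatal()` — and on that parse-failure path the function only prints to STDERR and never sets `$pmsg`, leaving `$errmsg` undefined when `fatal` is called. Either have `EncryptBlocks` set `$$pmsg` and return a positive value for user-caused failures (unparseable rspec) so this branch does what it reads as doing, or at least guard the message here: `fatal(defined($errmsg) ? $errmsg : "Could not encrypt blocks in rspec")`. `$tmp` and `$errmsg` are declared outside this hunk, so their prior contents cannot be checked from here.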
......