From arku...@apache.org
Subject svn commit: r1798002 - in /vcl/trunk: managementnode/lib/VCL/ managementnode/lib/VCL/Module/OS/Linux/ managementnode/lib/VCL/Module/Provisioning/VMware/ mysql/
Date Wed, 07 Jun 2017 21:10:44 GMT
Author: arkurth
Date: Wed Jun  7 21:10:44 2017
New Revision: 1798002

URL: http://svn.apache.org/viewvc?rev=1798002&view=rev
Log:
VCL-1045
Added explicit DataStructure.pm::get_vmhost_profile_password subroutine.

Updated utils.pm::get_vmhost_info to retrieve the cryptsecret if vmprofile.secretid is set.

Removed vmprofile.secretid constraint from vcl.sql and update-vcl.sql.

Modified:
    vcl/trunk/managementnode/lib/VCL/DataStructure.pm
    vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm
    vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm
    vcl/trunk/managementnode/lib/VCL/utils.pm
    vcl/trunk/mysql/update-vcl.sql
    vcl/trunk/mysql/vcl.sql

Modified: vcl/trunk/managementnode/lib/VCL/DataStructure.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/DataStructure.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/DataStructure.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/DataStructure.pm Wed Jun  7 21:10:44 2017
@@ -284,9 +284,10 @@ $SUBROUTINE_MAPPINGS{vmhost_profile_virt
 $SUBROUTINE_MAPPINGS{vmhost_profile_vmdisk} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{vmdisk}';
 $SUBROUTINE_MAPPINGS{vmhost_profile_vmpath} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{vmpath}';
 $SUBROUTINE_MAPPINGS{vmhost_profile_username} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{username}';
-$SUBROUTINE_MAPPINGS{vmhost_profile_password} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{password}';
+#$SUBROUTINE_MAPPINGS{vmhost_profile_password} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{password}';
 $SUBROUTINE_MAPPINGS{vmhost_profile_eth0generated} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{eth0generated}';
 $SUBROUTINE_MAPPINGS{vmhost_profile_eth1generated} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{eth1generated}';
+$SUBROUTINE_MAPPINGS{vmhost_profile_secret_id} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{vmprofile}{secretid}';
 
 $SUBROUTINE_MAPPINGS{vmhost_repository_imagetype_name} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{repositoryimagetype}{name}';
 $SUBROUTINE_MAPPINGS{vmhost_datastore_imagetype_name} = '$self->request_data->{reservation}{RESERVATION_ID}{computer}{vmhost}{datastoreimagetype}{name}';
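Review bot: The commented-out `#$SUBROUTINE_MAPPINGS{vmhost_profile_password}` line is dead text now that an explicit get_vmhost_profile_password sub is defined further down in this file; delete it rather than leaving it as a comment, since re-enabling it later would silently reinstate an accessor that hands back the raw `{vmprofile}{password}` column with no decryption. The added `vmhost_profile_secret_id` mapping is fine as written.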
@@ -2798,7 +2799,7 @@ sub get_image_domain_password {
 	}
 	
 	my $image_domain_password = $self->mn_os->decrypt_cryptsecret($secret_id, $encrypted_password);
-	#notify($ERRORS{'DEBUG'}, 0, string_to_ascii($image_domain_password));
+	#notify($ERRORS{'DEBUG'}, 0, "retrieved Active Directory domain password: '$image_domain_password'");
 	return $image_domain_password;
 }
 
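Review bot: The rewritten `#notify($ERRORS{'DEBUG'}, 0, "retrieved Active Directory domain password: '$image_domain_password'");` line would write the decrypted domain password in clear text to wherever notify sends DEBUG output the moment someone uncomments it; a commented-out credential dump is a standing footgun. Either delete the line or make it safe to enable, e.g. `notify($ERRORS{'DEBUG'}, 0, "retrieved Active Directory domain password for secret ID $secret_id");` without the value. get_image_domain_password starts before this hunk.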
@@ -2838,6 +2839,49 @@ sub get_domain_credentials {
 }
 
 #//////////////////////////////////////////////////////////////////////////////
+
+=head2 get_vmhost_profile_password
+
+ Parameters  : $display_warnings (optional)
+ Returns     : string
+ Description : Returns the decrypted VM host profile password if both
+               vmprofile.password and vmprofile.secretid are set. If
+               vmprofile.password is set but vmprofile.secretid is not, assumes
+               the password was set prior to VCL 2.5 and returns raw value of
+               vmprofile.password.
+
+=cut
+
+sub get_vmhost_profile_password {
+	my $self = shift;
+	if (ref($self) !~ /VCL::/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
+		return 0;
+	}
+	
+	my $display_warnings = shift;
+	$display_warnings = 1 unless defined($display_warnings);
+	
+	my $reservation_id = $self->reservation_id();
+	
+	my $password = $self->request_data->{reservation}{$reservation_id}{computer}{vmhost}{vmprofile}{password};
+	if (!defined($password)) {
+		notify($ERRORS{'WARNING'}, 0, "failed to retrieve decrypted VM profile password, vmprofile.password
is not defined in this DataStructure.pm object") if $display_warnings;
+		return;
+	}
+	
+	my $secret_id = $self->get_vmhost_profile_secret_id();
+	if (!defined($secret_id)) {
+		notify($ERRORS{'DEBUG'}, 0, "vmprofile.password is set but vmprofile.secretid is NOT, assuming
vmprofile.password is a pre-VCL 2.5 clear-text password: '$password'");
+		return $password;
+	}
+	
+	my $decrypted_password = $self->mn_os->decrypt_cryptsecret($secret_id, $password);
+	notify($ERRORS{'DEBUG'}, 0, "decrypted VM profile password: '$decrypted_password'");
+	return $decrypted_password;
+}
+
+#//////////////////////////////////////////////////////////////////////////////
 
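Review bot: get_vmhost_profile_password logs the credential itself at DEBUG level on both the `assuming vmprofile.password is a pre-VCL 2.5 clear-text password: '$password'` line and the `decrypted VM profile password: '$decrypted_password'` line, so the VM host password lands in clear text in whatever notify writes DEBUG messages to; the messages should identify the secret ID, never the value. The result of `$self->mn_os->decrypt_cryptsecret($secret_id, $password)` is also returned unchecked, and the decrypt_cryptsecret hunk in ManagementNode.pm shows it can return undef, so a caller would get undef with only a DEBUG line printing an empty value as a trace. The rewritten tail below strips the values from the log messages and adds the undef check, honouring the existing `$display_warnings` flag; the rest of the sub is unchanged.
```perl
	# … unchanged: method-call guard, $display_warnings default, vmprofile.password lookup …
	my $secret_id = $self->get_vmhost_profile_secret_id();
	if (!defined($secret_id)) {
		# Never log the value: for pre-2.5 profiles it is the clear-text password.
		notify($ERRORS{'DEBUG'}, 0, "vmprofile.password is set but vmprofile.secretid is NOT, assuming vmprofile.password is a pre-VCL 2.5 clear-text password");
		return $password;
	}
	
	my $decrypted_password = $self->mn_os->decrypt_cryptsecret($secret_id, $password);
	if (!defined($decrypted_password)) {
		notify($ERRORS{'WARNING'}, 0, "failed to decrypt VM profile password using secret ID $secret_id") if $display_warnings;
		return;
	}
	notify($ERRORS{'DEBUG'}, 0, "decrypted VM profile password using secret ID $secret_id");
	return $decrypted_password;
```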
 1;
 __END__

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/ManagementNode.pm Wed Jun  7 21:10:44
2017
@@ -682,7 +682,7 @@ sub _get_private_key_object_from_file {
 		$rsa_private = Crypt::OpenSSL::RSA->new_private_key($private_key_file_string);
 	};
 	if ($EVAL_ERROR || !$rsa_private) {
-		notify($ERRORS{'WARNING'}, 0, "failed to create private key file Crypt::OpenSSL::RSA object
from $private_key_file_path on $management_node_short_name" . ($EVAL_ERROR ? ", error:\n"
. $EVAL_ERROR : ''));
+		notify($ERRORS{'WARNING'}, 0, "failed to create Crypt::OpenSSL::RSA object from $private_key_file_path
on $management_node_short_name" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : ''));
 		return;
 	}
 	
@@ -729,71 +729,6 @@ sub extract_public_key_from_private_key_
 
 #//////////////////////////////////////////////////////////////////////////////
 
-=head2 check_encryption_keys
-
- Parameters  : none
- Returns     : string
- Description : Retrieves the cryptkeys.pubkey value from the database for the
-               management node and extracts the public key from the private key
-               file on the management node. Returns true if they match. Returns
-               false if they differ or if either could not be retrieved.
-
-=cut
-
-sub check_encryption_keys {
-	my $self = shift;
-	if (ref($self) !~ /VCL::Module/i) {
-		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called
as a class method");
-		return;
-	}
-	
-	my $management_node_id = $self->data->get_management_node_id() || return;
-	my $management_node_short_name = $self->data->get_management_node_short_name() ||
return;
-	
-	notify($ERRORS{'DEBUG'}, 0, "*** checking encryption keys on $management_node_short_name
***");
-	
-	# Get the cryptkey.pubkey value from the database for the management node
-	my $public_key_string_database_value = get_management_node_cryptkey_pubkey($management_node_id,
0) || return;
-	
-	# Create an RSA object based on the existing public key stored in the database, then extract
the (hopefully same) public key from the object
-	# Do this to verify the public key is correctly formatted, the RSA module should strip any
extraneous space or newlines
-	my $rsa_public;
-	eval {
-		$rsa_public = Crypt::OpenSSL::RSA->new_public_key($public_key_string_database_value);
-	};
-	if ($EVAL_ERROR || !$rsa_public) {
-		notify($ERRORS{'WARNING'}, 0, "failed to create RSA object from public key stored in database:\n$public_key_string_database_value"
. ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : ''));
-		return;
-	}
-	
-	# Retrieve the public key string from the RSA object
-	my $public_key_string_database_extracted;
-	eval {
-		$public_key_string_database_extracted = $rsa_public->get_public_key_x509_string();
-	};
-	if ($EVAL_ERROR || !$public_key_string_database_extracted) {
-		notify($ERRORS{'WARNING'}, 0, "retrieved cryptkey.pubkey value from database, created RSA
object based on this public key, but failed to extract the public key from the object, there
may be a problem with the public key stored in the database:\n$public_key_string_database_value"
. ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : ''));
-		return;
-	}
-	
-	# Extract the public key string from the private key file stored on the management node
-	my $public_key_string_private_extracted = $self->extract_public_key_from_private_key_file()
|| return;
-	
-	if ($public_key_string_database_extracted eq $public_key_string_private_extracted) {
-		notify($ERRORS{'OK'}, 0, "public key extracted from private key file on $management_node_short_name
matches database cryptkey.pubkey value");
-		return 1;
-	}
-	else {
-		notify($ERRORS{'WARNING'}, 0, "public key extracted from private key file on $management_node_short_name
does not match database cryptkey.pubkey value:\n" .
-			"public key stored in database (cryptkey.pubkey):\n" . string_to_ascii($public_key_string_database_extracted)
. "\n" .
-			"public key extracted from private key file:\n" . string_to_ascii($public_key_string_private_extracted)
-		);
-		return 0;
-	}
-}
-
-#//////////////////////////////////////////////////////////////////////////////
-
 =head2 generate_private_key_file
 
  Parameters  : none
@@ -946,13 +881,11 @@ sub decrypt_cryptsecret {
 			return;
 		}
 	}
-	elsif (!$self->check_encryption_keys()) {
-		return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1);
-	}
 	
-	my $cryptsecret = get_management_node_cryptsecret_value($management_node_id, $secret_id);
+	# Pass opposite of $recreate_key as $suppress_warning argument
+	my $cryptsecret = get_management_node_cryptsecret_value($management_node_id, $secret_id,
!$recreate_key);
 	if (!$cryptsecret) {
-		notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to retrieve
cryptsecret.cryptsecret value for management node ID $management_node_id");
+		#notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to retrieve
cryptsecret.cryptsecret value for management node ID $management_node_id");
 		$recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string,
1);
 	}
 	
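Review bot: Removing the `elsif (!$self->check_encryption_keys())` branch drops the only place this sub compared the on-disk private key against cryptkey.pubkey before decrypting; a mismatched key now has to be caught by the RSA decrypt itself, which lies below this hunk, and whether that fails loudly or yields garbage I cannot see from here — worth confirming and stating in the POD. The unchanged retry on the `$recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1);` line still fires whenever no cryptsecret row exists for this node and secret ID; since this commit also drops the foreign key on vmprofile.secretid, a dangling secretid can now reach that path, and if the `1` argument does what its name suggests (regenerating the node's key pair), one stale reference could invalidate every other secret encrypted for this node. If that reading is right, a comment such as `# no cryptsecret for this node: regenerate the key pair and retry once; callers must tolerate undef` on that line, and a check that the secret ID exists at all before recreating anything, would make the behaviour deliberate. Commenting out the WARNING here is acceptable only because get_management_node_cryptsecret_value is asked to warn on the second pass via `!$recreate_key`; decrypt_cryptsecret begins before and continues after this hunk.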
@@ -963,7 +896,7 @@ sub decrypt_cryptsecret {
 	
 	my $rsa_private = $self->_get_private_key_object_from_file();
 	if (!$rsa_private) {
-		notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to create
RSA object based on management node's private key");
+		#notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to create
RSA object based on management node's private key");
 		$recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string,
1);
 	}
 	
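Review bot: The commented-out `#notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to create RSA object ...` line should be deleted rather than kept as a comment; _get_private_key_object_from_file already logs its own WARNING on the `failed to create Crypt::OpenSSL::RSA object from $private_key_file_path` line in the earlier hunk, so the caller's message was redundant and the dead text only invites someone to re-enable the duplicate. A one-line comment in its place, `# _get_private_key_object_from_file has already logged the failure`, explains the silent return to the next reader. decrypt_cryptsecret continues outside this hunk.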

Modified: vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/Provisioning/VMware/VMware.pm Wed Jun  7 21:10:44
2017
@@ -299,13 +299,6 @@ sub initialize {
 	}
 	
 	my $request_state_name = $self->data->get_request_state_name();
-	my $vmhost_computer_name = $vmhost_data->get_computer_node_name();
-	my $vmhost_image_name = $vmhost_data->get_image_name();
-	my $vmhost_os_module_package = $vmhost_data->get_image_os_module_perl_package();
-	my $vmhost_lastcheck_time = $vmhost_data->get_computer_lastcheck_time(0);
-	my $vmhost_computer_id = $self->data->get_vmhost_computer_id();
-	my $vmprofile_name = $self->data->get_vmhost_profile_name();
-	my $vmprofile_password = $self->data->get_vmhost_profile_password(0);
 	
 	# Used only for development/testing
 	# If request state is 'test', full initialization is bypassed by default to speed things
up
@@ -318,6 +311,14 @@ sub initialize {
 		}
 	}
 	
+	my $vmhost_computer_name = $vmhost_data->get_computer_node_name();
+	my $vmhost_image_name = $vmhost_data->get_image_name();
+	my $vmhost_os_module_package = $vmhost_data->get_image_os_module_perl_package();
+	my $vmhost_lastcheck_time = $vmhost_data->get_computer_lastcheck_time(0);
+	my $vmhost_computer_id = $self->data->get_vmhost_computer_id();
+	my $vmprofile_name = $self->data->get_vmhost_profile_name();
+	my $vmprofile_password = $self->data->get_vmhost_profile_password(0);
+	
 	notify($ERRORS{'DEBUG'}, 0, "initializing " . ref($self) . " object");
 	
 	my $vmware_api;

Modified: vcl/trunk/managementnode/lib/VCL/utils.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/utils.pm?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/utils.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/utils.pm Wed Jun  7 21:10:44 2017
@@ -3796,6 +3796,8 @@ sub get_vmhost_info {
 	
 	return $ENV{vmhost_info}{$vmhost_identifier} if (!$no_cache && $ENV{vmhost_info}{$vmhost_identifier});
 	
+	my $management_node_id = get_management_node_id();
+	
 	# Get a hash ref containing the database column names
 	my $database_table_columns = get_database_table_columns();
 	
@@ -3804,6 +3806,7 @@ sub get_vmhost_info {
 		'vmprofile' => 'vmprofile',
 		'repositoryimagetype' => 'imagetype',
 		'datastoreimagetype' => 'imagetype',
+		'cryptsecret' => 'cryptsecret',
 	);
 	
 	# Construct the select statement
@@ -3817,7 +3820,7 @@ sub get_vmhost_info {
 			$select_statement .= "$table_alias.$column AS '$table_alias-$column',\n";
 		}
 	}
-	
+
 	# Remove the comma after the last column line
 	$select_statement =~ s/,$//;
 	
@@ -3825,7 +3828,13 @@ sub get_vmhost_info {
 	$select_statement .= <<EOF;
 FROM
 vmhost,
-vmprofile,
+vmprofile
+LEFT JOIN (cryptsecret, cryptkey) ON (
+	vmprofile.secretid = cryptsecret.secretid AND
+	cryptsecret.cryptkeyid = cryptkey.id AND
+	cryptkey.hosttype = 'managementnode' AND
+	cryptkey.hostid = $management_node_id
+),
 imagetype repositoryimagetype,
 imagetype datastoreimagetype,
 computer
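Review bot: The LEFT JOIN interpolates `$management_node_id` into the SQL text; as far as this hunk shows the value comes from the node's own configuration rather than from a request, so it is not an injection vector, but it must be guaranteed defined before reaching the heredoc. Because this commit also drops the foreign key on vmprofile.secretid, a secretid with no cryptsecret/cryptkey row for this node now yields NULL cryptsecret columns silently where a constraint error used to be impossible to reach; a Perl comment above the `$select_statement .= <<EOF;` line, e.g. `# cryptsecret columns are NULL when this management node has no secret for vmprofile.secretid; callers must check`, tells readers the NULL is expected. Mixing comma joins with an explicit LEFT JOIN relies on the explicit JOIN binding tighter than the comma, which holds in MySQL because the ON clause references only vmprofile, cryptsecret and cryptkey; keep it that way if more tables are added.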
@@ -3897,6 +3906,9 @@ EOF
 		if ($table eq 'vmhost') {
 			$vmhost_info->{$column} = $value;
 		}
+		elsif ($table eq 'cryptsecret') {
+			$vmhost_info->{vmprofile}{$table}{$column} = $value;
+		}
 		else {
 			$vmhost_info->{$table}{$column} = $value;
 		}
@@ -15000,7 +15012,7 @@ EOF
 
 =head2 get_management_node_cryptsecret_value
 
- Parameters  : $management_node_id, $secret_id
+ Parameters  : $management_node_id, $secret_id, $suppress_warning (optional)
  Returns     : boolean
  Description : Retrieves the cryptsecret.cryptsecret value matching the
                cryptsecret.secretid value from the database for the management
@@ -15009,7 +15021,7 @@ EOF
 =cut
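Review bot: The POD still says `Returns     : boolean`, yet the description and the new `$suppress_warning` parameter both concern retrieving the cryptsecret.cryptsecret string; change it to `Returns     : string` and note that undef is returned when no row matches (the `return;` on the no-rows branch in the next hunk). The new parameter also deserves a line: `$suppress_warning - when true, do not log a WARNING when no row matches; used by decrypt_cryptsecret's first attempt`. get_management_node_cryptsecret_value's body continues past this hunk.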
 
 sub get_management_node_cryptsecret_value {
-	my ($management_node_id, $secret_id) = @_;
+	my ($management_node_id, $secret_id, $suppress_warning) = @_;
 	if (!defined($management_node_id)) {
 		notify($ERRORS{'WARNING'}, 0, "management node ID argument was not supplied");
 		return;
@@ -15034,7 +15046,7 @@ EOF
 	
 	my @rows = database_select($select_statement);
 	if (scalar @rows == 0) {
-		notify($ERRORS{'WARNING'}, 0, "failed to retrieve cryptsecret from database for management
node $management_node_id, secret ID: $secret_id");
+		notify($ERRORS{'WARNING'}, 0, "failed to retrieve cryptsecret from database for management
node $management_node_id, secret ID: $secret_id") unless $suppress_warning;
 		return;
 	}
 

Modified: vcl/trunk/mysql/update-vcl.sql
URL: http://svn.apache.org/viewvc/vcl/trunk/mysql/update-vcl.sql?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/mysql/update-vcl.sql (original)
+++ vcl/trunk/mysql/update-vcl.sql Wed Jun  7 21:10:44 2017
@@ -2692,7 +2692,6 @@ CALL DropExistingConstraints('vmprofile'
 CALL AddConstraintIfNotExists('vmprofile', 'imageid', 'image', 'id', 'none', '');
 CALL AddConstraintIfNotExists('vmprofile', 'repositoryimagetypeid', 'imagetype', 'id', 'update',
'CASCADE');
 CALL AddConstraintIfNotExists('vmprofile', 'datastoreimagetypeid', 'imagetype', 'id', 'update',
'CASCADE');
-CALL AddConstraintIfNotExists('vmprofile', 'secretid', 'cryptsecret', 'secretid', 'none',
'');
 
 -- --------------------------------------------------------
 

Modified: vcl/trunk/mysql/vcl.sql
URL: http://svn.apache.org/viewvc/vcl/trunk/mysql/vcl.sql?rev=1798002&r1=1798001&r2=1798002&view=diff
==============================================================================
--- vcl/trunk/mysql/vcl.sql (original)
+++ vcl/trunk/mysql/vcl.sql Wed Jun  7 21:10:44 2017
@@ -2696,7 +2696,6 @@ ALTER TABLE `vmhost` ADD CONSTRAINT FORE
 ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`imageid`) REFERENCES `image` (`id`);
 ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`repositoryimagetypeid`) REFERENCES `imagetype`
(`id`) ON UPDATE CASCADE;
 ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`datastoreimagetypeid`) REFERENCES `imagetype`
(`id`) ON UPDATE CASCADE;
-ALTER TABLE `vmprofile` ADD CONSTRAINT FOREIGN KEY (`secretid`) REFERENCES `cryptsecret`
(`secretid`);
 
 --
 -- Constraints for table `winKMS`


