2013-02-25 22:05:33 +00:00
|
|
|
# IBM(c) 2013 EPL license http://www.eclipse.org/legal/epl-v10.html
|
|
|
|
# This function specifically validates that the peer we are talking to is signed by the xCAT blessed CA and no other CA
|
2013-03-15 21:12:53 +00:00
|
|
|
Function VerifyxCATCert ($sender, $cert, $chain, $polerrs) {
|
|
|
|
if ($polerrs -ne "None" -and $polerrs -ne "RemoteCertificateChainErrors") { return $false } #if the overall policy suggests rejection, go with it
|
|
|
|
#why do we tolerate RemoteCertificateChainErrors? Because we are going to check specifically for the CA configured for this xCAT installation
|
|
|
|
#we chose not to add xCAT's CA to the root store, as that implies the OS should trust xCAT's CA for non-xCAT related things. That is madness.
|
|
|
|
#Of course, that's the madness typical with x509, but we need not propogate the badness...
|
|
|
|
#we are measuring something more specific than 'did any old CA sign this', we specifically want to assue the signer CA is xCAT's
|
2013-02-25 22:05:33 +00:00
|
|
|
foreach ($cert in $chain.chainElements) {
|
2013-03-15 21:12:53 +00:00
|
|
|
if ($script:xcatcacert.thumbprint.Equals($cert.Certificate.thumbprint)) {
|
2013-02-27 22:05:53 +00:00
|
|
|
return $true
|
|
|
|
}
|
2013-02-25 22:05:33 +00:00
|
|
|
}
|
2013-02-27 22:05:53 +00:00
|
|
|
return $false
|
2013-02-25 22:05:33 +00:00
|
|
|
}
|
|
|
|
|
2013-03-15 21:12:53 +00:00
|
|
|
#we import the xCAT certificate authority into the appropriate scope.
|
|
|
|
#It's not trusted by system policy, but our overidden verify function will find it. Too bad MS doesn't allow us custom store names under the user
|
|
|
|
#repository for whatever reason. We'll just 'import' it every session from file, which is harmless to do multiple times
|
|
|
|
#this isn't quite as innocuous as the openssl mechanisms to do this sort of thing, but it's as close as I could figure to get
|
2013-03-04 21:25:23 +00:00
|
|
|
Function Import-xCATCA ( $certpath ) {
|
2013-03-15 21:12:53 +00:00
|
|
|
$script:xcatcacert=Import-Certificate -FilePath $certpath -CertStoreLocation Cert:\CurrentUser\My
|
2013-02-25 22:05:33 +00:00
|
|
|
}
|
2013-02-27 22:05:53 +00:00
|
|
|
|
2013-03-15 21:12:53 +00:00
|
|
|
#this removes the xCAT CA from trust store, if user wishes to explicitly remove xCAT key post deploy
|
|
|
|
#A good idea for appliances that want to not show weird stuff. The consequences of not calling it are harmless: a useless extra public cert
|
|
|
|
#in admin's x509 cert store
|
2013-03-04 21:25:23 +00:00
|
|
|
Function Remove-xCATCA ( $certpath ) {
|
2013-03-15 21:12:53 +00:00
|
|
|
Import-xCATCA($certpath) #this seems insane, but it's easiest way to make sure we have the correct path
|
2013-02-27 22:05:53 +00:00
|
|
|
rm $script:xcatcacert.PSPath
|
2013-02-25 22:05:33 +00:00
|
|
|
}
|
|
|
|
|
2013-02-27 22:05:53 +00:00
|
|
|
#specify a client certificate to use in pfx format
|
2013-03-04 21:25:23 +00:00
|
|
|
Function Set-xCATClientCertificate ( $pfxPath ) {
|
2013-02-27 22:05:53 +00:00
|
|
|
$script:xcatclientcert=Import-pfxCertificate $pfxPath -certStoreLocation cert:\currentuser\my
|
|
|
|
}
|
2013-03-04 21:25:23 +00:00
|
|
|
Function Remove-xCATClientCertificate( $pfxPath ) {
|
2013-03-16 01:50:29 +00:00
|
|
|
Set-xCATClientCertificate($pfxpath)
|
2013-02-27 22:05:53 +00:00
|
|
|
rm cert:\currentuser\my\$script:xcatclientcert.thumbprint
|
|
|
|
}
|
|
|
|
|
|
|
|
#key here is that we might have two certificates:
|
|
|
|
#-one intended to identify the system that was deployed by xcat
|
|
|
|
#-one intended to identify the user to do things like 'rpower'
|
2013-03-15 21:12:53 +00:00
|
|
|
#however, user will just have to control it by calling Set-xCATClientCertificate on the file for now
|
|
|
|
#TODO: if user wants password protected PFX file, we probably would want to import it once and retain thumb across sessions...
|
2013-03-04 21:25:23 +00:00
|
|
|
Function Select-xCATClientCert ($sender, $targetHost, $localCertificates, $remoteCertificate,$acceptableIssuers) {
|
2013-02-27 22:05:53 +00:00
|
|
|
$script:xcatclientcert
|
|
|
|
}
|
2013-03-04 21:25:23 +00:00
|
|
|
Function Connect-xCAT {
|
2013-02-27 22:05:53 +00:00
|
|
|
Param(
|
2013-03-16 01:50:29 +00:00
|
|
|
$mgtServer=$xcathost,
|
2013-03-15 19:42:17 +00:00
|
|
|
$mgtServerPort=3001,
|
2013-02-27 22:05:53 +00:00
|
|
|
$mgtServerAltName=$mgtServer
|
|
|
|
)
|
2013-03-15 19:42:17 +00:00
|
|
|
$script:xcatconnection = New-Object Net.Sockets.TcpClient($mgtServer,$mgtServerPort)
|
2013-03-16 01:50:29 +00:00
|
|
|
$verifycallback = Get-Content Function:\VerifyxCATCert
|
|
|
|
$certselect = Get-Content Function:\Select-xCATClientCert
|
2013-03-15 21:12:53 +00:00
|
|
|
$script:xcatstream = $script:xcatconnection.GetStream()
|
2013-03-16 01:50:29 +00:00
|
|
|
$script:securexCATStream = New-Object System.Net.Security.SSLStream($script:xcatstream,$false,$verifycallback,$certselect)
|
2013-03-15 21:12:53 +00:00
|
|
|
$script:securexCATStream.AuthenticateAsClient($mgtServerAltName)
|
2013-03-16 01:50:22 +00:00
|
|
|
$script:xcatwriter = New-Object System.IO.StreamWriter($script:securexCATStream)
|
|
|
|
$script:xcatreader = New-Object System.IO.StreamReader($script:securexCATStream)
|
|
|
|
}
|
|
|
|
|
|
|
|
Function Get-Power {
|
|
|
|
Param(
|
|
|
|
$nodeRange
|
|
|
|
)
|
2013-03-16 01:50:29 +00:00
|
|
|
Connect-xCAT
|
2013-03-16 01:50:22 +00:00
|
|
|
$data = "<xcatrequest>`n`t<command>rpower</command>`n`t<arg>stat</arg>`n`t<noderange>$nodeRange</noderange>`n</xcatrequest>`n"
|
|
|
|
$script:xcatwriter.WriteLine($data)
|
|
|
|
$script:xcatwriter.Flush()
|
|
|
|
$response=""
|
|
|
|
$lastline=""
|
2013-03-16 01:50:29 +00:00
|
|
|
while (! $lastline.Contains("</xcatresponse>") -and $script:xcatreader) {
|
2013-03-16 01:50:22 +00:00
|
|
|
$lastline = $script:xcatreader.ReadLine()
|
|
|
|
$response = $response + $lastline
|
|
|
|
}
|
|
|
|
write-host $response
|
2013-03-04 21:25:23 +00:00
|
|
|
}
|