diff --git a/xCAT-server/lib/xcat/plugins/frusetter.pm b/xCAT-server/lib/xcat/plugins/frusetter.pm
new file mode 100644
index 000000000..17777caa5
--- /dev/null
+++ b/xCAT-server/lib/xcat/plugins/frusetter.pm
@@ -0,0 +1,52 @@
+package xCAT_plugin::frusetter;
+use Data::Dumper;
+
+sub handled_commands {
+ return {
+ rewritemyfru => 'frusetter',
+ }
+}
+
+sub ok_with_node {
+ my $node = shift;
+ #Here we connect to the node on a privileged port (in the clear) and ask the
+ #node if it just asked us for credential. It's convoluted, but it is
+ #a convenient way to see if root on the ip has approved requests for
+ #credential retrieval. Given the nature of the situation, it is only ok
+ #to assent to such requests before users can log in. During postscripts
+ #stage in stateful nodes and during the rc scripts of stateless boot
+ my $select = new IO::Select;
+ #sleep 0.5; # gawk script race condition might exist, try to lose just in case
+ my $sock = new IO::Socket::INET(PeerAddr=>$node,
+ Proto => "tcp",
+ PeerPort => shift);
+ my $rsp;
+ unless ($sock) {return 0};
+ $select->add($sock);
+ print $sock "CREDOKBYYOU?\n";
+ unless ($select->can_read(5)) { #wait for data for up to five seconds
+ return 0;
+ }
+ my $response = <$sock>;
+ chomp($response);
+ if ($response eq "CREDOKBYME") {
+ return 1;
+ }
+ return 0;
+}
+sub process_request {
+ my $request = shift;
+ my $callback = shift;
+ my $doreq = shift;
+ my $node = $request->{_xcat_clienthost}->[0];
+ unless (ok_with_node($node,300)) {
+ $callback->({error=>["Unable to prove root on your IP approves of this request"],errorcode=>[1]});
+ return;
+ }
+ $doreq->({command=>['rfrurewrite'],
+ noderange=>[$node],
+ });
+ return;
+}
+
+1;
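Review bot: The connect in `ok_with_node` is unbounded — `IO::Socket::INET` is constructed without a `Timeout`, so a requester whose host silently drops packets to port 300 blocks the plugin for the kernel's full SYN-retry period, while the `can_read(5)` further down only bounds the read; add `Timeout => 5,` to the constructor arguments. The read itself is also unchecked: `can_read` returns true on EOF, so `<$sock>` yields undef when the peer closes without writing and `chomp`/`eq` then operate on undef (the result is still a deny, but under warnings it is noisy and masks the real cause); guard with `return 0 unless defined $response;` before the `chomp`. The gate trusts the request's source address (`_xcat_clienthost`) plus a cleartext exchange, which the in-code comment acknowledges, so `process_request` deserves a one-line comment such as `# rfrurewrite on $node is authorized solely by the port-300 callback above; no other check is applied` to make that trust boundary explicit to the next maintainer. Separately, the file calls `new IO::Select` and `new IO::Socket::INET` with no `use` line for either, has no `use strict; use warnings;`, and declares an unused `$rsp` and an unused `Data::Dumper` import; the missing `use` lines presumably work only because the loading daemon has already pulled those modules in, which is worth stating or fixing.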