From 971808efbdea43d97021c38ca82a758b971d3564 Mon Sep 17 00:00:00 2001
From: lissav <lissav@us.ibm.com>
Date: Mon, 3 Mar 2014 13:18:53 -0500
Subject: [PATCH]  support zone root ssh keys

---
 xCAT-server/lib/xcat/plugins/credentials.pm | 73 ++++++++++++++++-----
 1 file changed, 58 insertions(+), 15 deletions(-)

diff --git a/xCAT-server/lib/xcat/plugins/credentials.pm b/xCAT-server/lib/xcat/plugins/credentials.pm
index bc4f3c397..fcf3ebef8 100644
--- a/xCAT-server/lib/xcat/plugins/credentials.pm
+++ b/xCAT-server/lib/xcat/plugins/credentials.pm
@@ -28,6 +28,7 @@ use strict;
 use xCAT::Table;
 use Data::Dumper;
 use xCAT::NodeRange;
+use xCAT::Zone;
 use IO::Socket::INET;
 use Time::HiRes qw(sleep);
 
@@ -112,34 +113,71 @@ sub process_request
     } else {
         $root = "/root";
     }
+    
+    foreach my $parm (@params_to_return) {
+       
+       # if  paramter is ssh_root_key or ssh_root_pub_key then
+       # we need to see if a zonename is attached
+       # it comes in as ssh_root_key:zonename
+       # if zonename then we need to read the keys from the zone table sshkeydir attribute
+       
+       my $errorfindingkeys=0;
+       my $foundkeys=0;
+       my $sshrootkeydir="$root/.ssh";   # old default
+       if ((($parm =~ /^ssh_root_key/) || ($parm =~ /^ssh_root_pub_key/)) && ($foundkeys==0)){
+         my ($rootkeyparm,$zonename) = split(/:/,$parm);
+         if ($zonename) {   
+            $parm=$rootkeyparm;  # take the zone off
+           `logger -t xCAT -p local4.info "credentials: The node is asking for zone:$zonename sshkeys ."`;
+           $sshrootkeydir = xCAT::Zone->getzonekeydir($zonename);
+           if ($sshrootkeydir == 1) { # error return
+               `logger -t xCAT -p local4.info "credentials: The node is asking for zone:$zonename sshkeys and the $zonename is not defined."`;
+           } else {
+                $foundkeys=1;  # don't want to read the zone data twice
+           }
+         }
+       }
 
-    foreach (@params_to_return) {
-
-       if (/ssh_root_key/) { 
-          unless (-r "$root/.ssh/id_rsa") {
+       if ($parm  =~ /ssh_root_key/) { 
+          unless (-r "$sshrootkeydir/id_rsa") {
             push @{$rsp->{'error'}},"Unable to read root's private ssh key";
             `logger -t xCAT -p local4.info "credentials: Unable to read root's private ssh key"` ;
             next;
           }
-          $tfilename = "$root/.ssh/id_rsa";
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
+          $tfilename = "$sshrootkeydir/id_rsa";
+         `logger -t xCAT -p local4.info "credentials: The  ssh root private key is in $tfilename."`;
 
-       } elsif (/xcat_server_cred/) {
+       } elsif ($parm =~ /ssh_root_pub_key/) {
+          unless (-r "$sshrootkeydir/id_rsa.pub") {
+            push @{$rsp->{'error'}},"Unable to read root's public ssh key";
+            `logger -t xCAT -p local4.info "credentials: Unable to read root's public ssh key"` ;
+            next;
+          }
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
+          $tfilename = "$sshrootkeydir/id_rsa.pub";
+         `logger -t xCAT -p local4.info "credentials: The  ssh root public key is in $tfilename."`;
+
+       } elsif ($parm =~ /xcat_server_cred/) {
           unless (-r "/etc/xcat/cert/server-cred.pem") {
             push @{$rsp->{'error'}},"Unable to read xcat_server_cred";
             `logger -t xCAT -p local4.info "credentials: Unable to read xcat_server_cred"` ;
             next;
           }
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
           $tfilename = "/etc/xcat/cert/server-cred.pem";
 
-       } elsif (/xcat_client_cred/ or /xcat_root_cred/) {
+       } elsif (($parm =~ /xcat_client_cred/) or ($parm =~ /xcat_root_cred/)) {
           unless (-r "$root/.xcat/client-cred.pem") {
             push @{$rsp->{'error'}},"Unable to read xcat_client_cred or xcat_root_cred";
             `logger -t xCAT -p local4.info "credentials: Unable to read xcat_client_cred or xcat_root_cred"` ;
             next;
           }
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
           $tfilename = "$root/.xcat/client-cred.pem";
 
-       } elsif (/ssh_dsa_hostkey/) {
+       } elsif ($parm =~ /ssh_dsa_hostkey/) {
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
 	  if (-r "/etc/xcat/hostkeys/$client/ssh_host_dsa_key") {
 	  	$tfilename="/etc/xcat/hostkeys/$client/ssh_host_dsa_key";
 	  } elsif (-r "/etc/xcat/hostkeys/ssh_host_dsa_key") {
@@ -149,7 +187,8 @@ sub process_request
             `logger -t xCAT -p local4.info "credentials: Unable to read private DSA key"` ;
              next;
           }
-       } elsif (/ssh_rsa_hostkey/) {
+       } elsif ($parm =~ /ssh_rsa_hostkey/) {
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
           if (-r "/etc/xcat/hostkeys/$client/ssh_host_rsa_key") {
 	  	 $tfilename="/etc/xcat/hostkeys/$client/ssh_host_rsa_key";
 	  } elsif (-r "/etc/xcat/hostkeys/ssh_host_rsa_key") {   
@@ -159,7 +198,8 @@ sub process_request
             `logger -t xCAT -p local4.info "credentials: Unable to read private RSA key"` ;
              next;
           }
-       } elsif (/xcat_cfgloc/) {
+       } elsif ($parm =~ /xcat_cfgloc/) {
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
           unless (-r "/etc/xcat/cfgloc") {
             push @{$rsp->{'error'}},"Unable to read /etc/xcat/cfgloc ";
             `logger -t xCAT -p local4.info "credentials: Unable to read /etc/xcat/cfgloc"` ;
@@ -167,7 +207,8 @@ sub process_request
           }
           $tfilename = "/etc/xcat/cfgloc";
 
-       } elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
+       } elsif ($parm =~ /krb5_keytab/) { #TODO: MUST RELAY TO MASTER
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
            my $princsuffix=$request->{'_xcat_clientfqdn'}->[0];
            $ENV{KRB5CCNAME}="/tmp/xcat/krb5cc_xcat_$$";
            system('kinit -S kadmin/admin -k -t /etc/xcat/krb5_pass xcat/admin');
@@ -188,10 +229,11 @@ sub process_request
            while (read($keytab,$buf,1140)) {
                $tabdata.=MIME::Base64::encode_base64($buf);
            }
-           push @{$rsp->{'data'}},{content=>[$tabdata],desc=>[$_]};
+           push @{$rsp->{'data'}},{content=>[$tabdata],desc=>[$parm]};
            unlink "/tmp/xcat/keytab.$$";
            next;
-       } elsif (/x509cert/) {
+       } elsif ($parm =~ /x509cert/) {
+          `logger -t xCAT -p local4.info "credentials: sending $parm"` ;
 	   my $csr = $request->{'csr'}->[0];
 	   my $csrfile;
            my $oldumask = umask 0077;
@@ -243,7 +285,7 @@ sub process_request
 	   close($csrfile);
 	   unlink "/tmp/xcat/client.cert.$$";
            my $certcontents = join('',@certdata);
-           push @{$rsp->{'data'}},{content=>[$certcontents],desc=>[$_]};
+           push @{$rsp->{'data'}},{content=>[$certcontents],desc=>[$parm]};
        } else {
           next;
        }
@@ -253,7 +295,7 @@ sub process_request
            @filecontent=<$tmpfile>;
            close($tmpfile);
            $retdata = "\n".join('',@filecontent);
-           push @{$rsp->{'data'}},{content=>[$retdata],desc=>[$_]};
+           push @{$rsp->{'data'}},{content=>[$retdata],desc=>[$parm]};
            $retdata="";
            @filecontent=();
        }
@@ -261,6 +303,7 @@ sub process_request
     if (defined $rsp->{data}->[0]) {
 	#if we got the data from the file, send the data message to the client
         xCAT::MsgUtils->message("D", $rsp, $callback, 0);
+        return;
     }else {
 	#if the file doesn't exist, send the error message to the client
         delete $rsp->{'data'};