Add SSH cert to self api

This allows nodes to get a cert from confluent.
2025-04-04 17:48:35 +00:00 · 2020-04-16 13:11:05 -04:00 · 2020-04-16 13:11:05 -04:00 · 16667ed41c
commit 16667ed41c
parent b37c034d6f
3 changed files with 17 additions and 6 deletions
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@ -412,6 +412,10 @@ def resourcehandler_backend(env, start_response):
               ('X-Permitted-Cross-Domain-Policies', 'none')]
    reqbody = None
    reqtype = None
+    if env.get('PATH_INFO', '').startswith('/self/'):
+        for res in selfservice.handle_request(env, start_response):
+            yield res
+        return
    if 'CONTENT_LENGTH' in env and int(env['CONTENT_LENGTH']) > 0:
        reqbody = env['wsgi.input'].read(int(env['CONTENT_LENGTH']))
        reqtype = env['CONTENT_TYPE']
@ -420,10 +424,6 @@ def resourcehandler_backend(env, start_response):
    if operation != 'retrieve' and 'restexplorerop' in querydict:
        operation = querydict['restexplorerop']
        del querydict['restexplorerop']
-    if env.get('PATH_INFO', '').startswith('/self/'):
-        for res in selfservice.handle_request(env, operation, start_response):
-            yield res
-        return
    authorized = _authorize_request(env, operation)
    if 'logout' in authorized:
        start_response('200 Successful logout', headers)
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@ -1,5 +1,6 @@
 import confluent.config.configmanager as configmanager
 import confluent.netutil as netutil
+import confluent.sshutil as sshutil
 import crypt
 import json
 import yaml
@ -9,7 +10,7 @@ def yamldump(input):
    return yaml.safe_dump(input, default_flow_style=False)


-def handle_request(env, operation, start_response):
+def handle_request(env, start_response):
    nodename = env.get('HTTP_CONFLUENT_NODENAME', None)
    apikey = env.get('HTTP_CONFLUENT_APIKEY', None)
    if not (nodename and apikey):
@ -39,6 +40,8 @@ def handle_request(env, operation, start_response):
        start_response('406 Not supported', [])
        yield 'Unsupported content type in ACCEPT: ' + retype
        return
+    if 'CONTENT_LENGTH' in env and int(env['CONTENT_LENGTH']) > 0:
+        reqbody = env['wsgi.input'].read(int(env['CONTENT_LENGTH']))
    if env['PATH_INFO'] == '/self/deploycfg':
        myip = env.get('HTTP_X_FORWARDED_HOST', None)
        myip = myip.replace('[', '').replace(']', '')
@ -58,6 +61,14 @@ def handle_request(env, operation, start_response):
            ncfg['protocol'] = 'https'
        start_response('200 OK', (('Content-Type', retype),))
        yield dumper(ncfg)
+    elif env['PATH_INFO'] == '/self/sshcert':
+        if not sshutil.ca_exists():
+            start_response('500 Unconfigured', ())
+            yield 'CA is not configured on this system (run ...)'
+            return
+        cert = sshutil.sign_host_key(reqbody, nodename)
+        start_response('200 OK', (('Content-Type', 'text/plain'),))
+        yield cert
    else:
        start_response('404 Not Found', ())
        yield 'Not found'
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
@ -40,7 +40,7 @@ def sign_host_key(pubkey, nodename):
    tmpdir = tempfile.mkdtemp()
    try:
        pkeyname = os.path.join(tmpdir, 'hostkey.pub')
-        with open(pkeyname, 'w') as pubfile:
+        with open(pkeyname, 'wb') as pubfile:
            pubfile.write(pubkey)
        subprocess.check_call(
            ['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,