mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-29 13:00:03 +00:00
Incorporate auto discovery for remote discovery
Avail ourselves of secure vouching to handle new and replaced.
This commit is contained in:
parent
0dc7b532cc
commit
2d8bcb4c0f
@ -256,7 +256,7 @@ node = {
|
||||
'so long as the node has no existing public key. '
|
||||
'"open" allows discovery even if a known public key '
|
||||
'is already stored',
|
||||
'validlist': ('manual', 'permissive', 'pxe', 'open'),
|
||||
'validlist': ('manual', 'permissive', 'pxe', 'open', 'verified'),
|
||||
},
|
||||
'info.note': {
|
||||
'description': 'A field used for administrators to make arbitrary '
|
||||
|
@ -1153,7 +1153,15 @@ def discover_node(cfg, handler, info, nodename, manual):
|
||||
'pubkeys.tls_hardwaremanager attribute is cleared '
|
||||
'first'.format(nodename)})
|
||||
return False # With a permissive policy, do not discover new
|
||||
elif policies & set(('open', 'permissive')) or manual:
|
||||
elif policies & set(('open', 'permissive', 'verified')) or manual:
|
||||
if 'verified' in policies:
|
||||
if not handler.https_supported or not util.cert_matches(info['fingerprint'], handler.https_cert):
|
||||
log.log({'info': 'Detected replacement of {0} without verified '
|
||||
'fingerprint and discovery policy is setto verified, not '
|
||||
'doing discovery unless discovery.policy=open or '
|
||||
'pubkeys.tls_hardwaremanager attribute is cleared '
|
||||
'first'.format(nodename)})
|
||||
return False
|
||||
info['nodename'] = nodename
|
||||
if info['handler'] == pxeh:
|
||||
return do_pxe_discovery(cfg, handler, info, manual, nodename, policies)
|
||||
|
@ -146,12 +146,24 @@ def get_fingerprint(certificate, algo='sha512'):
|
||||
return 'sha256$' + hashlib.sha256(certificate).hexdigest()
|
||||
elif algo == 'sha512':
|
||||
return 'sha512$' + hashlib.sha512(certificate).hexdigest()
|
||||
elif algo == 'sha384':
|
||||
return 'sha384$' + hashlib.sha384(certificate).hexdigest()
|
||||
raise Exception('Unsupported fingerprint algorithm ' + algo)
|
||||
|
||||
|
||||
hashlens = {
|
||||
48: hashlib.sha384,
|
||||
64: hashlib.sha512,
|
||||
32: hashlib.sha256
|
||||
}
|
||||
|
||||
def cert_matches(fingerprint, certificate):
|
||||
if not fingerprint or not certificate:
|
||||
return False
|
||||
if '$' not in fingerprint:
|
||||
fingerprint = base64.b64decode(certificate)
|
||||
algo = hashlens[len(fingerprint)]
|
||||
return algo(certificate).digest() == fingerprint
|
||||
algo, _, fp = fingerprint.partition('$')
|
||||
newfp = None
|
||||
if algo in ('sha512', 'sha256'):
|
||||
|
Loading…
Reference in New Issue
Block a user