2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-29 13:00:03 +00:00

Incorporate auto discovery for remote discovery

Avail ourselves of secure vouching to handle new and
replaced.
This commit is contained in:
Jarrod Johnson 2022-07-20 16:21:25 -04:00
parent 0dc7b532cc
commit 2d8bcb4c0f
3 changed files with 22 additions and 2 deletions

View File

@ -256,7 +256,7 @@ node = {
'so long as the node has no existing public key. '
'"open" allows discovery even if a known public key '
'is already stored',
'validlist': ('manual', 'permissive', 'pxe', 'open'),
'validlist': ('manual', 'permissive', 'pxe', 'open', 'verified'),
},
'info.note': {
'description': 'A field used for administrators to make arbitrary '

View File

@ -1153,7 +1153,15 @@ def discover_node(cfg, handler, info, nodename, manual):
'pubkeys.tls_hardwaremanager attribute is cleared '
'first'.format(nodename)})
return False # With a permissive policy, do not discover new
elif policies & set(('open', 'permissive')) or manual:
elif policies & set(('open', 'permissive', 'verified')) or manual:
if 'verified' in policies:
if not handler.https_supported or not util.cert_matches(info['fingerprint'], handler.https_cert):
log.log({'info': 'Detected replacement of {0} without verified '
'fingerprint and discovery policy is setto verified, not '
'doing discovery unless discovery.policy=open or '
'pubkeys.tls_hardwaremanager attribute is cleared '
'first'.format(nodename)})
return False
info['nodename'] = nodename
if info['handler'] == pxeh:
return do_pxe_discovery(cfg, handler, info, manual, nodename, policies)

View File

@ -146,12 +146,24 @@ def get_fingerprint(certificate, algo='sha512'):
return 'sha256$' + hashlib.sha256(certificate).hexdigest()
elif algo == 'sha512':
return 'sha512$' + hashlib.sha512(certificate).hexdigest()
elif algo == 'sha384':
return 'sha384$' + hashlib.sha384(certificate).hexdigest()
raise Exception('Unsupported fingerprint algorithm ' + algo)
hashlens = {
48: hashlib.sha384,
64: hashlib.sha512,
32: hashlib.sha256
}
def cert_matches(fingerprint, certificate):
if not fingerprint or not certificate:
return False
if '$' not in fingerprint:
fingerprint = base64.b64decode(certificate)
algo = hashlens[len(fingerprint)]
return algo(certificate).digest() == fingerprint
algo, _, fp = fingerprint.partition('$')
newfp = None
if algo in ('sha512', 'sha256'):