Hook up apiclient to TPM2 persistence, when available

2025-02-03 04:22:38 +00:00 · 2020-11-06 16:38:05 -05:00 · 2020-11-06 16:38:05 -05:00 · edaaa2393d
commit edaaa2393d
parent 1ecef6f251
2 changed files with 24 additions and 2 deletions
--- a/confluent_osdeploy/common/opt/confluent/bin/apiclient
+++ b/confluent_osdeploy/common/opt/confluent/bin/apiclient
@ -10,13 +10,32 @@ import ssl
 import sys

 def get_apikey(nodename, mgr):
+    sealnew = True
    if os.path.exists('/etc/confluent/confluent.apikey'):
        return open('/etc/confluent/confluent.apikey').read().strip()
    apikey = subprocess.check_output(['/opt/confluent/bin/clortho', nodename, mgr])
    if not isinstance(apikey, str):
        apikey = apikey.decode('utf8')
+    if apikey.startswith('SEALED:'):
+        sealnew = False
+        with open('/etc/confluent/confluent.sealedapikey', 'w+') as apiout:
+            apiout.write(apikey[7:])
+        with open('/etc/confluent/confluent.sealedapikey') as inp:
+            sp = subprocess.Popen(['/usr/bin/clevis-decrypt-tpm2'],
+                stdin=inp, stdout=subprocess.PIPE)
+            apikey = sp.communicate()[0]
+            if not isinstance(apikey, str):
+                apikey = apikey.decode('utf8')
    with open('/etc/confluent/confluent.apikey', 'w+') as apiout:
        apiout.write(apikey)
+    if sealnew and os.path.exists('/usr/bin/clevis-encrypt-tpm2'):
+        try:
+            with open('/etc/confluent/confluent.apikey') as apin:
+                sealed = subprocess.check_output(
+                    ['/usr/bin/clevis-encrypt-tpm2', '{}'], stdin=apin)
+            print(HTTPSClient().grab_url('/confluent-api/self/saveapikey', sealed).decode())
+        except Exception:
+            sys.stderr.write('Unable to persist API key through TPM2 sealing\n')
    apikey = apikey.strip()
    os.chmod('/etc/confluent/confluent.apikey', 0o600)
    return apikey
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@ -256,8 +256,11 @@ def handle_request(env, start_response):
        else:
            start_response('500 Error', (('Content-Type', 'text/plain'),))
            yield 'No pending profile detected, unable to accept status update'
-    elif env['PATH_INFO'] == '/self/savetoken':
-        print(repr(reqbody))
+    elif env['PATH_INFO'] == '/self/saveapikey':
+        cfg.set_node_attributes({
+            nodename: {'deployment.sealedapikey': {'value': reqbody}}})
+        start_response('200 OK', ())
+        yield ''
    else:
        start_response('404 Not Found', ())
        yield 'Not found'