Create an alternative api.armed behavior

Move from a clock based expiration to a simpler 'once' versus 'continous' model. 'once' is intended to be used generally, 'continuous' for stateless without benefit of TPM. The goal would be to use TPM to seal a key to avoid continuous.
2025-02-15 10:10:13 +00:00 · 2020-02-27 13:33:05 -05:00 · 2020-02-27 13:33:05 -05:00 · f955086cc3
commit f955086cc3
parent cd20a23626
2 changed files with 15 additions and 13 deletions
--- a/confluent_server/confluent/config/attributes.py
+++ b/confluent_server/confluent/config/attributes.py
@ -101,10 +101,10 @@ node = {
        'description': ('Crypt of api key for self api requests by node'),
    },
    'api.armed': {
-        'description': ('Indicates whether an insecure api key request is allowed. '
-                        'The format is an expiration time in ISO8601 format. When '
-                        'the indicated time passes or the first time a node claims '
-                        'the key, key grants will not be allowed.'),
+        'description': ('Indicates whether the node authentication token interface '
+                        'is armed.  If set to once, it will grant only the next '
+                        'request. If set to continuous, will allow many requests.'
+                        'Should not be set unless an OS deployment is pending.'),
    },
    #'id': {
    #    'description': ('Numeric identifier for node')
--- a/confluent_server/confluent/credserver.py
+++ b/confluent_server/confluent/credserver.py
@ -39,7 +39,7 @@ class CredServer(object):
                client.close()
                continue
            self.gpool.spawn_n(self.handle_client, client)
-    
+
    def handle_client(self, client):
            client.send('\xc2\xd1-\xa8\x80\xd8j\xba')
            tlv = bytearray(client.recv(2))
@ -53,12 +53,13 @@ class CredServer(object):
            if not apiarmed:
                client.close()
                return
-            now = datetime.datetime.utcnow()
-            expiry = datetime.datetime.strptime(apiarmed, "%Y-%m-%dT%H:%M:%SZ")
-            if now > expiry:
-                self.cfm.set_node_attributes({nodename: {'api.armed': ''}})
-                client.close()
-                return
+            if apiarmed not in ('armed', 'continuous'):
+                now = datetime.datetime.utcnow()
+                expiry = datetime.datetime.strptime(apiarmed, "%Y-%m-%dT%H:%M:%SZ")
+                if now > expiry:
+                    self.cfm.set_node_attributes({nodename: {'api.armed': ''}})
+                    client.close()
+                    return
            client.send(b'\x02\x20')
            rttoken = os.urandom(32)
            client.send(rttoken)
@ -76,9 +77,10 @@ class CredServer(object):
                client.close()
                return
            echotoken = client.recv(tlv[1])
-            self.cfm.set_node_attributes({nodename: {'api.key': echotoken, 'api.armed': ''}})
+            if apiarmed != 'continuous':
+                self.cfm.set_node_attributes({nodename: {'api.key': echotoken, 'api.armed': ''}})
            client.recv(2)  # drain end of message
-            client.send('\x05\x00') # report success     
+            client.send('\x05\x00') # report success
            client.close()

 if __name__ == '__main__':