Merge lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat into lp:ubuntu/oneiric/eucalyptus

Proposed by James Page
Status: Merged
Merged at revision: 182
Proposed branch: lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat
Merge into: lp:ubuntu/oneiric/eucalyptus
Diff against target: 2347 lines (+2232/-2)
14 files modified
.pc/29-euca_conf-sslv3.patch/tools/euca_conf.in (+1555/-0)
.pc/30-clock_drift.patch/tools/client-policy-template.xml (+73/-0)
.pc/30-clock_drift.patch/tools/service-policy-template.xml (+67/-0)
.pc/30-clock_drift.patch/util/euca_axis.c (+459/-0)
.pc/applied-patches (+2/-0)
debian/changelog (+13/-0)
debian/eucalyptus-cloud.upstart (+1/-0)
debian/patches/29-euca_conf-sslv3.patch (+18/-0)
debian/patches/30-clock_drift.patch (+38/-0)
debian/patches/series (+2/-0)
tools/client-policy-template.xml (+1/-0)
tools/euca_conf.in (+1/-1)
tools/service-policy-template.xml (+1/-0)
util/euca_axis.c (+1/-1)
To merge this branch: bzr merge lp:~james-page/ubuntu/oneiric/eucalyptus/fix-sslv3-compat
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+76258@code.launchpad.net

Preview Diff

1=== added directory '.pc/29-euca_conf-sslv3.patch'
2=== added directory '.pc/29-euca_conf-sslv3.patch/tools'
3=== added file '.pc/29-euca_conf-sslv3.patch/tools/euca_conf.in'
4--- .pc/29-euca_conf-sslv3.patch/tools/euca_conf.in 1970-01-01 00:00:00 +0000
5+++ .pc/29-euca_conf-sslv3.patch/tools/euca_conf.in 2011-09-21 09:10:44 +0000
6@@ -0,0 +1,1555 @@
7+#!/bin/bash
8+#Copyright (c) 2009 Eucalyptus Systems, Inc.
9+#
10+#This program is free software: you can redistribute it and/or modify
11+#it under the terms of the GNU General Public License as published by
12+#the Free Software Foundation, only version 3 of the License.
13+#
14+#This file is distributed in the hope that it will be useful, but WITHOUT
15+#ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
16+#FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17+#for more details.
18+#
19+#You should have received a copy of the GNU General Public License along
20+#with this program. If not, see <http://www.gnu.org/licenses/>.
21+#
22+#Please contact Eucalyptus Systems, Inc., 130 Castilian
23+#Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/>
24+#if you need additional information or have any questions.
25+#
26+#This file may incorporate work covered under the following copyright and
27+#permission notice:
28+#
29+# Software License Agreement (BSD License)
30+#
31+# Copyright (c) 2008, Regents of the University of California
32+#
33+#
34+# Redistribution and use of this software in source and binary forms, with
35+# or without modification, are permitted provided that the following
36+# conditions are met:
37+#
38+# Redistributions of source code must retain the above copyright notice,
39+# this list of conditions and the following disclaimer.
40+#
41+# Redistributions in binary form must reproduce the above copyright
42+# notice, this list of conditions and the following disclaimer in the
43+# documentation and/or other materials provided with the distribution.
44+#
45+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
46+# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
47+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
48+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
49+# OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
50+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
51+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
52+# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
53+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
54+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
55+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF
56+# THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE
57+# LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS
58+# SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
59+# IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA
60+# BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN
61+# THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT
62+# OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR
63+# WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH
64+# ANY SUCH LICENSES OR RIGHTS.
65+#
66+#
67+#FAKEREG="yes"
68+
69+FILE="@prefix@/etc/eucalyptus/eucalyptus.local.conf"
70+DEFAULTS_FILE="@prefix@/etc/eucalyptus/eucalyptus.conf"
71+IMPORTFILE=""
72+EUCALYPTUS=""
73+CC_PORT=""
74+NC_PORT=""
75+CLOUD_PORT=""
76+CLOUD_SSL_PORT=""
77+NAME=""
78+INSTANCE=""
79+EUCA_USER=""
80+HYPERVISOR=""
81+DHCPD=""
82+DHCP_USER=""
83+BRIDGE=""
84+NEWNODES=""
85+NODEMODE=""
86+WALRUS_MODE=""
87+SYNC=""
88+WALRUS=""
89+WALRUS_MODE=""
90+CLUSNAME=""
91+NEWCLUS=""
92+CLUSMODE=""
93+UPGRADE_CONF=""
94+SETUP=""
95+VERSION=""
96+CHECK=""
97+TOSYNC=""
98+TO_BACKUP="Y"
99+CREDENTIALZIPFILE=""
100+SCP="`which scp 2> /dev/null`"
101+SCP_OPT=""
102+RSYNC="`which rsync 2> /dev/null`"
103+LOCALSYNC="N"
104+WGET="`which wget 2> /dev/null`"
105+VERBOSE="N"
106+LIST=""
107+ENABLED=""
108+DISABLED=""
109+TO_START=""
110+
111+
112+usage () {
113+ echo "$0 [options] [<file>]"
114+ echo
115+ echo "where <file> is the configuration file ($FILE by default)"
116+ echo " --help this message"
117+ echo " -d <dir> point EUCALYPTUS to <dir>"
118+ echo " --no-rsync don't use rsync"
119+ echo " --no-scp don't use scp"
120+ echo " --skip-scp-hostcheck skip scp interactive host keycheck"
121+ echo " --local-sync force local key sync"
122+ echo " --get-credentials <zipfile> download credentials to <zipfile>"
123+ echo " --register-nodes \"host host ...\" add new nodes to EUCALYPTUS"
124+ echo " --discover-nodes find and add nodes on local network"
125+ echo " --deregister-nodes \"host host ...\" remove nodes from EUCALYPTUS"
126+ echo " --register-cluster <clustername> <host> add new cluster to EUCALYPTUS"
127+ echo " --deregister-cluster <clustername> remove cluster from EUCALYPTUS"
128+ echo " --register-walrus <host> add walrus to EUCALYPTUS"
129+ echo " --deregister-walrus <host> remove walrus from EUCALYPTUS"
130+ echo " --register-sc <clustername> <host> add storage controller"
131+ echo " --deregister-sc <clustername> remove storage controller from EUCALYPTUS"
132+ echo " --list-walruses list registered walrus(es)"
133+ echo " --list-clusters list registered CCs"
134+ echo " --list-nodes list registered NCs"
135+ echo " --list-scs list registered SCs"
136+ echo " --no-sync used only with --register-* to skip syncing keys"
137+ echo " --cc-port <port> set CC port"
138+ echo " --nc-port <port> set NC port"
139+ echo " --instances <path> set the INSTANCE path"
140+# echo " --cloud-port <port1> <port2> set the 2 cloud ports"
141+ echo " --hypervisor <kvm|xen> set hypervisor to use"
142+ echo " --user <euca_user> set the user to use"
143+ echo " --dhcpd <dhcpd> set the dhcpd binary to <name>"
144+ echo " --dhcp_user <user> set the username to run dhcpd as"
145+ echo " --name <var> returns the value or <name>"
146+ echo " --import-conf <file> import variables from <file> into $FILE"
147+ echo " --setup perform initial setup"
148+ echo " --enable {cloud|walrus|sc} enable service at next start"
149+ echo " --disable {cloud|walrus|sc} disable service at next start"
150+ echo " --check {nc|cc|cloud|sc|walrus} pre-flight checks"
151+# echo " --sync {nc|cc|cloud|sc|walrus} pre-flight checks"
152+ echo " --version eucalyptus version"
153+ echo
154+}
155+
156+# utility function to make a copy of the conf file
157+check_and_backup () {
158+ # can we write to the configuration file?
159+ if [ ! -w $1 ]; then
160+ echo "Cannot write to $1!"
161+ exit 1
162+ fi
163+
164+ # let's see if we need a copy
165+ if [ "$TO_BACKUP" = "Y" ]; then
166+ cp $1 $1.bak
167+ TO_BACKUP="N"
168+ fi
169+}
170+
171+# 3 paramenter: the file, the variable name, the new value
172+change_var_value () {
173+ check_and_backup $1
174+ sed -i "s<^[[:blank:]#]*\(${2}\).*<\1=\"${3}\"<" $1
175+}
176+# comment lines matching $2 ($1 is the file)
177+comment () {
178+ check_and_backup $1
179+ sed -i "s<^[[:blank:]]*\(${2}.*\)<#\1<" $1
180+}
181+# comment lines matching $2 ($1 is the file)
182+uncomment () {
183+ check_and_backup $1
184+ sed -i "s<^[#[:blank:]]*\(${2}.*\)<\1<" $1
185+}
186+
187+check_heartbeat() {
188+ local __host="$1"
189+ local __service="$2"
190+ local ret=""
191+
192+ # checks
193+ if [ -z "$__host" -o -z "$__service" ]; then
194+ echo "check_heartbeat: need a host and a service!"
195+ return 1
196+ fi
197+ if [ -z "$WGET" -o ! -x "$WGET" ]; then
198+ echo "ERROR: wget is missing, cannot continue."
199+ return 1
200+ fi
201+
202+ # let's talk to the host and check if something is running
203+ ret="`$WGET -q -T 10 -t 1 -O - http://${__host}:8773/services/Heartbeat`"
204+ if [ "$?" != "0" -o -z "$ret" ]; then
205+ return 1
206+ fi
207+
208+ # we need both ehabled and local to be true
209+ if ! echo $ret |grep "enabled=true" > /dev/null ; then
210+ return 1
211+ elif ! echo $ret |grep "local=true" > /dev/null ; then
212+ return 1
213+ fi
214+
215+ return 0
216+}
217+
218+check_ws() {
219+ local URL="$1"
220+ local ret=""
221+ local soap_error=""
222+
223+ if [ -z "$URL" ]; then
224+ echo "check_ws: need a URL!"
225+ return 1
226+ fi
227+
228+ if [ -n "${FAKEREG}" ]; then
229+ ret=""
230+ elif [ "$2" != "" ]; then
231+ if [ "$VERBOSE" = "Y" ]; then
232+ echo "$WGET -q -T 10 -t 1 -O - \"$URL\"" "|sed 's/<euca:registered>\\(.*\\)<\\/euca:registered>/\\n\\1\\n/g;s/<euca:name>/\\n>/g;s/<\\/*euca:item>//g;s/<\\/*euca:[^>]*>/ /g'|awk -F\">\" '/>/{print \" \"$2}')"
233+ fi
234+ E=$($WGET -q -T 10 -t 1 -O - "$URL"|\
235+ sed 's/<euca:registered>\(.*\)<\/euca:registered>/\n\1\n/g;s/<euca:name>/\n>/g;s/<\/*euca:item>//g;s/<\/*euca:[^>]*>/ /g'|\
236+ awk -F">" '/>/{print " "$2}')
237+ eval "$2=\"${E}\""
238+ else
239+ if [ "$VERBOSE" = "Y" ]; then
240+ echo "$WGET -q -T 10 -t 1 -O - \"$URL\" |grep faultstring | sed 's:.*<faultstring>\(.*\)</faultstring>.*:\1:'"
241+ fi
242+ soap_error="`$WGET -q -T 10 -t 1 -O - \"$URL\"`"
243+ ret="$?"
244+ soap_error="`echo $soap_error |grep faultstring | sed 's:.*<faultstring>\(.*\)</faultstring>.*:\1:'`"
245+ if test -n "$soap_error" ; then
246+ echo $soap_error
247+ ret="1"
248+ fi
249+ fi
250+ return $ret
251+}
252+
253+component_sync_keys() {
254+ local COMPONENT=""
255+ local NAME=""
256+
257+ if [ "$SYNC" = "N" ]; then
258+ return 0
259+ fi
260+
261+ if [ $# -lt 1 ]; then
262+ return 1
263+ fi
264+
265+ COMPONENT="$1"
266+ shift
267+ NAME="$2"
268+ shift
269+
270+ if [ "$COMPONENT" = "walrus" ]; then
271+ echo "syncing walrus"
272+ elif [ "$COMPONENT" = "cc" ]; then
273+ echo "syncing cc($NAME)"
274+ elif [ "$COMPONENT" = "sc" ]; then
275+ echo "syncing sc($NAME)"
276+ elif [ "$COMPONENT" = "nc" ]; then
277+ echo "syncing nc"
278+ fi
279+
280+
281+}
282+
283+# copy files over.
284+sync_keys() {
285+ local DESTDIR=""
286+ local REMOTE=""
287+ local FILES=""
288+ local FILE=""
289+
290+ if [ "$SYNC" = "N" ]; then
291+ return 0
292+ fi
293+
294+ if [ $# -lt 4 ]; then
295+ return 1
296+ fi
297+
298+ SOURCEDIRS="$1"
299+ shift
300+ DESTDIR="$1"
301+ shift
302+ REMOTE="$1"
303+ shift
304+ while [ $# -ge 1 ]; do
305+ FILE=""
306+ for sd in `echo $SOURCEDIRS | sed "s/,/ /g"`
307+ do
308+ if [ -e "${sd}/${1}" ]; then
309+ FILE="${sd}/${1}"
310+ fi
311+ done
312+ if [ "$FILE" = "" ]; then
313+ echo "Warning: cannot file file ${1} in ${SOURCEDIRS}"
314+ else
315+ FILES="$FILES $FILE"
316+ fi
317+
318+ shift
319+ done
320+
321+ # is REMOTE actually localhost?
322+ if [ ${LOCALSYNC} = "Y" -o ${REMOTE} = "127.0.0.1" -o ${REMOTE} = localhost -o ${REMOTE} = "`hostname -s`" -o ${REMOTE} = "`hostname -f`" ]; then
323+ # machine is localhost, not need for remote syncing
324+ for i in $FILES
325+ do
326+ if [ ! -e $i ]; then
327+ echo "ERROR: cannot find cluster credentials."
328+ exit 1
329+ else
330+ if ! $RSYNC -a $i $DESTDIR ; then
331+ echo "ERROR: cannot copy file (${i}) to destination (${DESTDIR})"
332+ return 1
333+ fi
334+ fi
335+ done
336+ return 0
337+ fi
338+
339+ # try rsync first
340+ if [ -n "$RSYNC" ]; then
341+ echo
342+ echo -n "Trying rsync to sync keys with \"${REMOTE}\"..."
343+ [ -z "${RSYNC_RSH}" ] && RSYNC_RSH="ssh"
344+ if sudo -u ${EUCA_USER} ${RSYNC} --rsh "${RSYNC_RSH}" -az ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR}/ > /dev/null ; then
345+ echo "done."
346+ return 0
347+ else
348+ echo "failed."
349+ fi
350+ fi
351+
352+ # scp next
353+ if [ -n "$SCP" ]; then
354+ echo
355+ if [ "$EUCA_USER" = "" ]; then
356+ if getent passwd eucalyptus > /dev/null ; then
357+ echo "Using 'eucalyptus' as EUCA_USER"
358+ EUCA_USER="eucalyptus"
359+ else
360+ echo "EUCA_USER is not defined!"
361+ return 1
362+ fi
363+ fi
364+ echo
365+ echo "Trying scp to sync keys to: ${EUCA_USER}@${REMOTE}:${DESTDIR}..."
366+ if [ "$EUID" = `getent passwd $EUCA_USER | cut -f3 -d:` ]; then
367+ $SCP $SCP_OPT ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR} > /dev/null
368+ else
369+ sudo -u ${EUCA_USER} $SCP $SCP_OPT ${FILES} ${EUCA_USER}@${REMOTE}:${DESTDIR} > /dev/null
370+ fi
371+ if [ "$?" = "0" ]; then
372+ echo "done."
373+ return 0
374+ else
375+ echo "failed."
376+ fi
377+ fi
378+
379+ return 1
380+}
381+
382+xsearch() {
383+ local needle="$1" i="" haystack=" "
384+ shift
385+ for i in "$@"; do
386+ haystack="${haystack}$(printf "%s" "$i" | tr '\n' ' ') "
387+ done
388+ [ "${haystack#* ${needle} }" != "${haystack}" ]
389+}
390+
391+if [ $# -eq 0 ]; then
392+ usage
393+ exit 1
394+fi
395+
396+# let's parse the command line
397+while [ $# -gt 0 ]; do
398+ if [ "$1" = "-h" -o "$1" = "-help" -o "$1" = "?" -o "$1" = "--help" ]; then
399+ usage
400+ exit 1
401+ fi
402+
403+ if [ "$1" = "-synckeys" -o "$1" = "-synckey" ]; then
404+ NODEMODE="SYNC"
405+ shift
406+ continue
407+ fi
408+ if [ "$1" = "-norsync" -o "$1" = "--no-rsync" ]; then
409+ RSYNC=""
410+ shift
411+ continue
412+ fi
413+ if [ "$1" = "--local-sync" ]; then
414+ LOCALSYNC="Y"
415+ shift
416+ continue
417+ fi
418+ if [ "$1" = "--list-scs" ]; then
419+ LIST="$LIST storages"
420+ shift
421+ continue
422+ fi
423+ if [ "$1" = "--list-walruses" ]; then
424+ LIST="$LIST walruses"
425+ shift
426+ continue
427+ fi
428+ if [ "$1" = "--list-clusters" ]; then
429+ LIST="$LIST clusters"
430+ shift
431+ continue
432+ fi
433+ if [ "$1" = "--list-nodes" ]; then
434+ LIST="$LIST nodes"
435+ shift
436+ continue
437+ fi
438+ if [ "$1" = "--verbose" ]; then
439+ VERBOSE="Y"
440+ shift
441+ continue
442+ fi
443+ if [ "$1" = "-noscp" -o "$1" = "--no-scp" ]; then
444+ SCP=""
445+ shift
446+ continue
447+ fi
448+ if [ "$1" = "--skip-scp-hostcheck" ]; then
449+ SCP_OPT="-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null"
450+ shift
451+ continue
452+ fi
453+ if [ "$1" = "-version" -o "$1" = "--version" ]; then
454+ VERSION="Y"
455+ shift
456+ continue
457+ fi
458+ if [ "$1" = "-setup" -o "$1" = "--setup" ]; then
459+ SETUP="Y"
460+ shift
461+ continue
462+ fi
463+ if [ "$1" = "--no-sync" ]; then
464+ SYNC="N"
465+ shift
466+ continue
467+ fi
468+ if [ "$1" = "--deregister-walrus" ]; then
469+ WALRUS_MODE="DEL"
470+ shift
471+ continue
472+ fi
473+ if [ "$1" = "--discover-nodes" ]; then
474+ NODEMODE="DISCOVER"
475+ RSYNC_RSH="ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null"
476+ shift
477+ continue
478+ fi
479+ if [ $# -eq 1 ]; then
480+ # we dont have options with no argument, so it has to be
481+ # the file
482+ FILE="$1"
483+ if [ "${FILE:0:1}" = '-' ]; then
484+ usage
485+ exit 1
486+ fi
487+ break
488+ fi
489+
490+ # all other parameters requires at least 1 argument
491+ if [ $# -lt 2 ]; then
492+ usage
493+ exit 1
494+ fi
495+
496+ # old command line options not used anylonger
497+ if [ "$1" = "-cc" -o "$1" = "-nc" -o "$1" = "-cloud" ]; then
498+ echo "-cc, -nc and -cloud are not used anymore"
499+ shift; shift;
500+ continue
501+ fi
502+
503+ if [ "$1" = "-d" ]; then
504+ if [ ! -d "${2}" ]; then
505+ echo "Is $2 where Eucalyptus is installed?"
506+ exit 1
507+ fi
508+ EUCALYPTUS="${2}"
509+ shift; shift
510+ continue
511+ fi
512+ if [ "$1" = "-name" -o "$1" = "--name" ]; then
513+ NAME="$NAME $2"
514+ shift; shift
515+ continue
516+ fi
517+ if [ "$1" = "-bridge" ]; then
518+ BRIDGE="$2"
519+ shift; shift
520+ continue
521+ fi
522+ if [ "$1" = "-upgrade-conf" -o "$1" = "--upgrade-conf" ]; then
523+ # hidden options to upgrade from an older version
524+ UPGRADE_CONF="$2"
525+ if [ ! -e "$UPGRADE_CONF" ]; then
526+ echo "Cannot read $UPGRADE_CONF"
527+ exit 1
528+ fi
529+ shift; shift
530+ continue
531+ fi
532+ if [ "$1" = "-import-conf" -o "$1" = "--import-conf" ]; then
533+ IMPORTFILE="$2"
534+ if [ ! -e "$IMPORTFILE" ]; then
535+ echo "Cannot read $IMPORTFILE"
536+ exit 1
537+ fi
538+ shift; shift
539+ continue
540+ fi
541+ if [ "$1" = "-dhcpd" -o "$1" = "--dhcpd" ]; then
542+ DHCPD="$2"
543+ shift; shift
544+ continue
545+ fi
546+ if [ "$1" = "-dhcp_user" -o "$1" = "--dhcp_user" ]; then
547+ DHCPC_USER="$2"
548+ shift; shift
549+ continue
550+ fi
551+ if [ "$1" = "-nodes" ]; then
552+ NODES="${2}"
553+ shift; shift
554+ continue
555+ fi
556+ if [ "$1" = "-ccp" -o "$1" = "--cc-port" ]; then
557+ CC_PORT="$2"
558+ shift; shift
559+ continue
560+ fi
561+ if [ "$1" = "-ncp" -o "$1" = "--nc-port" ]; then
562+ NC_PORT="$2"
563+ shift; shift
564+ continue
565+ fi
566+ if [ "$1" = "-instances" -o "$1" = "--instances" ]; then
567+ INSTANCE="$2"
568+ shift; shift
569+ continue
570+ fi
571+ if [ "$1" = "-user" -o "$1" = "--user" ]; then
572+ EUCA_USER="$2"
573+ shift; shift
574+ continue
575+ fi
576+ if [ "$1" = "-hypervisor" -o "$1" = "--hypervisor" ]; then
577+ if [ "$2" != "xen" -a "$2" != "kvm" ]; then
578+ echo "Only kvm or xen are supported at the moment"
579+ exit 1
580+ fi
581+ HYPERVISOR="$2"
582+ shift; shift
583+ continue
584+ fi
585+ if [ "$1" = "-cloudp" ]; then
586+ if [ $# -lt 3 ]; then
587+ echo "We need 2 ports for cloud controller"
588+ exit 1
589+ fi
590+# doesn't work right now
591+# CLOUD_PORT="$2"
592+# CLOUD_SSL_PORT="$3"
593+ shift; shift; shift
594+ continue
595+ fi
596+ if [ "$1" = "--get-credentials" ]; then
597+ CREDENTIALZIPFILE="${2}"
598+ shift; shift;
599+ continue
600+ fi
601+ if [ "$1" = "-addnode" -o "$1" = "--register-nodes" ]; then
602+ NEWNODES="${2}"
603+ NODEMODE="ADD"
604+ shift; shift
605+ continue
606+ fi
607+ if [ "$1" = "-delnode" -o "$1" = "--deregister-nodes" ]; then
608+ NEWNODES="${2}"
609+ NODEMODE="REM"
610+ shift; shift
611+ continue
612+ fi
613+ if [ "$1" = "--register-walrus" ]; then
614+ WALRUS_MODE="ADD"
615+ WALRUS="$2"
616+ shift; shift
617+ continue
618+ fi
619+ if [ "$1" = "--deregister-sc" ]; then
620+ SC_MODE="DEL"
621+ SCNAME="$2"
622+ shift; shift
623+ continue
624+ fi
625+ if [ "$1" = "--register-sc" ]; then
626+ if [ $# -lt 3 ]; then
627+ echo "--register-sc requires a CC and a hostname"
628+ exit 1
629+ fi
630+ SC_MODE="ADD"
631+ SCNAME="$2"
632+ SCHOST="$3"
633+ shift; shift; shift
634+ continue
635+ fi
636+ if [ "$1" = "-addcluster" -o "$1" = "--register-cluster" ]; then
637+ if [ $# -lt 3 ]; then
638+ echo "--register-cluster requires a user assigned name and CC hostname"
639+ exit 1
640+ fi
641+ CLUSNAME="$2"
642+ NEWCLUS="$3"
643+ CLUSMODE="ADD"
644+ shift; shift; shift
645+ continue
646+ fi
647+ if [ "$1" = "--deregister-cluster" ]; then
648+ CLUSNAME="$2"
649+ CLUSMODE="DEL"
650+ shift; shift
651+ continue
652+ fi
653+ if [ "$1" = "-check" -o "$1" = "--check" ]; then
654+ if [ "$2" != "cc" -a "$2" != "cloud" -a "$2" != "nc" -a "$2" != "sc" -a "$2" != "walrus" ]; then
655+ echo "-check requires cc, nc, sc, walrus or cloud"
656+ exit 1
657+ fi
658+ CHECK="$2"
659+ shift; shift
660+ continue
661+ fi
662+ if [ "$1" = "--enable" ]; then
663+ if [ "$2" != "cloud" -a "$2" != "sc" -a "$2" != "walrus" ]; then
664+ echo "--enable requires cloud, sc or walrus"
665+ exit 1
666+ fi
667+ ENABLED="$ENABLED $2"
668+ shift; shift
669+ continue
670+ fi
671+ if [ "$1" = "--disable" ]; then
672+ if [ "$2" != "cloud" -a "$2" != "sc" -a "$2" != "walrus" ]; then
673+ echo "--disable requires cloud, sc or walrus"
674+ exit 1
675+ fi
676+ DISABLED="$DISABLED $2"
677+ shift; shift
678+ continue
679+ fi
680+ if [ "$1" = "-sync" -o "$1" = "--sync" ]; then
681+ if [ "$2" != "cc" -a "$2" != "cloud" -a "$2" != "nc" -a "$2" != "sc" -a "$2" != "walrus" ]; then
682+ echo "-sync requires cc, nc, sc, walrus or cloud"
683+ exit 1
684+ fi
685+ TOSYNC="$2"
686+ shift; shift
687+ continue
688+ fi
689+ usage
690+ exit 1
691+done
692+
693+if [ -z "${FILE}" -o ! -f "${FILE}" ]; then
694+ echo "$FILE is not a valid eucalyptus configuration file"
695+ exit 1
696+fi
697+
698+# if asked to print the version that's all we do
699+if [ "$VERSION" = "Y" ]; then
700+ . $DEFAULTS_FILE
701+ . $FILE
702+
703+ if [ -e $EUCALYPTUS/etc/eucalyptus/eucalyptus-version ]; then
704+ VERSION="$EUCALYPTUS/etc/eucalyptus/eucalyptus-version"
705+ elif [ -e @prefix@/etc/eucalyptus/eucalyptus-version ]; then
706+ VERSION="@prefix@/etc/eucalyptus/eucalyptus-version"
707+ fi
708+ if [ -n "$VERSION" ]; then
709+ echo -n "Eucalyptus version: "
710+ cat $VERSION
711+ else
712+ echo "Cannot find eucalyptus installation!"
713+ exit 1
714+ fi
715+ exit 0
716+fi
717+
718+# let's change the value
719+if [ -n "$EUCALYPTUS" ]; then
720+ change_var_value $FILE EUCALYPTUS "${EUCALYPTUS}"
721+fi
722+if [ -n "$CC_PORT" ]; then
723+ change_var_value $FILE CC_PORT "${CC_PORT}"
724+fi
725+if [ -n "$NC_PORT" ]; then
726+ change_var_value $FILE NC_PORT "${NC_PORT}"
727+fi
728+if [ -n "$CLOUD_PORT" ]; then
729+ change_var_value $FILE CLOUD_PORT "${CLOUD_PORT}"
730+fi
731+if [ -n "$CLOUD_SSL_PORT" ]; then
732+ change_var_value $FILE CLOUD_SSL_PORT "${CLOUD_SSL_PORT}"
733+fi
734+if [ -n "$INSTANCE" ]; then
735+ change_var_value $FILE INSTANCE_PATH "${INSTANCE}"
736+fi
737+if [ -n "$DHCPD" ]; then
738+ change_var_value $FILE VNET_DHCPDAEMON "${DHCPD}"
739+fi
740+if [ -n "$DHCPC_USER" ]; then
741+ change_var_value $FILE VNET_DHCPUSER "${DHCPC_USER}"
742+ uncomment $FILE VNET_DHCPUSER
743+fi
744+if [ -n "$NODES" ]; then
745+ change_var_value $FILE NODES "${NODES}"
746+fi
747+if [ -n "$HYPERVISOR" ]; then
748+ change_var_value $FILE HYPERVISOR "${HYPERVISOR}"
749+ uncomment $FILE HYPERVISOR
750+fi
751+if [ -n "$BRIDGE" ]; then
752+ change_var_value $FILE VNET_BRIDGE "${BRIDGE}"
753+ uncomment $FILE VNET_BRIDGE
754+fi
755+if [ -n "$EUCA_USER" ]; then
756+ ID="`which id 2> /dev/null`"
757+ if [ -n "$ID" ]; then
758+ if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then
759+ echo "WARNING: $EUCA_USER doesn't exists!"
760+ fi
761+ fi
762+ change_var_value $FILE EUCA_USER "${EUCA_USER}"
763+fi
764+for x in $NAME ; do
765+ VALUE=`cat $FILE |grep $x|cut -f 2 -d =|tr '"' ' '`
766+ echo "$x=$VALUE"
767+done
768+
769+# modify the current conf file based on an older configuration, or from import file
770+if [ -n "$UPGRADE_CONF" -o -n "$IMPORTFILE" ]; then
771+ VARS="EUCA_USER ENABLE_WS_SECURITY DISABLE_EBS HYPERVISOR LOGLEVEL SWAP_SIZE CC_PORT MANUAL_INSTANCES_CLEANUP NC_CACHE_SIZE SCHEDPOLICY NODES NC_SERVICE NC_PORT MAX_MEM MAX_CORES INSTANCE_PATH VNET_BRIDGE VNET_DHCPDAEMON VNET_DHCPUSER VNET_PRIVINTERFACE VNET_PUBINTERFACE VNET_INTERFACE DISABLE_TUNNELING DISABLE_DNS POWER_IDLETHRESH POWER_WAKETHRESH CONCURRENT_DISK_OPS"
772+ VNET_VARS="VNET_MODE VNET_SUBNET VNET_NETMASK VNET_DNS VNET_ADDRSPERNET VNET_PUBLICIPS VNET_BROADCAST VNET_ROUTER VNET_MACMAP VNET_CLOUDIP VNET_LOCALIP"
773+
774+ if [ -n "$UPGRADE_CONF" ]; then
775+ # source the old config
776+ VARS_TO_DO=$VARS
777+ VNET_VARS_TO_DO=$VNET_VARS
778+ . $UPGRADE_CONF
779+ elif [ -n "$IMPORTFILE" ]; then
780+ VARS_TO_DO=""
781+ VNET_VARS_TO_DO=""
782+ . $IMPORTFILE
783+ for i in $VNET_VARS
784+ do
785+ VAL="$(echo \$${i})"
786+ eval VAL=$VAL
787+ if [ -n "$VAL" ]; then
788+ VNET_VARS_TO_DO="$VNET_VARS_TO_DO $i"
789+ fi
790+ done
791+ fi
792+
793+ # let's start from no network
794+ for x in $VNET_VARS_TO_DO ; do
795+ comment $FILE $x
796+ done
797+
798+ # modified the defined variables
799+ for x in $VARS_TO_DO ; do
800+ y="$(echo \$${x})"
801+ eval y="$y"
802+ if [ -z "$y" ]; then
803+ # we just leave NODES uncommented even if it's empty
804+ if [ "$x" != "NODES" ]; then
805+ comment $FILE $x
806+ fi
807+ else
808+ uncomment $FILE $x
809+ change_var_value $FILE $x "${y}"
810+ fi
811+ done
812+ # and add the network variables
813+ echo >> $FILE
814+ echo "# network configuration from the input configuration file" >> $FILE
815+ for x in $VNET_VARS_TO_DO ; do
816+ y="$(echo \$${x})"
817+ eval y="$y"
818+ if [ -n "$y" ]; then
819+ if [ "$x" = "VNET_INTERFACE" ]; then
820+ change_var_value $FILE VNET_PRIVINTERFACE "${y}"
821+ change_var_value $FILE VNET_PUBINTERFACE "${y}"
822+ else
823+ echo "$x=\"${y}\"" >> $FILE
824+ fi
825+ fi
826+ done
827+fi
828+
829+# we may need the location of the ssh key for eucalyptus
830+EUCA_HOME="`getent passwd eucalyptus|cut -f 6 -d ':'`"
831+if [ -f "${EUCA_HOME}/.ssh/id_rsa.pub" ]; then
832+ SSHKEY=`cat ${EUCA_HOME}/.ssh/id_rsa.pub`
833+else
834+ SSHKEY=""
835+fi
836+
837+# we need defaults in eucalyptus.conf
838+. $DEFAULTS_FILE
839+. $FILE
840+# get node from nodes.list if it exists
841+if [ -e "$EUCALYPTUS/var/lib/eucalyptus/nodes.list" ]; then
842+ NODES=`cat $EUCALYPTUS/var/lib/eucalyptus/nodes.list`
843+fi
844+
845+# first time setup
846+if [ -n "$SETUP" ]; then
847+ ROOTWRAP="$EUCALYPTUS/usr/lib/eucalyptus/euca_rootwrap"
848+
849+ # first of all setup euca_rootwrap
850+ if [ ! -x "$ROOTWRAP" ]; then
851+ echo "Cannot find $ROOTWRAP (or not readable)!"
852+ exit 1
853+ fi
854+ # get EUCA group
855+ if [ -z "$EUCA_USER" ]; then
856+ echo "Is EUCA_USER defined?"
857+ exit 1
858+ fi
859+ # if running as root no need to do anything
860+ if [ "$EUCA_USER" != "root" ]; then
861+ ID="`which id 2> /dev/null`"
862+ if [ -z "$ID" ]; then
863+ echo "Cannot find command $ID"
864+ exit 1
865+ fi
866+ if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then
867+ echo "User $EUCA_USER doesn't exists!"
868+ exit 1
869+ fi
870+ EUCA_GROUP="`$ID -ng $EUCA_USER 2>/dev/null`"
871+ if [ -z "$EUCA_GROUP" ]; then
872+ echo "Cannot detect $EUCA_USER group"
873+ exit 1
874+ fi
875+ if ! chown root:$EUCA_GROUP $ROOTWRAP ; then
876+ exit 1
877+ fi
878+ if ! chmod 4750 $ROOTWRAP ; then
879+ exit 1
880+ fi
881+ fi
882+
883+ # let's create the instance path
884+ if [ -n "$INSTANCE_PATH" -a "$INSTANCE_PATH" != "not_configured" -a ! -d "$INSTANCE_PATH" ]; then
885+ if ! mkdir -p $INSTANCE_PATH ; then
886+ echo "Failed to create instance path!"
887+ exit 1
888+ fi
889+ if ! chown $EUCA_USER:$EUCA_GROUP $INSTANCE_PATH ; then
890+ exit 1
891+ fi
892+ fi
893+
894+ chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus
895+ ret=$?
896+ chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/log/eucalyptus
897+ let $((ret += $?))
898+ chown -R $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus
899+ let $((ret += $?))
900+ chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/etc/eucalyptus/eucalyptus.conf
901+ let $((ret += $?))
902+
903+ # let's create more needed directory with the right permissions
904+ mkdir -p $EUCALYPTUS/var/lib/eucalyptus/db
905+ let $((ret += $?))
906+ chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/db
907+ let $((ret += $?))
908+ chmod 700 $EUCALYPTUS/var/lib/eucalyptus/db
909+ let $((ret += $?))
910+ mkdir -p $EUCALYPTUS/var/lib/eucalyptus/keys
911+ let $((ret += $?))
912+ chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/keys
913+ let $((ret += $?))
914+ chmod 700 $EUCALYPTUS/var/lib/eucalyptus/keys
915+ let $((ret += $?))
916+ mkdir -p $EUCALYPTUS/var/lib/eucalyptus/CC
917+ let $((ret += $?))
918+ chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/lib/eucalyptus/CC
919+ let $((ret += $?))
920+ chmod 700 $EUCALYPTUS/var/lib/eucalyptus/CC
921+ let $((ret += $?))
922+
923+ exit $ret
924+fi
925+
926+if [ -n "$TOSYNC" ]; then
927+ echo "not implemented"
928+fi
929+
930+# pre-flight checks
931+if [ -n "$CHECK" ]; then
932+ ROOTWRAP="$EUCALYPTUS/usr/lib/eucalyptus/euca_rootwrap"
933+
934+ # vblade and aoe may be needed
935+ if [ "$DISABLE_EBS" != "Y" -a "$DISABLE_EBS" != "y" ]; then
936+ if [ "$CHECK" = "sc" ]; then
937+ VBLADE="`which vblade 2> /dev/null`"
938+ if [ -z "$VBLADE" ]; then
939+ echo
940+ echo "ERROR: EBS is enabled and vblade was not found"
941+ exit 1
942+ fi
943+ fi
944+ fi
945+
946+ # first of all check euca_rootwrap
947+ if [ ! -x $ROOTWRAP ]; then
948+ echo "Cannot find euca_rootwrap!"
949+ exit 1
950+ fi
951+ # get EUCA group
952+ if [ -z "$EUCA_USER" ]; then
953+ echo "Running eucalyptus as root"
954+ EUCA_USER="root"
955+ EUCA_GROUP="root"
956+ fi
957+ # if running as root no need to do anything
958+ if [ "$EUCA_USER" != "root" ]; then
959+ ID="`which id 2> /dev/null`"
960+ if [ -z "$ID" ]; then
961+ echo "Cannot find command id"
962+ exit 1
963+ fi
964+ if ! $ID $EUCA_USER > /dev/null 2> /dev/null ; then
965+ echo "User $EUCA_USER doesn't exists!"
966+ exit 1
967+ fi
968+ EUCA_GROUP="`$ID -ng $EUCA_USER 2>/dev/null`"
969+ if [ -z "$EUCA_GROUP" ]; then
970+ echo "Cannot detect $EUCA_USER group: using $EUCA_USER"
971+ exit 1
972+ fi
973+ # need to check if euca_rootwrap can run as EUCA_USER
974+ TEST_EUID="`sudo -u $EUCA_USER $ROOTWRAP $ID -u`"
975+ if [ "$?" != "0" -o "$TEST_EUID" != "0" ]; then
976+ echo "Problem running $ROOTWRAP! Did you run euca_conf -setup?"
977+ exit 1
978+ fi
979+ fi
980+
981+ # let's be sure we have the INSTANCE_PATH
982+ if [ "$CHECK" = "nc" ]; then
983+ if [ -z "$INSTANCE_PATH" ]; then
984+ echo "INSTANCE_PATH is not defined"
985+ exit 1
986+ fi
987+ if [ ! -d "$INSTANCE_PATH" ]; then
988+ echo "$INSTANCE_PATH doesn't exist: did you run euca_conf -setup?"
989+ exit 1
990+ fi
991+ fi
992+
993+ # let's set up directories which could disappears if /var/run is
994+ # in memory
995+ if [ ! -d $EUCALYPTUS/var/run/eucalyptus ]; then
996+ if ! mkdir -p $EUCALYPTUS/var/run/eucalyptus ; then
997+ # error should come from mkdir
998+ exit 1
999+ fi
1000+ fi
1001+ if ! chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus ; then
1002+ # error should come from chown
1003+ exit 1
1004+ fi
1005+
1006+
1007+ if [ "$CHECK" = "cc" ]; then
1008+ if [ ! -d $EUCALYPTUS/var/run/eucalyptus/net ]; then
1009+ if ! mkdir -p $EUCALYPTUS/var/run/eucalyptus/net ; then
1010+ # error should come from mkdir
1011+ exit 1
1012+ fi
1013+ fi
1014+ if ! chown $EUCA_USER:$EUCA_GROUP $EUCALYPTUS/var/run/eucalyptus/net ; then
1015+ # error should come from chown
1016+ exit 1
1017+ fi
1018+ fi
1019+ # good to go
1020+ exit 0
1021+fi
1022+
1023+createCloudURL () {
1024+ if ! getSecretKey; then
1025+ echo "ERROR: cannot get credentials"
1026+ return 1
1027+ fi
1028+ ARGS="AWSAccessKeyId=$AKEY"
1029+ KEY=$1
1030+ shift
1031+ VAL=$1
1032+ shift
1033+ while ( test -n "$KEY" -a -n "$VAL")
1034+ do
1035+ ARGS="${ARGS}&${KEY}=${VAL}"
1036+ KEY=$1
1037+ shift
1038+ VAL=$1
1039+ shift
1040+ done
1041+ if [ -z "$SKEY" ]; then
1042+ echo "ERROR: SKEY parameter is not set."
1043+ export URL=""
1044+ return 1
1045+ fi
1046+ ARGS="${ARGS}&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=$(date -u '+%Y-%m-%dT%H%%3A%M%%3A%S.000Z')&Version=eucalyptus"
1047+ SIGNATURE=$(echo -en "GET\n127.0.0.1\n/services/Configuration\n${ARGS}" | openssl dgst -sha256 -hmac ${SKEY} -binary | openssl base64)
1048+ export URL="http://127.0.0.1:8773/services/Configuration?${ARGS}&Signature=${SIGNATURE}"
1049+ if [ "$VERBOSE" = "Y" ]; then
1050+ echo $URL
1051+ fi
1052+ return 0
1053+}
1054+
1055+getSecretKey() {
1056+ if [ -d "$EUCALYPTUS/var/lib/eucalyptus/db/" ]; then
1057+ DBDIR="$EUCALYPTUS/var/lib/eucalyptus/db/"
1058+ else
1059+ echo "ERROR: cannot locate eucalyptus database, try logging in through the admin web interface."
1060+ exit 1
1061+ fi
1062+
1063+ FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/*auth* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Ss][Ee][Cc][Rr][Ee][Tt][Kk][Ee][Yy]/ {print NR}'`
1064+ if [ "$FIELD" = "" ]; then
1065+ echo "ERROR: cannot locate entry in eucalyptus database, try logging in through the admin web interface"
1066+ export SKEY=""
1067+ return 1
1068+ fi
1069+ SKEY=$(eval echo $(awk -v field=${FIELD} -F, '/INSERT INTO AUTH_USERS.*admin/ {print $field}' ${DBDIR}/*auth* | head -n 1 | sed 's/[()]//g'))
1070+
1071+ FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/*auth* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Qq][Uu][Ee][Rr][Yy]_[Ii][Dd]/ {print NR}'`
1072+ if [ "$FIELD" = "" ]; then
1073+ echo "ERROR: cannot locate entry in eucalyptus database, try logging in through the admin web interface"
1074+ export AKEY=""
1075+ return 1
1076+ fi
1077+ AKEY=$(eval echo $(awk -v field=${FIELD} -F, '/INSERT INTO AUTH_USERS.*admin/ {print $field}' ${DBDIR}/*auth* | head -n 1 | sed 's/[()]//g'))
1078+
1079+ return 0
1080+}
1081+
1082+checkLocalService() {
1083+ local SERVICE=""
1084+
1085+ if [ -z "$WGET" -o ! -x "$WGET" ]; then
1086+ echo "ERROR: wget is missing, cannot continue."
1087+ return 1
1088+ fi
1089+
1090+ SERVICE="$1"
1091+ if [ -z "$SERVICE" ]; then
1092+ echo "ERROR: must pass in service name (CLC, CC)"
1093+ return 1
1094+ elif [ "$SERVICE" = "CLC" ]; then
1095+ if [ -n "$FAKEREG" ]; then
1096+ local SOURCEDIR="$EUCALYPTUS/var/lib/eucalyptus/keys/"
1097+ for i in cloud
1098+ do
1099+ if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then
1100+ openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"
1101+ fi
1102+ done
1103+ fi
1104+
1105+ CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
1106+ elif [ "$SERVICE" = "CC" ]; then
1107+ CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null"
1108+ fi
1109+
1110+ if [ -n "${FAKEREG}" ]; then
1111+ CMD="echo"
1112+ fi
1113+ if ! eval $CMD ; then
1114+ echo "ERROR: you need to be on the $SERVICE host and the $SERVICE needs to be running."
1115+ return 1
1116+ fi
1117+ return 0
1118+}
1119+
1120+if [ -n "$CREDENTIALZIPFILE" ]; then
1121+ if [ -f "$CREDENTIALZIPFILE" ]; then
1122+ echo "file '$CREDENTIALZIPFILE' already exists, please remove and try again"
1123+ exit 1
1124+ fi
1125+ if ! checkLocalService "CLC" ; then
1126+ exit 1
1127+ fi
1128+
1129+ if [ -d "$EUCALYPTUS/var/lib/eucalyptus/db/" ]; then
1130+ DBDIR="$EUCALYPTUS/var/lib/eucalyptus/db/"
1131+ else
1132+ echo "ERROR: cannot locate eucalyptus database, try logging in through the admin web interface."
1133+ exit 1
1134+ fi
1135+ FIELD=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/* | sed 's/,/\n/g' | awk '/[Aa][Uu][Tt][Hh]_[Uu][Ss][Ee][Rr]_[Tt][Oo][Kk][Ee][Nn]/ {print NR}'`
1136+ if [ -z "$FIELD" ]; then
1137+ echo "cannot find code field in database, please go to the Eucalyptus web UI to obtain credentials."
1138+ exit 1
1139+ fi
1140+ VERCOL=`grep -i "CREATE .*TABLE AUTH_USERS" ${DBDIR}/* | sed 's/,/\n/g' | awk '/[Vv][Ee][Rr][Ss][Ii][Oo][Nn]/ {print NR}'`
1141+ if [ -z "$VERCOL" ]; then
1142+ echo "cannot find version field in database, please go to the Eucalyptus web UI to obtain credentials."
1143+ exit 1
1144+ fi
1145+ KEY=$(eval echo $(awk -v field=${FIELD} -v vercol=${VERCOL} -F, 'BEGIN { token=""; max=-1; } /INSERT INTO AUTH_USERS.*admin/ { if ($vercol>max) { max=$vercol; token=$field; } } END { print token; }' ${DBDIR}/* | head -n 1 | sed 's/[()]//g'))
1146+ if [ -z "$KEY" ]; then
1147+ echo "cannot find code in database, please go to the Eucalyptus web UI to obtain credentials."
1148+ exit 1
1149+ fi
1150+ CMD="$WGET --no-check-certificate \"https://localhost:8443/getX509?user=admin&code=$KEY\" -O $CREDENTIALZIPFILE"
1151+ if ! eval $CMD ; then
1152+ echo "failed to obtain credentals, please try again or go to the Eucalyptus web UI."
1153+ exit 1
1154+ fi
1155+fi
1156+
1157+# adding a new cluster
1158+if [ -n "$CLUSNAME" ]; then
1159+ if ! checkLocalService "CLC" ; then
1160+ exit 1
1161+ fi
1162+
1163+ if [ "$CLUSMODE" = "ADD" ]; then
1164+ if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1165+ SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/${CLUSNAME}/
1166+ DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1167+ else
1168+ echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!"
1169+ exit 1
1170+ fi
1171+
1172+ URL=""
1173+ if ! createCloudURL "Action" "RegisterCluster" "Host" "${NEWCLUS}" "Name" "${CLUSNAME}" "Port" "${CC_PORT}"; then
1174+ exit 1
1175+ fi
1176+
1177+ if ! check_ws "$URL" ; then
1178+ echo "ERROR: failed to register new cluster, please log in to the admin interface and check cloud status."
1179+ exit 1
1180+ fi
1181+
1182+ if [ -n "${FAKEREG}" ]; then
1183+ mkdir -p $SOURCEDIR
1184+ if [ -n "${FAKEREG}" ]; then
1185+ mkdir -p $SOURCEDIR
1186+ for i in cluster node
1187+ do
1188+ if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then
1189+ openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"
1190+ fi
1191+ done
1192+ fi
1193+ fi
1194+
1195+ # sync the keys
1196+ if ! sync_keys "${DESTDIR},${SOURCEDIR}" ${DESTDIR} ${NEWCLUS} node-cert.pem cluster-cert.pem cluster-pk.pem node-pk.pem vtunpass cloud-cert.pem; then
1197+ echo "ERROR: failed to sync keys with ${NEWCLUS}; registration will not be complete until keys can be synced, please try again."
1198+ exit 1
1199+ fi
1200+ echo
1201+ echo "SUCCESS: new cluster '${CLUSNAME}' on host '${NEWCLUS}' successfully registered."
1202+ elif [ "$CLUSMODE" = "DEL" ]; then
1203+ URL=""
1204+ # let's see if we have such a cluster
1205+ LIST_RES=""
1206+ if ! createCloudURL "Action" "DescribeClusters" ; then
1207+ exit 1
1208+ fi
1209+ if ! check_ws "$URL" LIST_RES ; then
1210+ echo "ERROR: cannot talk with CLC"
1211+ exit 1
1212+ fi
1213+ FOUND="N"
1214+ for x in $LIST_RES ; do
1215+ if [ "$x" = "${CLUSNAME}" ]; then
1216+ FOUND="Y"
1217+ break
1218+ fi
1219+ done
1220+ if [ "$FOUND" = "N" ]; then
1221+ echo "No registered cluster $CLUSNAME was found"
1222+ exit 1
1223+ fi
1224+
1225+ # now let's deregister
1226+ URL=""
1227+ if ! createCloudURL "Action" "DeregisterCluster" "Name" "${CLUSNAME}"; then
1228+ exit 1
1229+ fi
1230+
1231+ if ! check_ws "$URL" ; then
1232+ echo "ERROR: failed to deregister new cluster, please log in to the admin interface and check cloud status."
1233+ exit 1
1234+ fi
1235+ echo
1236+ echo "SUCCESS: cluster '${CLUSNAME}' successfully deregistered."
1237+ fi
1238+fi
1239+
1240+# walrus
1241+if [ -n "$WALRUS" -o -n "$WALRUS_MODE" ]; then
1242+ if ! checkLocalService "CLC" ; then
1243+ exit 1
1244+ fi
1245+
1246+ if [ "$WALRUS_MODE" = "ADD" ]; then
1247+ echo "Adding WALRUS host $WALRUS"
1248+ if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1249+ SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1250+ DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1251+ else
1252+ echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!"
1253+ exit 1
1254+ fi
1255+
1256+ URL=""
1257+ if ! createCloudURL "Action" "RegisterWalrus" "Host" "${WALRUS}" "Name" "walrus" "Port" "8773"; then
1258+ exit 1
1259+ fi
1260+
1261+ if ! check_ws "$URL" ; then
1262+ echo "ERROR: failed to register Walrus, please log in to the admin interface and check cloud status."
1263+ exit 1
1264+ fi
1265+
1266+ # check that walrus is at least running on the remote host
1267+ sleep 3
1268+ if ! check_heartbeat ${WALRUS} walrus ; then
1269+ echo "WARNING: Walrus is not up on host ${WALRUS}; registration will not be complete until walrus is running."
1270+ fi
1271+
1272+ # sync the keys
1273+ if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${WALRUS} euca.p12 ; then
1274+ echo "ERROR: failed to sync keys with ${WALRUS}; registration will not be complete until keys can be synced, please try again."
1275+ exit 1
1276+ fi
1277+ echo
1278+ echo "SUCCESS: new walrus on host '${WALRUS}' successfully registered."
1279+
1280+ elif [ "$WALRUS_MODE" = "DEL" ]; then
1281+ URL=""
1282+ if ! createCloudURL "Action" "DeregisterWalrus" "Name" "walrus"; then
1283+ exit 1
1284+ fi
1285+ if ! check_ws "$URL" ; then
1286+ echo "ERROR: failed to deregister Walrus, please log in to the admin interface and check cloud status."
1287+ exit 1
1288+ fi
1289+ echo
1290+ echo "SUCCESS: Walrus successfully deregistered."
1291+ fi
1292+fi
1293+
1294+# sc
1295+if [ -n "$SCNAME" ]; then
1296+ if ! checkLocalService "CLC" ; then
1297+ exit 1
1298+ fi
1299+
1300+ if [ "$SC_MODE" = "ADD" ]; then
1301+ echo "Adding SC $SCHOST to cluster $SCNAME"
1302+ if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1303+ SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1304+ DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1305+ else
1306+ echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful!"
1307+ exit 1
1308+ fi
1309+
1310+ URL=""
1311+ if ! createCloudURL "Action" "RegisterStorageController" "Host" "${SCHOST}" "Name" "${SCNAME}" "Port" "8773"; then
1312+ exit 1
1313+ fi
1314+ if ! check_ws "$URL"; then
1315+ echo "ERROR: failed to register storage controller, please log in to the admin interface and check cloud status."
1316+ exit 1
1317+ fi
1318+ if [ -n "${FAKEREG}" ]; then
1319+ mkdir -p $SOURCEDIR
1320+ for i in sc
1321+ do
1322+ if [ ! -e "$SOURCEDIR/${i}-cert.pem" -o ! -e "$SOURCEDIR/${i}-pk.pem" ]; then
1323+ openssl req -new -nodes -x509 -out $SOURCEDIR/${i}-cert.pem -keyout $SOURCEDIR/${i}-pk.pem -days 365 -subj "/C=US/ST=CA/L=City/CN=localhost/emailAddress=root@localhost"
1324+ fi
1325+ done
1326+ fi
1327+
1328+ # sync the keys
1329+ if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${SCHOST} euca.p12; then
1330+ echo "ERROR: failed to sync keys with ${SCHOST}; registration will not be complete until keys can be synced, please try again."
1331+ exit 1
1332+ fi
1333+ echo
1334+ echo "SUCCESS: new SC for cluster '${SCNAME}' on host '${SCHOST}' successfully registered."
1335+
1336+ elif [ "$SC_MODE" = "DEL" ]; then
1337+ # let's see if we have such a storage controller
1338+ LIST_RES=""
1339+ if ! createCloudURL "Action" "DescribeStorageControllers" ; then
1340+ exit 1
1341+ fi
1342+ if ! check_ws "$URL" LIST_RES ; then
1343+ echo "ERROR: cannot talk with CLC"
1344+ exit 1
1345+ fi
1346+ FOUND="N"
1347+ for x in $LIST_RES ; do
1348+ if [ "$x" = "${SCNAME}" ]; then
1349+ FOUND="Y"
1350+ break
1351+ fi
1352+ done
1353+ if [ "$FOUND" = "N" ]; then
1354+ echo "No registered storage controller $SCNAME was found"
1355+ exit 1
1356+ fi
1357+
1358+ # now let's deregister
1359+ URL=""
1360+ if ! createCloudURL "Action" "DeregisterStorageController" "Name" "${SCNAME}"; then
1361+ exit 1
1362+ fi
1363+ if ! check_ws "$URL" ; then
1364+ echo "ERROR: failed to deregister StorageController, please log in to the admin interface and check cloud status."
1365+ exit 1
1366+ fi
1367+ echo
1368+ echo "SUCCESS: Storage controller for cluster '${SCNAME}' successfully deregistered."
1369+ fi
1370+fi
1371+
1372+# operations on the nodes
1373+if [ -n "$NODEMODE" ]; then
1374+ # for synckey we fake addnodes
1375+ if [ "$NODEMODE" = "SYNC" ]; then
1376+ if [ -z "$NODES" ]; then
1377+ echo "Warning: there are no NODES configured"
1378+ else
1379+ NEWNODES="${NODES}"
1380+ NODEMODE="ADD"
1381+ fi
1382+ fi
1383+ if [ "$NODEMODE" = "DISCOVER" ]; then
1384+ if ! which avahi-browse >/dev/null 2>&1; then
1385+ echo "ERROR: avahi-browse not installed, so cannot discover nodes"
1386+ exit 1
1387+ fi
1388+ NEWNODES=
1389+ for DISCOVERED in $(avahi-browse -prt _eucalyptus._tcp | grep '^=.*"type=node"' | cut -d\; -f8 | sort -u); do
1390+ if ! xsearch "$DISCOVERED" "$NODES"; then
1391+ read -p "New node found on $DISCOVERED; add it? [Yn] " CONFIRM
1392+ CONFIRM="$(printf %s "$CONFIRM" | tr A-Z a-z | cut -c1)"
1393+ if [ "x$CONFIRM" = x ] || [ "x$CONFIRM" = xy ]; then
1394+ NEWNODES="${NEWNODES:+$NEWNODES }$DISCOVERED"
1395+ fi
1396+ fi
1397+ done
1398+ NODEMODE="ADD"
1399+ fi
1400+
1401+ # check we have a valid command
1402+ if [ "$NODEMODE" != "ADD" -a "$NODEMODE" != "REM" ]; then
1403+ echo "ERROR: unknown mode '$NODEMODE', don't know what to do"
1404+ exit 1
1405+ fi
1406+
1407+ if [ -d "${EUCALYPTUS}/var/lib/eucalyptus/keys/" ]; then
1408+ SOURCEDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1409+ DESTDIR=${EUCALYPTUS}/var/lib/eucalyptus/keys/
1410+ else
1411+ echo "ERROR: cannot find key directory ($EUCALYPTUS/var/lib/eucalyptus/keys), check that your installation was successful and that this cluster is already registered!"
1412+ exit 1
1413+ fi
1414+
1415+ # CC needs to be running
1416+ if ! checkLocalService "CC" ; then
1417+ exit 1
1418+ fi
1419+
1420+ # warn the user on where we expect the keys to be
1421+ if [ "$NODEMODE" = "ADD" ]; then
1422+ echo
1423+ echo "INFO: We expect all nodes to have eucalyptus installed in $EUCALYPTUS/var/lib/eucalyptus/keys for key synchronization."
1424+ fi
1425+
1426+ # adding (or removing) nodes
1427+ for NEWNODE in ${NEWNODES} ; do
1428+ # let's see if the node is already in the node list
1429+ its_here="0"
1430+ for x in $NODES ; do
1431+ if [ "$x" = "${NEWNODE}" ]; then
1432+ its_here="1"
1433+ break
1434+ fi
1435+ done
1436+
1437+ # remove is simpler: just remove the node name
1438+ if [ "$NODEMODE" = "REM" ]; then
1439+ if [ "$its_here" = "0" ]; then
1440+ echo "Node ${NEWNODE} is not known"
1441+ continue
1442+ fi
1443+ NEW_NODES=""
1444+ for x in $NODES; do
1445+ if [ "$x" = "${NEWNODE}" ]; then
1446+ continue
1447+ fi
1448+ NEW_NODES="$x $NEW_NODES"
1449+ done
1450+ echo "$NEW_NODES" | tr ' ' '\n' | uniq > $EUCALYPTUS/var/lib/eucalyptus/nodes.list
1451+ echo "SUCCESS: removed node '${NEWNODE}' from '$FILE'"
1452+ continue
1453+ fi
1454+
1455+ # let's sync keys with the nodes
1456+ if ! sync_keys ${SOURCEDIR} ${DESTDIR} ${NEWNODE} node-cert.pem cluster-cert.pem node-pk.pem cloud-cert.pem; then
1457+ errors=1
1458+ echo
1459+ echo "ERROR: could not synchronize keys with $NEWNODE!"
1460+ echo "The configuration will not have this node."
1461+ if [ "$SSHKEY" = "" ]; then
1462+ echo "User $EUCA_USER may have to run ssh-keygen!"
1463+ else
1464+ echo "Hint: to setup passwordless login to the nodes as user $EUCA_USER, you can"
1465+ echo "run the following commands on node $NEWNODE:"
1466+ echo "sudo -u $EUCA_USER mkdir -p ~${EUCA_USER}/.ssh"
1467+ echo "sudo -u $EUCA_USER tee ~${EUCA_USER}/.ssh/authorized_keys > /dev/null <<EOT"
1468+ echo "$SSHKEY"
1469+ echo "EOT"
1470+ echo ""
1471+ echo "Be sure that authorized_keys is not group/world readable or writable"
1472+ fi
1473+ continue
1474+ fi
1475+
1476+ # if the node is already listed, we are done
1477+ if [ "$its_here" = "1" ]; then
1478+ continue
1479+ fi
1480+
1481+ # add the node
1482+ NODES="${NODES} $NEWNODE"
1483+ echo "$NODES" | tr ' ' '\n' | uniq > $EUCALYPTUS/var/lib/eucalyptus/nodes.list
1484+
1485+ done
1486+fi
1487+
1488+
1489+for x in $LIST ; do
1490+ LIST_RES=""
1491+
1492+ if [ "$x" = "walruses" ]; then
1493+ if ! createCloudURL "Action" "DescribeWalruses" ; then
1494+ exit 1
1495+ fi
1496+ if ! check_ws "$URL" LIST_RES ; then
1497+ exit 1
1498+ fi
1499+ if [ -n "$LIST_RES" ]; then
1500+ echo "registered walruses:"
1501+ fi
1502+ echo "$LIST_RES"
1503+ fi
1504+ if [ "$x" = "storages" ]; then
1505+ if ! createCloudURL "Action" "DescribeStorageControllers" ; then
1506+ exit 1
1507+ fi
1508+ if ! check_ws "$URL" LIST_RES ; then
1509+ exit 1
1510+ fi
1511+ if [ -n "$LIST_RES" ]; then
1512+ echo "registered storage controllers:"
1513+ fi
1514+ echo "$LIST_RES"
1515+ fi
1516+ if [ "$x" = "clusters" ]; then
1517+ if ! createCloudURL "Action" "DescribeClusters" ; then
1518+ exit 1
1519+ fi
1520+ if ! check_ws "$URL" LIST_RES ; then
1521+ exit 1
1522+ fi
1523+ if [ -n "$LIST_RES" ]; then
1524+ echo "registered clusters:"
1525+ fi
1526+ echo "$LIST_RES"
1527+ fi
1528+ if [ "$x" = "nodes" ]; then
1529+ if ! createCloudURL "Action" "DescribeNodes" ; then
1530+ exit 1
1531+ fi
1532+ if ! check_ws "$URL" LIST_RES ; then
1533+ exit 1
1534+ fi
1535+ if [ -n "$LIST_RES" ]; then
1536+ echo "registered nodes:"
1537+ fi
1538+ echo "$LIST_RES"
1539+ fi
1540+done
1541+
1542+
1543+# enable/disable services
1544+if [ -r $EUCALYPTUS/var/lib/eucalyptus/services ]; then
1545+ for x in `cat $EUCALYPTUS/var/lib/eucalyptus/services` ; do
1546+ TO_START="$TO_START $x"
1547+ done
1548+fi
1549+if [ -n "$DISABLED" -o -n "$ENABLED" ]; then
1550+ for x in $TO_START $ENABLED ; do
1551+ to_start="Y"
1552+ for y in $DISABLED ; do
1553+ if [ "$x" = "$y" ]; then
1554+ to_start="N"
1555+ fi
1556+ done
1557+ [ $to_start = "Y" ] && echo $x
1558+ done | sort | uniq > $EUCALYPTUS/var/lib/eucalyptus/services
1559+fi
1560+
1561+[ "$errors" = "1" ] && exit 1 || exit 0
1562
1563=== added directory '.pc/30-clock_drift.patch'
1564=== added directory '.pc/30-clock_drift.patch/tools'
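--- a/.pc/30-clock_drift.patch/tools/client-policy-template.xml
+++ b/.pc/30-clock_drift.patch/tools/client-policy-template.xml
@@ -0,0 +1,73 @@
+<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefEmbeddedToken/>
+ </wsp:Policy>
+ </sp:Wss10>
+
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
+ </sp:SignedParts>
+
+ <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
+ <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+ <!--
+ <rampc:User>CLIENT-USERNAME</rampc:User>
+ <rampc:PasswordType>Digest</rampc:PasswordType>
+ <rampc:PasswordCallbackClass>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/libpwcb.so</rampc:PasswordCallbackClass>
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
+ -->
+ </rampc:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
+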
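--- a/.pc/30-clock_drift.patch/tools/service-policy-template.xml
+++ b/.pc/30-clock_drift.patch/tools/service-policy-template.xml
@@ -0,0 +1,67 @@
+<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">a
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:RequireEmbeddedTokenReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <!-- <sp:EncryptSignature/> -->
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefEmbeddedToken/>
+ <sp:MustSupportRefIssuerSerial/>
+ </wsp:Policy>
+ </sp:Wss10>
+
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
+ </sp:SignedParts>
+
+ <rampc:RampartConfig xmlns:rampc="http://ws.apache.org/rampart/c/policy">
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey>
+ <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+ </rampc:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
+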
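Review bot: The InitiatorToken's opening `<sp:X509Token ...>` tag carries a stray trailing text node, `...IncludeToken/Always">a`, which neither the RecipientToken element below it nor the matching element in client-policy-template.xml has. Because this is quilt's pre-patch backup under `.pc/`, the stray character presumably mirrors the packaged tools/service-policy-template.xml and should be corrected in that source file (or via a patch in debian/patches), not by hand-editing the backup. A stray text node inside a WS-SecurityPolicy assertion is at best silently ignored by the policy loader and at worst rejected at startup, so it is worth removing rather than leaving ambiguous; the tag should read `<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">`.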
1715=== added directory '.pc/30-clock_drift.patch/util'
1716=== added file '.pc/30-clock_drift.patch/util/euca_axis.c'
1717--- .pc/30-clock_drift.patch/util/euca_axis.c 1970-01-01 00:00:00 +0000
1718+++ .pc/30-clock_drift.patch/util/euca_axis.c 2011-09-21 09:10:44 +0000
1719@@ -0,0 +1,459 @@
1720+/*
1721+Copyright (c) 2009 Eucalyptus Systems, Inc.
1722+
1723+This program is free software: you can redistribute it and/or modify
1724+it under the terms of the GNU General Public License as published by
1725+the Free Software Foundation, only version 3 of the License.
1726+
1727+This file is distributed in the hope that it will be useful, but WITHOUT
1728+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
1729+FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
1730+for more details.
1731+
1732+You should have received a copy of the GNU General Public License along
1733+with this program. If not, see <http://www.gnu.org/licenses/>.
1734+
1735+Please contact Eucalyptus Systems, Inc., 130 Castilian
1736+Dr., Goleta, CA 93101 USA or visit <http://www.eucalyptus.com/licenses/>
1737+if you need additional information or have any questions.
1738+
1739+This file may incorporate work covered under the following copyright and
1740+permission notice:
1741+
1742+ Software License Agreement (BSD License)
1743+
1744+ Copyright (c) 2008, Regents of the University of California
1745+
1746+
1747+ Redistribution and use of this software in source and binary forms, with
1748+ or without modification, are permitted provided that the following
1749+ conditions are met:
1750+
1751+ Redistributions of source code must retain the above copyright notice,
1752+ this list of conditions and the following disclaimer.
1753+
1754+ Redistributions in binary form must reproduce the above copyright
1755+ notice, this list of conditions and the following disclaimer in the
1756+ documentation and/or other materials provided with the distribution.
1757+
1758+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
1759+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
1760+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
1761+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
1762+ OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
1763+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
1764+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
1765+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
1766+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
1767+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
1768+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. USERS OF
1769+ THIS SOFTWARE ACKNOWLEDGE THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE
1770+ LICENSED MATERIAL, COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS
1771+ SOFTWARE, AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
1772+ IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA, SANTA
1773+ BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY, WHICH IN
1774+ THE REGENTS’ DISCRETION MAY INCLUDE, WITHOUT LIMITATION, REPLACEMENT
1775+ OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO IDENTIFIED, OR
1776+ WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT NEEDED TO COMPLY WITH
1777+ ANY SUCH LICENSES OR RIGHTS.
1778+*/
1779+/* BRIEF EXAMPLE MSG:
1780+<soapenv:Envelope>.
1781+ <soapenv:Header>
1782+ [..snip..]
1783+ <wsse:Security>
1784+ [..snip..]
1785+ <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
1786+ EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
1787+ ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
1788+ wsu:Id="CertId-469">[..snip..]</wsse:BinarySecurityToken>
1789+ [..snip..]
1790+ <ds:Signature>
1791+ <ds:SignedInfo>
1792+ <!-- <ref-id> points to a signed element. Body, Timestamp, To, Action, and MessageId element are expected to be signed-->
1793+ <ds:Reference URI="#<ref-id>>
1794+ [..snip..]
1795+ </ds:Reference>
1796+ </ds:SignedInfo>
1797+ <ds:KeyInfo Id="KeyId-374652">
1798+ <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22112351">
1799+ <!-- this thing points to the wsse:BinarySecurityToken above -->
1800+ <wsse:Reference URI="#CertId-469" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
1801+ </wsse:SecurityTokenReference>
1802+ </ds:KeyInfo>
1803+ </ds:Signature>
1804+ </wsse:Security>
1805+ </soapenv:Header>
1806+ <soapenv:Body>...</soapenv:Body>
1807+</soapenv:Envelope>.
1808+*/
1809+
1810+#include "oxs_axiom.h"
1811+#include "oxs_x509_cert.h"
1812+#include "oxs_key_mgr.h"
1813+#include "rampart_handler_util.h"
1814+#include "rampart_sec_processed_result.h"
1815+#include "rampart_error.h"
1816+#include "axis2_op_ctx.h"
1817+#include "rampart_context.h"
1818+#include "rampart_constants.h"
1819+#include "axis2_addr.h"
1820+#include "axiom_util.h"
1821+#include "rampart_timestamp_token.h"
1822+
1823+#include <neethi_policy.h>
1824+#include <neethi_util.h>
1825+#include <axutil_utils.h>
1826+#include <axis2_client.h>
1827+#include <axis2_stub.h>
1828+
1829+#include "misc.h" /* check_file, logprintf */
1830+#include "euca_axis.h"
1831+
1832+#define NO_U_FAIL(x) do{ \
1833+AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[rampart][eucalyptus-verify] " #x );\
1834+AXIS2_ERROR_SET(env->error, RAMPART_ERROR_FAILED_AUTHENTICATION, AXIS2_FAILURE);\
1835+return AXIS2_FAILURE; \
1836+}while(0)
1837+
1838+axis2_status_t __euca_authenticate(const axutil_env_t *env,axis2_msg_ctx_t *out_msg_ctx, axis2_op_ctx_t *op_ctx)
1839+{
1840+ //***** First get the message context before doing anything dumb w/ a NULL pointer *****/
1841+ axis2_msg_ctx_t *msg_ctx = NULL; //<--- incoming msg context, it is NULL, see?
1842+ msg_ctx = axis2_op_ctx_get_msg_ctx(op_ctx, env, AXIS2_WSDL_MESSAGE_LABEL_IN);
1843+
1844+ //***** Print everything from the security results, just for testing now *****//
1845+ rampart_context_t *rampart_context = NULL;
1846+ axutil_property_t *property = NULL;
1847+
1848+ property = axis2_msg_ctx_get_property(msg_ctx, env, RAMPART_CONTEXT);
1849+ if(property)
1850+ {
1851+ rampart_context = (rampart_context_t *)axutil_property_get_value(property, env);
1852+ // AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ======== PRINTING PROCESSED WSSEC TOKENS ======== ");
1853+ rampart_print_security_processed_results_set(env,msg_ctx);
1854+ }
1855+
1856+ //***** Extract Security Node from header from enveloper from msg_ctx *****//
1857+ axiom_soap_envelope_t *soap_envelope = NULL;
1858+ axiom_soap_header_t *soap_header = NULL;
1859+ axiom_node_t *sec_node = NULL;
1860+
1861+
1862+ soap_envelope = axis2_msg_ctx_get_soap_envelope(msg_ctx, env);
1863+ if(!soap_envelope) NO_U_FAIL("SOAP envelope cannot be found.");
1864+ soap_header = axiom_soap_envelope_get_header(soap_envelope, env);
1865+ if (!soap_header) NO_U_FAIL("SOAP header cannot be found.");
1866+ sec_node = rampart_get_security_header(env, msg_ctx, soap_header); // <---- here it is!
1867+ if(!sec_node)NO_U_FAIL("No node wsse:Security -- required: ws-security");
1868+
1869+ //***** Find the wsse:Reference to the BinarySecurityToken *****//
1870+ //** Path is: Security/
1871+ //** *sec_node must be non-NULL, kkthx **//
1872+ axiom_node_t *sig_node = NULL;
1873+ axiom_node_t *key_info_node = NULL;
1874+ axiom_node_t *sec_token_ref_node = NULL;
1875+ /** the ds:Signature node **/
1876+ sig_node = oxs_axiom_get_first_child_node_by_name(env,sec_node, OXS_NODE_SIGNATURE, OXS_DSIG_NS, OXS_DS );
1877+ if(!sig_node)NO_U_FAIL("No node ds:Signature -- required: signature");
1878+ /** the ds:KeyInfo **/
1879+ key_info_node = oxs_axiom_get_first_child_node_by_name(env, sig_node, OXS_NODE_KEY_INFO, OXS_DSIG_NS, NULL );
1880+ if(!key_info_node)NO_U_FAIL("No node ds:KeyInfo -- required: signature key");
1881+ /** the wsse:SecurityTokenReference **/
1882+ sec_token_ref_node = oxs_axiom_get_first_child_node_by_name(env, key_info_node,OXS_NODE_SECURITY_TOKEN_REFRENCE, OXS_WSSE_XMLNS, NULL);
1883+ if(!sec_token_ref_node)NO_U_FAIL("No node wsse:SecurityTokenReference -- required: signing token");
1884+ //** in theory this is the branching point for supporting all kinds of tokens -- we only do BST Direct Reference **/
1885+
1886+ //***** Find the wsse:Reference to the BinarySecurityToken *****//
1887+ //** *sec_token_ref_node must be non-NULL **/
1888+ axis2_char_t *ref = NULL;
1889+ axis2_char_t *ref_id = NULL;
1890+ axiom_node_t *token_ref_node = NULL;
1891+ axiom_node_t *bst_node = NULL;
1892+ /** the wsse:Reference node **/
1893+ token_ref_node = oxs_axiom_get_first_child_node_by_name(env, sec_token_ref_node,OXS_NODE_REFERENCE, OXS_WSSE_XMLNS, NULL);
1894+ /** pull out the name of the BST node **/
1895+ ref = oxs_token_get_reference(env, token_ref_node);
1896+ ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1);
1897+ /** get the wsse:BinarySecurityToken used to sign the message **/
1898+ bst_node = oxs_axiom_get_node_by_id(env, sec_node, "Id", ref_id, OXS_WSU_XMLNS);
1899+ if(!bst_node){oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);NO_U_FAIL("Cant find the required node");}
1900+
1901+
1902+ //***** Find the wsse:Reference to the BinarySecurityToken *****//
1903+ //** *bst_node must be non-NULL **/
1904+ axis2_char_t *data = NULL;
1905+ oxs_x509_cert_t *_cert = NULL;
1906+ oxs_x509_cert_t *recv_cert = NULL;
1907+ axis2_char_t *file_name = NULL;
1908+ axis2_char_t *recv_x509_buf = NULL;
1909+ axis2_char_t *msg_x509_buf = NULL;
1910+
1911+ /** pull out the data from the BST **/
1912+ data = oxs_axiom_get_node_content(env, bst_node);
1913+ /** create an oxs_X509_cert **/
1914+ _cert = oxs_key_mgr_load_x509_cert_from_string(env, data);
1915+ if(_cert)
1916+ {
1917+ //***** FINALLY -- we have the certificate used to sign the message. authenticate it HERE *****//
1918+ msg_x509_buf = oxs_x509_cert_get_data(_cert,env);
1919+ if(!msg_x509_buf)NO_U_FAIL("OMG WHAT NOW?!");
1920+ /*
1921+ recv_x509_buf = (axis2_char_t *)rampart_context_get_receiver_certificate(rampart_context, env);
1922+ if(recv_x509_buf)
1923+ recv_cert = oxs_key_mgr_load_x509_cert_from_string(env, recv_x509_buf);
1924+ else
1925+ {
1926+ file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
1927+ if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
1928+ if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
1929+ recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
1930+ }
1931+ */
1932+
1933+ file_name = rampart_context_get_receiver_certificate_file(rampart_context, env);
1934+ if(!file_name) NO_U_FAIL("Policy for the service is incorrect -- ReceiverCertificate is not set!!");
1935+ if (check_file(file_name)) NO_U_FAIL("No cert file ($EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem) found, failing");
1936+ recv_cert = oxs_key_mgr_load_x509_cert_from_pem_file(env, file_name);
1937+
1938+ if (recv_cert) {
1939+ recv_x509_buf = oxs_x509_cert_get_data(recv_cert,env);
1940+ } else {
1941+ NO_U_FAIL("could not populate receiver cert");
1942+ }
1943+
1944+ if( axutil_strcmp(recv_x509_buf,msg_x509_buf)!=0){
1945+ AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Received x509 certificate value ---------" );
1946+ AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, msg_x509_buf );
1947+ AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," --------- Local x509 certificate value! ---------" );
1948+ AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI, recv_x509_buf );
1949+ AXIS2_LOG_CRITICAL(env->log,AXIS2_LOG_SI," ---------------------------------------------------" );
1950+ NO_U_FAIL("The certificate specified is invalid!");
1951+ }
1952+ if(verify_references(sig_node, env, out_msg_ctx, soap_envelope) == AXIS2_FAILURE) {
1953+ return AXIS2_FAILURE;
1954+ }
1955+
1956+ }
1957+ else
1958+ {
1959+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_DEFAULT, "Cannot load certificate from string =%s", data);
1960+ NO_U_FAIL("Failed to build certificate from BinarySecurityToken");
1961+ }
1962+ oxs_x509_cert_free(_cert, env);
1963+ oxs_x509_cert_free(recv_cert, env);
1964+
1965+ return AXIS2_SUCCESS;
1966+
1967+}
1968+
1969+/**
1970+ * Verifes that Body, Timestamp, To, Action, and MessageId elements are signed and located
1971+ * where expected by the application logic. Timestamp is checked for expiration regardless
1972+ * of its actual location.
1973+ */
1974+axis2_status_t verify_references(axiom_node_t *sig_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axiom_soap_envelope_t *envelope) {
1975+ axiom_node_t *si_node = NULL;
1976+ axiom_node_t *ref_node = NULL;
1977+ axis2_status_t status = AXIS2_SUCCESS;
1978+
1979+ si_node = oxs_axiom_get_first_child_node_by_name(env,sig_node, OXS_NODE_SIGNEDINFO, OXS_DSIG_NS, OXS_DS);
1980+
1981+ if(!si_node) {
1982+ axis2_char_t *tmp = axiom_node_to_string(sig_node, env);
1983+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart]sig = %s", tmp);
1984+ NO_U_FAIL("Couldn't find SignedInfo!");
1985+ }
1986+
1987+ axutil_qname_t *qname = NULL;
1988+ axiom_element_t *parent_elem = NULL;
1989+ axiom_children_qname_iterator_t *qname_iter = NULL;
1990+
1991+ parent_elem = axiom_node_get_data_element(si_node, env);
1992+ if(!parent_elem)
1993+ {
1994+ NO_U_FAIL("Could not get Reference elem");
1995+ }
1996+
1997+ axis2_char_t *ref = NULL;
1998+ axis2_char_t *ref_id = NULL;
1999+ axiom_node_t *signed_node = NULL;
2000+ axiom_node_t *envelope_node = NULL;
2001+
2002+ short signed_elems[5] = {0,0,0,0,0};
2003+
2004+ envelope_node = axiom_soap_envelope_get_base_node(envelope, env);
2005+
2006+ qname = axutil_qname_create(env, OXS_NODE_REFERENCE, OXS_DSIG_NS, NULL);
2007+ qname_iter = axiom_element_get_children_with_qname(parent_elem, env, qname, si_node);
2008+ while (axiom_children_qname_iterator_has_next(qname_iter , env)) {
2009+ ref_node = axiom_children_qname_iterator_next(qname_iter, env);
2010+ axis2_char_t *txt = axiom_node_to_string(ref_node, env);
2011+
2012+ /* get reference to a signed element */
2013+ ref = oxs_token_get_reference(env, ref_node);
2014+ if(ref == NULL || strlen(ref) == 0 || ref[0] != '#') {
2015+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unsupported reference ID in %s", txt);
2016+ status = AXIS2_FAILURE;
2017+ break;
2018+ }
2019+
2020+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] %s, ref = %s", txt, ref);
2021+
2022+ /* get rid of '#' */
2023+ ref_id = axutil_string_substring_starting_at(axutil_strdup(env, ref), 1);
2024+ signed_node = oxs_axiom_get_node_by_id(env, envelope_node, OXS_ATTR_ID, ref_id, OXS_WSU_XMLNS);
2025+ if(!signed_node) {
2026+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Error retrieving elementwith ID=%s", ref_id);
2027+ status = AXIS2_FAILURE;
2028+ break;
2029+ }
2030+ if(verify_node(signed_node, env, msg_ctx, ref, signed_elems)) {
2031+ status = AXIS2_FAILURE;
2032+ break;
2033+ }
2034+ }
2035+
2036+
2037+ axutil_qname_free(qname, env);
2038+ qname = NULL;
2039+
2040+ if(status == AXIS2_FAILURE) {
2041+ NO_U_FAIL("Failed to verify location of signed elements!");
2042+ }
2043+
2044+ /* This is needed to make sure that all security-critical elements are signed */
2045+ for(int i = 0; i < 5; i++) {
2046+ if(signed_elems[i] == 0) {
2047+ NO_U_FAIL("Not all required elements are signed");
2048+ }
2049+ }
2050+
2051+ return status;
2052+
2053+}
2054+
2055+/**
2056+ * Verifies XPath location of signed elements.
2057+ */
2058+int verify_node(axiom_node_t *signed_node, const axutil_env_t *env, axis2_msg_ctx_t *msg_ctx, axis2_char_t *ref, short *signed_elems) {
2059+
2060+ if(!axutil_strcmp(OXS_NODE_BODY, axiom_util_get_localname(signed_node, env))) {
2061+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Body", ref);
2062+ signed_elems[0] = 1;
2063+
2064+ axiom_node_t *parent = axiom_node_get_parent(signed_node,env);
2065+ if(axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
2066+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected parent element for Body with ID = %s", ref);
2067+ return 1;
2068+ }
2069+
2070+ parent = axiom_node_get_parent(parent,env);
2071+ if(parent) {
2072+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", axiom_node_to_string(parent, env));
2073+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref);
2074+ return 1;
2075+ }
2076+
2077+ } else if(!axutil_strcmp(RAMPART_SECURITY_TIMESTAMP, axiom_util_get_localname(signed_node, env))) {
2078+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Timestamp", ref);
2079+ signed_elems[1] = 1;
2080+
2081+ /* Regardless of the location of the Timestamp, verify the one that is signed */
2082+ if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) {
2083+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
2084+ return 1;
2085+ }
2086+
2087+ } else if(!axutil_strcmp(AXIS2_WSA_ACTION, axiom_util_get_localname(signed_node, env))) {
2088+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is Action", ref);
2089+ signed_elems[2] = 1;
2090+
2091+ if(verify_addr_hdr_elem_loc(signed_node, env, ref)) {
2092+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Action with ID = %s", ref);
2093+ return 1;
2094+ }
2095+
2096+ } else if(!axutil_strcmp(AXIS2_WSA_TO, axiom_util_get_localname(signed_node, env))) {
2097+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is To", ref);
2098+ signed_elems[3] = 1;
2099+
2100+ if(verify_addr_hdr_elem_loc(signed_node, env, ref)) {
2101+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for To with ID = %s", ref);
2102+ return 1;
2103+ }
2104+
2105+
2106+ } else if(!axutil_strcmp(AXIS2_WSA_MESSAGE_ID, axiom_util_get_localname(signed_node, env))) {
2107+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is MessageId", ref);
2108+ signed_elems[4] = 1;
2109+
2110+ if(verify_addr_hdr_elem_loc(signed_node, env, ref)) {
2111+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for MessageId with ID = %s", ref);
2112+ return 1;
2113+ }
2114+
2115+ } else {
2116+ AXIS2_LOG_WARNING(env->log, AXIS2_LOG_SI, "[euca-rampart] node %s is UNKNOWN", ref);
2117+ }
2118+
2119+ return 0;
2120+}
2121+
2122+/**
2123+ * Verify that an addressing element is located in <Envelope>/<Header>
2124+ */
2125+int verify_addr_hdr_elem_loc(axiom_node_t *signed_node, const axutil_env_t *env, axis2_char_t *ref) {
2126+
2127+ axiom_node_t *parent = axiom_node_get_parent(signed_node,env);
2128+
2129+ if(axutil_strcmp(OXS_NODE_HEADER, axiom_util_get_localname(parent, env))) {
2130+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of addressing elem is %s", axiom_node_to_string(parent, env));
2131+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
2132+ return 1;
2133+
2134+ }
2135+ parent = axiom_node_get_parent(parent,env);
2136+
2137+ if(axutil_strcmp(OXS_NODE_ENVELOPE, axiom_util_get_localname(parent, env))) {
2138+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] second parent of addressing elem is %s", axiom_node_to_string(parent, env));
2139+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed addressing elem with ID = %s", ref);
2140+ return 1;
2141+
2142+ }
2143+
2144+ parent = axiom_node_get_parent(parent,env);
2145+ if(parent) {
2146+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[euca-rampart] parent of Envelope = %s", axiom_node_to_string(parent, env));
2147+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Unexpected location of signed Body with ID = %s", ref);
2148+ return 1;
2149+ }
2150+
2151+ return 0;
2152+}
2153+
2154+
2155+int InitWSSEC(axutil_env_t *env, axis2_stub_t *stub, char *policyFile) {
2156+ axis2_svc_client_t *svc_client = NULL;
2157+ neethi_policy_t *policy = NULL;
2158+ axis2_status_t status = AXIS2_FAILURE;
2159+
2160+ //return(0);
2161+
2162+ svc_client = axis2_stub_get_svc_client(stub, env);
2163+ if (!svc_client) {
2164+ logprintfl (EUCAERROR, "InitWSSEC(): ERROR could not get svc_client from stub\n");
2165+ return(1);
2166+ }
2167+ axis2_svc_client_engage_module(svc_client, env, "rampart");
2168+
2169+ policy = neethi_util_create_policy_from_file(env, policyFile);
2170+ if (!policy) {
2171+ logprintfl (EUCAERROR, "InitWSSEC(): ERROR could not initialize policy file %s\n", policyFile);
2172+ return(1);
2173+ }
2174+ status = axis2_svc_client_set_policy(svc_client, env, policy);
2175+
2176+ return(0);
2177+}
2178+
2179
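--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -16,3 +16,5 @@
 26-google-collections-1.0-ftbfs.patch
 27-soap-security.patch
 28-fix-startup-crash.patch
+29-euca_conf-sslv3.patch
+30-clock_drift.patch
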
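--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+eucalyptus (2.0.1+bzr1256-0ubuntu8) oneiric; urgency=low
+
+ * Fix compatibility issues with SSLv3 (LP: #851611):
+ - d/patches/29-euca_conf-sslv3.patch: Use --secure-protocol=SSLv3
+ with wget when communicating with CLC.
+ - d/eucalyptus-cloud.upstart: Use --secure-protocol=SSLv3 with wget
+ when checking for CLC startup complete.
+ * d/patches/30-clock_drift.patch: Resolve issue with rampart blocking
+ communication between CC and NC when time is fractionally in the
+ future (LP: #854946):
+
+ -- James Page <james.page@ubuntu.com> Wed, 21 Sep 2011 09:57:58 +0100
+
 eucalyptus (2.0.1+bzr1256-0ubuntu7) oneiric; urgency=low
 
 * d/patches/28-fix-startup-crash.patch: Fix from Graziano Obertelli
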
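--- a/debian/eucalyptus-cloud.upstart
+++ b/debian/eucalyptus-cloud.upstart
@@ -12,6 +12,7 @@
 . /etc/eucalyptus/eucalyptus-ipaddr.conf
 # Should this check something on :8773 instead? -mdz
 if wget -q -T10 -t1 -O- --no-check-certificate \
+ --secure-protocol=SSLv3 \
 https://$CLOUD_IP_ADDR:8443/register | \
 grep CloudVersion; then
 
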
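Review bot: The new `--secure-protocol=SSLv3 \` line turns the CLC start-up probe into a hard dependency on SSLv3, so the job will stop recognising a running CLC the moment the CLC's TLS stack or wget drops SSLv3, and it works around the handshake failure from LP: #851611 on the client rather than where it originates. Because the probe already passes `--no-check-certificate` and only greps for `CloudVersion`, pinning the version buys no authenticity; it only narrows what will negotiate. Consider trying the default negotiation first and falling back to the pin, e.g. `if wget -q -T10 -t1 -O- --no-check-certificate https://$CLOUD_IP_ADDR:8443/register | grep CloudVersion || wget -q -T10 -t1 -O- --no-check-certificate --secure-protocol=SSLv3 https://$CLOUD_IP_ADDR:8443/register | grep CloudVersion; then`, and add `# SSLv3 forced as a workaround for LP: #851611; remove once the CLC negotiates TLS` above it so the pin has an expiry. The `if` whose condition this changes continues outside the hunk.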
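--- a/debian/patches/29-euca_conf-sslv3.patch
+++ b/debian/patches/29-euca_conf-sslv3.patch
@@ -0,0 +1,18 @@
+Description: Force wget to use SSLv3 protocol when talking to CLC
+ otherwise SSL comms failures happen.
+Origin: https://build.opensuse.org/package/view_file?file=eucalyptus-force-sslv3.patch&package=eucalyptus&project=Virtualization%3ACloud%3AEucalyptus&srcmd5=603fc985140105bd4ed7a079a4dc7258
+Forwarded: not-needed
+
+Index: eucalyptus/tools/euca_conf.in
+===================================================================
+--- eucalyptus.orig/tools/euca_conf.in 2011-09-20 17:03:52.995305737 +0100
++++ eucalyptus/tools/euca_conf.in 2011-09-20 17:05:46.935553670 +0100
+@@ -1096,7 +1096,7 @@
+ done
+ fi
+ 
+- CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
++ CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate --secure-protocol=SSLv3 https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
+ elif [ "$SERVICE" = "CC" ]; then
+ CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null"
+ fi
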
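Review bot: The DEP-3 header of the new patch has no `Bug-Ubuntu:` line, and its Description does not say which negotiation fails or what would allow the pin to be removed, which matters for a change that standardises a client on SSLv3. `Forwarded: not-needed` is also hard to justify for a client-side workaround of a CLC handshake problem that the openSUSE `Origin` shows other distributions hit as well. Suggest adding `Bug-Ubuntu: https://launchpad.net/bugs/851611`, extending the Description with "wget's default protocol negotiation with the CLC on :8443 fails; revisit once the CLC accepts TLS", and either forwarding it or recording why not.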
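--- a/debian/patches/30-clock_drift.patch
+++ b/debian/patches/30-clock_drift.patch
@@ -0,0 +1,38 @@
+Author: Graziano Obertelli <graziano@eucalyptus.com>
+Description: Permit fractional time difference between NC and CC
+Bug-Ubuntu: http://pad.lv/854946
+
+--- a/tools/client-policy-template.xml 2011-03-30 16:44:16 +0000
++++ b/tools/client-policy-template.xml 2011-04-07 22:26:08 +0000
+@@ -57,6 +57,7 @@
+ <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
++ <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
+ <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+ <!--
+ <rampc:User>CLIENT-USERNAME</rampc:User>
+
+--- a/tools/service-policy-template.xml 2011-03-30 16:44:16 +0000
++++ b/tools/service-policy-template.xml 2011-04-07 22:26:08 +0000
+@@ -60,6 +60,7 @@
+ <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate>
+ <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey>
+ <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
++ <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
+ </rampc:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+
+--- a/util/euca_axis.c 2011-03-30 16:44:16 +0000
++++ b/util/euca_axis.c 2011-04-07 22:26:08 +0000
+@@ -360,7 +360,7 @@
+ signed_elems[1] = 1;
+ 
+ /* Regardless of the location of the Timestamp, verify the one that is signed */
+- if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) {
++ if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 20)) {
+ oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
+ return 1;
+ }
+
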
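Review bot: The Description "Permit fractional time difference between NC and CC" understates what the patch does: it tolerates up to 20 units of skew in three places, which is a deliberate loosening of WS-Security Timestamp validation rather than a rounding fix, and the header carries no `Forwarded:`/`Origin:` field even though the author is from Eucalyptus. Suggest `Description: Tolerate up to 20s of clock skew between NC and CC when validating WS-Security Timestamp tokens` plus `Origin: upstream` (or `Forwarded: yes`) if this comes from the upstream tree, so the next uploader knows whether the hunks can be dropped on the next upstream merge. I am inferring the seconds unit from the rampart `ClockSkewBuffer` setting it pairs with; it is worth confirming in the DEP-3 text.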
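--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,5 @@
 26-google-collections-1.0-ftbfs.patch
 27-soap-security.patch
 28-fix-startup-crash.patch
+29-euca_conf-sslv3.patch
+30-clock_drift.patch
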
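--- a/tools/client-policy-template.xml
+++ b/tools/client-policy-template.xml
@@ -57,6 +57,7 @@
 <rampc:ReceiverCertificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:ReceiverCertificate>
 <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-CERT</rampc:Certificate>
 <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/CLIENT-KEY</rampc:PrivateKey>
+ <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
 <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
 <!--
 <rampc:User>CLIENT-USERNAME</rampc:User>
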
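Review bot: `<rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>` is added with no unit and no rationale, and the value must stay in step with the literal `20` this same upload passes to `rampart_timestamp_token_validate` in `util/euca_axis.c`, so the two copies can silently drift. An XML comment beside it would carry both facts: `<!-- Clock skew (presumably seconds) tolerated when validating Timestamp tokens; keep equal to the value hard-coded in util/euca_axis.c (LP: #854946) -->`. Since this widens how stale a signed Timestamp may be before it is rejected, it should be documented as a bounded allowance with NTP on every component as the primary control, not as a knob to raise when clocks drift further.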
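--- a/tools/euca_conf.in
+++ b/tools/euca_conf.in
@@ -1096,7 +1096,7 @@
 done
 fi
 
- CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
+ CMD="$WGET -T 10 -t 1 -O - -q --no-check-certificate --secure-protocol=SSLv3 https://127.0.0.1:8443/register | grep CloudVersion >/dev/null"
 elif [ "$SERVICE" = "CC" ]; then
 CMD="$WGET -T 10 -t 1 -O - -q http://127.0.0.1:8774/axis2/services/ | grep EucalyptusCC >/dev/null"
 fi
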
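Review bot: The pin `--secure-protocol=SSLv3` in the `register` probe selects the lowest version wget can force, and the hunk records neither why the default negotiation fails nor when the pin can be dropped; the same literal now also lives in `debian/eucalyptus-cloud.upstart`, so the two probes have to be changed together. If the CLC also accepts an explicitly forced TLSv1 (the hunk does not show which versions it negotiates), `--secure-protocol=TLSv1` would cure the failure without standardising on SSLv3 and is worth testing before release. At minimum add, above the `CMD=` line, `# --secure-protocol=SSLv3: default negotiation with the CLC fails (LP: #851611); revisit when the CLC side is fixed`. The `if`/`elif` on `$SERVICE` that this line belongs to starts outside the hunk.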
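--- a/tools/service-policy-template.xml
+++ b/tools/service-policy-template.xml
@@ -60,6 +60,7 @@
 <rampc:Certificate>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-CERT</rampc:Certificate>
 <rampc:PrivateKey>EUCALYPTUS_HOME/var/lib/eucalyptus/keys/SERVER-KEY</rampc:PrivateKey>
 <!-- <rampc:TimeToLive>14400</rampc:TimeToLive> -->
+ <rampc:ClockSkewBuffer>20</rampc:ClockSkewBuffer>
 </rampc:RampartConfig>
 </wsp:All>
 </wsp:ExactlyOne>
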
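Review bot: The service-side `ClockSkewBuffer` is presumably the copy that relaxes validation of inbound Timestamp tokens on the NC, yet it is placed after the commented-out `TimeToLive` here and before it in `client-policy-template.xml`, with no comment in either template. Keep the two templates structurally identical and annotate the value: `<!-- seconds of clock skew tolerated on inbound Timestamp tokens; must match util/euca_axis.c and client-policy-template.xml (LP: #854946) -->`. Whether rampart-c actually consumes this policy setting on the receive path, as opposed to the literal passed in `util/euca_axis.c`, is not visible from the hunk and is worth stating in the comment once confirmed.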
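--- a/util/euca_axis.c
+++ b/util/euca_axis.c
@@ -360,7 +360,7 @@
 signed_elems[1] = 1;
 
 /* Regardless of the location of the Timestamp, verify the one that is signed */
- if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 0)) {
+ if(AXIS2_FAILURE == rampart_timestamp_token_validate(env, msg_ctx, signed_node, 20)) {
 oxs_error(env, OXS_ERROR_LOCATION, OXS_ERROR_ELEMENT_FAILED, "Validation failed for Timestamp with ID = %s", ref);
 return 1;
 }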
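Review bot: The bare `20` handed to `rampart_timestamp_token_validate` is a security parameter — going by the patch description and the `ClockSkewBuffer` value added to the policy templates in the same upload, it is the clock-skew allowance in seconds — and it now has to be kept in sync by hand with two XML templates; hoist it to a named constant that spells out that contract, e.g. `#define EUCA_CLOCK_SKEW_SEC 20 /* seconds; must match ClockSkewBuffer in the rampart policy templates */` and `rampart_timestamp_token_validate(env, msg_ctx, signed_node, EUCA_CLOCK_SKEW_SEC)`. Functionally this loosens the Timestamp check on every signed message: a token rampart would previously have rejected as expired or not yet valid is presumably now accepted for up to 20 s either side, which extends the replay window by the same amount, so the value should be documented as a deliberate bound and NTP on CC/NC kept as the real fix. The enclosing `verify_node` starts and ends outside the hunk.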

Subscribers

People subscribed via source and target branches

to all changes: