#!/usr/bin/perl -w ############################################################################### # $Id$ ############################################################################### # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ############################################################################### =head1 NAME VCL::Module::OS::Linux::ManagementNode.pm =head1 SYNOPSIS Needs to be written =head1 DESCRIPTION This module provides VCL support for the management node's Linux operating system. =cut ############################################################################### package VCL::Module::OS::Linux::ManagementNode; # Specify the lib path using FindBin use FindBin; use lib "$FindBin::Bin/../../../.."; # Configure inheritance use base qw(VCL::Module::OS::Linux); # Specify the version of this module our $VERSION = '2.5.1'; # Specify the version of Perl to use use 5.008000; use strict; use warnings; use diagnostics; use VCL::utils; use Crypt::CBC; use Crypt::OpenSSL::RSA; use Crypt::Rijndael; use English; use File::Basename; use MIME::Base64; ############################################################################### =head1 CLASS VARIABLES =cut =head2 $MN_STAGE_SCRIPTS_DIRECTORY Data type : String Description : Location on the management node where scripts reside which are executed on the management node at various stages of a reservation. Example: /usr/local/vcl/tools/ManagementNode/Scripts =cut our $MN_STAGE_SCRIPTS_DIRECTORY = "$TOOLS/ManagementNode/Scripts"; =head2 $MN_PRIVATE_ENCRYPTION_KEY_FILE_PATH Data type : String Description : /root/.vcl/.key =cut our $MN_PRIVATE_ENCRYPTION_KEY_FILE_PATH = "/root/.vcl/$FQDN.key"; ############################################################################### =head1 OBJECT METHODS =cut #////////////////////////////////////////////////////////////////////////////// =head2 initialize Parameters : Returns : Description : =cut sub initialize { my $self = shift; unless (ref($self) && $self->isa('VCL::Module')) { notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as an object method"); return; } my $management_node_hostname = $self->data->get_management_node_hostname() || return; my $management_node_short_name = $self->data->get_management_node_short_name() || return; my $management_node_ip_address = $self->data->get_management_node_ipaddress() || return; $self->data->set_computer_id(0); $self->data->set_computer_hostname($management_node_hostname); $self->data->set_computer_node_name($management_node_short_name); $self->data->set_computer_short_name($management_node_short_name); $self->data->set_computer_public_ip_address($management_node_ip_address); # TODO: remove all use of management node private IP address my $management_node_private_ip_address = hostname_to_ip_address($management_node_hostname); if ($management_node_private_ip_address) { $self->data->set_computer_private_ip_address($management_node_private_ip_address); } else { notify($ERRORS{'WARNING'}, 0, "failed to initialize management node private IP address in DataStructure object, unable to resolve hostname '$management_node_hostname'"); } return 1; } #////////////////////////////////////////////////////////////////////////////// =head2 execute Parameters : $command, $display_output (optional), $timeout_seconds (optional) Returns : array Description : =cut sub execute { my ($argument) = @_; my ($command, $display_output, $timeout_seconds); # Check if this subroutine was called as an object method if (ref($argument) && ref($argument) =~ /VCL::Module/) { # Subroutine was called as an object method ($self->execute) my $self = shift; ($argument) = @_; } # Check the argument type if (ref($argument)) { if (ref($argument) eq 'HASH') { $command = $argument->{command}; $display_output = $argument->{display_output}; $timeout_seconds = $argument->{timeout_seconds}; } else { notify($ERRORS{'WARNING'}, 0, "invalid argument reference type passed: " . ref($argument) . ", if a reference is passed as the argument it may only be a hash or VCL::Module reference"); return; } } else { # Argument is not a reference, get the remaining arguments ($command, $display_output, $timeout_seconds) = @_; } # Run the command my ($exit_status, $output) = run_command($command, 1, $timeout_seconds); if (defined($exit_status) && defined($output)) { if ($display_output) { notify($ERRORS{'OK'}, 0, "executed command: '$command', exit status: $exit_status, output:\n" . join("\n", @$output)) if $display_output; } return ($exit_status, $output); } else { notify($ERRORS{'WARNING'}, 0, "failed to run command on management node: $command"); return; } } #////////////////////////////////////////////////////////////////////////////// =head2 copy_file_to Parameters : $source, $destination Returns : array Description : Copies file(s) from the management node to the Linux computer. =cut sub copy_file_to { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } # Get the source and destination arguments my ($source, $destination) = @_; if (!$source || !$destination) { notify($ERRORS{'WARNING'}, 0, "source and destination arguments were not specified"); return; } $destination =~ s/.*://g; return $self->copy_file($source, $destination); } #////////////////////////////////////////////////////////////////////////////// =head2 create_text_file Parameters : $file_path, $file_contents_string, $append (optional) Returns : boolean Description : Creates a text file on the management node. =cut sub create_text_file { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my ($file_path, $file_contents_string, $append) = @_; if (!defined($file_path)) { notify($ERRORS{'WARNING'}, 0, "file path argument was not supplied"); return; } elsif (!defined($file_contents_string)) { notify($ERRORS{'WARNING'}, 0, "file contents argument was not supplied"); return; } my $computer_node_name = $self->data->get_computer_node_name(); # Attempt to create the parent directory if it does not exist my $parent_directory_path = parent_directory_path($file_path); if (!$self->file_exists($parent_directory_path)) { $self->create_directory($parent_directory_path); } my $mode; my $mode_string; if ($append) { $mode = '>>'; $mode_string = 'append'; } else { $mode = '>'; $mode_string = 'create'; } if (!open FILE, $mode, $file_path) { notify($ERRORS{'WARNING'}, 0, "failed to $mode_string text file on $computer_node_name, file path could not be opened: $file_path"); return; } if (!print FILE $file_contents_string) { close FILE; notify($ERRORS{'WARNING'}, 0, "failed to $mode_string text file on $computer_node_name: $file_path, contents could not be written to the file"); return; } close FILE; notify($ERRORS{'DEBUG'}, 0, $mode_string . ($append ? 'ed' : 'd') . " text file on $computer_node_name: $file_path"); return 1; } #////////////////////////////////////////////////////////////////////////////// =head2 get_file_contents Parameters : $file_path, $display_warnings (optional) Returns : array or string Description : Retrieves the contents of a file on the management node. =cut sub get_file_contents { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my ($file_path, $display_warnings) = @_; if (!defined($file_path)) { notify($ERRORS{'WARNING'}, 0, "file path argument was not supplied"); return; } $display_warnings = 1 unless defined($display_warnings); my $computer_node_name = $self->data->get_computer_node_name(); if (!open FILE, '<', $file_path) { notify($ERRORS{'WARNING'}, 0, "failed to retrieve contents of file on $computer_node_name, file could not be opened: $file_path") if $display_warnings; return; } my @lines = ; close FILE; my $line_count = scalar(@lines); notify($ERRORS{'DEBUG'}, 0, "retrieved contents of file on $computer_node_name: $file_path ($line_count lines)"); if (wantarray) { map { s/[\r\n]+$//g; } (@lines); return @lines; } else { return join('', @lines); } } #////////////////////////////////////////////////////////////////////////////// =head2 get_management_node_reservation_info_json_file_path Parameters : none Returns : string Description : Returns the location where the files resides on the management node that contains JSON formatted information about the reservation. For Linux computers, the location is: /tmp/.json. =cut sub get_management_node_reservation_info_json_file_path { my $self = shift; if (ref($self) !~ /VCL::Module::OS/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my $reservation_id = $self->data->get_reservation_id(); return "/tmp/$reservation_id.json"; } #////////////////////////////////////////////////////////////////////////////// =head2 create_management_node_reservation_info_json_file Parameters : none Returns : boolean Description : Creates a text file on the the management node containing reservation data in JSON format. =cut sub create_management_node_reservation_info_json_file { my $self = shift; if (ref($self) !~ /VCL::Module::OS/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my $json_file_path = $self->get_management_node_reservation_info_json_file_path(); # IMPORTANT: Use $self->os->data here to retrieve DataStructure info for the computer being loaded # If $self->data->get_reservation_info_json_string is used, the computer info will be that of the management node, not the computer being loaded my $json_string = $self->os->data->get_reservation_info_json_string() || return; return $self->create_text_file($json_file_path, $json_string); } #////////////////////////////////////////////////////////////////////////////// =head2 delete_management_node_reservation_info_json_file Parameters : none Returns : boolean Description : Deletes the text file on the management node containing reservation data in JSON format. =cut sub delete_management_node_reservation_info_json_file { my $self = shift; if (ref($self) !~ /VCL::Module::OS/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my $json_file_path = $self->get_management_node_reservation_info_json_file_path(); return $self->delete_file($json_file_path); } #////////////////////////////////////////////////////////////////////////////// =head2 run_stage_scripts_on_management_node Parameters : $stage Returns : boolean Description : Runs scripts on the management node intended for the state specified by the argument. This is useful if you need to configure something such as a storage unit or firewall device specifically for each reservation. The stage argument may be any of the following: * post_capture * post_initial_connection * post_load * post_reservation * post_reserve * pre_capture * pre_reload The scripts are stored on the management node under: /usr/local/vcl/tools/ManagementNode/Scripts No scripts exist by default. When the vcld process reaches the stage specified by the argument, it will check the subdirectory with a name that matches the stage name. For example: /usr/local/vcl/tools/ManagementNode/Scripts/post_capture It will attempt to execute any files under this directory. Prior to executing the scripts, a JSON file is created under /tmp with information regarding the reservation. The actual file path will be: /tmp/.json Information about the reservation can be retrieved within the script by simply using grep or using something to parse JSON such as jsawk. Sample script: JSON_FILE="$1" echo "JSON file: ${JSON_FILE}" PRIVATE_IP=`cat ${JSON_FILE} | jsawk 'return this.computer.privateIPaddress'` echo "computer private IP: ${PRIVATE_IP}" =cut sub run_stage_scripts_on_management_node { my $self = shift; if (ref($self) !~ /VCL::/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } # Get the stage argument my $stage = shift; if (!$stage) { notify($ERRORS{'WARNING'}, 0, "stage argument was not supplied"); return; } my $management_node_stages = { 'post_capture' => 1, 'post_initial_connection' => 1, 'post_load' => 1, 'post_reservation' => 1, 'post_reserve' => 1, 'pre_capture' => 1, 'pre_reload' => 1, }; if (!defined($management_node_stages->{$stage})) { notify($ERRORS{'WARNING'}, 0, "invalid stage argument was supplied: $stage"); return; } elsif (!$management_node_stages->{$stage}) { # Note: Not currently used, could someday if a particular stage is defined for computer scripts but not MN scripts notify($ERRORS{'DEBUG'}, 0, "'$stage' stage scripts are not supported to be run on a managment node"); return 1; } # Override the die handler local $SIG{__DIE__} = sub{}; my $reservation_id = $self->data->get_reservation_id(); my $management_node_short_name = $self->data->get_management_node_short_name(); my $scripts_directory_path = "$MN_STAGE_SCRIPTS_DIRECTORY/$stage"; my @script_file_paths = $self->find_files($scripts_directory_path, '*'); if (!@script_file_paths) { notify($ERRORS{'DEBUG'}, 0, "no files exist in directory: $scripts_directory_path"); return 1; } # Sort the files so they can be executed in a known order @script_file_paths = sort_by_file_name(@script_file_paths); my $script_count = scalar(@script_file_paths); notify($ERRORS{'DEBUG'}, 0, "found $script_count files under $scripts_directory_path:\n" . join("\n", @script_file_paths)); # Create a JSON file on the management node containing reservation info $self->create_management_node_reservation_info_json_file(); my $mn_json_file_path = $self->get_management_node_reservation_info_json_file_path(); # Execute the scripts for my $script_file_path (@script_file_paths) { # Ignore certain intermediate directory paths if ($script_file_path =~ /\/(\.svn|\.git)\//i) { my $matching_section = $1; notify($ERRORS{'DEBUG'}, 0, "ignoring file on management node because it resides under intermediate directory '$matching_section': $script_file_path"); next; } # Ignore the .gitignore files if ($script_file_path =~ /\.gitignore/i) { my $matching_section = $1; notify($ERRORS{'DEBUG'}, 0, "ignoring gitignore file on management node from script directory '$matching_section': $script_file_path"); next; } my $command = "chmod +x $script_file_path && $script_file_path $mn_json_file_path"; my ($exit_status, $output) = $self->execute($command); if (!defined($output)) { notify($ERRORS{'WARNING'}, 0, "failed to execute script on management node: $command"); return; } else { notify($ERRORS{'DEBUG'}, 0, "executed script on management node $management_node_short_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output)); } } #$self->delete_management_node_reservation_info_json_file(); return 1; } #////////////////////////////////////////////////////////////////////////////// =head2 check_private_ip_addresses Parameters : none Returns : boolean Description : Retrieves private IP information for all computers in the database assigned to the management node and checks if the hostname resolves on the management node. If it resolves to a different address than the value stored in the database, the database is updated. =cut sub check_private_ip_addresses { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } # Get computers assigned to this management node my @management_node_computer_ids = get_management_node_computer_ids(); # Get private IP addresses from the database for all computers assigned to this managment node my $database_private_ip_address_info = get_computer_private_ip_address_info(@management_node_computer_ids); my @database_no_resolve; my @database_resolve_match; my @database_resolve_no_match; my @no_database_resolve; my @no_database_no_resolve; for my $hostname (sort keys %$database_private_ip_address_info) { my $database_private_ip_address = $database_private_ip_address_info->{$hostname}; my ($hostname) = $hostname =~ /^([^\.]+)/g; # Attempt to detmine the IP address the hostname resolves to via gethostip #my $resolved_ip_address = get_host_ip($hostname) || get_host_ip($hostname); my $resolved_ip_address = hostname_to_ip_address($hostname); if ($database_private_ip_address) { if (!$resolved_ip_address) { push @database_no_resolve, $hostname; #print "private IP address of $hostname set in the database: $database_private_ip_address, hostname does NOT resolve\n"; #notify($ERRORS{'DEBUG'}, 0, "private IP address of $hostname set in the database: $database_private_ip_address, hostname does NOT resolve"); } elsif ($database_private_ip_address eq $resolved_ip_address) { push @database_resolve_match, $hostname; print "private IP address of $hostname set in database matches IP address hostname resolves to: $database_private_ip_address\n"; notify($ERRORS{'DEBUG'}, 0, "private IP address of $hostname set in database matches IP address hostname resolves to: $database_private_ip_address"); } else { push @database_resolve_no_match, $hostname; print "private IP address $hostname resolves to ($resolved_ip_address) does NOT match database ($database_private_ip_address)\n"; notify($ERRORS{'DEBUG'}, 0, "private IP address $hostname resolves to ($resolved_ip_address) does NOT match database ($database_private_ip_address)"); update_computer_private_ip_address($hostname, $resolved_ip_address); } } else { # Private IP address is not set in the database if ($resolved_ip_address) { push @no_database_resolve, $hostname; print "private IP address of $hostname NOT set in database, hostname resolves to $resolved_ip_address\n"; notify($ERRORS{'DEBUG'}, 0, "private IP address of $hostname NOT set in database, hostname resolves to $resolved_ip_address"); update_computer_private_ip_address($hostname, $resolved_ip_address); } else { push @no_database_no_resolve, $hostname; #print "private IP address of $hostname NOT set in database and hostname does NOT resolve\n"; notify($ERRORS{'DEBUG'}, 0, "private IP address of $hostname NOT set in database and hostname does NOT resolve"); } } } my $database_no_resolve_count = scalar(@database_no_resolve); my $database_resolve_match_count = scalar(@database_resolve_match); my $database_resolve_no_match_count = scalar(@database_resolve_no_match); my $no_database_resolve_count = scalar(@no_database_resolve); my $no_database_no_resolve_count = scalar(@no_database_no_resolve); notify($ERRORS{'DEBUG'}, 0, "private IP address results:\n" . "database set, hostname does not resolve: $database_no_resolve_count\n" . "database set, hostname resolves to matching address: $database_resolve_match_count\n" . "database set, hostname resolves to different address: $database_resolve_no_match_count (" . join(', ', @database_resolve_no_match) . ")\n" . "database not set, hostname resolves: $no_database_resolve_count (" . join(', ', @no_database_resolve) . ")\n" . "database not set, hostname does not resolve: $no_database_no_resolve_count (" . join(', ', @no_database_no_resolve) . ")" ); return 1; } #////////////////////////////////////////////////////////////////////////////// =head2 setup_get_menu Parameters : none Returns : hash reference Description : Assembles the MN-related 'vcld -setup' menu items. =cut sub setup_get_menu { return { 'Management Node Operations' => { 'Check private IP addresses' => \&check_private_ip_addresses, }, }; } #////////////////////////////////////////////////////////////////////////////// =head2 get_private_key_file_path Parameters : none Returns : string Description : Returns the location on the management node where the private key resides that is used to decrypt secrets: /root/.vcl/.key =cut sub get_private_key_file_path { return $MN_PRIVATE_ENCRYPTION_KEY_FILE_PATH; } #////////////////////////////////////////////////////////////////////////////// =head2 _get_private_key_object_from_file Parameters : none Returns : string Description : Retrieves the private key string from the file on the management node and creates a Crypt::OpenSSL::RSA object based on it. =cut sub _get_private_key_object_from_file { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } return $self->{private_key_object_from_file} if defined($self->{private_key_object_from_file}); my $management_node_short_name = $self->data->get_management_node_short_name() || return; my $private_key_file_path = $self->get_private_key_file_path(); if (!$self->file_exists($private_key_file_path)) { notify($ERRORS{'OK'}, 0, "unable to retrieve private key from file on $management_node_short_name because file does NOT exist: $private_key_file_path"); return; } my $private_key_file_string = $self->get_file_contents($private_key_file_path); if (!$private_key_file_string) { notify($ERRORS{'WARNING'}, 0, "failed to retrieve private key from file on $management_node_short_name: $private_key_file_path"); return; } # Override the die handler local $SIG{__DIE__} = sub{}; # Create an RSA object based on the existing private key contained in the file my $rsa_private; eval { $rsa_private = Crypt::OpenSSL::RSA->new_private_key($private_key_file_string); }; if ($EVAL_ERROR || !$rsa_private) { notify($ERRORS{'WARNING'}, 0, "failed to create Crypt::OpenSSL::RSA object from $private_key_file_path on $management_node_short_name" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); return; } $self->{private_key_object_from_file} = $rsa_private; return $rsa_private; } #////////////////////////////////////////////////////////////////////////////// =head2 extract_public_key_from_private_key_file Parameters : none Returns : string Description : Retrieves the private key from the file on the management node and extracts the public key from the private key. The public key string is returned. =cut sub extract_public_key_from_private_key_file { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my $rsa_private = $self->_get_private_key_object_from_file() || return; my $management_node_short_name = $self->data->get_management_node_short_name(); my $private_key_file_path = $self->get_private_key_file_path(); # Override the die handler local $SIG{__DIE__} = sub{}; # Retrieve the public key string from the RSA object my $public_key_string; eval { $public_key_string = $rsa_private->get_public_key_x509_string(); }; if ($EVAL_ERROR || !$public_key_string) { notify($ERRORS{'WARNING'}, 0, "failed to extract public key from private key file $private_key_file_path on $management_node_short_name, failed to retrieve public key from private key contained in the file" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); return; } return $public_key_string; } #////////////////////////////////////////////////////////////////////////////// =head2 generate_private_key_file Parameters : none Returns : boolean Description : Creates a 4096 bit RSA private key file on the management node at /root/.vcl/.key. =cut sub generate_private_key_file { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my $arguments_hash_ref = shift; if (defined($arguments_hash_ref) && !ref($arguments_hash_ref) || ref($arguments_hash_ref) ne 'HASH') { notify($ERRORS{'WARNING'}, 0, "argument was supplied but is not a hash reference:\n" . format_data($arguments_hash_ref)); return; } my $private_key_file_path = $self->get_private_key_file_path(); my $bits = 4096; # If provided and true, existing private key file will be deleted if it exists my $force = $arguments_hash_ref->{force}; my $management_node_id = $self->data->get_management_node_id() || return; my $management_node_short_name = $self->data->get_management_node_short_name() || return; my $reservation_id = $self->data->get_reservation_id(); notify($ERRORS{'DEBUG'}, 0, "*** attempting to generate a new private key file on $management_node_short_name: $private_key_file_path ***"); # Make sure the private key file does not already exist if ($self->file_exists($private_key_file_path)) { if ($force) { (my $timestamp = makedatestring()) =~ s/\s+/_/g; my $backup_private_key_file_path = $private_key_file_path . "_$timestamp"; if ($self->copy_file($private_key_file_path, $backup_private_key_file_path)) { notify($ERRORS{'OK'}, 0, "force argument was specified, existing private key file will be overwritten, created backup copy: $private_key_file_path --> $backup_private_key_file_path"); } else { notify($ERRORS{'WARNING'}, 0, "failed to generate encryption keys, force argument was specified, existing private key file exists but failed to create backup copy: $private_key_file_path --> $backup_private_key_file_path"); return; } } else { notify($ERRORS{'WARNING'}, 0, "failed to generate encryption keys, private key file already exists: $private_key_file_path"); return; } } # Delete cached RSA object if ($self->{private_key_object_from_file}) { notify($ERRORS{'DEBUG'}, 0, "deleting cached RSA private key object"); delete $self->{private_key_object_from_file}; } # Delete all existing cryptsecret entries for the management node # The website's API won't delete any that may have been created with an earlier key delete_management_node_cryptsecret($management_node_id); # Override the die handler local $SIG{__DIE__} = sub{}; # Create a new RSA object containing a private/public key pair # Create an RSA object based on the existing private key contained in the file my $rsa_generate; eval { $rsa_generate = Crypt::OpenSSL::RSA->generate_key($bits); }; if ($EVAL_ERROR || !$rsa_generate) { notify($ERRORS{'WARNING'}, 0, "failed to create private key file on management node $management_node_short_name: $private_key_file_path, RSA object could not be created" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); return; } my $private_key_string; eval { $private_key_string = $rsa_generate->get_private_key_string(); }; if ($EVAL_ERROR || !$private_key_string) { notify($ERRORS{'WARNING'}, 0, "failed to create private key file on management node $management_node_short_name: $private_key_file_path, private key string could not be retireved from RSA object" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); return; } my $public_key_string; eval { $public_key_string = $rsa_generate->get_public_key_x509_string(); }; if ($EVAL_ERROR || !$public_key_string) { notify($ERRORS{'WARNING'}, 0, "failed to create private key file on management node $management_node_short_name: $private_key_file_path, public key string could not be retireved from RSA object" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); return; } $self->create_text_file($private_key_file_path, $private_key_string) || return; # Update cryptkey table with the public key string if (!set_management_node_cryptkey_pubkey($management_node_id, $public_key_string)) { notify($ERRORS{'WARNING'}, 0, "created private key file on management node $management_node_short_name: $private_key_file_path, failed to update cryptkey table in database, attempting to delete private key file just created: $private_key_file_path"); $self->delete_file($private_key_file_path); return; } # Call the XML-RPC API to create a new cryptsecret entry for this reservation call_check_crypt_secrets($reservation_id); notify($ERRORS{'OK'}, 0, "created private key file on management node $management_node_short_name: $private_key_file_path, updated cryptkey.pubkey value in database"); return 1; } #////////////////////////////////////////////////////////////////////////////// =head2 decrypt_cryptsecret Parameters : $secret_id, $encrypted_string Returns : string Description : Decrypts an encrypted string stored in the database such as addomain.password. The $secret_id argument must match a cryptsecret.secretid value in the database. The corresponding cryptsecret.cryptsecret value is a base64-encoded string that is encrypted using the management node's public key stored in cryptkey.pubkey. The management node's private key is used to decrypt it. =cut sub decrypt_cryptsecret { my $self = shift; if (ref($self) !~ /VCL::Module/i) { notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method"); return; } my ($secret_id, $encrypted_string, $recreate_key) = @_; if (!defined($secret_id)) { notify($ERRORS{'WARNING'}, 0, "secret ID argument was not supplied"); return; } if (!defined($encrypted_string)) { notify($ERRORS{'WARNING'}, 0, "encrypted string argument was not supplied"); return; } my $management_node_id = $self->data->get_management_node_id() || return; my $management_node_short_name = $self->data->get_management_node_short_name() || return; my $private_key_file_path = $self->get_private_key_file_path(); if ($recreate_key) { notify($ERRORS{'DEBUG'}, 0, "previous attempt to decrypt cryptsecret failed, attempting to regenerate private key and cryptsecret entries"); if (!$self->generate_private_key_file({force => 1})) { notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to verify private key stored in file on management node is valid and its public key matches the cryptkey.pubkey value in the database"); return; } } # Pass opposite of $recreate_key as $suppress_warning argument my $cryptsecret = get_management_node_cryptsecret_value($management_node_id, $secret_id, !$recreate_key); if (!$cryptsecret) { #notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to retrieve cryptsecret.cryptsecret value for management node ID $management_node_id"); $recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1); } # The encrypted string (addomain.password, etc) and cryptsecret.cryptsecret should ALWAYS be base64 encoded # They must be decoded to binary before being passed to decrypt functions my $encrypted_string_decoded = decode_base64($encrypted_string); my $cryptsecret_decoded = decode_base64($cryptsecret); my $rsa_private = $self->_get_private_key_object_from_file(); if (!$rsa_private) { #notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to create RSA object based on management node's private key"); $recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1); } # Override the die handler local $SIG{__DIE__} = sub{}; my $key; eval { $key = $rsa_private->decrypt($cryptsecret_decoded); }; if ($EVAL_ERROR || !$key) { # Wrong key error: # RSA.xs:202: OpenSSL error: oaep decoding error notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to decrypt cryptsecret using RSA object based on management node's private key file: $private_key_file_path" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); $recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1); } my $encrypted_string_length = length($encrypted_string_decoded); if ($encrypted_string_length < 32) { # This should always be at least 32 bytes # If less than 16, the next 2 substr commands may fail with 'substr outside of string' errors notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, encrypted string length: $encrypted_string_length bytes, it must be 32 bytes or more:\n$encrypted_string\n\n" . decode_base64($encrypted_string)); return; } my $iv = substr($encrypted_string_decoded, 0, 16); my $ciphered_string = substr($encrypted_string_decoded, 16); my $cipher; eval { $cipher = Crypt::CBC->new( { 'key' => $key, 'cipher' => 'Crypt::Rijndael', 'iv' => $iv, 'header' => 'none', 'literal_key' => 1, } ); }; if (!$cipher || $EVAL_ERROR) { notify($ERRORS{'WARNING'}, 0, "unable to decrypt secret ID $secret_id, failed to create Crypt::CBC object" . ($EVAL_ERROR ? ", error:\n" . $EVAL_ERROR : '')); return; } my $decrypted_string = $cipher->decrypt($ciphered_string); if (defined($decrypted_string)) { notify($ERRORS{'OK'}, 0, "decrypted secret ID $secret_id"); return $decrypted_string; } else { notify($ERRORS{'WARNING'}, 0, "failed to decrypt secret ID $secret_id"); $recreate_key ? return : return $self->decrypt_cryptsecret($secret_id, $encrypted_string, 1); } } #////////////////////////////////////////////////////////////////////////////// 1; __END__ =head1 SEE ALSO L =cut