1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-25 08:12:40 +01:00

When registering a device, write a device ID

Summary:
Ref T5833. In some cases, we need to know if an Almanac device is the localhost or not, so we can either handle or forward the request.

To accomplish this, write a device ID when running `bin/almanac register`.

Using `--allow-key-reuse` and `--identify-as`, multiple devices are permitted to //authenticate// as one device but //identify// as different devices. In the Phacility cluster, this allows all the `repoXXX` machines to have one keypair (making key management much easier) but still work as separate devices. This is an advanced feature; normal installs with 1-3 hosts would just generate a key + device per host and identify/authenticate as the same device.

Test Plan: Ran commands with lots of flags like `PHACILITY_INSTANCE=local sudo -E ./bin/almanac register --device daemon.phacility.net --private-key ~/dev/core/conf/keys/daemon.key --force --allow-key-reuse --identify-as local001.phacility.net`. Got a good result from `AlmanacKeys::getDeviceID()` afterward.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5833

Differential Revision: https://secure.phabricator.com/D11452
This commit is contained in:
epriestley 2015-01-22 16:06:04 -08:00
parent d6ed9c2f68
commit adf209e655
3 changed files with 40 additions and 2 deletions

1
.gitignore vendored
View file

@ -15,6 +15,7 @@
/conf/local/VERSION
/conf/keys/device.pub
/conf/keys/device.key
/conf/keys/device.id
# Impact Font
/resources/font/impact.ttf

View file

@ -23,7 +23,15 @@ final class AlmanacManagementRegisterWorkflow
'name' => 'allow-key-reuse',
'help' => pht(
'Register even if another host is already registered with this '.
'keypair.'),
'keypair. This is an advanced featuer which allows a pool of '.
'devices to share credentials.'),
),
array(
'name' => 'identify-as',
'param' => 'name',
'help' => pht(
'Specify an alternate host identity. This is an advanced '.
'feature which allows a pool of devices to share credentials.'),
),
array(
'name' => 'force',
@ -85,6 +93,7 @@ final class AlmanacManagementRegisterWorkflow
$stored_public_path = AlmanacKeys::getKeyPath('device.pub');
$stored_private_path = AlmanacKeys::getKeyPath('device.key');
$stored_device_path = AlmanacKeys::getKeyPath('device.id');
if (!$args->getArg('force')) {
if (Filesystem::pathExists($stored_public_path)) {
@ -171,6 +180,24 @@ final class AlmanacManagementRegisterWorkflow
Filesystem::writeFile($tmp_private, $raw_private_key);
execx('mv -f %s %s', $tmp_private, $stored_private_path);
$raw_device = $device_name;
$identify_as = $args->getArg('identify-as');
if (strlen($identify_as)) {
$raw_device = $identify_as;
}
$console->writeOut(
"%s\n",
pht('Installing device ID...', $raw_device));
// The permissions on this file are more open because the webserver also
// needs to read it.
$tmp_device = new TempFile();
Filesystem::changePermissions($tmp_device, 0644);
execx('chown %s %s', $phd_user, $tmp_device);
Filesystem::writeFile($tmp_device, $raw_device);
execx('mv -f %s %s', $tmp_device, $stored_device_path);
if (!$public_key->getID()) {
$console->writeOut(
"%s\n",
@ -184,7 +211,7 @@ final class AlmanacManagementRegisterWorkflow
pht(
'This host has been registered as "%s" and a trusted keypair '.
'has been installed.',
$device_name));
$raw_device));
}
}

View file

@ -9,4 +9,14 @@ final class AlmanacKeys extends Phobject {
return $keys.ltrim($key_name, '/');
}
public static function getDeviceID() {
$device_id_path = self::getKeyPath('device.id');
if (Filesystem::pathExists($device_id_path)) {
return trim(Filesystem::readFile($device_id_path));
}
return null;
}
}