mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 08:12:40 +01:00
When registering a device, write a device ID
Summary: Ref T5833. In some cases, we need to know if an Almanac device is the localhost or not, so we can either handle or forward the request. To accomplish this, write a device ID when running `bin/almanac register`. Using `--allow-key-reuse` and `--identify-as`, multiple devices are permitted to //authenticate// as one device but //identify// as different devices. In the Phacility cluster, this allows all the `repoXXX` machines to have one keypair (making key management much easier) but still work as separate devices. This is an advanced feature; normal installs with 1-3 hosts would just generate a key + device per host and identify/authenticate as the same device. Test Plan: Ran commands with lots of flags like `PHACILITY_INSTANCE=local sudo -E ./bin/almanac register --device daemon.phacility.net --private-key ~/dev/core/conf/keys/daemon.key --force --allow-key-reuse --identify-as local001.phacility.net`. Got a good result from `AlmanacKeys::getDeviceID()` afterward. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5833 Differential Revision: https://secure.phabricator.com/D11452
This commit is contained in:
parent
d6ed9c2f68
commit
adf209e655
3 changed files with 40 additions and 2 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -15,6 +15,7 @@
|
|||
/conf/local/VERSION
|
||||
/conf/keys/device.pub
|
||||
/conf/keys/device.key
|
||||
/conf/keys/device.id
|
||||
|
||||
# Impact Font
|
||||
/resources/font/impact.ttf
|
||||
|
|
|
@ -23,7 +23,15 @@ final class AlmanacManagementRegisterWorkflow
|
|||
'name' => 'allow-key-reuse',
|
||||
'help' => pht(
|
||||
'Register even if another host is already registered with this '.
|
||||
'keypair.'),
|
||||
'keypair. This is an advanced featuer which allows a pool of '.
|
||||
'devices to share credentials.'),
|
||||
),
|
||||
array(
|
||||
'name' => 'identify-as',
|
||||
'param' => 'name',
|
||||
'help' => pht(
|
||||
'Specify an alternate host identity. This is an advanced '.
|
||||
'feature which allows a pool of devices to share credentials.'),
|
||||
),
|
||||
array(
|
||||
'name' => 'force',
|
||||
|
@ -85,6 +93,7 @@ final class AlmanacManagementRegisterWorkflow
|
|||
|
||||
$stored_public_path = AlmanacKeys::getKeyPath('device.pub');
|
||||
$stored_private_path = AlmanacKeys::getKeyPath('device.key');
|
||||
$stored_device_path = AlmanacKeys::getKeyPath('device.id');
|
||||
|
||||
if (!$args->getArg('force')) {
|
||||
if (Filesystem::pathExists($stored_public_path)) {
|
||||
|
@ -171,6 +180,24 @@ final class AlmanacManagementRegisterWorkflow
|
|||
Filesystem::writeFile($tmp_private, $raw_private_key);
|
||||
execx('mv -f %s %s', $tmp_private, $stored_private_path);
|
||||
|
||||
$raw_device = $device_name;
|
||||
$identify_as = $args->getArg('identify-as');
|
||||
if (strlen($identify_as)) {
|
||||
$raw_device = $identify_as;
|
||||
}
|
||||
|
||||
$console->writeOut(
|
||||
"%s\n",
|
||||
pht('Installing device ID...', $raw_device));
|
||||
|
||||
// The permissions on this file are more open because the webserver also
|
||||
// needs to read it.
|
||||
$tmp_device = new TempFile();
|
||||
Filesystem::changePermissions($tmp_device, 0644);
|
||||
execx('chown %s %s', $phd_user, $tmp_device);
|
||||
Filesystem::writeFile($tmp_device, $raw_device);
|
||||
execx('mv -f %s %s', $tmp_device, $stored_device_path);
|
||||
|
||||
if (!$public_key->getID()) {
|
||||
$console->writeOut(
|
||||
"%s\n",
|
||||
|
@ -184,7 +211,7 @@ final class AlmanacManagementRegisterWorkflow
|
|||
pht(
|
||||
'This host has been registered as "%s" and a trusted keypair '.
|
||||
'has been installed.',
|
||||
$device_name));
|
||||
$raw_device));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -9,4 +9,14 @@ final class AlmanacKeys extends Phobject {
|
|||
return $keys.ltrim($key_name, '/');
|
||||
}
|
||||
|
||||
public static function getDeviceID() {
|
||||
$device_id_path = self::getKeyPath('device.id');
|
||||
|
||||
if (Filesystem::pathExists($device_id_path)) {
|
||||
return trim(Filesystem::readFile($device_id_path));
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue