From d94247cb9f7746f75b176cbed0a32e9e902e7e7d Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp
Date: Fri, 20 Jan 2017 00:32:45 +0100
Subject: API keys are now provided in the config file. Also added CA cert verification for internal TLS connections.
---
 tools/compileconfig.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'tools/compileconfig.py')
diff --git a/tools/compileconfig.py b/tools/compileconfig.py
index 1fa352e..bbc2277 100755
--- a/tools/compileconfig.py
+++ b/tools/compileconfig.py
@@ -7,10 +7,14 @@ import argparse
 import sys
 import yaml
 import re
+import base64
 class Symbol(str):
 pass
+class Binary(str):
+ pass
+
 clean_string = re.compile(r'^[-.:_/A-Za-z0-9 ]*$')
 clean_symbol = re.compile(r'^[_A-Za-z0-9]*$')
@@ -34,6 +38,8 @@ def gen_erlang(term, level=1):
 separator = ",\n" + indent
 if isinstance(term, Symbol):
 return quote_erlang_symbol(term)
+ elif isinstance(term, Binary):
+ return "<<" + ",".join([str(ord(c)) for c in term]) + ">>"
 elif isinstance(term, basestring):
 return quote_erlang_string(term)
 elif isinstance(term, int):
@@ -194,9 +200,13 @@ def parse_ratelimit((type, description)):
 print >>sys.stderr, "%s: Only one ratelimit expression supported right now" % (type,)
 return (Symbol(type), descriptions)
+def api_keys(config):
+ return [(node["nodename"], Binary(base64.b64decode(node["publickey"]))) for node in config["apikeys"]]
+
 def gen_config(nodename, config, localconfig):
 print "generating config for", nodename
 paths = localconfig["paths"]
+ apikeys = api_keys(config)
 bind_addresses = {
 "frontend": localconfig.get("frontendaddresses", {}).get(nodename),
 "storage": localconfig.get("storageaddresses", {}).get(nodename),
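Review bot: The new `Binary` branch in gen_erlang (hunk `@@ -34,6 +38,8 @@`) is only reached because it is tested before `basestring`; `Binary` subclasses `str`, so if the branches are ever reordered the key bytes would be routed to `quote_erlang_string` instead of being emitted as `<<...>>`. A one-line comment above the branch would pin that, for example `# Binary is a str subclass: keep this test ahead of basestring`. gen_erlang's body starts and ends outside the hunk.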
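Review bot: `api_keys` (hunk `@@ -194,9 +200,13 @@`) decodes each `publickey` with `base64.b64decode`, which on Python 2 discards characters outside the base64 alphabet instead of rejecting them, so a mistyped key can be written into the generated Erlang config as different bytes without any error; the same applies to the `log_public_key` line in the `@@ -333,7 +344,7 @@` hunk. Incorrect padding surfaces as a bare TypeError traceback that does not say which node's key is bad. I would check the alphabet before decoding and exit with a message naming the entry, as this file already does for other config errors. If keys may be wrapped across lines in the YAML, whitespace would need to be stripped before the check.

```python
strict_base64 = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

def decode_key(encoded, description):
    # Python 2's b64decode discards non-alphabet characters, so reject them first.
    try:
        if not strict_base64.match(encoded):
            raise TypeError("characters outside the base64 alphabet")
        return Binary(base64.b64decode(encoded))
    except TypeError, e:
        print >>sys.stderr, "%s: invalid base64: %s" % (description, e)
        sys.exit(1)

def api_keys(config):
    return [(node["nodename"], decode_key(node["publickey"], "apikeys entry " + node["nodename"]))
            for node in config["apikeys"]]

# … unchanged: gen_config up to the plopconfig block …
        (Symbol("log_public_key"), decode_key(config["logpublickey"], "logpublickey")),
```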
@@ -231,6 +241,7 @@ def gen_config(nodename, config, localconfig):
 (Symbol("https_certfile"), paths["https_certfile"]),
 (Symbol("https_keyfile"), paths["https_keyfile"]),
 (Symbol("https_cacertfile"), paths["https_cacertfile"]),
+ (Symbol("https_cacert_fingerprint"), Binary(base64.b16decode(config["cafingerprint"]))),
 ]
 catlfishconfig.append((Symbol("mmd"), config["mmd"]))
@@ -333,7 +344,7 @@ def gen_config(nodename, config, localconfig):
 print >>sys.stderr, "Neither logprivatekey nor hsm configured for signing node", nodename
 sys.exit(1)
 plopconfig += [
- (Symbol("log_public_key"), paths["logpublickey"]),
+ (Symbol("log_public_key"), Binary(base64.b64decode(config["logpublickey"]))),
 (Symbol("own_key"), (nodename, "%s/%s-private.pem" % (paths["privatekeys"], nodename))),
 ]
 if "frontendnodes" in nodetype:
@@ -341,6 +352,7 @@ def gen_config(nodename, config, localconfig):
 plopconfig += [
 (Symbol("allowed_clients"), list(allowed_clients)),
 (Symbol("allowed_servers"), list(allowed_servers)),
+ (Symbol("apikeys"), apikeys),
 ]
 erlangconfig = [
-- cgit v1.1
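Review bot: `base64.b16decode(config["cafingerprint"])` in hunk `@@ -231,6 +241,7 @@` accepts only uppercase hex with no separators, so a fingerprint pasted in colon-separated or lowercase form aborts config generation with a bare TypeError, while an empty or truncated value decodes cleanly and is written out as the pinned `https_cacert_fingerprint`. Going by the commit message, this value is what the internal TLS CA verification relies on, so I would normalise and length-check it here: `fp = base64.b16decode(config["cafingerprint"].replace(":", ""), True)`, followed by a check that `len(fp)` equals the digest size the Erlang side compares against (not visible in this diff), exiting with a clear message otherwise. gen_config's body starts and ends outside the hunk.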