1 {-| Implementation of the Ganeti confd utilities.
3 This holds a few utility functions that could be useful in both
10 Copyright (C) 2011, 2012 Google Inc.
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 2 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful, but
18 WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program; if not, write to the Free Software
24 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
29 module Ganeti.Confd.Utils
36 import qualified Data.ByteString as B
37 import qualified Text.JSON as J
39 import Ganeti.BasicTypes
42 import qualified Ganeti.Constants as C
44 import Ganeti.HTools.Utils
46 -- | Returns the HMAC key.
47 getClusterHmac :: IO HashKey
48 getClusterHmac = fmap B.unpack $ B.readFile C.confdHmacKey
50 -- | Parses a signed request.
51 parseRequest :: HashKey -> String -> Result (String, String, ConfdRequest)
52 parseRequest key str = do
53 (SignedMessage hmac msg salt) <- fromJResult "parsing request" $ J.decode str
54 req <- if verifyMac key (Just salt) msg hmac
55 then fromJResult "parsing message" $ J.decode msg
56 else Bad "HMAC verification failed"
57 return (salt, msg, req)
59 -- | Mesage parsing. This can either result in a good, valid message,
60 -- or fail in the Result monad.
61 parseMessage :: HashKey -> String -> Integer
62 -> Result (String, ConfdRequest)
63 parseMessage hmac msg curtime = do
64 (salt, origmsg, request) <- parseRequest hmac msg
65 ts <- tryRead "Parsing timestamp" salt::Result Integer
66 if abs (ts - curtime) > fromIntegral C.confdMaxClockSkew
67 then fail "Too old/too new timestamp or clock skew"
68 else return (origmsg, request)
70 -- | Signs a message with a given key and salt.
71 signMessage :: HashKey -> String -> String -> SignedMessage
72 signMessage key salt msg =
73 SignedMessage { signedMsgMsg = msg
74 , signedMsgSalt = salt
75 , signedMsgHmac = hmac
77 where hmac = computeMac key (Just salt) msg