diff --git a/config/etc/certs/omc_pri.key_pri.key.aes_en b/config/etc/certs/omc_pri.key_pri.key.aes_en
new file mode 100644
index 00000000..9ed848ec
Binary files /dev/null and b/config/etc/certs/omc_pri.key_pri.key.aes_en differ
diff --git a/config/etc/certs/omc_pub.key_pub.key b/config/etc/certs/omc_pub.key_pub.key
new file mode 100644
index 00000000..8e7ecc5c
--- /dev/null
+++ b/config/etc/certs/omc_pub.key_pub.key
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0BP+WJNddrEd9OskJ9A
+W6QFR4GrU/N82FOSzWlJQi2nHnPXA+0fADZ8B5sD011LmS1wznKl9922fw2S5Sz0
+dc2pCPNCZ4HhkDhlBUkZ07sIswIuoU40vjvQZJgjNHQGIoAADPjcxGWjHibkmioP
++7Y6Zvot80xZGXzZbdya8zXAEZFrVtYZsmbYt0Vh2cSUJlkpyqKf3JFrBYlR8bWr
+VH4Mf2pM1Z29ouW+UgNZ3/vL4JpTeLjYQs1not2HHYo5VgwX/20zGeNInCRIc/7H
+YHLkRa9YhfpN5TIkbynrBbKV5hx+lJ9iADqWR7Ug1OHx7zgfm1iz25VflDNls+Mp
+JwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/features/cm/software.go b/features/cm/software.go
index 81ad080e..d8657399 100644
--- a/features/cm/software.go
+++ b/features/cm/software.go
@@ -1,6 +1,7 @@
 package cm
 import (
+ "bytes"
 "fmt"
 "net/http"
 "os"
@@ -22,6 +23,7 @@ const (
 SoftwareStatusInactive = "Inactive"
 SoftwareStatusActive = "Active"
 DigestsSignOkString = "digests signatures OK"
+ SoftwareVerifiedOk = "Verified OK"
 )
 var (
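Review bot: config/etc/certs/omc_pri.key_pri.key.aes_en adds private-key material to the repository; the .aes_en suffix suggests it is encrypted, but the passphrase and the step that turn it into the /usr/local/omc/etc/certs/omc_pri.key that restconf.yaml points at are not part of this commit, so deployment needs a documented procedure and the passphrase needs a home outside source control. Key files in git history are hard to retire later; keeping only the public key in the repo and provisioning the private key at install time is the usual arrangement. The doubled `_pri.key` / `_pub.key` in both new file names looks like an artifact of a copy step rather than intent, and neither name matches the configured path, so either the packaging step that renames them should be mentioned in the commit message or the names fixed.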
@@ -32,6 +34,23 @@ var (
 CustomUriSoftwareNE = config.UriPrefix + "/systemManagement/{apiVersion}/{neType}/software/{version}/{neId}"
 )
+// 验证签名
+func verify_signature(public_key_name string, source_cms_file string, source_file string) bytes.Buffer {
+ cmd := exec.Command("/usr/local/omc/run/iv", "verify_signature", public_key_name, source_cms_file, source_file)
+ var out bytes.Buffer
+ cmd.Stdout = &out
+ cmd.Env = append(os.Environ(),
+ "FOO=duplicate_value", // 重复被忽略
+ "FOO=actual_value", // 实际被使用
+ )
+ err := cmd.Run()
+ if err != nil {
+ log.Error(err)
+ }
+
+ return out
+}
+
 func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 log.Debug("UploadSoftwareFile processing... ")
@@ -77,7 +96,18 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 return
 }
+ filePrefix := fileName[:strings.Index(fileName, ".zip")]
+ filePath := fmt.Sprintf("%s/%s", softwarePath, fileName)
+ cmd := exec.Command("unzip", filePath)
+ cmd.Dir = softwarePath
+ out, err := cmd.CombinedOutput()
+ log.Debugf("Exec outpout:%s", string(out))
+ if err != nil {
+ log.Error("Failed to unzip:", err)
+ services.ResponseInternalServerError500ProcessError(w, err)
+ return
+ }
 md5File, err := global.GetFileMD5Sum(filePath)
 if err != nil {
 log.Error("Faile to GetFileMD5Sum:", err)
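Review bot: The `cmd.Env = append(os.Environ(), "FOO=duplicate_value", "FOO=actual_value")` block in verify_signature is the sample from the os/exec documentation and only injects a meaningless FOO variable into the iv child process; drop it and let the command inherit the parent environment. The function also swallows the cmd.Run() error (it is logged and forgotten) and returns the raw stdout buffer, so the caller can only compare the whole output against "Verified OK" and a missing or crashing iv binary is indistinguishable from a bad signature; returning `(bool, error)` with stderr captured keeps the fail-closed behaviour while preserving the cause. If iv terminates its output with a newline an exact comparison never matches, so trim before comparing — confirm against the tool's output format. Go naming would be verifySignature with MixedCaps parameters, and the binary path is hard-coded although this commit adds an OMC.RunDir setting; the call site in the later hunk of this file needs the matching change.
```go
// verifySignature runs the iv tool against sourceFile and its CMS signature
// and reports whether the tool printed SoftwareVerifiedOk; an execution
// failure (missing binary, non-zero exit) is returned rather than hidden.
func verifySignature(publicKeyName, cmsFile, sourceFile string) (bool, error) {
	cmd := exec.Command("/usr/local/omc/run/iv", "verify_signature", publicKeyName, cmsFile, sourceFile)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return false, fmt.Errorf("iv verify_signature %q: %w: %s", sourceFile, err, stderr.String())
	}
	return strings.TrimSpace(stdout.String()) == SoftwareVerifiedOk, nil
}
```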
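Review bot: `filePrefix := fileName[:strings.Index(fileName, ".zip")]` panics with a slice-bounds error when fileName does not contain ".zip" (Index returns -1) and cuts at the first occurrence rather than the suffix; unless a check earlier in UploadSoftwareFile already enforces the extension, use `filePrefix, ok := strings.CutSuffix(fileName, ".zip")` and return an error response when ok is false (HasSuffix plus TrimSuffix on Go before 1.20). The archive is then extracted straight into softwarePath with `unzip` before any signature check runs, and unzip honours the entry names stored in the archive, so an upload whose entries use `..` or absolute names lands outside that directory or overwrites existing packages; extracting into a fresh os.MkdirTemp directory under softwarePath and moving only the verified rpm into place limits that, as would reading the archive with archive/zip and validating entry names instead of shelling out. `filePath := fmt.Sprintf("%s/%s", softwarePath, fileName)` should be `filepath.Join(softwarePath, fileName)`. UploadSoftwareFile begins and ends outside this hunk.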
@@ -93,20 +123,31 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 }
 if config.GetYamlConfig().OMC.CheckSign {
- cmd := exec.Command("rpm", "-K", filePath)
- out, err := cmd.CombinedOutput()
- log.Debugf("Exec outpout:%s", string(out))
- if err != nil {
- log.Error("Failed to execute rpm:", err)
- services.ResponseInternalServerError500ProcessError(w, err)
- return
- }
- if !strings.Contains(string(out), DigestsSignOkString) {
+ rpmFileName := filePrefix + ".rpm"
+ rpmFilePath := softwarePath + "/" + rpmFileName
+ cmsFileName := rpmFileName + ".cms"
+ cmsFilePath := softwarePath + "/" + cmsFileName
+ result := verify_signature(config.GetYamlConfig().Auth.PublicKey, cmsFilePath, rpmFilePath)
+ if result.String() != SoftwareVerifiedOk {
 err = global.ErrCMNotMatchSignFile
 log.Error(err)
 services.ResponseInternalServerError500ProcessError(w, err)
 return
 }
+ // cmd := exec.Command("rpm", "-K", filePath)
+ // out, err := cmd.CombinedOutput()
+ // log.Debugf("Exec outpout:%s", string(out))
+ // if err != nil {
+ // log.Error("Failed to execute rpm:", err)
+ // services.ResponseInternalServerError500ProcessError(w, err)
+ // return
+ // }
+ // if !strings.Contains(string(out), DigestsSignOkString) {
+ // err = global.ErrCMNotMatchSignFile
+ // log.Error(err)
+ // services.ResponseInternalServerError500ProcessError(w, err)
+ // return
+ // }
 }
 //neBackup := dborm.NeBackup{NeType: neType, NeId: neId, Md5Sum: md5Sum}
diff --git a/restagent/config/config.go b/restagent/config/config.go
index e26ddabe..a1191a28 100644
--- a/restagent/config/config.go
+++ b/restagent/config/config.go
@@ -60,6 +60,7 @@ type YamlConfig struct {
 CheckContentType bool `yaml:"checkContentType"`
 TestMode bool `yaml:"testMode"`
 RBACMode bool `yaml:"rbacMode"`
+ RunDir string `yaml:"runDir"`
 } `yaml:"omc"`
 Alarm struct {
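Review bot: The fourteen commented-out lines reproducing the old `rpm -K` check should be deleted rather than kept as a comment; git history already holds them, and with that check gone `DigestsSignOkString` looks unreferenced unless something outside this diff still uses it. When verification fails the code substitutes `global.ErrCMNotMatchSignFile` and never records what iv actually printed, so an operator cannot tell a missing .cms file or a missing public key from a genuinely bad signature; log `result.String()` next to the error. `result.String() != SoftwareVerifiedOk` is an exact comparison that fails if the tool emits a trailing newline — confirm iv's output format or compare after strings.TrimSpace. The rpm and cms paths are built with `softwarePath + "/" + ...`; filepath.Join is the idiom. UploadSoftwareFile begins and ends outside this hunk.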
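Review bot: The new RunDir field (yaml tag runDir) in the OMC section is read by nothing in this commit — verify_signature in features/cm/software.go still hard-codes `/usr/local/omc/run/iv`, and restconf.yaml leaves runDir empty so the field unmarshals to "" — so either wire it into that exec.Command with a fallback for the empty value or leave it out until it is used. Exported struct fields should say what they hold, e.g. `// RunDir is the directory containing the omc runtime tools such as iv; empty selects the built-in default.` (assuming that is the intent — confirm). YamlConfig begins and ends outside this hunk.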
@@ -98,10 +99,12 @@ type YamlConfig struct {
 } `yaml:"ne"`
 Auth struct {
- Crypt string `yaml:"crypt"`
- Token bool `yaml:"token"`
- Expires uint32 `yaml:"expires"`
- Session string `yaml:"session"`
+ Crypt string `yaml:"crypt"`
+ Token bool `yaml:"token"`
+ Expires uint32 `yaml:"expires"`
+ Session string `yaml:"session"`
+ PublicKey string `yaml:"publicKey"`
+ PrivateKey string `yaml:"privateKey"`
 } `yaml:"auth"`
 Params struct {
diff --git a/restagent/etc/restconf.yaml b/restagent/etc/restconf.yaml
index 31c2a66d..1b312829 100644
--- a/restagent/etc/restconf.yaml
+++ b/restagent/etc/restconf.yaml
@@ -63,6 +63,7 @@ omc:
 checkContentType: false
 testMode: true
 rbacMode: true
+ runDir:
 # Alarm module setting
 # Forward interface:
@@ -91,6 +92,8 @@ auth:
 token: true
 expires: 1800
 session: multiple
+ publicKey: /usr/local/omc/etc/certs/omc_pub.key
+ privateKey: /usr/local/omc/etc/certs/omc_pri.key
 # Parameter for limit number
 # rmuid_maxnum: the max number of rmUID, default: 50
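Review bot: The new PrivateKey field (yaml tag privateKey) is added to Auth next to PublicKey, but only Auth.PublicKey is read anywhere in this diff (features/cm/software.go); if the private key is reserved for a later signing feature, say so in a field comment, otherwise the unused field invites operators to point a secret at a path the service never needs. Both new fields hold file paths rather than key material, which a doc comment should state, e.g. `// PublicKey is the path of the PEM public key handed to iv for package verification.` YamlConfig begins and ends outside this hunk.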
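Review bot: `publicKey: /usr/local/omc/etc/certs/omc_pub.key` and the privateKey line reference files named omc_pub.key and omc_pri.key, while this commit adds them to the repo as config/etc/certs/omc_pub.key_pub.key and omc_pri.key_pri.key.aes_en; unless a packaging step renames and decrypts them, the configured public key will not exist at runtime and, with checkSign enabled, verify_signature presumably returns an empty buffer so every upload is rejected. The runDir key in the earlier hunk of this file is left empty, which deserves a comment saying what the default is. A comment above these two keys noting that they are paths rather than inline key material, and that the private key file is expected to be installed by the deployment with restrictive permissions instead of shipped from source control, would save the next operator a guess.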