DeployTagCertificate.java

/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package com.intel.mtwilson.tag.rest.v2.rpc;

import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
import com.intel.dcsg.cpg.crypto.Sha1Digest;
import com.intel.dcsg.cpg.io.UUID;
import com.intel.dcsg.cpg.net.InternetAddress;
import com.intel.dcsg.cpg.tls.policy.impl.InsecureTlsPolicy;
import com.intel.mtwilson.agent.HostAgent;
import com.intel.mtwilson.agent.HostAgentFactory;
import com.intel.mtwilson.datatypes.ConnectionString;
import com.intel.mtwilson.datatypes.TxtHostRecord;
import com.intel.mtwilson.launcher.ws.ext.RPC;
import com.intel.mtwilson.repository.RepositoryException;
import com.intel.mtwilson.repository.RepositoryInvalidInputException;
import com.intel.mtwilson.tag.common.Global;
import com.intel.mtwilson.tag.dao.TagJdbi;
import com.intel.mtwilson.tag.dao.jdbi.CertificateDAO;
import com.intel.mtwilson.tag.model.Certificate;
import com.intel.mtwilson.tag.model.CertificateLocator;
import java.io.IOException;
import java.util.Date;
import java.util.List;
import org.apache.shiro.authz.annotation.RequiresPermissions;


/**
 * The "deploy" link next to each certificate in the UI calls this RPC
 * 
 * @author ssbangal
 */
@RPC("deploy-tag-certificate")
@JacksonXmlRootElement(localName="deploy_tag_certificate")
public class DeployTagCertificate implements Runnable{
    
    private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(DeployTagCertificate.class);

       
    private UUID certificateId;
    private InternetAddress host;
    
    public UUID getCertificateId() {
        return certificateId;
    }

    public void setCertificateId(UUID certificateId) {
        this.certificateId = certificateId;
    }

    public InternetAddress getHost() {
        return host;
    }

    public void setHost(InternetAddress host) {
        this.host = host;
    }
    
    
    @Override
    @RequiresPermissions({"tag_certificates:deploy","hosts:search"})         
    public void run() {
        log.debug("RPC: DeployTagCertificate - Got request to deploy certificate with ID {}.", certificateId);        
        try (CertificateDAO dao = TagJdbi.certificateDao()) {
            CertificateLocator locator = new CertificateLocator();
            locator.id = certificateId;
            
            Certificate obj = dao.findById(certificateId);
            if (obj != null) 
            {
                // verify the certificate validity first
                Date today = new Date();
                log.debug("RPC: DeployTagCertificate - Certificate not before {}", obj.getNotBefore());
                log.debug("RPC: DeployTagCertificate - Certificate not after {}", obj.getNotAfter());
                log.debug("RPC: DeployTagCertificate - Current date {}", today);
                if (today.before(obj.getNotBefore()) || today.after(obj.getNotAfter())) {
                    log.error("RPC: DeployTagCertificate - Certificate with subject {} is expired/invalid. Will not be deployed.", obj.getSubject());
                    throw new RepositoryInvalidInputException(locator);
                }
                
                // Before deploying, we need to verify if the host is same as the one for which the certificate was created.
                List<TxtHostRecord> hostList = Global.mtwilson().queryForHosts(host.toString(), true);
                if(hostList == null || hostList.isEmpty() ) {
                    log.error("RPC: DeployTagCertificate - No hosts were returned back matching name " + host.toString());
                    throw new RepositoryInvalidInputException(locator);
                }
                TxtHostRecord hostRecord = hostList.get(0);
                
                if (!hostRecord.Hardware_Uuid.equals(obj.getSubject())) {
                    log.error("RPC: DeployTagCertificate - The certificate provided [{}] does not map to the host specified [{}]. Certificate will not be deployed on the host.", obj.getSubject(), hostRecord.Hardware_Uuid);
                    throw new RepositoryInvalidInputException(locator);
                }
                
                deployAssetTagToHost(obj.getSha1(), hostRecord);
            } else {
                log.error("RPC: DeployTagCertificate - Failed to retreive certificate while trying to discover host by certificate ID.");
                throw new RepositoryInvalidInputException(locator);
            }

        } catch (RepositoryException re) {
            throw re;            
        } catch (Exception ex) {
            log.error("RPC: DeployTagCertificate - Error during certificate deployment.", ex);
            throw new RepositoryException(ex);
        } 
        
    }

    private void deployAssetTagToHost(Sha1Digest tag, TxtHostRecord hostRecord) throws IOException {
        HostAgentFactory hostAgentFactory = new HostAgentFactory();
        //ByteArrayResource tlsKeystore = new ByteArrayResource();
//        ConnectionString connectionString = ConnectionString.from(hostRecord);
//        HostAgent hostAgent = hostAgentFactory.getHostAgent(connectionString, new InsecureTlsPolicy());
        HostAgent hostAgent = hostAgentFactory.getHostAgent(hostRecord);
        hostAgent.setAssetTag(tag);
    }
    
}