authorAlon Levy <alevy@redhat.com>2011-08-11 11:46:55 +0300
committerAlon Levy <alevy@redhat.com>2011-08-11 11:46:55 +0300
commitdae2385229850de9decadde83ac098c8a7d192fd (patch)
tree9a1cb882515616c1922fedbec821f5f5f1599d1c
parent9fde4ce4109b5fd3d7442fe592c53a4e10c77eea (diff)
add --secure, defaults to off
-rwxr-xr-xmigrate.py51
-rwxr-xr-xspice_make_certs.sh39
2 files changed, 79 insertions, 11 deletions
diff --git a/migrate.py b/migrate.py
index 83770d5..a7d673f 100755
--- a/migrate.py
+++ b/migrate.py
@@ -61,6 +61,7 @@ def get_args():
parser.add_argument('--client', dest='client', default='spicy', choices=['spicec', 'spicy'])
parser.add_argument('--vdagent', choices=['on', 'off'], default='on')
parser.add_argument('--usbtablet', choices=['on', 'off'], default='on')
+ parser.add_argument('--secure', choices=['on', 'off'], default='off')
args = parser.parse_args(sys.argv[1:])
if os.path.exists(args.qemu):
args.qemu_exec = args.qemu
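Review bot: The new `--secure` option is added without a help string, so `migrate.py --help` gives no hint that it switches the spice channel to TLS or that it expects (and, per main(), generates) certificates in the current directory. Suggest `parser.add_argument('--secure', choices=['on', 'off'], default='off', help='serve spice over TLS; ca-cert.pem/server-cert.pem/server-key.pem are read from the cwd and generated by spice_make_certs.sh if missing')`. get_args() continues outside this hunk.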
@@ -72,17 +73,23 @@ def get_args():
print "qemu = %s" % args.qemu_exec
return args
-def start_qemu(qemu_exec, image, spice_port, qmp_filename, incoming_port=None, extra_args=[]):
+def start_qemu(qemu_exec, image, spice_port, qmp_filename, incoming_port=None, extra_args=[], secure=False):
incoming_args = []
if incoming_port:
incoming_args = ("-incoming tcp::%s" % incoming_port).split()
+ spice_params = ["disable-ticketing"]
+ if secure:
+ spice_params.extend(['tls-port=%s' % spice_port, 'x509-dir=%s' % os.getcwd()])
+ else:
+ spice_params.append("port=%s" % spice_port)
args = ([qemu_exec, "-qmp", "unix:%s,server,nowait" % qmp_filename,
- "-spice", "disable-ticketing,port=%s" % spice_port]
+ "-spice", ','.join(spice_params)]
+ extra_args + incoming_args)
if os.path.exists(image):
args += ["-m", "512", "-drive",
"file=%s,index=0,media=disk,cache=unsafe" % image, "-snapshot"]
- print repr(args)
+ print args
+ print ' '.join(args)
proc = Popen(args, executable=qemu_exec, stdin=PIPE, stdout=PIPE)
while not os.path.exists(qmp_filename):
time.sleep(0.1)
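Review bot: In the secure branch `spice_params` still starts with `disable-ticketing`, so TLS here only encrypts the channel and lets the client authenticate the server through the CA it is given; any client that reaches `tls-port` is admitted without a ticket or client certificate. That is probably acceptable for a local migration harness, but the parameter name `secure` invites a stronger reading, so a comment above `spice_params` would help: `# secure: TLS with server-key/cert from the cwd; ticketing stays disabled, so clients are not authenticated`. `'x509-dir=%s' % os.getcwd()` also ties the server to the directory the harness was launched from, which has to be the same directory main() runs spice_make_certs.sh in, and is worth a line in the function's docstring. The two new prints dump the same argv twice; one is enough. start_qemu's body continues past this hunk.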
@@ -98,9 +105,16 @@ def start_qemu(qemu_exec, image, spice_port, qmp_filename, incoming_port=None, e
proc.incoming_port = incoming_port
return proc
-def start_client(client, spice_port):
- return Popen(("%(client)s -h localhost -p %(port)d" % dict(port=spice_port,
- client=client)).split(), executable=client)
+def start_client(client, spice_port, secure, host_subject):
+ cmdline = [str(client), '-h', 'localhost']
+ if secure:
+ cmdline.extend(['-s', str(spice_port), '--host-subject', host_subject, '--ca-file',
+ os.path.join(os.getcwd(), 'ca-cert.pem')])
+ else:
+ cmdline.extend(['-p', str(spice_port)])
+ print cmdline
+ print ' '.join(cmdline)
+ return Popen(cmdline, executable=client)
def wait_active(q, active):
events = ["RESUME"] if active else ["STOP"]
@@ -135,7 +149,7 @@ class Migrator(object):
migration_count = 0
def __init__(self, log, client, qemu_exec, image, monitor_files, client_count,
- spice_ports, migration_port, vdagent, usbtablet):
+ spice_ports, migration_port, vdagent, usbtablet, secure, host_subject):
self.client = client
self.log = log
self.qemu_exec = qemu_exec
@@ -146,6 +160,8 @@ class Migrator(object):
self.spice_ports = spice_ports
self.vdagent = vdagent
self.usbtablet = usbtablet
+ self.secure = secure
+ self.host_subject = host_subject
extra_args = []
if self.vdagent:
extra_args = ['-device', 'virtio-serial', '-chardev', 'spicevmc,name=vdagent,id=vdagent', '-device', 'virtserialport,chardev=vdagent,name=com.redhat.spice.0']
@@ -165,6 +181,7 @@ class Migrator(object):
spice_port=self.spice_ports[which],
qmp_filename=self.monitor_files[which],
extra_args=self.extra_args,
+ secure=self.secure,
**kw)
@@ -189,13 +206,19 @@ class Migrator(object):
if len(self.clients) == 0:
for i in range(self.client_count):
self.clients.append(start_client(client=self.client,
- spice_port=self.spice_ports[0]))
+ spice_port=self.spice_ports[0], secure=self.secure, host_subject=self.host_subject))
wait_for_event(self.active.qmp, 'SPICE_INITIALIZED')
if wait_for_user_input:
print "waiting for Enter to start migrations"
raw_input()
- self.active.qmp.cmd('client_migrate_info', {'protocol':'spice',
- 'hostname':'localhost', 'port':self.target.spice_port})
+ migrate_info_arguments = {'protocol':'spice', 'hostname':'localhost'}
+ if self.secure:
+ migrate_info_arguments['port'] = -1
+ migrate_info_arguments['tls-port'] = self.target.spice_port
+ migrate_info_arguments['cert-subject'] = self.host_subject
+ else:
+ migrate_info_arguments['port'] = self.target.spice_port
+ self.active.qmp.cmd('client_migrate_info', migrate_info_arguments)
self.active.qmp.cmd('migrate', {'uri': 'tcp:localhost:%s' % self.migration_port})
wait_active(self.active.qmp, False)
wait_active(self.target.qmp, True)
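Review bot: `migrate_info_arguments['port'] = -1` is a magic value with no explanation; presumably it tells the client there is no plaintext port on the target so it must use `tls-port`, but a reader cannot tell that from here. A comment such as `# port=-1: no plaintext port on the target, the client must switch to tls-port (confirm against qemu's client_migrate_info)` would help. Passing `cert-subject` alongside `tls-port` looks right, since the client otherwise has nothing to check the target's certificate against after switching hosts. The enclosing method starts before and ends after this hunk.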
@@ -217,6 +240,11 @@ class Migrator(object):
def main():
args = get_args()
+ host_subject = None
+ if args.secure == 'on':
+ if any([not os.path.exists(f) for f in "ca-key.pem ca-cert.pem server-cert.pem server-key.pem".split()]):
+ os.system('./spice_make_certs.sh')
+ host_subject = ','.join(os.popen('openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "').read().strip().split(', '))
print "log file %s" % args.log_filename
log = open(args.log_filename, "a+")
log.write("# "+str(datetime.datetime.now())+"\n")
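Review bot: The return value of `os.system('./spice_make_certs.sh')` is ignored, and `host_subject` is then scraped from `server-cert.pem` through a shell pipeline whose `cut -f 10- -d " "` depends on the exact indentation of openssl's `-text` output; if either step fails, `host_subject` silently becomes `''` and the client is later started with an empty `--host-subject`, so the failure only surfaces as an opaque connection error. Check both before going on: `if os.system('./spice_make_certs.sh') != 0: sys.exit('spice_make_certs.sh failed')` and, after the popen, `if not host_subject: sys.exit('could not read the subject of server-cert.pem')`. Note also that the generator script in this commit encrypts the CA key with `-des3`, so this call blocks on a passphrase prompt the first time it runs; a comment here saying so would save the next user some confusion. main() continues past this hunk.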
@@ -224,7 +252,8 @@ def main():
image=args.image, log=log, monitor_files=[args.qmp1, args.qmp2],
migration_port=args.migrate_port, spice_ports=[args.spice_port1,
args.spice_port2], client_count=args.client_count, vdagent=(args.vdagent=='on'),
- usbtablet=(args.usbtablet=='on'))
+ usbtablet=(args.usbtablet=='on'),
+ secure=(args.secure=='on'), host_subject=host_subject)
atexit.register(cleanup, migrator)
while True:
migrator.iterate()
diff --git a/spice_make_certs.sh b/spice_make_certs.sh
new file mode 100755
index 0000000..7765def
--- /dev/null
+++ b/spice_make_certs.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+SERVER_KEY=server-key.pem
+
+# creating a key for our ca
+if [ ! -e ca-key.pem ]; then
+ openssl genrsa -des3 -out ca-key.pem 1024
+fi
+# creating a ca
+if [ ! -e ca-cert.pem ]; then
+ openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
+fi
+# create server key
+if [ ! -e $SERVER_KEY ]; then
+ openssl genrsa -out $SERVER_KEY 1024
+fi
+# create a certificate signing request (csr)
+if [ ! -e server-key.csr ]; then
+ openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
+fi
+# signing our server certificate with this ca
+if [ ! -e server-cert.pem ]; then
+ openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+fi
+
+# now create a key that doesn't require a passphrase
+openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
+mv $SERVER_KEY $SERVER_KEY.secure
+mv $SERVER_KEY.insecure $SERVER_KEY
+
+# show the results (no other effect)
+openssl rsa -noout -text -in $SERVER_KEY
+openssl rsa -noout -text -in ca-key.pem
+openssl req -noout -text -in server-key.csr
+openssl x509 -noout -text -in server-cert.pem
+openssl x509 -noout -text -in ca-cert.pem
+
+# echo --host-subject
+echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
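Review bot: Both keys are generated at 1024 bits (`openssl genrsa -des3 -out ca-key.pem 1024` and `openssl genrsa -out $SERVER_KEY 1024`), which was already below the recommended minimum when this was written; use `2048` in both lines. The unencrypted server key written by `openssl rsa ... -out $SERVER_KEY.insecure` and then moved into place inherits the default umask, so add `umask 077` near the top (or `chmod 600` the key files) to keep private keys from being world-readable. The "show the results" section runs `openssl rsa -noout -text` on both private keys, which prints the private exponent and primes to stdout — and migrate.py invokes this script via os.system, so that lands on the console; drop those two lines and keep only the CSR and certificate dumps. Finally, the passphrase-stripping step is a no-op because the server key was never created with `-des3`, and without `set -e` a failed openssl call leaves the later steps operating on missing files.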