bosh-director 1.2989.0 → 1.2992.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9f215637e0cd9049a0e14c0124379078a10a8100
-  data.tar.gz: dc7e5c19309e2a290503437b01ac8823a1c8127b
+  metadata.gz: 77b59d978580198275ba946df8f880fcaa6e28b0
+  data.tar.gz: 51860050f654ff925193f6a37034a900cd58eb61
 SHA512:
-  metadata.gz: 8cf3189968d508035f74271005f71e46dbf3249e3c712c1e52c84af13d48c48d5e1f376e62d2e18a5ef3d7f3d40faaa3e458bc35924b6fce1179ff297c9ba33f
-  data.tar.gz: 94df18e413abef5467b2a8c82db328cf5e234bbbc8eb73d682bbc7e47ee3c62a6be78f14f2a4153cce5c3cc8c1934ea5268c07fc11f0cf291046209180d7d51a
+  metadata.gz: e02624596050a9fc81ecb3dcbbf35f908b20446556967b564211d5f1cdebd0ca7d98372fdd0a1ea04d38a5b074e0adad8cdaebacffb218dfd0ec622c934b7b35
+  data.tar.gz: bc13e1aeb80ea0f6cf1e3d4212891a8db9990c8618a65bcf2267c46eba5fb3a614a367a14bcd2818f5b0aa52bb5a46225466cbec39d617d8aefd796e79e64fb8

data/db/migrations/director/20150611193110_add_trusted_certs_sha1_to_vms.rb

@@ -0,0 +1,9 @@
+require 'digest/sha1'
+
+Sequel.migration do
+  change do
+    alter_table(:vms) do
+      add_column :trusted_certs_sha1, String, { :default => Digest::SHA1.hexdigest('') }
+    end
+  end
+end

data/lib/bosh/director.rb

@@ -136,6 +136,7 @@ module Bosh::Director
 end
 
 require 'bosh/director/thread_pool'
+require 'bosh/director/api/extensions/scoping'
 require 'bosh/director/api/controllers/backups_controller'
 require 'bosh/director/api/controllers/deployments_controller'
 require 'bosh/director/api/controllers/packages_controller'

data/lib/bosh/director/api/controllers/backups_controller.rb

@@ -4,7 +4,7 @@ module Bosh::Director
   module Api::Controllers
     class BackupsController < BaseController
       post '/' do
-        start_task { @backup_manager.create_backup(@user) }
+        start_task { @backup_manager.create_backup(current_user) }
       end
 
       get '/' do

data/lib/bosh/director/api/controllers/base_controller.rb

@@ -25,6 +25,8 @@ module Bosh::Director
           @logger = Config.logger
         end
 
+        register Bosh::Director::Api::Extensions::Scoping
+
         mime_type :tgz,       'application/x-compressed'
         mime_type :multipart, 'multipart/form-data'
 
@@ -46,24 +48,6 @@ module Bosh::Director
           true
         end
 
-        before do
-          auth_provided = %w(HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION).detect do |key|
-            request.env.has_key?(key)
-          end
-
-          if auth_provided
-            begin
-              @user = @identity_provider.corroborate_user(request.env)
-            rescue AuthenticationError
-            end
-          end
-
-          if requires_authentication? && @user.nil?
-            response['WWW-Authenticate'] = 'Basic realm="BOSH Director"'
-            throw(:halt, [401, "Not authorized\n"])
-          end
-        end
-
         after { headers('Date' => Time.now.rfc822) } # As thin doesn't inject date
 
         configure do

data/lib/bosh/director/api/controllers/cloud_configs_controller.rb

@@ -10,7 +10,7 @@ module Bosh::Director
         status(201)
       end
 
-      get '/' do
+      get '/', scope: [:read] do
         if params['limit'].nil? || params['limit'].empty?
           status(400)
           body("limit is required")

data/lib/bosh/director/api/controllers/compiled_packages_controller.rb

@@ -37,7 +37,7 @@ module Bosh::Director
       end
 
       post '/import', consumes: :multipart do
-        task = @compiled_package_group_manager.create_from_file_path(@user, params[:nginx_upload_path])
+        task = @compiled_package_group_manager.create_from_file_path(current_user, params[:nginx_upload_path])
         redirect "/tasks/#{task.id}"
       end
 

data/lib/bosh/director/api/controllers/deployments_controller.rb

@@ -44,7 +44,7 @@ module Bosh::Director
         # the call returns a 404 if the deployment doesn't exist
         @deployment_manager.find_by_name(params[:deployment])
         latest_cloud_config = Bosh::Director::Api::CloudConfigManager.new.latest
-        task = @deployment_manager.create_deployment(@user, request.body, latest_cloud_config, options)
+        task = @deployment_manager.create_deployment(current_user, request.body, latest_cloud_config, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -69,7 +69,7 @@ module Bosh::Director
         deployment = @deployment_manager.find_by_name(params[:deployment])
         manifest = request.content_length.nil? ? StringIO.new(deployment.manifest) : request.body
         latest_cloud_config = Bosh::Director::Api::CloudConfigManager.new.latest
-        task = @deployment_manager.create_deployment(@user, manifest, latest_cloud_config, options)
+        task = @deployment_manager.create_deployment(current_user, manifest, latest_cloud_config, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -84,7 +84,7 @@ module Bosh::Director
           'filters' => params[:filters].to_s.strip.split(/[\s\,]+/)
         }
 
-        task = @instance_manager.fetch_logs(@user, deployment, job, index, options)
+        task = @instance_manager.fetch_logs(current_user, deployment, job, index, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -103,7 +103,7 @@ module Bosh::Director
         # until we can tell the agent to flush and wait, all snapshots are considered dirty
         options = {clean: false}
 
-        task = @snapshot_manager.create_deployment_snapshot_task(@user, deployment, options)
+        task = @snapshot_manager.create_deployment_snapshot_task(current_user, deployment, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -118,14 +118,14 @@ module Bosh::Director
         # until we can tell the agent to flush and wait, all snapshots are considered dirty
         options = {clean: false}
 
-        task = @snapshot_manager.create_snapshot_task(@user, instance, options)
+        task = @snapshot_manager.create_snapshot_task(current_user, instance, options)
         redirect "/tasks/#{task.id}"
       end
 
       delete '/:deployment/snapshots' do
         deployment = @deployment_manager.find_by_name(params[:deployment])
 
-        task = @snapshot_manager.delete_deployment_snapshots_task(@user, deployment)
+        task = @snapshot_manager.delete_deployment_snapshots_task(current_user, deployment)
         redirect "/tasks/#{task.id}"
       end
 
@@ -133,11 +133,11 @@ module Bosh::Director
         deployment = @deployment_manager.find_by_name(params[:deployment])
         snapshot = @snapshot_manager.find_by_cid(deployment, params[:cid])
 
-        task = @snapshot_manager.delete_snapshots_task(@user, [params[:cid]])
+        task = @snapshot_manager.delete_snapshots_task(current_user, [params[:cid]])
         redirect "/tasks/#{task.id}"
       end
 
-      get '/' do
+      get '/', scope: [:read] do
         latest_cloud_config = Api::CloudConfigManager.new.latest
         deployments = Models::Deployment.order_by(:name.asc).map do |deployment|
         cloud_config = if deployment.cloud_config.nil?
@@ -169,17 +169,17 @@ module Bosh::Director
         json_encode(deployments)
       end
 
-      get '/:name' do
+      get '/:name', scope: [:read] do
         deployment = @deployment_manager.find_by_name(params[:name])
         @deployment_manager.deployment_to_json(deployment)
       end
 
-      get '/:name/vms' do
+      get '/:name/vms', scope: [:read] do
         deployment = @deployment_manager.find_by_name(params[:name])
 
         format = params[:format]
         if format == 'full'
-          task = @vm_state_manager.fetch_vm_state(@user, deployment, format)
+          task = @vm_state_manager.fetch_vm_state(current_user, deployment, format)
           redirect "/tasks/#{task.id}"
         else
           @deployment_manager.deployment_vms_to_json(deployment)
@@ -192,7 +192,7 @@ module Bosh::Director
         options = {}
         options['force'] = true if params['force'] == 'true'
         options['keep_snapshots'] = true if params['keep_snapshots'] == 'true'
-        task = @deployment_manager.delete_deployment(@user, deployment, options)
+        task = @deployment_manager.delete_deployment(current_user, deployment, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -217,7 +217,7 @@ module Bosh::Director
 
       post '/:deployment/ssh', :consumes => [:json] do
         payload = json_decode(request.body)
-        task = @instance_manager.ssh(@user, payload)
+        task = @instance_manager.ssh(current_user, payload)
         redirect "/tasks/#{task.id}"
       end
 
@@ -236,7 +236,7 @@ module Bosh::Director
 
       # Initiate deployment scan
       post '/:deployment/scans' do
-        start_task { @problem_manager.perform_scan(@user, params[:deployment]) }
+        start_task { @problem_manager.perform_scan(current_user, params[:deployment]) }
       end
 
       # Get the list of problems for a particular deployment
@@ -256,14 +256,14 @@ module Bosh::Director
 
       put '/:deployment/problems', :consumes => [:json] do
         payload = json_decode(request.body)
-        start_task { @problem_manager.apply_resolutions(@user, params[:deployment], payload['resolutions']) }
+        start_task { @problem_manager.apply_resolutions(current_user, params[:deployment], payload['resolutions']) }
       end
 
       put '/:deployment/scan_and_fix', :consumes => :json do
         jobs_json = json_decode(request.body)['jobs']
         payload = convert_job_instance_hash(jobs_json)
 
-        start_task { @problem_manager.scan_and_fix(@user, params[:deployment], payload) }
+        start_task { @problem_manager.scan_and_fix(current_user, params[:deployment], payload) }
       end
 
       post '/', :consumes => :yaml do
@@ -271,7 +271,7 @@ module Bosh::Director
         options['recreate'] = true if params['recreate'] == 'true'
         latest_cloud_config = Bosh::Director::Api::CloudConfigManager.new.latest
 
-        task = @deployment_manager.create_deployment(@user, request.body, latest_cloud_config, options)
+        task = @deployment_manager.create_deployment(current_user, request.body, latest_cloud_config, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -281,7 +281,7 @@ module Bosh::Director
         keep_alive = json_decode(request.body)['keep-alive'] || FALSE
 
         task = JobQueue.new.enqueue(
-          @user,
+          current_user,
           Jobs::RunErrand,
           "run errand #{errand_name} from deployment #{deployment_name}",
           [deployment_name, errand_name, keep_alive],
@@ -290,7 +290,7 @@ module Bosh::Director
         redirect "/tasks/#{task.id}"
       end
 
-      get '/:deployment_name/errands' do
+      get '/:deployment_name/errands', scope: [:read] do
         deployment_plan = load_deployment_plan_without_binding
 
         errands = deployment_plan.jobs.select(&:can_run_as_errand?)

data/lib/bosh/director/api/controllers/info_controller.rb

@@ -7,12 +7,12 @@ module Bosh::Director
         false
       end
 
-      get '/' do
+      get '/', scope: [:read] do
         status = {
           'name' => Config.name,
           'uuid' => Config.uuid,
           'version' => "#{VERSION} (#{Config.revision})",
-          'user' => @user,
+          'user' => current_user,
           'cpi' => Config.cloud_type,
           'user_authentication' => @config.identity_provider.client_info,
           'features' => {

data/lib/bosh/director/api/controllers/locks_controller.rb

@@ -1,7 +1,7 @@
 module Bosh::Director
   module Api::Controllers
     class LocksController < BaseController
-      get '/' do
+      get '/', scope: [:read] do
         redis = Config.redis
 
         locks = []

data/lib/bosh/director/api/controllers/releases_controller.rb

@@ -9,7 +9,7 @@ module Bosh::Director
           rebase:         params['rebase'] == 'true',
           skip_if_exists: params['skip_if_exists'] == 'true',
         }
-        task = @release_manager.create_release_from_url(@user, payload['location'], options)
+        task = @release_manager.create_release_from_url(current_user, payload['location'], options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -17,11 +17,11 @@ module Bosh::Director
         options = {
           rebase: params['rebase'] == 'true',
         }
-        task = @release_manager.create_release_from_file_path(@user, params[:nginx_upload_path], options)
+        task = @release_manager.create_release_from_file_path(current_user, params[:nginx_upload_path], options)
         redirect "/tasks/#{task.id}"
       end
 
-      get '/' do
+      get '/', scope: [:read] do
         releases = Models::Release.order_by(:name.asc).map do |release|
           release_versions = release.versions_dataset.order_by(:version.asc).map do |rv|
             {
@@ -42,7 +42,7 @@ module Bosh::Director
         json_encode(releases)
       end
 
-      get '/:name' do
+      get '/:name', scope: [:read] do
         name = params[:name].to_s.strip
         release = @release_manager.find_by_name(name)
 
@@ -81,7 +81,7 @@ module Bosh::Director
         options['force'] = true if params['force'] == 'true'
         options['version'] = params['version']
 
-        task = @release_manager.delete_release(@user, release, options)
+        task = @release_manager.delete_release(current_user, release, options)
         redirect "/tasks/#{task.id}"
       end
     end

data/lib/bosh/director/api/controllers/stemcells_controller.rb

@@ -5,16 +5,16 @@ module Bosh::Director
     class StemcellsController < BaseController
       post '/', :consumes => :json do
         payload = json_decode(request.body)
-        task = @stemcell_manager.create_stemcell_from_url(@user, payload['location'])
+        task = @stemcell_manager.create_stemcell_from_url(current_user, payload['location'])
         redirect "/tasks/#{task.id}"
       end
 
       post '/', :consumes => :multipart do
-        task = @stemcell_manager.create_stemcell_from_file_path(@user, params[:nginx_upload_path])
+        task = @stemcell_manager.create_stemcell_from_file_path(current_user, params[:nginx_upload_path])
         redirect "/tasks/#{task.id}"
       end
 
-      get '/' do
+      get '/', scope: [:read] do
         stemcells = Models::Stemcell.order_by(:name.asc).map do |stemcell|
           {
             'name' => stemcell.name,
@@ -31,7 +31,7 @@ module Bosh::Director
         options = {}
         options['force'] = true if params['force'] == 'true'
         stemcell = @stemcell_manager.find_by_name_and_version(name, version)
-        task = @stemcell_manager.delete_stemcell(@user, stemcell, options)
+        task = @stemcell_manager.delete_stemcell(current_user, stemcell, options)
         redirect "/tasks/#{task.id}"
       end
     end

data/lib/bosh/director/api/extensions/scoping.rb

@@ -0,0 +1,45 @@
+module Bosh::Director
+  module Api
+    module Extensions
+      module Scoping
+        module Helpers
+          def current_user
+            @user
+          end
+        end
+
+        def self.registered(app)
+          app.set default_scope: :write
+          app.helpers(Helpers)
+        end
+
+        def scope(*roles)
+          condition do
+            roles = [settings.default_scope] if roles == [:default]
+
+            auth_provided = %w(HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION).detect do |key|
+              request.env.has_key?(key)
+            end
+
+            if auth_provided
+              begin
+                @user = identity_provider.corroborate_user(request.env, roles)
+              rescue AuthenticationError
+              end
+            end
+
+            if requires_authentication? && @user.nil?
+              response['WWW-Authenticate'] = 'Basic realm="BOSH Director"'
+              throw(:halt, [401, "Not authorized\n"])
+            end
+          end
+        end
+
+        def route(verb, path, options = {}, &block)
+          options[:scope] ||= :default
+          super(verb, path, options, &block)
+        end
+      end
+    end
+  end
+end

data/lib/bosh/director/api/local_identity_provider.rb

@@ -10,7 +10,7 @@ module Bosh
           {'type' => 'basic', 'options' => {}}
         end
 
-        def corroborate_user(request_env)
+        def corroborate_user(request_env, _)
           auth ||= Rack::Auth::Basic::Request.new(request_env)
           raise AuthenticationError unless auth.provided? && auth.basic? && auth.credentials
 

data/lib/bosh/director/api/uaa_identity_provider.rb

@@ -4,9 +4,10 @@ module Bosh
   module Director
     module Api
       class UAAIdentityProvider
-        def initialize(options)
+        def initialize(options, director_uuid)
           @url = options.fetch('url')
           Config.logger.debug "Initializing UAA Identity provider with url #{@url}"
+          @director_uuid = director_uuid
           @token_coder = CF::UAA::TokenCoder.new(skey: options.fetch('symmetric_key', nil), pkey: options.fetch('public_key', nil), scope: [])
         end
 
@@ -19,13 +20,39 @@ module Bosh
           }
         end
 
-        def corroborate_user(request_env)
+        def corroborate_user(request_env, requested_access)
           auth_header = request_env['HTTP_AUTHORIZATION']
           token = @token_coder.decode(auth_header)
+          validate_access(token, requested_access)
+
           token['user_name'] || token['client_id']
         rescue CF::UAA::DecodeError, CF::UAA::AuthError => e
           raise AuthenticationError, e.message
         end
+
+        private
+
+        def validate_access(token, requested_access)
+          if token['scope']
+            if token_has_admin_scope?(token['scope'])
+              return
+            end
+
+            if requested_access.include?(:read) && token_has_read_scope?(token['scope'])
+              return
+            end
+          end
+
+          raise AuthenticationError, 'Requested access is not allowed by the scope'
+        end
+
+        def token_has_read_scope?(token_scope)
+          token_scope.include?('bosh.read') || token_scope.include?("bosh.#{@director_uuid}.read")
+        end
+
+        def token_has_admin_scope?(token_scope)
+          token_scope.include?('bosh.admin') || token_scope.include?("bosh.#{@director_uuid}.admin")
+        end
       end
     end
   end

data/lib/bosh/director/cloudcheck_helper.rb

@@ -130,7 +130,9 @@ module Bosh::Director
       end
 
       agent_client(new_vm).wait_until_ready
+
       agent_client(new_vm).update_settings(Bosh::Director::Config.trusted_certs)
+      new_vm.update(:trusted_certs_sha1 => Digest::SHA1.hexdigest(Bosh::Director::Config.trusted_certs))
 
       # After this point agent is actually responding to
       # pings, so if the rest of this handler fails

data/lib/bosh/director/config.rb

@@ -388,7 +388,7 @@ module Bosh::Director
         end
 
         Config.logger.debug("Director configured with '#{provider_name}' user management provider")
-        provider_class.new(user_management['options'] || {})
+        provider_class.new(user_management['options'] || {}, @uuid)
       end
     end
 

data/lib/bosh/director/deployment_plan/instance.rb

@@ -368,6 +368,16 @@ module Bosh::Director
           @state == 'stopped' && @current_state['job_state'] == 'running'
       end
 
+      ##
+      # Checks if the target VM already has the same set of trusted SSL certificates
+      # as the director currently wants to install on all managed VMs. This will
+      # differ for VMs that existed before the director's configuration changed.
+      #
+      # @return [Boolean] true if the VM needs to be sent a new set of trusted certificates
+      def trusted_certs_changed?
+        Digest::SHA1.hexdigest(Bosh::Director::Config.trusted_certs) != @model.vm.trusted_certs_sha1
+      end
+
       ##
       # @return [Boolean] returns true if the any of the expected specifications
       #   differ from the ones provided by the VM
@@ -389,6 +399,7 @@ module Bosh::Director
           changes << :job if job_changed?
           changes << :state if state_changed?
           changes << :dns if dns_changed?
+          changes << :trusted_certs if trusted_certs_changed?
         end
         changes
       end

data/lib/bosh/director/deployment_plan/steps/package_compile_step.rb

@@ -1,4 +1,5 @@
 require 'bosh/director/compile_task_generator'
+require 'digest/sha1'
 
 module Bosh::Director
   module DeploymentPlan
@@ -160,6 +161,7 @@ module Bosh::Director
             agent = AgentClient.with_defaults(vm.agent_id)
             agent.wait_until_ready
             agent.update_settings(Bosh::Director::Config.trusted_certs)
+            vm.update(:trusted_certs_sha1 => Digest::SHA1.hexdigest(Bosh::Director::Config.trusted_certs))
 
             configure_vm(vm, agent, network_settings)
             vm_data.agent = agent

data/lib/bosh/director/instance_updater.rb

@@ -4,7 +4,6 @@ module Bosh::Director
   class InstanceUpdater
     include DnsHelper
 
-    UPDATE_STEPS = 7
     WATCH_INTERVALS = 10
 
     attr_reader :current_state
@@ -33,53 +32,59 @@ module Bosh::Director
       @agent = AgentClient.with_defaults(@vm.agent_id)
     end
 
-    def step
-      yield
-      report_progress
+    def report_progress(num_steps)
+      @event_log_task.advance(100.0 / num_steps)
     end
 
-    def report_progress
-      @event_log_task.advance(100.0 / update_steps())
-    end
-
-    def update_steps
-      @instance.job_changed? || @instance.packages_changed? ? UPDATE_STEPS + 1 : UPDATE_STEPS
-    end
-
-    def update(options = {})
+    def update_steps(options = {})
+      steps = []
       @canary = options.fetch(:canary, false)
 
-      @logger.info("Updating instance #{@instance}, changes: #{@instance.changes.to_a.join(', ')}")
-
       # Optimization to only update DNS if nothing else changed.
       if dns_change_only?
-        update_dns
-        return
+        steps << proc { update_dns }
+        return steps
       end
 
-      step { Preparer.new(@instance, agent, @logger).prepare }
-      step { stop }
-      step { take_snapshot }
+      steps << proc { Preparer.new(@instance, agent, @logger).prepare }
+      steps << proc { stop }
+      steps << proc { take_snapshot }
 
       if @target_state == "detached"
-        vm_updater.detach
-        return
+        steps << proc { vm_updater.detach }
+        return steps
+      end
+
+      steps << proc { recreate_vm(nil) }
+      steps << proc { update_networks }
+      steps << proc { update_dns }
+      steps << proc { update_persistent_disk }
+      steps << proc { update_settings }
+
+      if !trusted_certs_change_only?
+        steps << proc {
+          VmMetadataUpdater.build.update(@vm, {})
+          apply_state(@instance.spec)
+          RenderedJobTemplatesCleaner.new(@instance.model, @blobstore).clean
+        }
       end
 
-      step { recreate_vm(nil) }
-      step { update_networks }
-      step { update_dns }
-      step { update_persistent_disk }
+      steps << proc { start! if need_start? }
 
-      VmMetadataUpdater.build.update(@vm, {})
+      steps << proc { wait_until_running }
 
-      step { apply_state(@instance.spec) }
+      steps
+    end
 
-      RenderedJobTemplatesCleaner.new(@instance.model, @blobstore).clean
+    def update(options = {})
+      steps = update_steps(options)
 
-      start! if need_start?
+      @logger.info("Updating instance #{@instance}, changes: #{@instance.changes.to_a.join(', ')}")
 
-      step { wait_until_running }
+      steps.each do |step|
+        step.call
+        report_progress(steps.length)
+      end
 
       if @target_state == "started" && current_state["job_state"] != "running"
         raise AgentJobNotRunning, "`#{@instance}' is not running after update"
@@ -133,6 +138,10 @@ module Bosh::Director
       @instance.changes.include?(:dns) && @instance.changes.size == 1
     end
 
+    def trusted_certs_change_only?
+      @instance.changes.include?(:trusted_certs) && @instance.changes.size == 1
+    end
+
     def stop
       stopper = Stopper.new(@instance, agent, @target_state, Config, @logger)
       stopper.stop
@@ -268,6 +277,13 @@ module Bosh::Director
       @vm, @agent = network_updater.update
     end
 
+    def update_settings
+      if @instance.trusted_certs_changed?
+        @agent.update_settings(Config.trusted_certs)
+        @vm.update(:trusted_certs_sha1 => Digest::SHA1.hexdigest(Config.trusted_certs))
+      end
+    end
+
     # Returns an array of wait times distributed
     # on the [min_watch_time..max_watch_time] interval.
     #

data/lib/bosh/director/instance_updater/vm_updater.rb

@@ -85,7 +85,6 @@ module Bosh::Director
 
       def create(new_disk_id)
         @logger.info('Creating VM')
-
         vm_model = new_vm_model(new_disk_id)
 
         begin
@@ -94,6 +93,7 @@ module Bosh::Director
           agent_client = AgentClient.with_defaults(vm_model.agent_id)
           agent_client.wait_until_ready
           agent_client.update_settings(Bosh::Director::Config.trusted_certs)
+          vm_model.update(:trusted_certs_sha1 => Digest::SHA1.hexdigest(Bosh::Director::Config.trusted_certs))
         rescue Exception => e
           @logger.error("Failed to create/contact VM #{vm_model.cid}: #{e.inspect}")
           VmDeleter.new(@instance, vm_model, @cloud, @logger).delete

data/lib/bosh/director/models/vm.rb

@@ -6,6 +6,7 @@ module Bosh::Director::Models
     def validate
       validates_presence [:deployment_id, :agent_id]
       validates_unique :agent_id
+
     end
 
     def apply_spec

data/lib/bosh/director/resource_pool_updater.rb

@@ -54,6 +54,7 @@ module Bosh::Director
       agent = AgentClient.with_defaults(vm_model.agent_id)
       agent.wait_until_ready
       agent.update_settings(Config.trusted_certs)
+      vm_model.update(:trusted_certs_sha1 => Digest::SHA1.hexdigest(Config.trusted_certs))
 
       update_state(agent, vm_model, vm)
 

data/lib/bosh/director/version.rb

@@ -1,5 +1,5 @@
 module Bosh
   module Director
-    VERSION = '1.2989.0'
+    VERSION = '1.2992.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bosh-director
 version: !ruby/object:Gem::Version
-  version: 1.2989.0
+  version: 1.2992.0
 platform: ruby
 authors:
 - VMware
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-16 00:00:00.000000000 Z
+date: 2015-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt-ruby
@@ -30,126 +30,126 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh-director-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh_common
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh-template
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh_cpi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh_openstack_cpi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh_aws_cpi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh_vsphere_cpi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2989.0
+        version: 1.2992.0
 - !ruby/object:Gem::Dependency
   name: bosh_vcloud_cpi
   requirement: !ruby/object:Gem::Requirement
@@ -572,7 +572,7 @@ dependencies:
         version: '0'
 description: |-
   BOSH Director
-  0c4ecd
+  2996bb
 email: support@cloudfoundry.com
 executables:
 - bosh-director
@@ -627,6 +627,7 @@ files:
 - db/migrations/director/20150224193313_use_larger_text_types.rb
 - db/migrations/director/20150331002413_add_cloud_configs.rb
 - db/migrations/director/20150401184803_add_cloud_config_to_deployments.rb
+- db/migrations/director/20150611193110_add_trusted_certs_sha1_to_vms.rb
 - db/migrations/dns/20120123234908_initial.rb
 - lib/bosh/director.rb
 - lib/bosh/director/agent_client.rb
@@ -653,6 +654,7 @@ files:
 - lib/bosh/director/api/controllers/users_controller.rb
 - lib/bosh/director/api/deployment_lookup.rb
 - lib/bosh/director/api/deployment_manager.rb
+- lib/bosh/director/api/extensions/scoping.rb
 - lib/bosh/director/api/http_constants.rb
 - lib/bosh/director/api/instance_lookup.rb
 - lib/bosh/director/api/instance_manager.rb