Merge pull request #3556 from bacongobbler/3441-support-san-certificates

Matthew Fisher · Matthew Fisher · commit 4f506451a747 · 2015-04-24T15:05:34.000-07:00
feat(controller): support SAN certificates
diff --git a/client/deis.py b/client/deis.py
@@ -1043,18 +1043,36 @@ def certs_add(self, args):
         """
         Binds a certificate/key pair to an application.
 
-        Usage: deis certs:add <cert> <key>
+        Usage: deis certs:add <cert> <key> [options]
 
         Arguments:
           <cert>
             The public key of the SSL certificate.
           <key>
             The private key of the SSL certificate.
+
+        Options:
+          --common-name=<cname>
+            The common name of the certificate. If none is provided, the controller will
+            interpret the common name from the certificate.
+          --subject-alt-names=<sans>
+            The subject alternate names (SAN) of the certificate, separated by commas. This will
+            create multiple Certificate objects in the controller, one for each SAN.
         """
         cert = args.get('<cert>')
         key = args.get('<key>')
+        self._certs_add(cert, key, args.get('--common-name'))
+        sans = args.get('--subject-alt-names')
+        if sans:
+            [self._certs_add(cert, key, san) for san in sans.split(',')]
+
+    def _certs_add(self, cert, key, common_name=None):
         body = {'certificate': file(cert).read().strip(), 'key': file(key).read().strip()}
-        sys.stdout.write("Adding SSL endpoint... ")
+        if common_name:
+            body['common_name'] = common_name
+            sys.stdout.write("Adding SSL endpoint {}...".format(common_name))
+        else:
+            sys.stdout.write("Adding SSL endpoint... ")
         sys.stdout.flush()
         try:
             progress = TextProgress()
@@ -1066,7 +1084,8 @@ def certs_add(self, args):
         if response.status_code == requests.codes.created:
             self._logger.info("done")
             data = response.json()
-            self._logger.info("{common_name}".format(**data))
+            if not common_name:
+                self._logger.info("{common_name}".format(**data))
         else:
             raise ResponseError(response)
 
diff --git a/controller/api/serializers.py b/controller/api/serializers.py
@@ -275,8 +275,9 @@ class Meta:
         """Metadata options for a DomainCertSerializer."""
         model = models.Certificate
         extra_kwargs = {'certificate': {'write_only': True},
-                        'key': {'write_only': True}}
-        read_only_fields = ['common_name', 'expires', 'created', 'updated']
+                        'key': {'write_only': True},
+                        'common_name': {'required': False}}
+        read_only_fields = ['expires', 'created', 'updated']
 
 
 class PushSerializer(ModelSerializer):
diff --git a/controller/api/tests/test_certificate.py b/controller/api/tests/test_certificate.py
@@ -80,6 +80,20 @@ def test_create_certificate_with_domain(self):
                                     HTTP_AUTHORIZATION='token {}'.format(self.token))
         self.assertEqual(response.status_code, 201)
 
+    def test_create_certificate_with_different_common_name(self):
+        """
+        In some cases such as with SAN certificates, the certificate can cover more
+        than a single domain. In that case, we want to be able to specify the common
+        name for the certificate/key.
+        """
+        body = {'certificate': self.autotest_example_com_cert,
+                'key': self.key,
+                'common_name': 'foo.example.com'}
+        response = self.client.post(self.url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 201)
+        self.assertEqual(response.data['common_name'], 'foo.example.com')
+
     def test_get_certificate_screens_data(self):
         """
         When a user retrieves a certificate, only the common name and expiry date should be
diff --git a/docs/reference/api-v1.3.rst b/docs/reference/api-v1.3.rst
@@ -14,6 +14,7 @@ What's New
 
 **New!** ``/users`` endpoint for listing users
 **New!** ``/logs`` endpoint now has a option for limiting the number of log lines returned
+**New!** ``/certs`` endpoint now has an optional parameter to set the common name for a certificate
 
 
 Authentication
@@ -385,6 +386,14 @@ Example Request:
         "key": "-----BEGIN RSA PRIVATE KEY-----"
     }
 
+Optional Parameters:
+
+.. code-block:: console
+
+    {
+        "common_name": "test.example.com"
+    }
+
 
 Example Response:
 
