Merge pull request #2911 from bacongobbler/18-ssl-proposal

Proposal: SSL support for custom domains

Author: Matthew Fisher

client/Makefile

@@ -1,6 +1,6 @@
 
 build: setup-venv
-	venv/bin/pip install docopt==0.6.2 python-dateutil==2.4.1 PyYAML==3.11 requests==2.5.1 git+https://github.com/pyinstaller/pyinstaller@7413317 termcolor==1.1.0
+	venv/bin/pip install docopt==0.6.2 python-dateutil==2.4.1 PyYAML==3.11 requests==2.5.1 git+https://github.com/pyinstaller/pyinstaller@7413317 tabulate==0.7.4 termcolor==1.1.0
 	venv/bin/pyinstaller deis.spec
 	chmod +x dist/deis
 

client/deis.py

@@ -20,6 +20,7 @@
   limits        manage resource limits for your application
   tags          manage tags for application containers
   releases      manage releases of an application
+  certs         manage SSL endpoints for an app
 
   keys          manage ssh keys used for `git push` deployments
   perms         manage permissions for applications
@@ -68,12 +69,13 @@
 from docopt import docopt
 from docopt import DocoptExit
 import requests
+from tabulate import tabulate
 from termcolor import colored
 
 __version__ = '1.5.0-dev'
 
 # what version of the API is this client compatible with?
-__api_version__ = '1.1'
+__api_version__ = '1.2'
 
 
 locale.setlocale(locale.LC_ALL, '')
@@ -977,6 +979,94 @@ def builds_list(self, args):
         else:
             raise ResponseError(response)
 
+    def certs(self, args):
+        """
+        Valid commands for certs:
+
+        certs:list            list SSL certificates for an app
+        certs:add             add an SSL certificate to an app
+        certs:update          update an existing certifcate for an app
+        certs:remove          remove an SSL certificate from an app
+
+        Use `deis help [command]` to learn more.
+        """
+        sys.argv[1] = 'certs:list'
+        args = docopt(self.certs_list.__doc__)
+        return self.certs_list(args)
+
+    def certs_add(self, args):
+        """
+        Binds a certificate/key pair to an application.
+
+        Usage: deis certs:add <cert> <key>
+
+        Arguments:
+          <cert>
+            The public key of the SSL certificate.
+          <key>
+            The private key of the SSL certificate.
+        """
+        cert = args.get('<cert>')
+        key = args.get('<key>')
+        body = {'certificate': file(cert).read().strip(), 'key': file(key).read().strip()}
+        sys.stdout.write("Adding SSL endpoint... ")
+        sys.stdout.flush()
+        try:
+            progress = TextProgress()
+            progress.start()
+            response = self._dispatch('post', "/v1/certs", json.dumps(body))
+        finally:
+            progress.cancel()
+            progress.join()
+        if response.status_code == requests.codes.created:
+            self._logger.info("done")
+            data = response.json()
+            self._logger.info("{common_name}".format(**data))
+        else:
+            raise ResponseError(response)
+
+    def certs_list(self, args):
+        """
+        Show certificate information for an SSL application.
+
+        Usage: deis certs:list
+        """
+        response = self._dispatch('get', "/v1/certs")
+        if response.status_code == requests.codes.ok:
+            data = response.json()
+            table = [['Common Name', 'Expires']]
+            if len(data['results']) == 0:
+                self._logger.info('No certs')
+                return
+            for item in data['results']:
+                # strip unused fields
+                for field in item.keys():
+                    if field not in ['common_name', 'expires']:
+                        del item[field]
+                table += [[item['common_name'], item['expires']]]
+            self._logger.info(tabulate(table, headers='firstrow'))
+        else:
+            raise ResponseError(response)
+
+    def certs_remove(self, args):
+        """
+        removes a certificate/key pair from the application.
+
+        Usage: deis certs:remove <cn> [options]
+
+        Arguments:
+          <cn>
+            the common name of the cert to remove from the app.
+        """
+        cn = args.get('<cn>')
+        sys.stdout.write("Removing {}... ".format(cn))
+        sys.stdout.flush()
+        response = self._dispatch('delete', "/v1/certs/{}".format(cn))
+        if response.status_code == requests.codes.no_content:
+            self._logger.info('Done.')
+        else:
+            raise ResponseError(response)
+
     def config(self, args):
         """
         Valid commands for config:

client/setup.py

@@ -59,7 +59,7 @@
       install_requires=[
           'docopt==0.6.2', 'python-dateutil==2.4.1',
           'PyYAML==3.11', 'requests==2.5.1',
-          'termcolor==1.1.0'
+          'tabulate==0.7.4', 'termcolor==1.1.0'
       ],
       zip_safe=True,
       **KWARGS)

contrib/ec2/deis.template.json

@@ -297,6 +297,12 @@
             "LoadBalancerPort": "80",
             "Protocol": "HTTP"
           },
+          {
+            "InstancePort": "443",
+            "InstanceProtocol": "TCP",
+            "LoadBalancerPort": "443",
+            "Protocol": "TCP"
+          },
           {
             "InstancePort": "2222",
             "InstanceProtocol": "TCP",
@@ -320,6 +326,7 @@
         "GroupDescription": "Deis Web ELB SecurityGroup",
         "SecurityGroupIngress": [
           {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
+          {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"},
           {"IpProtocol": "tcp", "FromPort": "2222", "ToPort": "2222", "CidrIp": "0.0.0.0/0"}
         ],
         "VpcId": { "Ref" : "VPC" }
@@ -332,6 +339,7 @@
         "SecurityGroupIngress" : [
           {"IpProtocol": "tcp", "FromPort" : "22",  "ToPort" : "22",  "CidrIp" : { "Ref" : "SSHFrom" }},
           {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceSecurityGroupId": { "Ref": "DeisWebELBSecurityGroup" } },
+          {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "SourceSecurityGroupId": { "Ref": "DeisWebELBSecurityGroup" } },
           {"IpProtocol": "tcp", "FromPort": "2222", "ToPort": "2222", "SourceSecurityGroupId": { "Ref": "DeisWebELBSecurityGroup" } }
         ],
         "VpcId" : { "Ref" : "VPC" }

controller/api/__init__.py

@@ -2,4 +2,4 @@
 The **api** Django app presents a RESTful web API for interacting with the **deis** system.
 """
 
-__version__ = '1.1.2'
+__version__ = '1.2.0'

controller/api/models.py

@@ -6,6 +6,7 @@
 
 from __future__ import unicode_literals
 import base64
+from datetime import datetime
 import etcd
 import importlib
 import logging
@@ -17,7 +18,7 @@
 
 from django.conf import settings
 from django.contrib.auth import get_user_model
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, SuspiciousOperation
 from django.db import models
 from django.db.models import Count
 from django.db.models import Max
@@ -26,6 +27,7 @@
 from django.utils.encoding import python_2_unicode_compatible
 from docker.utils import utils as dockerutils
 from json_field.fields import JSONField
+from OpenSSL import crypto
 import requests
 from rest_framework.authtoken.models import Token
 
@@ -110,6 +112,13 @@ def validate_domain(value):
         raise ValidationError('"{}" contains unexpected characters'.format(value))
 
 
+def validate_certificate(value):
+    try:
+        crypto.load_certificate(crypto.FILETYPE_PEM, value)
+    except crypto.Error as e:
+        raise ValidationError('Could not load certificate: {}'.format(e))
+
+
 class AuditedModel(models.Model):
     """Add created and updated fields to a model."""
 
@@ -825,6 +834,38 @@ def __str__(self):
         return self.domain
 
 
+@python_2_unicode_compatible
+class Certificate(AuditedModel):
+    """
+    Public and private key pair used to secure application traffic at the router.
+    """
+    owner = models.ForeignKey(settings.AUTH_USER_MODEL)
+    # there is no upper limit on the size of an x.509 certificate
+    certificate = models.TextField(validators=[validate_certificate])
+    key = models.TextField()
+    # X.509 certificates allow any string of information as the common name.
+    common_name = models.TextField(unique=True)
+    expires = models.DateTimeField()
+
+    def __str__(self):
+        return self.common_name
+
+    def _get_certificate(self):
+        try:
+            return crypto.load_certificate(crypto.FILETYPE_PEM, self.certificate)
+        except crypto.Error as e:
+            raise SuspiciousOperation(e)
+
+    def save(self, *args, **kwargs):
+        certificate = self._get_certificate()
+        if not self.common_name:
+            self.common_name = certificate.get_subject().CN
+        if not self.expires:
+            # convert openssl's expiry date format to Django's DateTimeField format
+            self.expires = datetime.strptime(certificate.get_notAfter(), '%Y%m%d%H%M%SZ')
+        return super(Certificate, self).save(*args, **kwargs)
+
+
 @python_2_unicode_compatible
 class Key(UuidAuditedModel):
     """An SSH public key."""
@@ -878,6 +919,16 @@ def _log_domain_removed(**kwargs):
     log_event(domain.app, msg)
 
 
+def _log_cert_added(**kwargs):
+    cert = kwargs['instance']
+    logger.info("cert {} added".format(cert))
+
+
+def _log_cert_removed(**kwargs):
+    cert = kwargs['instance']
+    logger.info("cert {} removed".format(cert))
+
+
 def _etcd_publish_key(**kwargs):
     key = kwargs['instance']
     _etcd_client.write('/deis/builder/users/{}/{}'.format(
@@ -917,33 +968,45 @@ def _etcd_purge_app(**kwargs):
         pass
 
 
+def _etcd_publish_cert(**kwargs):
+    cert = kwargs['instance']
+    if kwargs['created']:
+        _etcd_client.write('/deis/certs/{}/cert'.format(cert), cert.certificate)
+        _etcd_client.write('/deis/certs/{}/key'.format(cert), cert.key)
+
+
+def _etcd_purge_cert(**kwargs):
+    cert = kwargs['instance']
+    try:
+        _etcd_client.delete('/deis/certs/{}'.format(cert),
+                            prevExist=True, dir=True, recursive=True)
+    except KeyError:
+        pass
+
+
 def _etcd_publish_domains(**kwargs):
-    app = kwargs['instance'].app
-    app_domains = app.domain_set.all()
-    if app_domains:
-        _etcd_client.write('/deis/domains/{}'.format(app),
-                           ' '.join(str(d.domain) for d in app_domains))
+    domain = kwargs['instance']
+    if kwargs['created']:
+        _etcd_client.write('/deis/domains/{}'.format(domain), domain.app)
 
 
 def _etcd_purge_domains(**kwargs):
-    app = kwargs['instance'].app
-    app_domains = app.domain_set.all()
-    if app_domains:
-        _etcd_client.write('/deis/domains/{}'.format(app),
-                           ' '.join(str(d.domain) for d in app_domains))
-    else:
-        try:
-            _etcd_client.delete('/deis/domains/{}'.format(app))
-        except KeyError:
-            pass
+    domain = kwargs['instance']
+    try:
+        _etcd_client.delete('/deis/certs/{}'.format(domain),
+                            prevExist=True, dir=True, recursive=True)
+    except KeyError:
+        pass
 
 
 # Log significant app-related events
 post_save.connect(_log_build_created, sender=Build, dispatch_uid='api.models.log')
 post_save.connect(_log_release_created, sender=Release, dispatch_uid='api.models.log')
 post_save.connect(_log_config_updated, sender=Config, dispatch_uid='api.models.log')
 post_save.connect(_log_domain_added, sender=Domain, dispatch_uid='api.models.log')
+post_save.connect(_log_cert_added, sender=Certificate, dispatch_uid='api.models.log')
 post_delete.connect(_log_domain_removed, sender=Domain, dispatch_uid='api.models.log')
+post_delete.connect(_log_cert_removed, sender=Certificate, dispatch_uid='api.models.log')
 
 
 # automatically generate a new token on creation
@@ -968,3 +1031,5 @@ def create_auth_token(sender, instance=None, created=False, **kwargs):
     post_delete.connect(_etcd_purge_domains, sender=Domain, dispatch_uid='api.models')
     post_save.connect(_etcd_create_app, sender=App, dispatch_uid='api.models')
     post_delete.connect(_etcd_purge_app, sender=App, dispatch_uid='api.models')
+    post_save.connect(_etcd_publish_cert, sender=Certificate, dispatch_uid='api.models')
+    post_delete.connect(_etcd_purge_cert, sender=Certificate, dispatch_uid='api.models')

controller/api/serializers.py

@@ -245,6 +245,8 @@ def validate_domain(self, value):
         if value[-1:] == ".":
             value = value[:-1]  # strip exactly one dot from the right, if present
         labels = value.split('.')
+        if 'xip.io' in value:
+            return value
         if labels[0] == '*':
             raise serializers.ValidationError(
                 'Adding a wildcard subdomain is currently not supported.')
@@ -260,6 +262,22 @@ def validate_domain(self, value):
         return value
 
 
+class CertificateSerializer(ModelSerializer):
+    """Serialize a :class:`~api.models.Cert` model."""
+
+    owner = serializers.ReadOnlyField(source='owner.username')
+    expires = serializers.DateTimeField(format=settings.DEIS_DATETIME_FORMAT, read_only=True)
+    created = serializers.DateTimeField(format=settings.DEIS_DATETIME_FORMAT, read_only=True)
+    updated = serializers.DateTimeField(format=settings.DEIS_DATETIME_FORMAT, read_only=True)
+
+    class Meta:
+        """Metadata options for a DomainCertSerializer."""
+        model = models.Certificate
+        extra_kwargs = {'certificate': {'write_only': True},
+                        'key': {'write_only': True}}
+        read_only_fields = ['common_name', 'expires', 'created', 'updated']
+
+
 class PushSerializer(ModelSerializer):
     """Serialize a :class:`~api.models.Push` model."""