feat(controller): add deis certs

Author: Matthew Fisher

client/Makefile

@@ -1,6 +1,6 @@
 
 build: setup-venv
-	venv/bin/pip install docopt==0.6.2 python-dateutil==2.4.1 PyYAML==3.11 requests==2.5.1 git+https://github.com/pyinstaller/pyinstaller@7413317 termcolor==1.1.0
+	venv/bin/pip install docopt==0.6.2 python-dateutil==2.4.1 PyYAML==3.11 requests==2.5.1 git+https://github.com/pyinstaller/pyinstaller@7413317 tabulate==0.7.4 termcolor==1.1.0
 	venv/bin/pyinstaller deis.spec
 	chmod +x dist/deis
 

client/deis.py

@@ -20,6 +20,7 @@
   limits        manage resource limits for your application
   tags          manage tags for application containers
   releases      manage releases of an application
+  certs         manage ssl endpoints for an app
 
   keys          manage ssh keys used for `git push` deployments
   perms         manage permissions for applications
@@ -68,6 +69,7 @@
 from docopt import docopt
 from docopt import DocoptExit
 import requests
+from tabulate import tabulate
 from termcolor import colored
 
 __version__ = '1.5.0-dev'
@@ -977,6 +979,94 @@ def builds_list(self, args):
         else:
             raise ResponseError(response)
 
+    def certs(self, args):
+        """
+        Valid commands for certs:
+
+        certs:list            list ssl certificates for an app
+        certs:add             add an ssl certificate to an app
+        certs:update          update an existing certifcate for an app
+        certs:remove          remove an ssl certificate from an app
+
+        Use `deis help [command]` to learn more.
+        """
+        sys.argv[1] = 'certs:list'
+        args = docopt(self.certs_list.__doc__)
+        return self.certs_list(args)
+
+    def certs_add(self, args):
+        """
+        Binds a certificate/key pair to an application.
+
+        Usage: deis certs:add <cert> <key>
+
+        Arguments:
+          <cert>
+            The public key of the SSL certificate.
+          <key>
+            The private key of the SSL certificate.
+        """
+        cert = args.get('<cert>')
+        key = args.get('<key>')
+        body = {'certificate': file(cert).read().strip(), 'key': file(key).read().strip()}
+        sys.stdout.write("Adding SSL endpoint... ")
+        sys.stdout.flush()
+        try:
+            progress = TextProgress()
+            progress.start()
+            response = self._dispatch('post', "/v1/certs", json.dumps(body))
+        finally:
+            progress.cancel()
+            progress.join()
+        if response.status_code == requests.codes.created:
+            self._logger.info("done")
+            data = response.json()
+            self._logger.info("{common_name}".format(**data))
+        else:
+            raise ResponseError(response)
+
+    def certs_list(self, args):
+        """
+        Show certificate information for an ssl application.
+
+        Usage: deis certs:list
+        """
+        response = self._dispatch('get', "/v1/certs")
+        if response.status_code == requests.codes.ok:
+            data = response.json()
+            table = [['Common Name', 'Expires']]
+            if len(data['results']) == 0:
+                self._logger.info('No certs')
+                return
+            for item in data['results']:
+                # strip unused fields
+                for field in item.keys():
+                    if field not in ['common_name', 'expires']:
+                        del item[field]
+                table += [[item['common_name'], item['expires']]]
+            self._logger.info(tabulate(table, headers='firstrow'))
+        else:
+            raise ResponseError(response)
+
+    def certs_remove(self, args):
+        """
+        removes a certificate/key pair from the application.
+
+        Usage: deis certs:remove <cn> [options]
+
+        Arguments:
+          <cn>
+            the common name of the cert to remove from the app.
+        """
+        cn = args.get('<cn>')
+        sys.stdout.write("Removing {}... ".format(cn))
+        sys.stdout.flush()
+        response = self._dispatch('delete', "/v1/certs/{}".format(cn))
+        if response.status_code == requests.codes.no_content:
+            self._logger.info('Done.')
+        else:
+            raise ResponseError(response)
+
     def config(self, args):
         """
         Valid commands for config:

client/setup.py

@@ -59,7 +59,7 @@
       install_requires=[
           'docopt==0.6.2', 'python-dateutil==2.4.1',
           'PyYAML==3.11', 'requests==2.5.1',
-          'termcolor==1.1.0'
+          'tabulate==0.7.4', 'termcolor==1.1.0'
       ],
       zip_safe=True,
       **KWARGS)

controller/api/models.py

@@ -6,6 +6,7 @@
 
 from __future__ import unicode_literals
 import base64
+from datetime import datetime
 import etcd
 import importlib
 import logging
@@ -17,7 +18,7 @@
 
 from django.conf import settings
 from django.contrib.auth import get_user_model
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, SuspiciousOperation
 from django.db import models
 from django.db.models import Count
 from django.db.models import Max
@@ -26,6 +27,7 @@
 from django.utils.encoding import python_2_unicode_compatible
 from docker.utils import utils as dockerutils
 from json_field.fields import JSONField
+from OpenSSL import crypto
 import requests
 from rest_framework.authtoken.models import Token
 
@@ -110,6 +112,16 @@ def validate_domain(value):
         raise ValidationError('"{}" contains unexpected characters'.format(value))
 
 
+def validate_domain_certificate(value):
+    try:
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, value)
+        Domain.objects.get(domain=cert.get_subject().CN)
+    except crypto.Error as e:
+        raise ValidationError('Could not load certificate: {}'.format(e))
+    except Domain.DoesNotExist:
+        raise ValidationError('No matching domain was found for {}'.format(cert.get_subject().CN))
+
+
 class AuditedModel(models.Model):
     """Add created and updated fields to a model."""
 
@@ -820,11 +832,44 @@ class Domain(AuditedModel):
     owner = models.ForeignKey(settings.AUTH_USER_MODEL)
     app = models.ForeignKey('App')
     domain = models.TextField(blank=False, null=False, unique=True)
+    cert = models.ForeignKey('DomainCert', null=True)
 
     def __str__(self):
         return self.domain
 
 
+@python_2_unicode_compatible
+class DomainCert(AuditedModel):
+    """
+    Public and private key pair used to secure application traffic at the router.
+    """
+    owner = models.ForeignKey(settings.AUTH_USER_MODEL)
+    # there is no upper limit on the size of an x.509 certificate
+    certificate = models.TextField(validators=[validate_domain_certificate])
+    key = models.TextField()
+    # X.509 certificates allow any string of information as the common name.
+    common_name = models.TextField(unique=True)
+    expires = models.DateTimeField()
+
+    def __str__(self):
+        return self.common_name
+
+    def _get_certificate(self):
+        try:
+            return crypto.load_certificate(crypto.FILETYPE_PEM, self.certificate)
+        except crypto.Error as e:
+            raise SuspiciousOperation(e)
+
+    def save(self, *args, **kwargs):
+        certificate = self._get_certificate()
+        if not self.common_name:
+            self.common_name = certificate.get_subject().CN
+        if not self.expires:
+            # convert openssl's expiry date format to Django's DateTimeField format
+            self.expires = datetime.strptime(certificate.get_notAfter(), '%Y%m%d%H%M%SZ')
+        return super(DomainCert, self).save(*args, **kwargs)
+
+
 @python_2_unicode_compatible
 class Key(UuidAuditedModel):
     """An SSH public key."""
@@ -878,6 +923,16 @@ def _log_domain_removed(**kwargs):
     log_event(domain.app, msg)
 
 
+def _log_cert_added(**kwargs):
+    cert = kwargs['instance']
+    logger.info("cert {} added".format(cert))
+
+
+def _log_cert_removed(**kwargs):
+    cert = kwargs['instance']
+    logger.info("cert {} removed".format(cert))
+
+
 def _etcd_publish_key(**kwargs):
     key = kwargs['instance']
     _etcd_client.write('/deis/builder/users/{}/{}'.format(
@@ -917,6 +972,19 @@ def _etcd_purge_app(**kwargs):
         pass
 
 
+def _etcd_publish_cert(**kwargs):
+    cert = kwargs['instance']
+    if kwargs['created']:
+        _etcd_client.write('/deis/certs/{}/cert'.format(cert), cert.certificate)
+        _etcd_client.write('/deis/certs/{}/key'.format(cert), cert.key)
+
+
+def _etcd_purge_cert(**kwargs):
+    cert = kwargs['instance']
+    _etcd_client.delete('/deis/certs/{}'.format(cert),
+                        prevExist=True, dir=True, recursive=True)
+
+
 def _etcd_publish_domains(**kwargs):
     app = kwargs['instance'].app
     app_domains = app.domain_set.all()
@@ -943,7 +1011,9 @@ def _etcd_purge_domains(**kwargs):
 post_save.connect(_log_release_created, sender=Release, dispatch_uid='api.models.log')
 post_save.connect(_log_config_updated, sender=Config, dispatch_uid='api.models.log')
 post_save.connect(_log_domain_added, sender=Domain, dispatch_uid='api.models.log')
+post_save.connect(_log_cert_added, sender=DomainCert, dispatch_uid='api.models.log')
 post_delete.connect(_log_domain_removed, sender=Domain, dispatch_uid='api.models.log')
+post_delete.connect(_log_cert_removed, sender=DomainCert, dispatch_uid='api.models.log')
 
 
 # automatically generate a new token on creation
@@ -968,3 +1038,5 @@ def create_auth_token(sender, instance=None, created=False, **kwargs):
     post_delete.connect(_etcd_purge_domains, sender=Domain, dispatch_uid='api.models')
     post_save.connect(_etcd_create_app, sender=App, dispatch_uid='api.models')
     post_delete.connect(_etcd_purge_app, sender=App, dispatch_uid='api.models')
+    post_save.connect(_etcd_publish_cert, sender=DomainCert, dispatch_uid='api.models')
+    post_delete.connect(_etcd_purge_cert, sender=DomainCert, dispatch_uid='api.models')

controller/api/serializers.py

@@ -260,6 +260,21 @@ def validate_domain(self, value):
         return value
 
 
+class DomainCertSerializer(ModelSerializer):
+    """Serialize a :class:`~api.models.Cert` model."""
+
+    expires = serializers.DateTimeField(format=settings.DEIS_DATETIME_FORMAT, read_only=True)
+    created = serializers.DateTimeField(format=settings.DEIS_DATETIME_FORMAT, read_only=True)
+    updated = serializers.DateTimeField(format=settings.DEIS_DATETIME_FORMAT, read_only=True)
+
+    class Meta:
+        """Metadata options for a DomainCertSerializer."""
+        model = models.DomainCert
+        extra_kwargs = {'certificate': {'write_only': True},
+                        'key': {'write_only': True}}
+        read_only_fields = ['owner', 'common_name', 'expires', 'created', 'updated']
+
+
 class PushSerializer(ModelSerializer):
     """Serialize a :class:`~api.models.Push` model."""