publish SSH Keys to etcd instead of a chef data bag

Author: Gabriel Monroy

api/models.py

@@ -19,12 +19,13 @@
 from django.dispatch import receiver
 from django.dispatch.dispatcher import Signal
 from django.utils.encoding import python_2_unicode_compatible
+import etcd
 from guardian.shortcuts import get_users_with_perms
 from json_field.fields import JSONField  # @UnusedImport
 
 from api import fields, tasks
 from provider import import_provider_module
-from utils import dict_diff
+from utils import dict_diff, fingerprint
 
 
 logger = logging.getLogger(__name__)
@@ -907,16 +908,6 @@ def _publish_to_cm(**kwargs):
     kwargs['instance'].publish()
 
 
-def _publish_user_to_cm(**kwargs):
-    if kwargs.get('update_fields') == frozenset(['last_login']):
-        return
-    kwargs['instance'].publish()
-
-
-def _purge_user_from_cm(**kwargs):
-    kwargs['instance'].purge()
-
-
 def _log_build_created(**kwargs):
     if kwargs.get('created'):
         build = kwargs['instance']
@@ -934,13 +925,41 @@ def _log_config_updated(**kwargs):
     log_event(config.app, "Config {} updated".format(config))
 
 
+def _etcd_publish_key(**kwargs):
+    key = kwargs['instance']
+    _etcd_client.write('/deis/builder/users/{}/{}'.format(
+                 key.owner.username, fingerprint(key.public)), key.public)
+
+
+def _etcd_purge_key(**kwargs):
+    key = kwargs['instance']
+    _etcd_client.delete('/deis/builder/users/{}/{}'.format(
+                 key.owner.username, fingerprint(key.public)))
+
+
+def _etcd_purge_user(**kwargs):
+    username = kwargs['instance'].username
+    _etcd_client.delete('/deis/builder/users/{}'.format(username), dir=True, recursive=True)
+
+
 # Connect Django model signals
 # Sync database updates with the configuration management backend
 post_save.connect(_publish_to_cm, sender=App, dispatch_uid='api.models')
 post_save.connect(_publish_to_cm, sender=Formation, dispatch_uid='api.models')
-post_save.connect(_publish_user_to_cm, sender=User, dispatch_uid='api.models')
-post_delete.connect(_purge_user_from_cm, sender=User, dispatch_uid='api.models')
 # Log significant app-related events
 post_save.connect(_log_build_created, sender=Build, dispatch_uid='api.models')
 post_save.connect(_log_release_created, sender=Release, dispatch_uid='api.models')
 post_save.connect(_log_config_updated, sender=Config, dispatch_uid='api.models')
+
+# wire up etcd publishing if we can connect
+try:
+    _etcd_client = etcd.Client(host=settings.ETCD_HOST, port=int(settings.ETCD_PORT))
+    _etcd_client.get('/deis')
+except etcd.EtcdException:
+    logger.log(logging.WARNING, 'Cannot synchronize with etcd cluster')
+    _etcd_client = None
+
+if _etcd_client:
+    post_save.connect(_etcd_publish_key, sender=Key, dispatch_uid='api.models')
+    post_delete.connect(_etcd_purge_key, sender=Key, dispatch_uid='api.models')
+    post_delete.connect(_etcd_purge_user, sender=User, dispatch_uid='api.models')

api/tests/test_key.py

@@ -16,6 +16,14 @@
 from deis import settings
 
 
+PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfQkkUUoxpvcNMkvv7jqnfodgs37M2eBO" \
+         "APgLK+KNBMaZaaKB4GF1QhTCMfFhoiTW3rqa0J75bHJcdkoobtTHlK8XUrFqsquWyg3XhsT" \
+         "Yr/3RQQXvO86e2sF7SVDJqVtpnbQGc5SgNrHCeHJmf5HTbXSIjCO/AJSvIjnituT/SIAMGe" \
+         "Bw0Nq/iSltwYAek1hiKO7wSmLcIQ8U4A00KEUtalaumf2aHOcfjgPfzlbZGP0S0cuBwSqLr" \
+         "8b5XGPmkASNdUiuJY4MJOce7bFU14B7oMAy2xacODUs1momUeYtGI9T7X2WMowJaO7tP3Gl" \
+         "sgBMP81VfYTfYChAyJpKp2yoP autotest@autotesting comment"
+
+
 @override_settings(CELERY_ALWAYS_EAGER=True)
 class KeyTest(TestCase):
 
@@ -32,7 +40,7 @@ def test_key(self):
         Test that a user can add, remove and manage their SSH public keys
         """
         url = '/api/keys'
-        body = {'id': 'mykey@box.local', 'public': 'ssh-rsa XXX'}
+        body = {'id': 'mykey@box.local', 'public': PUBKEY}
         response = self.client.post(url, json.dumps(body), content_type='application/json')
         self.assertEqual(response.status_code, 201)
         key_id = response.data['id']
@@ -52,7 +60,7 @@ def test_key_cm(self):
         Test that creating and deleting a key updates configuration management
         """
         url = '/api/keys'
-        body = {'id': 'mykey@box.local', 'public': 'ssh-rsa XXX'}
+        body = {'id': 'mykey@box.local', 'public': PUBKEY}
         response = self.client.post(url, json.dumps(body), content_type='application/json')
         self.assertEqual(response.status_code, 201)
         key_id = response.data['id']
@@ -75,7 +83,7 @@ def test_key_duplicate(self):
         Test that a user cannot add a duplicate key
         """
         url = '/api/keys'
-        body = {'id': 'mykey@box.local', 'public': 'ssh-rsa XXX'}
+        body = {'id': 'mykey@box.local', 'public': PUBKEY}
         response = self.client.post(url, json.dumps(body), content_type='application/json')
         self.assertEqual(response.status_code, 201)
         response = self.client.post(url, json.dumps(body), content_type='application/json')

api/utils.py

@@ -1,7 +1,8 @@
 """
 Helper functions used by the Deis server.
 """
-
+import base64
+import hashlib
 import random
 
 
@@ -98,6 +99,15 @@ def dict_diff(dict1, dict2):
     return {k: diff[k] for k in diff if diff[k]}
 
 
+def fingerprint(key):
+    """
+    Return the fingerprint for an SSH Public Key
+    """
+    key = base64.b64decode(key.strip().split()[1].encode('ascii'))
+    fp_plain = hashlib.md5(key).hexdigest()
+    return ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2]))
+
+
 if __name__ == "__main__":
     import doctest
     doctest.testmod()

deis/settings.py

@@ -276,6 +276,9 @@
 # N is number of nodes in largest formation
 CELERYD_CONCURRENCY = 8
 
+# etcd settings
+ETCD_HOST, ETCD_PORT = os.environ.get('ETCD', '127.0.0.1:4001').split(',')[0].split(':')
+
 # default deis settings
 DEIS_LOG_DIR = os.path.abspath(os.path.join(__file__, '..', '..', 'logs'))
 LOG_LINES = 1000

requirements.txt

@@ -13,6 +13,7 @@ gunicorn==18.0
 paramiko==1.12.1
 psycopg2==2.5.2
 pycrypto==2.6.1
+python-etcd==0.3.0
 pyrax==1.6.2
 PyYAML==3.10
 redis==2.8.0