[ADD] clouder_certificate_authority: Implement CA using CFSSL #180
base: master
Changes from 7 commits
a84b39f
02d3338
0283c4a
b2175f2
be5534a
505edff
e3b40c6
ea52b59
4bbd304
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| .. image:: https://img.shields.io/badge/licence-LGPL--3-blue.svg | ||
| :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html | ||
| :alt: License: LGPL-3 | ||
|
|
||
| ============================ | ||
| Clouder Certificte Authority | ||
| ============================ | ||
|
|
||
| This module provides a Certificate Authority using Clouder and CFSSL, | ||
|
|
||
|
|
||
| Configuration | ||
| ============= | ||
|
|
||
| Clouder configuration instructions are available at https://clouder.readthedocs.io/ | ||
|
|
||
| Usage | ||
| ===== | ||
|
|
||
| To use this module, you need to: | ||
|
|
||
| #. Create a CFSSL Service in the Clouder Control Panel | ||
|
|
||
| Known issues / Roadmap | ||
| ====================== | ||
|
|
||
| * Add more Signature Profile options - https://github.com/cloudflare/cfssl/blob/86ecfbe5750ebf05565e4c80104d0a7919792fee/doc/cmd/cfssl.txt#L113 | ||
|
|
||
| Bug Tracker | ||
| =========== | ||
|
|
||
| Bugs are tracked on `GitHub Issues | ||
| <https://github.com/clouder-community/clouder/issues>`_. In case of trouble, please | ||
| check there if your issue has already been reported. If you spotted it first, | ||
| help us smashing it by providing a detailed and welcomed feedback. | ||
|
|
||
| Credits | ||
| ======= | ||
|
|
||
| Contributors | ||
| ------------ | ||
|
|
||
| * Dave Lasley <dave@laslabs.com> | ||
|
|
||
| Maintainer | ||
| ---------- | ||
|
|
||
| This module is maintained by Clouder Community. | ||
|
|
||
| To contribute to this module, please visit https://github.com/clouder-community/clouder |
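Review bot: The README title block misspells the module name ("Clouder Certificte Authority"; the underlines are sized for the misspelling, so both the title and the `====` rows need adjusting to `Clouder Certificate Authority`), and the description line "This module provides a Certificate Authority using Clouder and CFSSL," ends with a comma instead of a period. The Usage section's single step ("Create a CFSSL Service in the Clouder Control Panel") says nothing about what the CA's signing key is, where it is stored or how it is protected, which is the first thing an operator standing up a certificate authority needs to know; please document that before merge, or link to where it is documented.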
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # Copyright 2016 LasLabs Inc. | ||
| # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # Copyright 2016 LasLabs Inc. | ||
| # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). | ||
|
|
||
| { | ||
| 'name': 'Clouder Certificate Authority', | ||
| 'version': '10.0.10.0.0', | ||
| 'category': 'Clouder', | ||
| 'depends': [ | ||
| 'clouder', | ||
| 'clouder_template_proxy', | ||
| ], | ||
| 'author': 'LasLabs Inc.', | ||
| 'license': 'LGPL-3', | ||
| 'website': 'https://github.com/clouder-community/clouder', | ||
| 'data': [ | ||
| 'data/image_template.xml', | ||
| 'data/image.xml', | ||
| 'data/image_port.xml', | ||
| 'data/image_volume.xml', | ||
| 'data/application_tag.xml', | ||
| 'data/application_type.xml', | ||
| 'data/application_template.xml', | ||
| 'data/application.xml', | ||
| 'data/certificate_policy_use.xml', | ||
| ], | ||
| 'installable': True, | ||
| 'application': False, | ||
| } |
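Review bot: The manifest declares no `external_dependencies`, yet the module's `api.py` (later in this PR) imports the `cfssl` Python package. Add `'external_dependencies': {'python': ['cfssl']},` so that installing the module without the library fails at install time rather than the missing import being logged at info level and surfacing later as a runtime error. Also worth a second look: `'version': '10.0.10.0.0'` does not follow the `<odoo>.<major>.<minor>.<patch>` shape of the other entries in this repository unless that is the intended Clouder convention.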
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # Copyright 2016 LasLabs Inc. | ||
| # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). | ||
|
|
||
| import logging | ||
|
|
||
| from contextlib import contextmanager | ||
|
|
||
| _logger = logging.getLogger(__name__) | ||
|
|
||
| try: | ||
| import cfssl | ||
| except ImportError: | ||
| _logger.info('CFSSL Python library is not installed.') | ||
|
|
||
|
|
||
| class API(object): | ||
| """ It provides a base for all Models requiring API functionality """ | ||
|
|
||
| cfssl = cfssl | ||
|
|
||
| @contextmanager | ||
| @api.model_cr_context | ||
| def get_api(self, certificate_authority=None): | ||
| """ It returns a :obj:`cfssl.CFSSL` for the cert authority. | ||
|
|
||
| Args: | ||
| certificate_authority (:type:`clouder.CertificateAuthority`): | ||
| The certificate authority record singleton representing the | ||
| remote API. The CA does not have to be initialized yet. Use | ||
| :type:`None` if ``self`` is the CA that should be connected | ||
| to. | ||
| """ | ||
| try: | ||
| # @TODO: Figure out how the hell to get this host from the base | ||
| host = '000.000.000.000' | ||
| port = certificate_authority.port_id.local_port | ||
| api = cfssl.CFSSL(host, port, ssl=True) | ||
| yield api | ||
| finally: | ||
| pass | ||
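Review bot: `get_api` is decorated with `@api.model_cr_context`, but this file never imports `api` (only `logging` and `contextmanager`), so the module fails at import with a NameError; add `from odoo import api`. In the same vein, the guarded import does not actually guard anything: if `import cfssl` raises ImportError, the class attribute `cfssl = cfssl` raises NameError at class definition time, so either set `cfssl = None` in the `except` branch or drop the try/except. The signature `certificate_authority=None` and the docstring ("Use :type:`None` if ``self`` is the CA") promise a `None` case, but the body dereferences `certificate_authority.port_id.local_port` unconditionally, so that documented case raises AttributeError; branch on `None` and use `self` there. The placeholder `host = '000.000.000.000'` with its `@TODO` must not be merged as-is (see the discussion on obtaining the container or proxy address below), and the `try: ... finally: pass` adds nothing; either perform real cleanup there or yield the client directly. Finally, only `ssl=True` is passed when building the client; please state in the docstring how the TLS connection to the CFSSL endpoint is verified, since this client will be the path through which certificates are requested.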
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <!-- Copyright 2016 LasLabs Inc. | ||
| License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). --> | ||
|
|
||
| <odoo> | ||
|
|
||
| <record id="application_openssl_exec" model="clouder.application"> | ||
| <field name="name">OpenSSL</field> | ||
| <field name="code">exec</field> | ||
| <field name="type_id" ref="application_type_openssl" /> | ||
| <field name="tag_ids" eval="[(4, ref('clouder.tag_exec'))]" /> | ||
| <field name="default_image_id" ref="image_openssl_exec" /> | ||
| <field name="sequence">1</field> | ||
| <field name="required" eval="True"/> | ||
| <field name="update_strategy">auto</field> | ||
| </record> | ||
|
|
||
| <record id="application_cfssl_data" model="clouder.application"> | ||
| <field name="name">CFSSL Data</field> | ||
| <field name="code">data</field> | ||
| <field name="type_id" ref="application_type_cfssl" /> | ||
| <field name="tag_ids" eval="[(4, ref('clouder.tag_data'))]" /> | ||
| <field name="default_image_id" ref="image_cfssl_data" /> | ||
| <field name="sequence">1</field> | ||
| <field name="required" eval="True" /> | ||
| </record> | ||
|
|
||
| <record id="application_cfssl_exec" model="clouder.application"> | ||
| <field name="name">CFSSL Exec</field> | ||
| <field name="code">exec</field> | ||
| <field name="type_id" ref="application_type_cfssl" /> | ||
| <field name="tag_ids" eval="[(4, ref('clouder.tag_exec'))]" /> | ||
| <field name="default_image_id" ref="image_cfssl_exec" /> | ||
| <field name="sequence">2</field> | ||
| <field name="required" eval="True" /> | ||
| <field name="update_strategy">auto</field> | ||
| <field name="child_ids" | ||
| eval="[(4, ref('application_openssl_exec'))]" | ||

Contributor (Author): If I nest an exec in an exec like this, will the deploy recurse correctly?

Owner: Hum, you're creating a tree like this: I suspect we'd want to have this tree: More information incoming when I make a proper review of the PR (this day I hope).

| /> | ||
| </record> | ||
|
|
||
| <record id="application_cfssl" model="clouder.application"> | ||
| <field name="name">CFSSL</field> | ||
| <field name="code">cfssl</field> | ||
| <field name="type_id" ref="application_type_cfssl" /> | ||
| <field name="tag_ids" eval="[(4, ref('tag_cert_authority'))]" /> | ||
| <field name="child_ids" | ||
| eval="[(4, ref('application_cfssl_data')), | ||
| (4, ref('application_cfssl_exec')), | ||
| ]" | ||
| /> | ||
| <field name="sequence">1</field> | ||
| <field name="required" eval="True" /> | ||
| </record> | ||
|
|
||
| </odoo> | ||
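Review bot: `application_cfssl` is the only record in this file with neither `default_image_id` nor `update_strategy`, while its siblings `application_cfssl_data` and `application_cfssl_exec` set both. If it is intended purely as a parent container for the data and exec children, a short XML comment saying so would save the next reader the question; otherwise add the two fields for consistency. The nesting of `application_openssl_exec` under `application_cfssl_exec` via `child_ids` is already being discussed in the comment above, so I will not repeat it here.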
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <!-- Copyright 2016 LasLabs Inc. | ||
| License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). --> | ||
|
|
||
| <odoo> | ||
|
|
||
| <record id="tag_cert_authority" model="clouder.application.tag"> | ||
| <field name="name">cert_authority</field> | ||
| </record> | ||
|
|
||
| <record id="tag_openssl" model="clouder.application.tag"> | ||
| <field name="name">openssl</field> | ||
| </record> | ||
|
|
||
| </odoo> |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <!-- Copyright 2016 LasLabs Inc. | ||
| License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). --> | ||
|
|
||
| <odoo> | ||
|
|
||
| <record id="application_template_cfssl" | ||
| model="clouder.application.template" | ||
| > | ||
| <field name="name">CFSSL</field> | ||
| </record> | ||
|
|
||
| <record id="application_template_openssl" | ||
| model="clouder.application.template" | ||
| > | ||
| <field name="name">OpenSSL</field> | ||
| </record> | ||
|
|
||
| </odoo> |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <!-- Copyright 2016 LasLabs Inc. | ||
| License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). --> | ||
|
|
||
| <odoo> | ||
|
|
||
| <record id="application_type_cfssl" | ||
| model="clouder.application.type" | ||
| > | ||
| <field name="name">cfssl</field> | ||
| <field name="system_user">root</field> | ||
| <field name="tag_ids" | ||
| eval="[(6, 0, [ref('tag_cert_authority')])]" | ||
| /> | ||
| </record> | ||
|
|
||
| <record id="application_type_openssl" | ||

Owner: I don't think we really need the openssl application.type, we shall remove it and use cfssl.

Contributor (Author): Hmm, but they serve different purposes. What does an application type actually grant us anyway?

Owner: The application type is usually used in the .py files to know which function shall be executed. Ex: https://github.com/clouder-community/clouder/blob/0.9.0/clouder_template_odoo/template.py#L51 Until you have a template.py file in your module, you'll not really know if you need an openssl application type, but I'm willing to bet you'll not need it.

| model="clouder.application.type" | ||
| > | ||
| <field name="name">openssl</field> | ||
| <field name="system_user">root</field> | ||
| <field name="tag_ids" | ||
| eval="[(6, 0, [ref('tag_openssl')])]" | ||
| /> | ||
| </record> | ||
|
|
||
| </odoo> | ||
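Review bot: Both application types set `<field name="system_user">root</field>`. The CFSSL signer is the component holding the CA's private key, which is the last process you want running as root inside the container; if the CFSSL image supports it, run it as a dedicated unprivileged user, and if root is genuinely required, add a comment explaining why so the choice is not silently copied into later templates. Whether the separate `openssl` application type should exist at all is under discussion in the comment above.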
I need the IP of the container and exposed port here in order to access the web API. Or maybe I need the IP/port of the proxy instead? Any samples to point me to?

For ease of reference, `ClouderCertificateAuthority` is inheriting `clouder.application` by delegation, so we have all fields for the CFSSL application available.

See my comment on clouder.service, it shall resolve the problem.