YannickB · lasley · Dec 15, 2016 · Dec 28, 2016 · Dec 30, 2016 · Jan 2, 2017
diff --git a/clouder_template_red_october/README.rst b/clouder_template_red_october/README.rst
@@ -0,0 +1,73 @@
+.. image:: https://img.shields.io/badge/licence-LGPL--3-blue.svg
+   :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+   :alt: License: LGPL-3
+
+==============================
+Clouder Template - Red October
+==============================
+
+This module provides a Clouder Template for Red October.
+
+Red October is a cryptographically-secure implementation of the two-person rule
+to protect sensitive data. From a technical perspective, Red October is a
+software-based encryption and decryption server. The server can be used to
+encrypt a payload in such a way that no one individual can decrypt it. The
+encryption of the payload is cryptographically tied to the credentials of the
+authorized users.
+
+Authorized persons can delegate their credentials to the server for a period of
+time. The server can decrypt any previously-encrypted payloads as long as the
+appropriate number of people have delegated their credentials to the server.
+
+This architecture allows Red October to act as a convenient decryption service.
+Other systems, including CloudFlare’s build system, can use it for decryption
+and users can delegate their credentials to the server via a simple web interface.
+All communication with Red October is encrypted with TLS,
+ensuring that passwords are not sent in the clear.
+
+`Read More on CloudFlare's Blog
+<https://blog.cloudflare.com/red-october-cloudflares-open-source-implementation-of-the-two-man-rule/>`_.
+
+`Browse Red October on Github
+<https://github.com/cloudflare/redoctober>`_.
+
+Configuration
+=============
+
+Clouder configuration instructions are available at https://clouder.readthedocs.io/
+
+Usage
+=====
+
+To use this module, you need to:
+
+#. Create a Red October application in Clouder
+
+Known issues / Roadmap
+======================
+
+* The container is currently using a self-signed certificate. This should be changed once a CA exists.
+* Runit is being installed via community repos, which are HTTP only. This is insecure.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues
+<https://github.com/clouder-community/clouder/issues>`_. In case of trouble, please
+check there if your issue has already been reported. If you spotted it first,
+help us smashing it by providing a detailed and welcomed feedback.
+
+Credits
+=======
+
+Contributors
+------------
+
+* Dave Lasley <dave@laslabs.com>
+
+Maintainer
+----------
+
+This module is maintained by Clouder Community.
+
+To contribute to this module, please visit https://github.com/clouder-community/clouder
diff --git a/clouder_template_red_october/__init__.py b/clouder_template_red_october/__init__.py
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# Copyright 2016 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import models
diff --git a/clouder_template_red_october/__manifest__.py b/clouder_template_red_october/__manifest__.py
@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+# Copyright 2016 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+{
+    'name': 'Clouder Template - Red October',
+    'version': '10.0.10.0.0',
+    'category': 'Clouder',
+    'depends': [
+        'clouder',
+        'clouder_template_proxy',
+    ],
+    'author': 'LasLabs Inc.',
+    'license': 'LGPL-3',
+    'website': 'https://github.com/clouder-community/clouder',
+    'data': [
+        'data/image_template.xml',
+        'data/image.xml',
+        'data/image_port.xml',
+        'data/image_volume.xml',
+        'data/application_type.xml',
+        'data/application_template.xml',
+        'data/application.xml',
+    ],
+    'installable': True,
+    'application': False,
+}
diff --git a/clouder_template_red_october/data/application.xml b/clouder_template_red_october/data/application.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="application_redoctober_data" model="clouder.application">
+        <field name="name">Red October Data</field>
+        <field name="code">data</field>
+        <field name="type_id" ref="application_type_redoctober" />
+        <field name="tag_ids" eval="[(4, ref('clouder.tag_data'))]" />
+        <field name="default_image_id" ref="image_redoctober_data" />
+        <field name="sequence">1</field>
+        <field name="required" eval="True"/>
+    </record>
+
+    <record id="application_redoctober_exec" model="clouder.application">
+        <field name="name">Red October Exec</field>
+        <field name="code">exec</field>
+        <field name="type_id" ref="application_type_redoctober" />
+        <field name="tag_ids" eval="[(4, ref('clouder.tag_exec'))]" />
+        <field name="default_image_id" ref="image_redoctober_exec" />
+        <field name="sequence">2</field>
+        <field name="required" eval="True"/>
+        <field name="update_strategy">auto</field>
+    </record>
+
+    <record id="application_redoctober" model="clouder.application">
+        <field name="name">Red October</field>
+        <field name="code">redoctober</field>
+        <field name="type_id" ref="application_type_redoctober" />
+        <field name="tag_ids" eval="[(4, ref('tag_cert_authority'))]" />
+        <field name="child_ids"
+               eval="[(4, ref('application_redoctober_data')),
+                      (4, ref('application_redoctober_exec')),
+                     ]"
+               />
+        <field name="sequence">1</field>
+        <field name="required" eval="True"/>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/data/application_template.xml b/clouder_template_red_october/data/application_template.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="application_template_redoctober"
+            model="clouder.application.template"
+            >
+        <field name="name">Red October</field>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/data/application_type.xml b/clouder_template_red_october/data/application_type.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="application_type_redoctober"
+            model="clouder.application.type"
+            >
+        <field name="name">redoctober</field>
+        <field name="system_user">redoctober</field>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/data/image.xml b/clouder_template_red_october/data/image.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="image_redoctober_data" model="clouder.image">
+        <field name="name">image_redoctober_data</field>
+        <field name="template_ids"
+               eval="[(4, [ref('image_template_redoctober_data')])]"
+               />
+        <field name="parent_from">clouder/base:3.4</field>
+    </record>
+
+    <record id="image_redoctober_exec" model="clouder.image">
+        <field name="name">image_redoctober_exec</field>
+        <field name="template_ids"
+               eval="[(4, [ref('image_template_redoctober_exec')])]"
+               />
+        <field name="parent_from">lasley/redoctober-exec</field>
+        <field name="volumes_from">data</field>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/data/image_port.xml b/clouder_template_red_october/data/image_port.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="image_port_redoctober_http"
+            model="clouder.image.port"
+            >
+        <field name="template_id" ref="image_template_redoctober_exec" />
+        <field name="name">https</field>
+        <field name="local_port">8080</field>
+    </record>
+
+    <record id="image_port_redoctober_comm"
+            model="clouder.image.port"
+            >
+        <field name="template_id" ref="image_template_redoctober_exec" />
+        <field name="name">comm</field>
+        <field name="local_port">8081</field>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/data/image_template.xml b/clouder_template_red_october/data/image_template.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="image_template_redoctober_data"
+            model="clouder.image.template"
+            >
+        <field name="name">image_template_redoctober_data</field>
+    </record>
+
+    <record id="image_template_redoctober_exec"
+            model="clouder.image.template"
+            >
+        <field name="name">image_template_redoctober_exec</field>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/data/image_volume.xml b/clouder_template_red_october/data/image_volume.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2016 LasLabs Inc.
+     License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). -->
+
+<odoo>
+
+    <record id="image_volume_redoctober_cert_store"
+            model="clouder.image.volume"
+            >
+        <field name="template_id" ref="image_template_redoctober_data" />
+        <field name="name">data</field>
+        <field name="localpath">/var/lib/redoctober/data</field>
+        <field name="user">redoctober</field>
+    </record>
+
+</odoo>
diff --git a/clouder_template_red_october/images/exec/Dockerfile b/clouder_template_red_october/images/exec/Dockerfile
@@ -0,0 +1,36 @@
+FROM clouder/base:3.4
+MAINTAINER Dave Lasley <dave@laslabs.com>
+
+RUN addgroup -S redoctober \
+    && adduser -S -g redoctober redoctober
+
+# Install Build Dependencies
+
+ENV buildDeps "build-base \
+               gcc \
+               git \
+               go \
+               libtool \
+               openssl \
+               runit@community"
+
+RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
+
+RUN apk add --no-cache $buildDeps
+
+# Install Red October
+RUN git clone --depth=1 https://github.com/cloudflare/redoctober.git /usr/lib/go/src/github.com/cloudflare/redoctober
+RUN go install github.com/cloudflare/redoctober
+
+# Setup Environment
+ENV RO_DATA=/var/lib/redoctober/data \
+    RO_CERTS=$RO_DATA/server.crt \
+    RO_KEYS=$RO_DATA/server.pem
+
+ENTRYPOINT ["/go/src/github.com/cloudflare/redoctober/scripts/docker-entrypoint.sh"]
+
+CMD ["redoctober", \
+    "-addr=:8080", \
+    "-vaultpath=$RO_DATA/diskrecord.json", \
+    "-certs=$RO_CERTS", \
+    "-keys=$RO_KEYS"]
diff --git a/clouder_template_red_october/models/__init__.py b/clouder_template_red_october/models/__init__.py
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# Copyright 2016 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from . import container
diff --git a/clouder_template_red_october/models/container.py b/clouder_template_red_october/models/container.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+# Copyright 2016 LasLabs Inc.
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from odoo import api, models
+
+
+class ClouderContainer(models.Model):
+    _inherit = 'clouder.container'
+
+    @api.multi
+    def deploy_post(self):
+        super(ClouderContainer, self).deploy_post()
+        for record in self:
+            if record.application_id.type_id.name == 'redoctober':
+                if record.application_id.code == 'data':
+                    # @TODO: Create a CSR, sign it with the CA, execute echo
+                    pass