Merge pull request #2274 from coreos-inc/custom-cert-management

Custom SSL certificates config panel
2017-01-13 16:24:47 -05:00 · 2017-01-13 16:24:47 -05:00 · ac8cddc5a9
commit ac8cddc5a9
parent 279729d7e9 7e0fbeb625
14 changed files with 434 additions and 41 deletions
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@ -4,6 +4,8 @@ import logging
 import os
 import string

+import pathvalidate
+
 from datetime import datetime
 from random import SystemRandom

@ -25,6 +27,8 @@ from data import model
 from data.database import ServiceKeyApprovalType
 from util.useremails import send_confirmation_email, send_recovery_email
 from util.license import decode_license, LicenseDecodeError
+from util.security.ssl import load_certificate, CertInvalidException
+from util.config.validator import EXTRA_CA_DIRECTORY


 logger = logging.getLogger(__name__)
@ -824,6 +828,89 @@ class SuperUserServiceKeyApproval(ApiResource):
    abort(403)


+@resource('/v1/superuser/customcerts')
+@internal_only
+@show_if(features.SUPER_USERS)
+class SuperUserCustomCertificates(ApiResource):
+  """ Resource for managing custom certificates. """
+  @nickname('getCustomCertificates')
+  @require_fresh_login
+  @require_scope(scopes.SUPERUSER)
+  @verify_not_prod
+  def get(self):
+    if SuperUserPermission().can():
+      has_extra_certs_path = config_provider.volume_file_exists(EXTRA_CA_DIRECTORY)
+      extra_certs_found = config_provider.list_volume_directory(EXTRA_CA_DIRECTORY)
+      if extra_certs_found is None:
+        return {
+          'status': 'file' if has_extra_certs_path else 'none',
+        }
+
+      cert_views = []
+      for extra_cert_path in extra_certs_found:
+        try:
+          cert_full_path = os.path.join(EXTRA_CA_DIRECTORY, extra_cert_path)
+          with config_provider.get_volume_file(cert_full_path) as f:
+            certificate = load_certificate(f.read())
+            cert_views.append({
+              'path': extra_cert_path,
+              'names': list(certificate.names),
+              'expired': certificate.expired,
+            })
+        except CertInvalidException as cie:
+          cert_views.append({
+            'path': extra_cert_path,
+            'error': cie.message,
+          })
+        except IOError as ioe:
+          cert_views.append({
+            'path': extra_cert_path,
+            'error': ioe.message,
+          })
+
+      return {
+        'status': 'directory',
+        'certs': cert_views,
+      }
+
+    abort(403)
+
+
+@resource('/v1/superuser/customcerts/<certpath>')
+@internal_only
+@show_if(features.SUPER_USERS)
+class SuperUserCustomCertificate(ApiResource):
+  """ Resource for managing a custom certificate. """
+  @nickname('uploadCustomCertificate')
+  @require_fresh_login
+  @require_scope(scopes.SUPERUSER)
+  @verify_not_prod
+  def post(self, certpath):
+    if SuperUserPermission().can():
+      uploaded_file = request.files['file']
+      if not uploaded_file:
+        abort(400)
+
+      certpath = pathvalidate.sanitize_filename(certpath)
+      cert_full_path = os.path.join(EXTRA_CA_DIRECTORY, certpath)
+      config_provider.save_volume_file(cert_full_path, uploaded_file)
+      return '', 204
+
+    abort(403)
+
+  @nickname('deleteCustomCertificate')
+  @require_fresh_login
+  @require_scope(scopes.SUPERUSER)
+  @verify_not_prod
+  def delete(self, certpath):
+    if SuperUserPermission().can():
+      cert_full_path = os.path.join(EXTRA_CA_DIRECTORY, certpath)
+      config_provider.remove_volume_file(cert_full_path)
+      return '', 204
+
+    abort(403)
+
+
@resource('/v1/superuser/license')
@internal_only
@show_if(features.SUPER_USERS)