keystone store service cert

yunionio · Apr 22, 2020 · b682e1b · b682e1b
1 parent d9575b2
commit b682e1b
Show file tree

Hide file tree

Showing 15 changed files with 605 additions and 106 deletions.
diff --git a/cmd/climc/shell/endpoints.go b/cmd/climc/shell/endpoints.go
@@ -64,14 +64,15 @@ func init() {
 	})
 
 	type EndpointCreateOptions struct {
-		SERVICE   string `help:"Service ID or Name"`
-		REGION    string `help:"Region"`
-		INTERFACE string `help:"Interface types" choices:"internal|public|admin|console"`
-		URL       string `help:"URL"`
-		Zone      string `help:"Zone"`
-		Name      string `help:"Name"`
-		Enabled   bool   `help:"Enabled"`
-		Disabled  bool   `help:"Disabled"`
+		SERVICE            string `help:"Service ID or Name"`
+		REGION             string `help:"Region"`
+		INTERFACE          string `help:"Interface types" choices:"internal|public|admin|console"`
+		URL                string `help:"URL"`
+		Zone               string `help:"Zone"`
+		Name               string `help:"Name"`
+		Enabled            bool   `help:"Enabled"`
+		Disabled           bool   `help:"Disabled"`
+		ServiceCertificate string `help:"Service certificate id or name"`
 	}
 	R(&EndpointCreateOptions{}, "endpoint-create", "Create endpoint", func(s *mcclient.ClientSession, args *EndpointCreateOptions) error {
 		params := jsonutils.NewDict()
@@ -95,6 +96,9 @@ func init() {
 		} else if !args.Enabled && args.Disabled {
 			params.Add(jsonutils.JSONFalse, "enabled")
 		}
+		if len(args.ServiceCertificate) > 0 {
+			params.Add(jsonutils.NewString(args.ServiceCertificate), "service_certificate")
+		}
 		ep, err := modules.EndpointsV3.Create(s, params)
 		if err != nil {
 			return err
@@ -104,11 +108,12 @@ func init() {
 	})
 
 	type EndpointUpdateOptions struct {
-		ID       string `help:"ID or name of endpoint"`
-		Url      string `help:"URL"`
-		Name     string `help:"Name"`
-		Enabled  bool   `help:"Enabled"`
-		Disabled bool   `help:"Disabled"`
+		ID                 string `help:"ID or name of endpoint"`
+		Url                string `help:"URL"`
+		Name               string `help:"Name"`
+		Enabled            bool   `help:"Enabled"`
+		Disabled           bool   `help:"Disabled"`
+		ServiceCertificate string `help:"Service certificate id or name"`
 	}
 	R(&EndpointUpdateOptions{}, "endpoint-update", "Update a endpoint", func(s *mcclient.ClientSession, args *EndpointUpdateOptions) error {
 		params := jsonutils.NewDict()
@@ -123,6 +128,9 @@ func init() {
 		} else if !args.Enabled && args.Disabled {
 			params.Add(jsonutils.JSONFalse, "enabled")
 		}
+		if len(args.ServiceCertificate) > 0 {
+			params.Add(jsonutils.NewString(args.ServiceCertificate), "service_certificate")
+		}
 		ep, err := modules.EndpointsV3.Patch(s, args.ID, params)
 		if err != nil {
 			return err

diff --git a/cmd/climc/shell/servicecertificates.go b/cmd/climc/shell/servicecertificates.go
@@ -0,0 +1,60 @@
+package shell
+
+import (
+	"yunion.io/x/onecloud/pkg/mcclient"
+	"yunion.io/x/onecloud/pkg/mcclient/modules"
+	"yunion.io/x/onecloud/pkg/mcclient/options"
+)
+
+func init() {
+	R(&options.ServiceCertificateCreateOptions{}, "service-cert-create", "Create service cert", func(s *mcclient.ClientSession, opts *options.ServiceCertificateCreateOptions) error {
+		params, err := opts.Params()
+		if err != nil {
+			return err
+		}
+		cert, err := modules.ServiceCertificatesV3.Create(s, params)
+		if err != nil {
+			return err
+		}
+		printObject(cert)
+		return nil
+	})
+	type ServiceCertificateGetOptions struct {
+		ID string `json:"-"`
+	}
+	R(&ServiceCertificateGetOptions{}, "service-cert-show", "Show service cert", func(s *mcclient.ClientSession, opts *ServiceCertificateGetOptions) error {
+		cert, err := modules.ServiceCertificatesV3.Get(s, opts.ID, nil)
+		if err != nil {
+			return err
+		}
+		printObject(cert)
+		return nil
+	})
+
+	type ServiceCertificateListOptions struct {
+		options.BaseListOptions
+	}
+	R(&ServiceCertificateListOptions{}, "service-cert-list", "List service certs", func(s *mcclient.ClientSession, opts *ServiceCertificateListOptions) error {
+		params, err := options.ListStructToParams(opts)
+		if err != nil {
+			return err
+		}
+		result, err := modules.ServiceCertificatesV3.List(s, params)
+		if err != nil {
+			return err
+		}
+		printList(result, modules.ServiceCertificatesV3.GetColumns(s))
+		return nil
+	})
+	type ServiceCertificateDeleteOptions struct {
+		ID string `json:"-"`
+	}
+	R(&ServiceCertificateDeleteOptions{}, "service-cert-delete", "Delete service cert", func(s *mcclient.ClientSession, opts *ServiceCertificateDeleteOptions) error {
+		cert, err := modules.ServiceCertificatesV3.Delete(s, opts.ID, nil)
+		if err != nil {
+			return err
+		}
+		printObject(cert)
+		return nil
+	})
+}
diff --git a/pkg/apis/compute/zz_generated.model.go b/pkg/apis/compute/zz_generated.model.go
diff --git a/pkg/apis/identity/endpoint.go b/pkg/apis/identity/endpoint.go
@@ -19,10 +19,20 @@ import "yunion.io/x/onecloud/pkg/apis"
 type EndpointDetails struct {
 	apis.StandaloneResourceDetails
 	SEndpoint
+	CertificateDetails
 
 	// 服务名称,例如keystone, glance, region等
 	ServiceName string `json:"service_name"`
 
 	// 服务类型,例如identity, image, compute等
 	ServiceType string `json:"service_type"`
 }
+
+type CertificateDetails struct {
+	apis.SCertificateResourceBase
+	CertName string `json:"cert_name"`
+	CertId   string `json:"cert_id"`
+
+	CaCertificate string `json:"ca_certificate"`
+	CaPrivateKey  string `json:"ca_private_key"`
+}
diff --git a/pkg/apis/identity/zz_generated.model.go b/pkg/apis/identity/zz_generated.model.go
diff --git a/pkg/apis/zz_generated.model.go b/pkg/apis/zz_generated.model.go
diff --git a/pkg/cloudcommon/db/certificateresource.go b/pkg/cloudcommon/db/certificateresource.go
@@ -0,0 +1,20 @@
+package db
+
+import (
+	"time"
+)
+
+type SCertificateResourceBase struct {
+	Certificate string `create:"required" list:"user" update:"user"`
+	PrivateKey  string `create:"required" list:"admin" update:"user"`
+
+	// derived attributes
+	PublicKeyAlgorithm      string    `create:"optional" list:"user" update:"user"`
+	PublicKeyBitLen         int       `create:"optional" list:"user" update:"user"`
+	SignatureAlgorithm      string    `create:"optional" list:"user" update:"user"`
+	Fingerprint             string    `create:"optional" list:"user" update:"user"`
+	NotBefore               time.Time `create:"optional" list:"user" update:"user"`
+	NotAfter                time.Time `create:"optional" list:"user" update:"user"`
+	CommonName              string    `create:"optional" list:"user" update:"user"`
+	SubjectAlternativeNames string    `create:"optional" list:"user" update:"user"`
+}
diff --git a/pkg/cloudcommon/validators/validators_cert.go b/pkg/cloudcommon/validators/validators_cert.go
@@ -15,6 +15,7 @@
 package validators
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rsa"
@@ -24,8 +25,12 @@ import (
 	"encoding/pem"
 	"fmt"
 	"reflect"
+	"strings"
 
 	"yunion.io/x/jsonutils"
+
+	api "yunion.io/x/onecloud/pkg/apis/compute"
+	"yunion.io/x/onecloud/pkg/httperrors"
 )
 
 type ValidatorPEM struct {
@@ -372,3 +377,69 @@ func (v *ValidatorPrivateKey) MatchCertificate(cert *x509.Certificate) error {
 	}
 	return nil
 }
+
+type ValidatorCertKey struct {
+	*ValidatorCertificate
+	*ValidatorPrivateKey
+
+	certPubKeyAlgo string
+}
+
+func NewCertKeyValidator(cert, key string) *ValidatorCertKey {
+	return &ValidatorCertKey{
+		ValidatorCertificate: NewCertificateValidator(cert),
+		ValidatorPrivateKey:  NewPrivateKeyValidator(key),
+	}
+}
+
+func (v *ValidatorCertKey) Validate(data *jsonutils.JSONDict) error {
+	keyV := map[string]IValidator{
+		"certificate": v.ValidatorCertificate,
+		"private_key": v.ValidatorPrivateKey,
+	}
+	for _, v := range keyV {
+		if err := v.Validate(data); err != nil {
+			return err
+		}
+	}
+	cert := v.ValidatorCertificate.Certificates[0]
+	var certPubKeyAlgo string
+	{
+		// x509.PublicKeyAlgorithm.String() is only available since go1.10
+		switch cert.PublicKeyAlgorithm {
+		case x509.RSA:
+			certPubKeyAlgo = api.LB_TLS_CERT_PUBKEY_ALGO_RSA
+		case x509.ECDSA:
+			certPubKeyAlgo = api.LB_TLS_CERT_PUBKEY_ALGO_ECDSA
+		default:
+			certPubKeyAlgo = fmt.Sprintf("algo %#v", cert.PublicKeyAlgorithm)
+		}
+		if !api.LB_TLS_CERT_PUBKEY_ALGOS.Has(certPubKeyAlgo) {
+			return httperrors.NewInputParameterError("invalid cert pubkey algorithm: %s, want %s",
+				certPubKeyAlgo, api.LB_TLS_CERT_PUBKEY_ALGOS.String())
+		}
+	}
+	v.certPubKeyAlgo = certPubKeyAlgo
+	if err := v.ValidatorPrivateKey.MatchCertificate(cert); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (v *ValidatorCertKey) UpdateCertKeyInfo(ctx context.Context, data *jsonutils.JSONDict) *jsonutils.JSONDict {
+	cert := v.ValidatorCertificate.Certificates[0]
+	// NOTE subject alternative names also includes email, url, ip addresses,
+	// but we ignore them here.
+	//
+	// NOTE we use white space to separate names
+	data.Set("common_name", jsonutils.NewString(cert.Subject.CommonName))
+	data.Set("subject_alternative_names", jsonutils.NewString(strings.Join(cert.DNSNames, " ")))
+
+	data.Set("not_before", jsonutils.NewTimeString(cert.NotBefore))
+	data.Set("not_after", jsonutils.NewTimeString(cert.NotAfter))
+	data.Set("public_key_algorithm", jsonutils.NewString(v.certPubKeyAlgo))
+	data.Set("public_key_bit_len", jsonutils.NewInt(int64(v.ValidatorCertificate.PublicKeyBitLen())))
+	data.Set("signature_algorithm", jsonutils.NewString(cert.SignatureAlgorithm.String()))
+	data.Set("fingerprint", jsonutils.NewString(api.LB_TLS_CERT_FINGERPRINT_ALGO_SHA256+":"+v.ValidatorCertificate.FingerprintSha256String()))
+	return data
+}