From 6ff92492d2d1712443fa2bef73f28bd8b8554e23 Mon Sep 17 00:00:00 2001
From: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Date: Tue, 6 Oct 2020 14:49:21 +0200
Subject: [OOM-K8S-CERT-EXTERNAL-PROVIDER] Create mock implementation

This project is a GOlang implementation of an external provider for kubernetes cert-manager.
External provider will use OOM CertService as backend signing CA.
Mock implementation only logs intent of certificate signing.
In order to provide the ultimate implemenatation please extend file 'certservice-provisioner.go'.

Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ib3de4ca4c54424042ddaa50507375815cc3da7f4
---
 .../certservice-provisioner.go                     | 165 ++++++++++++++++++++-
 1 file changed, 161 insertions(+), 4 deletions(-)

(limited to 'certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go')

diff --git a/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go b/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go
index 5648082a..627c2d42 100644
--- a/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go
+++ b/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go
@@ -1,7 +1,164 @@
-package certservice_provisioner
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (c) 2019 Smallstep Labs, Inc.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
 
-import "fmt"
+package provisioners
 
-func SignCertificate() {
-	fmt.Println("--> This method is currently a stub.")
+import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
+	"k8s.io/apimachinery/pkg/types"
+	"onap.org/oom-certservice/k8s-external-provider/src/api"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sync"
+)
+
+var collection = new(sync.Map)
+
+type CertServiceCA struct {
+	name string
+	url  string
+	key  []byte
+}
+
+func New(iss *api.CertServiceIssuer, key []byte) (*CertServiceCA, error) {
+
+	ca := CertServiceCA{}
+	ca.name = iss.Name
+	ca.url = iss.Spec.URL
+	ca.key = key
+
+	log := ctrl.Log.WithName("certservice-provisioner")
+	log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "key", ca.key)
+
+	return &ca, nil
+}
+
+func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
+	v, ok := collection.Load(namespacedName)
+	if !ok {
+		return nil, ok
+	}
+	p, ok := v.(*CertServiceCA)
+	return p, ok
+}
+
+func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
+	collection.Store(namespacedName, provisioner)
+}
+
+func (ca *CertServiceCA) Sign(ctx context.Context, cr *certmanager.CertificateRequest) ([]byte, []byte, error) {
+	log := ctrl.Log.WithName("certservice-provisioner")
+	log.Info("Signing certificate: ", "cert-name", cr.Name)
+
+	key, _ := base64.RawStdEncoding.DecodeString(string(ca.key))
+	log.Info("CA: ", "name", ca.name, "url", ca.url, "key", key)
+
+	crPEM := cr.Spec.CSRPEM
+	csrBase64 := crPEM
+	log.Info("Csr PEM: ", "bytes", csrBase64)
+
+	csr, err := decodeCSR(crPEM)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert := x509.Certificate{}
+	cert.Raw = csr.Raw
+
+	// TODO
+	// write here code which will call CertServiceCA and sign CSR
+	// END
+
+	encodedPEM, err := encodeX509(&cert)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	signedPEM := encodedPEM
+	trustedCA := encodedPEM
+
+	log.Info("Successfully signed: ", "cert-name", cr.Name)
+	log.Info("Signed cert PEM: ", "bytes", signedPEM)
+	log.Info("Trusted CA  PEM: ", "bytes", trustedCA)
+
+	return signedPEM, trustedCA, nil
+}
+
+// TODO JM utility methods - will be used in "real" implementation
+
+// decodeCSR decodes a certificate request in PEM format and returns the
+func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
+	block, rest := pem.Decode(data)
+	if block == nil || len(rest) > 0 {
+		return nil, fmt.Errorf("unexpected CSR PEM on sign request")
+	}
+	if block.Type != "CERTIFICATE REQUEST" {
+		return nil, fmt.Errorf("PEM is not a certificate request")
+	}
+	csr, err := x509.ParseCertificateRequest(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing certificate request: %v", err)
+	}
+	if err := csr.CheckSignature(); err != nil {
+		return nil, fmt.Errorf("error checking certificate request signature: %v", err)
+	}
+	return csr, nil
+}
+
+// encodeX509 will encode a *x509.Certificate into PEM format.
+func encodeX509(cert *x509.Certificate) ([]byte, error) {
+	caPem := bytes.NewBuffer([]byte{})
+	err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	if err != nil {
+		return nil, err
+	}
+	return caPem.Bytes(), nil
+}
+
+// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
+// CSRs generated by the Certificate resource have always those SANs. If no SANs
+// are available `certservice-issuer-certificate` will be used as a subject is always
+// required.
+func generateSubject(sans []string) string {
+	if len(sans) == 0 {
+		return "certservice-issuer-certificate"
+	}
+	for _, s := range sans {
+		if s != "127.0.0.1" && s != "localhost" {
+			return s
+		}
+	}
+	return sans[0]
+}
+
+func decode(cert string) []byte {
+	bytes, _ := base64.RawStdEncoding.DecodeString(cert)
+	return bytes
 }
-- 
cgit 1.2.3-korg