Skip to content
This repository was archived by the owner on May 6, 2020. It is now read-only.

feat(api): validate a certificate's private key #1157

Merged
merged 1 commit into from
Jan 4, 2017
Merged

feat(api): validate a certificate's private key #1157

merged 1 commit into from
Jan 4, 2017

Conversation

bacongobbler
Copy link
Member

closes #1155

@bacongobbler bacongobbler added this to the v2.10 milestone Dec 7, 2016
@bacongobbler bacongobbler self-assigned this Dec 7, 2016
@deis-bot
Copy link

deis-bot commented Dec 7, 2016

@helgi and @Joshua-Anderson are potential reviewers of this pull request based on my analysis of git blame information. Thanks @bacongobbler!

@bacongobbler
Copy link
Member Author

@ineu feel free to give this one a try. It should fix your issue.

@codecov-io
Copy link

codecov-io commented Dec 8, 2016
edited
Loading

Current coverage is 87.32% (diff: 100%)

No coverage report found for master at 30ab1d3.

Powered by Codecov. Last update 30ab1d3...be44896

@ineu
Copy link

ineu commented Dec 8, 2016

Thanks @bacongobbler, going to try. Could you please point me to some documentation on how to update a single component? And also is there some kind of automatic build or do I need to build a Docker image from the repo?

@bacongobbler
Copy link
Member Author

You can just use the image CI built and uploaded to quay.io. After installing v2.9.0, try

kubectl --namespace=deis edit deployment deis-controller

Change the image to quay.io/deisci/controller:git-5b890a2 and Bob's your uncle.

mboersma
mboersma reviewed Dec 8, 2016
View reviewed changes
rootfs/api/tests/test_certificate.py
{
'name': 'random-test-cert',
'certificate': self.cert,
'key': 'I am Groot.'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😺

mboersma
mboersma reviewed Dec 8, 2016
View reviewed changes
rootfs/api/models/certificate.py
@@ -106,14 +113,23 @@ def domains(self):
def __str__(self):
return self.name

def _get_certificate(self):
def _load_certificate(self):
try:
Copy link
Member

@mboersma mboersma Dec 8, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't this be a bit more DRY if it just called validate_private_key(self.certificate) from above and re-raised ValidationError as SuspiciousOperation? I guess validate_private_key would need to return the key as well then.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be, absolutely. I can refactor this.

@ineu
Copy link

ineu commented Dec 9, 2016

Tried it:

> $ deis certs:add foo bundle.crt bundle.crt
Adding SSL endpoint... Error: Unknown Error (400): {"key":["Could not load private key: []"]}

So if you upload something other but the correct private key it throws an error, as expected.

Though it's not the problem I've faced in #1155. I think to completely cover the cases when nginx would print an error (and fail to start) following usecases should be taken into account:

  1. User uploads incorrect private key: Fixed by this PR
  2. User uploads private key not matching the certificate (my case from Validate certificate on certs:add #1155)
  3. User joins cert and intermediate cert in the wrong order.

@bacongobbler
Copy link
Member Author

Thank you for providing your use cases. It wasn't clear in the original ticket.

If you feel like hacking on some tests/fixes for this in another PR that'd be great. I'll keep your ticket open in the meantime.

@bacongobbler bacongobbler force-pushed the validate-private-key branch 2 times, most recently from 37d014a to 3b80f77 Compare December 15, 2016 00:57
@vdice vdice added the LGTM1 label Dec 15, 2016
@bacongobbler bacongobbler merged commit 805a455 into deis:master Jan 4, 2017
@bacongobbler bacongobbler deleted the validate-private-key branch January 4, 2017 02:02
@bacongobbler bacongobbler mentioned this pull request Jan 11, 2017
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mboersma mboersma mboersma left review comments

Assignees

@bacongobbler bacongobbler

Labels
enhancement LGTM1 LGTM2
Projects
None yet
Milestone
v2.10
Development

Successfully merging this pull request may close these issues.

Validate certificate on certs:add
6 participants
@bacongobbler @deis-bot @codecov-io @ineu @mboersma @vdice