provider/digitalocean: Add support for certificates

Besides the support for DO certificates themselves, this commit also
includes:

1) A new `RandTLSCert` function that generates a valid, self-signed TLS
certificate to be used in the test
2) A fix for the PEM encoding of the private key generated in
`RandSSHKeyPair`: the PEM was always empty
This commit is contained in:
Caio Filipini 2017-05-16 12:40:33 +02:00
parent 6681a86211
commit 45ad54c816
3 changed files with 297 additions and 12 deletions

View File

@ -0,0 +1,119 @@
package digitalocean
import (
"context"
"fmt"
"log"
"github.com/digitalocean/godo"
"github.com/hashicorp/terraform/helper/schema"
)
func resourceDigitalOceanCertificate() *schema.Resource {
return &schema.Resource{
Create: resourceDigitalOceanCertificateCreate,
Read: resourceDigitalOceanCertificateRead,
Delete: resourceDigitalOceanCertificateDelete,
Schema: map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"private_key": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"leaf_certificate": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"certificate_chain": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"not_after": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
"sha1_fingerprint": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
},
},
}
}
func buildCertificateRequest(d *schema.ResourceData) (*godo.CertificateRequest, error) {
req := &godo.CertificateRequest{
Name: d.Get("name").(string),
PrivateKey: d.Get("private_key").(string),
LeafCertificate: d.Get("leaf_certificate").(string),
CertificateChain: d.Get("certificate_chain").(string),
}
return req, nil
}
func resourceDigitalOceanCertificateCreate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*godo.Client)
log.Printf("[INFO] Create a Certificate Request")
certReq, err := buildCertificateRequest(d)
if err != nil {
return err
}
log.Printf("[DEBUG] Certificate Create: %#v", certReq)
cert, _, err := client.Certificates.Create(context.Background(), certReq)
if err != nil {
return fmt.Errorf("Error creating Certificate: %s", err)
}
d.SetId(cert.ID)
return resourceDigitalOceanCertificateRead(d, meta)
}
func resourceDigitalOceanCertificateRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*godo.Client)
log.Printf("[INFO] Reading the details of the Certificate %s", d.Id())
cert, _, err := client.Certificates.Get(context.Background(), d.Id())
if err != nil {
return fmt.Errorf("Error retrieving Certificate: %s", err)
}
d.Set("name", cert.Name)
d.Set("not_after", cert.NotAfter)
d.Set("sha1_fingerprint", cert.SHA1Fingerprint)
return nil
}
func resourceDigitalOceanCertificateDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*godo.Client)
log.Printf("[INFO] Deleting Certificate: %s", d.Id())
_, err := client.Certificates.Delete(context.Background(), d.Id())
if err != nil {
return fmt.Errorf("Error deleting Certificate: %s", err)
}
d.SetId("")
return nil
}

View File

@ -0,0 +1,117 @@
package digitalocean
import (
"context"
"fmt"
"strings"
"testing"
"github.com/digitalocean/godo"
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
func TestAccDigitalOceanCertificate_Basic(t *testing.T) {
var cert godo.Certificate
rInt := acctest.RandInt()
leafCertMaterial, privateKeyMaterial, err := acctest.RandTLSCert("Acme Co")
if err != nil {
t.Fatalf("Cannot generate test TLS certificate: %s", err)
}
rootCertMaterial, _, err := acctest.RandTLSCert("Acme Go")
if err != nil {
t.Fatalf("Cannot generate test TLS certificate: %s", err)
}
certChainMaterial := fmt.Sprintf("%s\n%s", strings.TrimSpace(rootCertMaterial), leafCertMaterial)
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckDigitalOceanCertificateDestroy,
Steps: []resource.TestStep{
{
ExpectNonEmptyPlan: true,
Config: testAccCheckDigitalOceanCertificateConfig_basic(rInt, privateKeyMaterial, leafCertMaterial, certChainMaterial),
Check: resource.ComposeTestCheckFunc(
testAccCheckDigitalOceanCertificateExists("digitalocean_certificate.foobar", &cert),
resource.TestCheckResourceAttr(
"digitalocean_certificate.foobar", "name", fmt.Sprintf("certificate-%d", rInt)),
resource.TestCheckResourceAttr(
"digitalocean_certificate.foobar", "private_key", fmt.Sprintf("%s\n", privateKeyMaterial)),
resource.TestCheckResourceAttr(
"digitalocean_certificate.foobar", "leaf_certificate", fmt.Sprintf("%s\n", leafCertMaterial)),
resource.TestCheckResourceAttr(
"digitalocean_certificate.foobar", "certificate_chain", fmt.Sprintf("%s\n", certChainMaterial)),
),
},
},
})
}
func testAccCheckDigitalOceanCertificateDestroy(s *terraform.State) error {
client := testAccProvider.Meta().(*godo.Client)
for _, rs := range s.RootModule().Resources {
if rs.Type != "digitalocean_certificate" {
continue
}
_, _, err := client.Certificates.Get(context.Background(), rs.Primary.ID)
if err != nil && !strings.Contains(err.Error(), "404") {
return fmt.Errorf(
"Error waiting for certificate (%s) to be destroyed: %s",
rs.Primary.ID, err)
}
}
return nil
}
func testAccCheckDigitalOceanCertificateExists(n string, cert *godo.Certificate) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[n]
if !ok {
return fmt.Errorf("Not found: %s", n)
}
if rs.Primary.ID == "" {
return fmt.Errorf("No Certificate ID is set")
}
client := testAccProvider.Meta().(*godo.Client)
c, _, err := client.Certificates.Get(context.Background(), rs.Primary.ID)
if err != nil {
return err
}
if c.ID != rs.Primary.ID {
return fmt.Errorf("Certificate not found")
}
*cert = *c
return nil
}
}
func testAccCheckDigitalOceanCertificateConfig_basic(rInt int, privateKeyMaterial, leafCert, certChain string) string {
return fmt.Sprintf(`
resource "digitalocean_certificate" "foobar" {
name = "certificate-%d"
private_key = <<EOF
%s
EOF
leaf_certificate = <<EOF
%s
EOF
certificate_chain = <<EOF
%s
EOF
}`, rInt, privateKeyMaterial, leafCert, certChain)
}

View File

@ -1,13 +1,14 @@
package acctest package acctest
import ( import (
"bufio"
"bytes" "bytes"
crand "crypto/rand" crand "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"math/big"
"math/rand" "math/rand"
"strings" "strings"
"time" "time"
@ -58,23 +59,71 @@ func RandStringFromCharSet(strlen int, charSet string) string {
// RandSSHKeyPair generates a public and private SSH key pair. The public key is // RandSSHKeyPair generates a public and private SSH key pair. The public key is
// returned in OpenSSH format, and the private key is PEM encoded. // returned in OpenSSH format, and the private key is PEM encoded.
func RandSSHKeyPair(comment string) (string, string, error) { func RandSSHKeyPair(comment string) (string, string, error) {
privateKey, err := rsa.GenerateKey(crand.Reader, 1024) privateKey, privateKeyPEM, err := genPrivateKey()
if err != nil {
return "", "", err
}
var privateKeyBuffer bytes.Buffer
privateKeyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}
if err := pem.Encode(bufio.NewWriter(&privateKeyBuffer), privateKeyPEM); err != nil {
return "", "", err
}
publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey) publicKey, err := ssh.NewPublicKey(&privateKey.PublicKey)
if err != nil { if err != nil {
return "", "", err return "", "", err
} }
keyMaterial := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(publicKey))) keyMaterial := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(publicKey)))
return fmt.Sprintf("%s %s", keyMaterial, comment), privateKeyBuffer.String(), nil return fmt.Sprintf("%s %s", keyMaterial, comment), privateKeyPEM, nil
}
// RandTLSCert generates a self-signed TLS certificate with a newly created
// private key, and returns both the cert and the private key PEM encoded.
func RandTLSCert(orgName string) (string, string, error) {
template := &x509.Certificate{
SerialNumber: big.NewInt(int64(RandInt())),
Subject: pkix.Name{
Organization: []string{orgName},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
privateKey, privateKeyPEM, err := genPrivateKey()
if err != nil {
return "", "", err
}
cert, err := x509.CreateCertificate(crand.Reader, template, template, &privateKey.PublicKey, privateKey)
if err != nil {
return "", "", err
}
certPEM, err := pemEncode(cert, "CERTIFICATE")
if err != nil {
return "", "", err
}
return certPEM, privateKeyPEM, nil
}
func genPrivateKey() (*rsa.PrivateKey, string, error) {
privateKey, err := rsa.GenerateKey(crand.Reader, 1024)
if err != nil {
return nil, "", err
}
privateKeyPEM, err := pemEncode(x509.MarshalPKCS1PrivateKey(privateKey), "RSA PRIVATE KEY")
if err != nil {
return nil, "", err
}
return privateKey, privateKeyPEM, nil
}
func pemEncode(b []byte, block string) (string, error) {
var buf bytes.Buffer
pb := &pem.Block{Type: block, Bytes: b}
if err := pem.Encode(&buf, pb); err != nil {
return "", err
}
return buf.String(), nil
} }
// Seeds random with current timestamp // Seeds random with current timestamp