slapos_cloud: use caucase webservice for certificate management

master/bt5/slapos_cloud/DocumentTemplateItem/portal_components/document.erp5.Person.py

@@ -2,9 +2,16 @@ from AccessControl import ClassSecurityInfo, Unauthorized, getSecurityManager
 from Products.ERP5.Document.Person import Person as ERP5Person
 from Products.ERP5Type import Permissions
 
+class UserCertificateNotFound(Exception):
+  """Exception raised when certificate is not found"""
+  pass
+
+class UserCertificateFound(Exception):
+  """Exception raised when certificate is found"""
+  pass
+
 class Person(ERP5Person):
   security = ClassSecurityInfo()
-  security.declarePublic('getCertificate')
 
   def _checkCertificateRequest(self):
     try:
@@ -19,24 +26,46 @@ class Person(ERP5Person):
       if getSecurityManager().getUser().getId() != reference:
         raise
 
-  def _getCertificate(self):
-    return self.getPortalObject().portal_certificate_authority\
-      .getNewCertificate(self.getReference())
+  security.declarePublic('signCertificate')
+  def signCertificate(self, csr):
+    """Send csr for certificate signature"""
+    self._checkCertificateRequest()
+    if self.getDestinationReference():
+      raise UserCertificateFound("A Certificate already exists, please revoke it first!")
+    ca_service = self.getPortalObject().portal_web_services.caucase_adapter
+    csr_id = ca_service.putCertificateSigningRequest(csr)
 
-  def _revokeCertificate(self):
-    return self.getPortalObject().portal_certificate_authority\
-      .revokeCertificateByCommonName(self.getReference())
+    # Sign the csr immediately
+    crt_id, url = ca_service.signCertificate(csr_id)
+    self.setDestinationReference(crt_id)
+    return crt_id, url
 
+  security.declarePublic('getCertificate')
   def getCertificate(self):
-    """Returns new SSL certificate"""
+    """Returns existing SSL certificate"""
     self._checkCertificateRequest()
-    return self._getCertificate()
+    crt_id = self.getDestinationReference()
+    if crt_id:
+      return self.getPortalObject().portal_web_services.caucase_adapter\
+        .getCertificate(crt_id)
+    raise UserCertificateNotFound(
+      "No certificate set for the user %s" % self.getReference()
+    )
 
   security.declarePublic('revokeCertificate')
   def revokeCertificate(self):
     """Revokes existing certificate"""
     self._checkCertificateRequest()
-    self._revokeCertificate()
+    crt_id = self.getDestinationReference()
+    if crt_id:
+      response = self.getPortalObject().portal_web_services.caucase_adapter\
+        .revokeCertificate(crt_id)
+      # Remove Destination Reference
+      self.setDestinationReference("")
+      return response.read()
+    raise UserCertificateNotFound(
+      "No certificate set for the user %s" % self.getReference()
+    )
 
   security.declareProtected(Permissions.AccessContentsInformation,
                             'getTitle')

master/bt5/slapos_cloud/DocumentTemplateItem/portal_components/document.erp5.Person.xml

@@ -6,10 +6,22 @@
     </pickle>
     <pickle>
       <dictionary>
+        <item>
+            <key> <string>_recorded_property_dict</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>default_reference</string> </key>
             <value> <string>Person</string> </value>
         </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>document.erp5.Person</string> </value>
@@ -43,13 +55,28 @@
         <item>
             <key> <string>workflow_history</string> </key>
             <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
             </value>
         </item>
       </dictionary>
     </pickle>
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
     <pickle>
       <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
@@ -62,7 +89,7 @@
                 <item>
                     <key> <string>component_validation_workflow</string> </key>
                     <value>
-                      <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
                     </value>
                 </item>
               </dictionary>
@@ -71,7 +98,7 @@
       </dictionary>
     </pickle>
   </record>
-  <record id="3" aka="AAAAAAAAAAM=">
+  <record id="4" aka="AAAAAAAAAAQ=">
     <pickle>
       <global name="WorkflowHistoryList" module="Products.ERP5Type.patches.WorkflowTool"/>
     </pickle>

master/bt5/slapos_cloud/WorkflowTemplateItem/portal_workflow/computer_slap_interface_workflow/scripts/Computer_generateCertificate.py

 computer = state_change['object']
+# Get required arguments
+kwargs = state_change.kwargs
+
+try:
+  certificate_signature_request = kwargs["csr"]
+except KeyError, e:
+  raise TypeError("Computer_generateCertificate takes exactly 1 argument: %s" % str(e))
 
 if computer.getDestinationReference() is not None:
   context.REQUEST.set("computer_certificate", None)
-  context.REQUEST.set("computer_key", None)
+  context.REQUEST.set("computer_certificate_url", None)
   raise ValueError('Certificate still active.')
 
-ca = context.getPortalObject().portal_certificate_authority
-certificate_dict = ca.getNewCertificate(computer.getReference())
+ca_service = context.getPortalObject().portal_web_services.caucase_adapter
+csr_id = ca_service.putCertificateSigningRequest(certificate_signature_request)
+# Sign the csr immediately
+crt_id, url = ca_service.signCertificate(csr_id)
+certificate = ca_service.getCertificate(crt_id)
 
-computer.setDestinationReference(certificate_dict["id"])
+computer.setDestinationReference(crt_id)
 
-context.REQUEST.set("computer_certificate", certificate_dict["certificate"])
-context.REQUEST.set("computer_key", certificate_dict["key"])
+context.REQUEST.set("computer_certificate", certificate)
+context.REQUEST.set("computer_certificate_url", url)

master/bt5/slapos_cloud/WorkflowTemplateItem/portal_workflow/computer_slap_interface_workflow/scripts/Computer_generateCertificate.xml

@@ -52,6 +52,14 @@
             <key> <string>_params</string> </key>
             <value> <string>state_change</string> </value>
         </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Computer_generateCertificate</string> </value>

master/bt5/slapos_cloud/WorkflowTemplateItem/portal_workflow/computer_slap_interface_workflow/scripts/Computer_revokeCertificate.py

 computer = state_change['object']
 context.REQUEST.set('computer_certificate', None)
-context.REQUEST.set('computer_key', None)
+context.REQUEST.set('computer_certificate_url', None)
 destination_reference = computer.getDestinationReference()
 if destination_reference is None:
   raise ValueError('No certificate')
-context.getPortalObject().portal_certificate_authority.revokeCertificate(destination_reference)
+context.getPortalObject().portal_web_services.caucase_adapter\
+  .revokeCertificate(destination_reference)
 computer.setDestinationReference(None)