feat: add tls certificates per app support to tls certificates interf…
…ace (#172)

Signed-off-by: guillaume <[email protected]>
gruyaume authored Oct 10, 2024
1 parent 25373b1 commit 81cd7c5
Showing 6 changed files with 293 additions and 130 deletions.
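--- a/docs/json_schemas/tls_certificates/v1/provider.json
+++ b/docs/json_schemas/tls_certificates/v1/provider.json
@@ -0,0 +1,122 @@
+{
+"$defs": {
+"BaseModel": {
+"properties": {},
+"title": "BaseModel",
+"type": "object"
+},
+"Certificate": {
+"description": "Certificate model.",
+"properties": {
+"ca": {
+"description": "The signing certificate authority.",
+"title": "Ca",
+"type": "string"
+},
+"certificate_signing_request": {
+"description": "Certificate signing request.",
+"title": "Certificate Signing Request",
+"type": "string"
+},
+"certificate": {
+"description": "Certificate.",
+"title": "Certificate",
+"type": "string"
+},
+"chain": {
+"anyOf": [
+{
+"items": {
+"type": "string"
+},
+"type": "array"
+},
+{
+"type": "null"
+}
+],
+"description": "List of certificates in the chain.",
+"title": "Chain"
+},
+"recommended_expiry_notification_time": {
+"anyOf": [
+{
+"type": "integer"
+},
+{
+"type": "null"
+}
+],
+"description": "Recommended expiry notification time in seconds.",
+"title": "Recommended Expiry Notification Time"
+},
+"revoked": {
+"anyOf": [
+{
+"type": "boolean"
+},
+{
+"type": "null"
+}
+],
+"description": "Whether the certificate is revoked.",
+"title": "Revoked"
+}
+},
+"required": [
+"ca",
+"certificate_signing_request",
+"certificate",
+"chain",
+"recommended_expiry_notification_time",
+"revoked"
+],
+"title": "Certificate",
+"type": "object"
+},
+"ProviderApplicationData": {
+"description": "Provider application data model.",
+"properties": {
+"certificates": {
+"contentMediaType": "application/json",
+"contentSchema": {
+"items": {
+"$ref": "#/$defs/Certificate"
+},
+"type": "array"
+},
+"description": "List of certificates.",
+"title": "Certificates",
+"type": "string"
+}
+},
+"required": [
+"certificates"
+],
+"title": "ProviderApplicationData",
+"type": "object"
+}
+},
+"description": "Provider schema for TLS Certificates.",
+"properties": {
+"unit": {
+"anyOf": [
+{
+"$ref": "#/$defs/BaseModel"
+},
+{
+"type": "null"
+}
+],
+"default": null
+},
+"app": {
+"$ref": "#/$defs/ProviderApplicationData"
+}
+},
+"required": [
+"app"
+],
+"title": "ProviderSchema",
+"type": "object"
+}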
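--- a/docs/json_schemas/tls_certificates/v1/requirer.json
+++ b/docs/json_schemas/tls_certificates/v1/requirer.json
@@ -0,0 +1,69 @@
+{
+"$defs": {
+"CertificateSigningRequest": {
+"description": "Certificate signing request model.",
+"properties": {
+"certificate_signing_request": {
+"description": "Certificate signing request.",
+"title": "Certificate Signing Request",
+"type": "string"
+},
+"ca": {
+"anyOf": [
+{
+"type": "boolean"
+},
+{
+"type": "null"
+}
+],
+"description": "Whether the certificate is a CA.",
+"title": "Ca"
+}
+},
+"required": [
+"certificate_signing_request",
+"ca"
+],
+"title": "CertificateSigningRequest",
+"type": "object"
+},
+"RequirerData": {
+"description": "Requirer data model.\n\nThe same model is used for the unit and application data.",
+"properties": {
+"certificate_signing_requests": {
+"contentMediaType": "application/json",
+"contentSchema": {
+"items": {
+"$ref": "#/$defs/CertificateSigningRequest"
+},
+"type": "array"
+},
+"description": "List of certificate signing requests.",
+"title": "Certificate Signing Requests",
+"type": "string"
+}
+},
+"required": [
+"certificate_signing_requests"
+],
+"title": "RequirerData",
+"type": "object"
+}
+},
+"description": "Requirer schema for TLS Certificates.",
+"properties": {
+"unit": {
+"$ref": "#/$defs/RequirerData"
+},
+"app": {
+"$ref": "#/$defs/RequirerData"
+}
+},
+"required": [
+"unit",
+"app"
+],
+"title": "RequirerSchema",
+"type": "object"
+}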
5 changes: 1 addition & 4 deletions interfaces/tls_certificates/v1/README.md
Expand Up @@ -27,6 +27,7 @@ compatible with the interface.
- Is expected to generate (or use an existing) private-key
- Is expected to provide a list of CSR's for which it requires certificates
- Is expected to specify whether the certificate request is for a Certificate Authority (CA) or not
- Is expected to use the appropriate databag depending on whether the Certificate is meant to be used by the unit or by the application.
- Is expected to stop using a certificate when revoked by the Provider

### Provider
Expand All @@ -40,8 +41,6 @@ compatible with the interface.

### Requirer

[\[JSON Schema\]](./schemas/requirer.json)

The requirer specifies a set of certificate signing requests (CSR's).

#### Example
Expand All @@ -64,8 +63,6 @@ The requirer specifies a set of certificate signing requests (CSR's).

### Provider

[\[JSON Schema\]](./schemas/provider.json)

The provider replies with a certificate, a CA Certificate and a CA chain for each of the
Certificate Signing Requests requested by the requirer.

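--- a/interfaces/tls_certificates/v1/schema.py
+++ b/interfaces/tls_certificates/v1/schema.py
@@ -0,0 +1,101 @@
+"""
+This file defines the schemas for the provider and requirer sides of the `tls_certificates` interface.
+It exposes two interfaces.schema_base.DataBagSchema subclasses called:
+- ProviderSchema
+- RequirerSchema
+Examples:
+ProviderSchema:
+unit: <empty>
+app: {
+"certificates": [
+{
+"ca": "-----BEGIN CERTIFICATE----- ...",
+"chain": [
+"-----BEGIN CERTIFICATE----- ...",
+"-----BEGIN CERTIFICATE----- ..."
+],
+"certificate_signing_request": "-----BEGIN CERTIFICATE REQUEST----- ...",
+"certificate": "-----BEGIN CERTIFICATE----- ..."
+}
+]
+}
+RequirerSchema:
+unit: {
+"certificate_signing_requests": [
+{
+"certificate_signing_request": "-----BEGIN CERTIFICATE REQUEST----- ...",
+"ca": true
+}
+]
+}
+app: <empty>
+"""
+
+from typing import List, Optional
+from pydantic import BaseModel, Field, Json
+from interface_tester.schema_base import DataBagSchema
+
+
+class Certificate(BaseModel):
+"""Certificate model."""
+ca: str = Field(
+description="The signing certificate authority."
+)
+certificate_signing_request: str = Field(
+description="Certificate signing request."
+)
+certificate: str = Field(
+description="Certificate."
+)
+chain: Optional[List[str]] = Field(
+description="List of certificates in the chain."
+)
+recommended_expiry_notification_time: Optional[int] = Field(
+description="Recommended expiry notification time in seconds."
+)
+revoked: Optional[bool] = Field(
+description="Whether the certificate is revoked."
+)
+
+
+class CertificateSigningRequest(BaseModel):
+"""Certificate signing request model."""
+certificate_signing_request: str = Field(
+description="Certificate signing request."
+)
+ca: Optional[bool] = Field(
+description="Whether the certificate is a CA."
+)
+
+
+class ProviderApplicationData(BaseModel):
+"""Provider application data model."""
+certificates: Json[List[Certificate]] = Field(
+description="List of certificates."
+)
+
+
+class RequirerData(BaseModel):
+"""Requirer data model.
+The same model is used for the unit and application data.
+"""
+
+certificate_signing_requests: Json[List[CertificateSigningRequest]] = Field(
+description="List of certificate signing requests."
+)
+
+
+class ProviderSchema(DataBagSchema):
+"""Provider schema for TLS Certificates."""
+
+app: ProviderApplicationData
+
+
+class RequirerSchema(DataBagSchema):
+"""Requirer schema for TLS Certificates."""
+
+app: RequirerData
+unit: RequirerData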
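Review bot: The `app` and `unit` fields of `RequirerSchema` at the end of the hunk are declared without defaults, so both databags become mandatory (the generated `requirer.json` in this same commit lists `"required": ["unit", "app"]`), which contradicts the module docstring example `app: <empty>` and the README rule that a requirer fills only the databag matching the certificate's scope; a requirer that publishes CSRs in its unit databag alone would fail interface validation. Declaring them as `app: Optional[RequirerData] = None` and `unit: Optional[RequirerData] = None` matches the documented contract, and the interface tests can still check that at least one databag carries CSRs. Separately, `CertificateSigningRequest.ca` is `Optional[bool]` although the README says the requirer is expected to state whether the request is for a CA; because a CA-capable certificate is the high-impact outcome, the field description should pin the safe default, e.g. `description="Whether the certificate is a CA. A null value must be treated as False."` — how a provider handles null today is not visible in this commit, so the intent needs to be stated here rather than assumed.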