F5Networks · zhang-shengping · Jul 9, 2019
diff --git a/.DS_Store b/.DS_Store
diff --git a/app/waf/src/components.ts b/app/waf/src/components.ts
@@ -21,6 +21,7 @@ import {
   ComputeManagerV2,
   IdentityServiceProvider,
   AuthWithOSIdentity,
+  BarbicanManagerV1,
 } from './services';
 import {NetworkDriver} from './services/network.service';
 import {WafBindingKeys} from './keys';
@@ -76,10 +77,19 @@ export class OpenStackComponent implements Component {
     return await new ComputeManagerV2(this.application).bindComputeService();
   });
 
+  bindingBarbican = Binding.bind(WafBindingKeys.SecretManager).toDynamicValue(
+    async () => {
+      return await new BarbicanManagerV1(
+        this.application,
+      ).bindBarbicanService();
+    },
+  );
+
   bindings = [
     this.bindingSolveAdminToken,
     this.bindingAuthMgr,
     this.bindingNetwork,
     this.bindingCompute,
+    this.bindingBarbican,
   ];
 }
diff --git a/app/waf/src/controllers/certificate.controller.ts b/app/waf/src/controllers/certificate.controller.ts
@@ -0,0 +1,145 @@
+/**
+ * Copyright 2019 F5 Networks, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {Filter, repository} from '@loopback/repository';
+import {
+  post,
+  param,
+  get,
+  getFilterSchemaFor,
+  patch,
+  del,
+  requestBody,
+  HttpErrors,
+  RequestContext,
+  RestBindings,
+} from '@loopback/rest';
+import {Certificate} from '../models';
+import {CertificateRepository} from '../repositories';
+import {Schema, Response, CollectionResponse} from '.';
+import {BaseController} from './base.controller';
+import {inject} from '@loopback/core';
+
+const prefix = '/adcaas/v1';
+const createDesc: string = 'Certificate resource that need to be created';
+const updateDesc: string =
+  'Certificate resource properties that need to be updated';
+
+export class CertificateController extends BaseController {
+  constructor(
+    @repository(CertificateRepository)
+    public certificateRepository: CertificateRepository,
+    @inject(RestBindings.Http.CONTEXT)
+    protected reqCxt: RequestContext,
+  ) {
+    super(reqCxt);
+  }
+
+  @post(prefix + '/certificates', {
+    responses: {
+      '200': Schema.response(
+        Certificate,
+        'Successfully create Certificate resource',
+      ),
+      '400': Schema.badRequest('Invalid Certificate resource'),
+      '422': Schema.unprocessableEntity('Unprocessable Certificate resource'),
+    },
+  })
+  async create(
+    @requestBody(Schema.createRequest(Certificate, createDesc))
+    reqBody: Partial<Certificate>,
+  ): Promise<Response> {
+    try {
+      reqBody.tenantId = await this.tenantId;
+      const data = await this.certificateRepository.create(reqBody);
+      return new Response(Certificate, data);
+    } catch (error) {
+      throw new HttpErrors.BadRequest(error.message);
+    }
+  }
+
+  @get(prefix + '/certificates', {
+    responses: {
+      '200': Schema.collectionResponse(
+        Certificate,
+        'Successfully retrieve Certificate resources',
+      ),
+    },
+  })
+  async find(
+    @param.query.object('filter', getFilterSchemaFor(Certificate))
+    filter?: Filter,
+  ): Promise<CollectionResponse> {
+    let data = await this.certificateRepository.find(filter, {
+      tenantId: await this.tenantId,
+    });
+    return new CollectionResponse(Certificate, data);
+  }
+
+  @get(prefix + '/certificates/{certificateId}', {
+    responses: {
+      responses: {
+        '200': Schema.response(
+          Certificate,
+          'Successfully retrieve Certificate resource',
+        ),
+        '404': Schema.notFound('Can not find Certificate resource'),
+      },
+    },
+  })
+  async findById(
+    @param(Schema.pathParameter('certificateId', 'Certificate resource ID'))
+    id: string,
+  ): Promise<Response> {
+    const data = await this.certificateRepository.findById(id, undefined, {
+      tenantId: await this.tenantId,
+    });
+    return new Response(Certificate, data);
+  }
+
+  @patch(prefix + '/certificates/{certificateId}', {
+    responses: {
+      '204': Schema.emptyResponse('Successfully update Certificate resource'),
+      '404': Schema.notFound('Can not find Certificate resource'),
+    },
+  })
+  async updateById(
+    @param(Schema.pathParameter('certificateId', 'Certificate resource ID'))
+    id: string,
+    @requestBody(Schema.updateRequest(Certificate, updateDesc))
+    certificate: Certificate,
+  ): Promise<void> {
+    console.log(id);
+    await this.certificateRepository.updateById(id, certificate, {
+      tenantId: await this.tenantId,
+    });
+  }
+
+  @del(prefix + '/certificates/{certificateId}', {
+    responses: {
+      '204': Schema.emptyResponse('Successfully delete Certificate resource'),
+      '404': Schema.notFound('Can not find Certificate resource'),
+    },
+  })
+  async deleteById(
+    @param(Schema.pathParameter('certificateId', 'Certificate resource ID'))
+    id: string,
+  ): Promise<void> {
+    await this.certificateRepository.deleteById(id, {
+      tenantId: await this.tenantId,
+    });
+  }
+}
diff --git a/app/waf/src/controllers/declaration.controller.ts b/app/waf/src/controllers/declaration.controller.ts
@@ -39,6 +39,8 @@ import {
   AS3DeployRequest,
   Adc,
   AS3Declaration,
+  TLSServerCertificate,
+  Certificate,
 } from '../models';
 import {inject, CoreBindings} from '@loopback/core';
 import {
@@ -54,6 +56,8 @@ import {
   RuleRepository,
   ActionRepository,
   AdcRepository,
+  TLSserverRepository,
+  CertificateRepository,
 } from '../repositories';
 import {BaseController, Schema, Response, CollectionResponse} from '.';
 import {ASGManager, PortsUpdateParams} from '../services';
@@ -92,7 +96,10 @@ export class DeclarationController extends BaseController {
     public actionRepository: ActionRepository,
     @repository(AdcRepository)
     public adcRepository: AdcRepository,
-    //Suppress get injection binding exeption by using {optional: true}
+    @repository(TLSserverRepository)
+    public tlsserverRepository: TLSserverRepository,
+    @repository(CertificateRepository)
+    public certificateRepository: CertificateRepository,
     @inject(RestBindings.Http.CONTEXT, {optional: true})
     protected reqCxt: RequestContext,
     @inject(CoreBindings.APPLICATION_INSTANCE)
@@ -117,6 +124,15 @@ export class DeclarationController extends BaseController {
       await this.loadPool(service.defaultPool);
     }
 
+    if (service.serverTLS) {
+      service.serverTLSContent = await this.tlsserverRepository.findById(
+        service.serverTLS,
+      );
+      if (service.serverTLSContent.certificates) {
+        await this.loadCertificateIndex(service.serverTLSContent.certificates);
+      }
+    }
+
     let assocs = await this.serviceEndpointpolicyAssociationRepository.find({
       where: {
         serviceId: service.id,
@@ -137,6 +153,67 @@ export class DeclarationController extends BaseController {
     }
   }
 
+  private async loadCertificateIndex(
+    certificates: TLSServerCertificate[],
+  ): Promise<void> {
+    for (let cert of certificates) {
+      const certList = await this.certificateRepository.find({
+        where: {
+          id: cert.certificate,
+        },
+      });
+
+      if (certList.length === 0) {
+        throw new HttpErrors.NotFound(
+          `Cannot find certificate ${cert.certificate}`,
+        );
+      }
+      cert.certContent = certList[0];
+
+      await this.loadCertificateData(cert.certContent);
+    }
+  }
+
+  private async loadCertificateData(certificate: Certificate) {
+    let userToken = await this.reqCxt.get(WafBindingKeys.Request.KeyUserToken);
+    let barbicanMgr = await this.wafapp.get(WafBindingKeys.SecretManager);
+
+    if (certificate.certificate) {
+      certificate.certificate = await barbicanMgr.getSecret(
+        userToken,
+        certificate.certificate,
+      );
+    }
+
+    if (certificate.chainCA) {
+      certificate.chainCA = await barbicanMgr.getSecret(
+        userToken,
+        certificate.chainCA,
+      );
+    }
+
+    if (certificate.pkcs12) {
+      certificate.pkcs12 = await barbicanMgr.getSecret(
+        userToken,
+        certificate.pkcs12,
+      );
+    }
+
+    if (certificate.passphrase) {
+      certificate.passphrase = await barbicanMgr.getSecret(
+        userToken,
+        certificate.passphrase,
+      );
+    }
+
+    if (certificate.privateKey) {
+      certificate.privateKey = await barbicanMgr.getSecret(
+        userToken,
+        certificate.privateKey,
+      );
+    }
+  }
+
   private async loadPool(pool: Pool): Promise<void> {
     pool.members = await this.poolRepository.members(pool.id).find();
 

diff --git a/app/waf/src/controllers/index.ts b/app/waf/src/controllers/index.ts
@@ -29,3 +29,5 @@ export * from './wafpolicy.controller';
 export * from './monitor.controller';
 export * from './membermonitorassc.controller';
 export * from './poolmonitorassc.controller';
+export * from './certificate.controller';
+export * from './tlsserver.controller';