From 10e48a1331cf4e96d544a7e33dff4f570bc56def Mon Sep 17 00:00:00 2001
From: Steffen <steffen@infrabox.net>
Date: Mon, 18 Feb 2019 07:31:25 +0000
Subject: [PATCH] add support for additional SSH keys

---
 README.md                                     |   1 -
 src/api/handlers/projects/sshkeys.py          | 122 ++++++++++++++++++
 .../src/components/project/SSHKeys.vue        |  97 ++++++++++++++
 .../src/components/project/Settings.vue       |  13 +-
 src/dashboard-client/src/models/Project.js    |  17 +++
 src/dashboard-client/src/store.js             |   7 +
 src/db/migrations/00028.sql                   |   2 +-
 src/db/migrations/00029.sql                   |   9 ++
 .../policies/projects_sshkeys.rego            |  37 ++++++
 src/scheduler/kubernetes/scheduler.py         |  29 ++++-
 10 files changed, 324 insertions(+), 10 deletions(-)
 create mode 100644 src/api/handlers/projects/sshkeys.py
 create mode 100644 src/dashboard-client/src/components/project/SSHKeys.vue
 create mode 100644 src/db/migrations/00029.sql
 create mode 100644 src/openpolicyagent/policies/projects_sshkeys.rego

diff --git a/README.md b/README.md
index 8caacdadf..7cc7c24d0 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,6 @@ Some of InfraBox' features are:
 - [Set resource limits (CPU and memory) for each task](https://github.com/SAP/infrabox-examples)
 - [GitHub integration](docs/install/configure/github.md)
 - [Gerrit integration](docs/install/configure/gerrit.md)
-- GitLab (coming soon)
 - [LDAP support](docs/install/configure/ldap.md)
 - [Periodically schedule builds](docs/cronjobs.md)
 - [and many more, see our examples](https://github.com/SAP/infrabox-examples)
diff --git a/src/api/handlers/projects/sshkeys.py b/src/api/handlers/projects/sshkeys.py
new file mode 100644
index 000000000..d331b3784
--- /dev/null
+++ b/src/api/handlers/projects/sshkeys.py
@@ -0,0 +1,122 @@
+import re
+
+from flask import request, g, abort
+from flask_restplus import Resource, fields
+
+from pyinfrabox.utils import validate_uuid
+from pyinfraboxutils.ibflask import OK
+from pyinfraboxutils.ibrestplus import api, response_model
+
+from croniter import croniter
+
+ns = api.namespace('SSHKeys',
+                   path='/api/v1/projects/<project_id>/sshkeys',
+                   description='SSH Key related operations')
+
+sshkey_model = api.model('CronJob', {
+    'name': fields.String(required=True),
+    'id': fields.String(required=True),
+    'secret': fields.String(required=True),
+})
+
+add_sshkey_model = api.model('AddCronJob', {
+    'name': fields.String(required=True, max_length=255),
+    'secret': fields.String(required=True, max_length=255),
+})
+
+@ns.route('/')
+@api.doc(responses={403: 'Not Authorized'})
+class SSHKeys(Resource):
+
+    name_pattern = re.compile('^[a-zA-Z0-9_]+$')
+
+    @api.marshal_list_with(sshkey_model)
+    def get(self, project_id):
+        '''
+        Returns project's sshkeys
+        '''
+        p = g.db.execute_many_dict('''
+            SELECT k.id, k.name, s.name as secret
+            FROM sshkey k
+            JOIN secret s
+            ON  s.id = k.secret_id
+            WHERE s.project_id = %s
+            AND k.project_id = %s
+        ''', [project_id, project_id])
+        return p
+
+    @api.expect(add_sshkey_model)
+    @api.response(200, 'Success', response_model)
+    def post(self, project_id):
+        '''
+        Add new sshkey
+        '''
+        b = request.get_json()
+
+        if not CronJobs.name_pattern.match(b['name']):
+            abort(400, 'CronJob name must be not empty alphanumeric string.')
+
+        result = g.db.execute_one_dict("""
+            SELECT id
+            FROM secret
+            WHERE project_id = %s
+            AND name = %s
+        """, [project_id, b['secret']])
+
+        if not result:
+            abort(400, 'Secret does not exist')
+
+        secret_id = result['id']
+
+        result = g.db.execute_one_dict("""
+            SELECT COUNT(*) as cnt
+            FROM sshkey
+            WHERE project_id = %s
+        """, [project_id])
+
+        if result['cnt'] > 50:
+            abort(400, 'Too many sshkeys.')
+
+        r = g.db.execute_one("""
+            SELECT count(*)
+            FROM sshkey
+            WHERE project_id = %s
+            AND name = %s
+        """, [project_id, b['name']])
+
+        if r[0] > 0:
+            abort(400, 'SSH Key with this name already exist')
+
+        g.db.execute('''
+            INSERT INTO sshkey (project_id, name, secret_id) VALUES(%s, %s, %s)
+        ''', [project_id, b['name'], secret_id])
+
+        g.db.commit()
+
+        return OK('Successfully added SSH Key')
+
+@ns.route('/<sshkey_id>')
+@api.doc(responses={403: 'Not Authorized'})
+class CronJob(Resource):
+    @api.response(200, 'Success', response_model)
+    def delete(self, project_id, sshkey_id):
+        '''
+        Delete a sshkey
+        '''
+        if not validate_uuid(sshkey_id):
+            abort(400, "Invalid sshkey uuid.")
+
+        num_sshkeys = g.db.execute_one("""
+            SELECT COUNT(*) FROM sshkey
+            WHERE project_id = %s and id = %s
+        """, [project_id, sshkey_id])[0]
+
+        if num_sshkeys == 0:
+            return abort(400, 'SSH Key does not exist.')
+
+        g.db.execute("""
+            DELETE FROM sshkey WHERE project_id = %s and id = %s
+        """, [project_id, sshkey_id])
+        g.db.commit()
+
+        return OK('Successfully deleted SSH Key.')
diff --git a/src/dashboard-client/src/components/project/SSHKeys.vue b/src/dashboard-client/src/components/project/SSHKeys.vue
new file mode 100644
index 000000000..935da44b1
--- /dev/null
+++ b/src/dashboard-client/src/components/project/SSHKeys.vue
@@ -0,0 +1,97 @@
+<template>
+    <div class="m-sm full-height">
+        <md-card md-theme="white" class="full-height clean-card">
+            <md-card-header>
+                <md-card-header-text class="setting-list">
+                    <md-icon>security</md-icon>
+                    <span>SSHKeys</span>
+                </md-card-header-text>
+            </md-card-header>
+            <md-card-area>
+                    <md-list class="m-t-md m-b-md md-double-line">
+                        <md-list-item>
+                            <div class="md-list-text-container">
+                                <span>
+                                    <md-input-container>
+                                        <label>Name</label>
+                                        <md-input @keyup.enter.native="addSSHKey" required v-model="name"></md-input>
+                                    </md-input-container>
+                                </span>
+                            </div>
+
+                            <div class="md-list-text-container">
+                                <span>
+                                    <md-input-container>
+                                        <label for="secret_select">Secret</label>
+                                        <md-select name="secret_select" id="secret_select" v-model="secret">
+                                            <md-option v-for="s in project.secrets" :value=r :key="s.name" class="bg-white">{{s.name}}</md-option>
+                                        </md-select>
+                                    </md-input-container>
+                                </span>
+                            </div>
+
+                            <md-button class="md-icon-button md-list-action" @click="addSSHKey()">
+                                <md-icon md-theme="running" class="md-primary">add_circle</md-icon>
+                                <md-tooltip>Add SSH Key</md-tooltip>
+                            </md-button>
+                        </md-list-item>
+                        <md-list-item v-for="k in project.sshkeys" :key="k.id">
+                            <md-input-container class="m-l-sm">
+                                {{ k.name }}
+                            </md-input-container>
+                            <md-input-container class="m-l-sm">
+                                {{ k.secret }}
+                            </md-input-container>
+                            <md-button class="md-icon-button md-list-action" @click="project.removeSSHKey(co)">
+                                <md-icon class="md-primary">delete</md-icon>
+                                <md-tooltip>Remove sshkey</md-tooltip>
+                            </md-button>
+                        </md-list-item>
+                    </md-list>
+            </md-card-area>
+        </md-card>
+    </div>
+</template>
+
+<script>
+export default {
+    props: ['project'],
+    data: () => {
+        return {
+            'name': '',
+            'secret': ''
+        }
+    },
+    created () {
+        this.project._loadSSHKeys()
+    },
+    methods: {
+        deleteSSHKEY (id) {
+            NewAPIService.delete(`projects/${this.project.id}/sshkeys/${id}`)
+            .then((response) => {
+                NotificationService.$emit('NOTIFICATION', new Notification(response))
+                this.project._reloadSSHKeys()
+            })
+            .catch((err) => {
+                NotificationService.$emit('NOTIFICATION', new Notification(err))
+            })
+        },
+        addCronJob () {
+            const d = {
+                name: this.name,
+                secret: this.secret
+            }
+            NewAPIService.post(`projects/${this.project.id}/sshkeys`, d)
+            .then((response) => {
+                NotificationService.$emit('NOTIFICATION', new Notification(response))
+                this.name = ''
+                this.minute = ''
+                this.project._reloadSSHKeys()
+            })
+            .catch((err) => {
+                NotificationService.$emit('NOTIFICATION', new Notification(err))
+            })
+        }
+    }
+}
+</script>
diff --git a/src/dashboard-client/src/components/project/Settings.vue b/src/dashboard-client/src/components/project/Settings.vue
index 0469b9c70..855a74f9b 100644
--- a/src/dashboard-client/src/components/project/Settings.vue
+++ b/src/dashboard-client/src/components/project/Settings.vue
@@ -1,14 +1,17 @@
 <template>
     <md-layout md-row>
-        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="33" md-flex-xlarge="33" class="b-r thin-border">
+        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="50" md-flex-xlarge="50" class="b-r thin-border">
             <ib-project-secrets :project="project"></ib-project-secrets>
         </md-layout>
-        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="33" md-flex-xlarge="33" class="b-r thin-border">
+        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="50" md-flex-xlarge="50" class="b-r thin-border">
             <ib-project-collaborators :project="project"></ib-project-collaborators>
         </md-layout>
-        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="33" md-flex-xlarge="33">
+        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="50" md-flex-xlarge="50">
             <ib-project-tokens :project="project"></ib-project-tokens>
         </md-layout>
+        <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="50" md-flex-medium="50" md-flex-large="50" md-flex-xlarge="50">
+            <ib-project-sshkeys :project="project"></ib-project-sshkeys>
+        </md-layout>
         <md-layout md-column md-gutter md-flex-xsmall="100" md-flex-small="100" md-flex-medium="100" md-flex-large="100" md-flex-xlarge="100">
             <ib-project-cronjobs :project="project"></ib-project-cronjobs>
         </md-layout>
@@ -24,6 +27,7 @@ import ProjectTokens from './Tokens'
 import ProjectCollaborators from './Collaborators'
 import ProjectBadges from './Badges'
 import ProjectCronJobs from './Cron'
+import ProjectSSHKeys from './SSHKeys'
 
 export default {
     props: ['project'],
@@ -32,7 +36,8 @@ export default {
         'ib-project-tokens': ProjectTokens,
         'ib-project-collaborators': ProjectCollaborators,
         'ib-project-badges': ProjectBadges,
-        'ib-project-cronjobs': ProjectCronJobs
+        'ib-project-cronjobs': ProjectCronJobs,
+        'ib-project-sshkeys': ProjectSSHKeys
     }
 }
 </script>
diff --git a/src/dashboard-client/src/models/Project.js b/src/dashboard-client/src/models/Project.js
index a9dc98e25..511eb6d2b 100644
--- a/src/dashboard-client/src/models/Project.js
+++ b/src/dashboard-client/src/models/Project.js
@@ -207,6 +207,23 @@ export default class Project {
             })
     }
 
+    _loadSSHKeys () {
+        if (this.cronjobs) {
+            return
+        }
+
+        this._reloadSSHKeys()
+    }
+
+    _reloadSSHKeys () {
+        return NewAPIService.get(`projects/${this.id}/sshkeys`)
+            .then((sshkeys) => {
+                store.commit('setSSHKeys', { project: this, sshkeys: sshkeys })
+            })
+            .catch((err) => {
+                NotificationService.$emit('NOTIFICATION', new Notification(err))
+            })
+    }
     _loadRoles () {
         if (this.roles) {
             return
diff --git a/src/dashboard-client/src/store.js b/src/dashboard-client/src/store.js
index fdbbf1168..975acc31d 100644
--- a/src/dashboard-client/src/store.js
+++ b/src/dashboard-client/src/store.js
@@ -186,6 +186,12 @@ function addJobs (state, jobs) {
     }
 }
 
+function setSSHKeys (state, data) {
+    const project = data.project
+    const sshkeys = data.sshkeys
+    project.sshkeys = sshkeys
+}
+
 function setCronJobs (state, data) {
     const project = data.project
     const cronjobs = data.cronjobs
@@ -308,6 +314,7 @@ const mutations = {
     addJobs,
     setSecrets,
     setCronJobs,
+    setSSHKeys,
     setCollaborators,
     setRoles,
     setTokens,
diff --git a/src/db/migrations/00028.sql b/src/db/migrations/00028.sql
index 9f28effae..3b7f352f9 100644
--- a/src/db/migrations/00028.sql
+++ b/src/db/migrations/00028.sql
@@ -1 +1 @@
-ALTER TABLE "commit" ADD COLUMN gerrit_change_id varchar;
\ No newline at end of file
+ALTER TABLE "commit" ADD COLUMN gerrit_change_id varchar;
diff --git a/src/db/migrations/00029.sql b/src/db/migrations/00029.sql
new file mode 100644
index 000000000..fa18eb14d
--- /dev/null
+++ b/src/db/migrations/00029.sql
@@ -0,0 +1,9 @@
+CREATE TABLE sshkey (
+    project_id uuid NOT NULL,
+    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    name character varying(255) NOT NULL,
+    secret_id uuid NOT NULL
+);
+
+ALTER TABLE ONLY sshkey
+    ADD CONSTRAINT sshkey_pkey PRIMARY KEY (id);
diff --git a/src/openpolicyagent/policies/projects_sshkeys.rego b/src/openpolicyagent/policies/projects_sshkeys.rego
new file mode 100644
index 000000000..4f3a35d64
--- /dev/null
+++ b/src/openpolicyagent/policies/projects_sshkeys.rego
@@ -0,0 +1,37 @@
+package infrabox
+
+import input as api
+
+import data.infrabox.collaborators.collaborators
+import data.infrabox.projects.projects
+import data.infrabox.roles
+
+projects_sshkeys_administrator([user, project]){
+    collaborators[i].project_id = project
+    collaborators[i].user_id = user
+    roles[collaborators[i].role] >= 20
+}
+
+# Allow GET access to /api/v1/projects/<project_id>/sshkeys for project administrators
+allow {
+    api.method = "GET"
+    api.path = ["api", "v1", "projects", project_id, "sshkeys"]
+    api.token.type = "user"
+    projects_sshkeys_administrator([api.token.user.id, project_id])
+}
+
+# Allow POST access to /api/v1/projects/<project_id>/sshkeys for project administrators
+allow {
+    api.method = "POST"
+    api.path = ["api", "v1", "projects", project_id, "sshkeys"]
+    api.token.type = "user"
+    projects_sshkeys_administrator([api.token.user.id, project_id])
+}
+
+# Allow DELETE access to /api/v1/projects/<project_id>/sshkeys/<cronjob_id> for project administrators
+allow {
+    api.method = "DELETE"
+    api.path = ["api", "v1", "projects", project_id, "sshkeys", cronjob_id]
+    api.token.type = "user"
+    projects_sshkeys_administrator([api.token.user.id, project_id])
+}
\ No newline at end of file
diff --git a/src/scheduler/kubernetes/scheduler.py b/src/scheduler/kubernetes/scheduler.py
index 1062322b4..1a8400f14 100644
--- a/src/scheduler/kubernetes/scheduler.py
+++ b/src/scheduler/kubernetes/scheduler.py
@@ -16,6 +16,7 @@
 from pyinfraboxutils import get_logger, get_env
 from pyinfraboxutils.db import connect_db
 from pyinfraboxutils.token import encode_job_token
+from pyinfraboxutils.secrets import decrypt_secret
 
 class APIException(Exception):
     def __init__(self, result):
@@ -586,7 +587,7 @@ def kube_job(self, job_id, cpu, mem, services=None):
         project_type = result[0]
         project_id = result[1]
 
-        private_key = None
+        private_key = ''
         if project_type == 'github':
             cursor = self.conn.cursor()
             cursor.execute('''
@@ -616,11 +617,31 @@ def kube_job(self, job_id, cpu, mem, services=None):
                 }, {
                     'name': 'INFRABOX_GIT_HOSTNAME',
                     'value': os.environ['INFRABOX_GERRIT_HOSTNAME']
-                }, {
-                    'name': 'INFRABOX_GIT_PRIVATE_KEY',
-                    'value': key.read()
                 }]
 
+                private_key = key.read()
+
+        cursor = self.conn.cursor()
+        cursor.execute('''
+            SELECT s.value
+            FROM secret s
+            JOIN sshkey k
+            ON k.secret_id = s.id
+            WHERE k.project_id = %s
+            AND s.project_id = %s
+        ''', [project_id, project_id])
+        result = cursor.fetchall()
+        cursor.close()
+
+        for r in result:
+            private_key += '\n%s' decrypt_secret(r[0])
+
+        if private_key:
+            env += [{
+                'name': 'INFRABOX_GIT_PRIVATE_KEY',
+                'value': private_key
+            }]
+
         root_url = os.environ['INFRABOX_ROOT_URL']
 
         if services: